Skip to content

Contrast-Security-OSS/demo-k8s-operator

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

17 Commits
apps
apps
 
 
terraform-aks
terraform-aks
 
 
.gitignore
.gitignore
 
 
README.md
README.md
 
 
config-template.yaml
config-template.yaml
 
 

Repository files navigation

Contrast Agent Operator Demo

This repo includes examples of how to create a Kubernetes cluster, deploy the Contrast Agent Operator and some known vulnerable applications. Typical deployment times:

  • AKS - 5 mins
  • EKS - 20 mins

Deploying on Azure/AKS

This deployment will typically take ±5 minutes.

Pre-requisites for Azure/AKS

  1. Install Terraform from here: https://www.terraform.io/downloads.html.
  2. Install the Azure cli tools using brew update && brew install azure-cli.
  3. Install kubectl using brew update && brew install kubectl.

Steps for Azure/AKS

  1. Change directory to the AKS folder

  2. If your Azure CLI is not authenticated then log into the Azure (az login) to cache your credentials.

  3. Create a terraform.tfvars file to add your initials and preferred Azure location, for example:

     location="UK South"
 initials="da"

  4. Run terraform init to download the required plugins.

  5. Run terraform apply to deploy a new cluster.

  6. Grab your AKS credentials for kubectl:

     az aks get-credentials --resource-group $(terraform output resource_group_name | tr -d '"') --name $(terraform output kubernetes_cluster_name | tr -d '"')

  7. Deploy the operator and demo apps.

  8. View the Kubernetes dashboard (optional):

     az aks browse --resource-group $(terraform output resource_group_name | tr -d '"') --name $(terraform output  kubernetes_cluster_name | tr -d '"')

  9. After your demo, run terraform destroy --auto-approve to remove all resources.

Deploying on AWS/EKS

Pre-requisites for AWS/EKS

  1. Install kubectl using brew update && brew install kubectl.
  2. Install the AWS CLI using brew update && brew install awscli.
  3. If your AWS CLI is not authenticated then run (aws configure) to cache your credentials.
  4. Install eksctl using brew update && brew install eksctl.

Steps for AWS/EKS

  1. Create a K8S cluster using eksctl create cluster --name sales-engineering-da --region us-east-2
  2. Grab your EKS credentials for kubectl: aws eks update-kubeconfig --region us-east-2 --name sales-engineering-da
  3. After your demo, run eksctl delete cluster --name sales-engineering-da --region us-east-2 to remove all resources.

Installing the Contrast Agent Operator

  1. Install the operator:

     kubectl apply -f https://github.com/Contrast-Security-OSS/agent-operator/releases/latest/download/install-prod.yaml

  2. Configure the operator using one of the two options below:

Express Configuration

  1. Rename the config-template.yaml to config.yaml and add your agent credentials on lines 9-11. This file includes agent injectors for all languages.
  2. Run kubectl apply -f config.yaml

Step by Step Configuration

  1. Configure the operator credentials:

     kubectl -n contrast-agent-operator create secret generic default-agent-connection-secret --from-literal=apiKey=TODO --from-literal=serviceKey=TODO --from-literal=userName=TODO

  2. Create a ClusterAgentConnection:

    kubectl apply -f - <<EOF
apiVersion: agents.contrastsecurity.com/v1beta1
kind: ClusterAgentConnection
metadata:
  name: default-agent-connection
  namespace: contrast-agent-operator
spec:
  template:
    spec:
      url: https://eval.contrastsecurity.com/Contrast
      apiKey:
        secretName: default-agent-connection-secret
        secretKey: apiKey
      serviceKey:
        secretName: default-agent-connection-secret
        secretKey: serviceKey
      userName:
        secretName: default-agent-connection-secret
        secretKey: userName
EOF

  3. Create an AgentInjector (this should be done per target language - example is for Java):

    kubectl apply -f - <<EOF
apiVersion: agents.contrastsecurity.com/v1beta1
kind: AgentInjector
metadata:
  name: contrast-agent-injector
  namespace: default
spec:
  type: java
  selector:
    labels:
      - name: contrast
        value: java
EOF

Deploying Applications

  1. Make sure you have the relevant agent injector created and deploy vulnerable applications from the apps folder, e.g.: kubectl apply -f /apps/webgoat.yaml

  2. Visit your application in the browser via the external IP. Remember to add /WebGoat (or equivalent): kubectl get services

Troubleshooting

Troubleshoot the Application

  1. Check the app has the correct Contrast annotations: kubectl describe Deployment/webgoat

  2. Check if Contrast is mentioned in the application logs: kubectl -n default logs Deployment/webgoat

  3. Show logging from the init container on the pod: kubectl logs Deployment/webgoat -c contrast-init

Troubleshoot the Agent Operator

  1. Check the operator is running: kubectl -n contrast-agent-operator get pods

  2. Check the operator logs: kubectl logs -f deployment/contrast-agent-operator --namespace contrast-agent-operator

  3. If you don't have operator logs, check everything is configured:

     kubectl get all,secrets,clusteragentconfiguration,clusteragentconnection --namespace contrast-agent-operator

  4. Elevate the operator logging:

     kubectl -n contrast-agent-operator set env deployment/contrast-agent-operator CONTRAST_LOG_LEVEL=Trace

About

No description, website, or topics provided.

Resources

Readme
Activity
Custom properties

Stars

2 stars

Watchers

4 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Contributors 2

  •  
  •  

Languages