contrast-agent-injector

module

v0.0.0-...-2509b82 Latest Latest Go to latest Published: Sep 10, 2021 License: Apache-2.0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/cbuto/contrast-agent-injector

Links

Open Source Insights

README ¶

Contrast Agent Injector

Contrast Agent Injector is a Mutating Admission Webhook that will inject a Contrast Agent into a Kubernetes Pods on creation to instrument the service running in the first container in the pod.

Supported Languages

Java

Getting Started

Helm Installation

To get started, you first need to deploy the agent injector service and webhook configuration into a cluster. Right now, the only supported option for that is via Helm. By default, the webhook will use a certificate generated by kube-webhook-certgen for TLS.

Create a Kubernetes Secret from a contrast_security.yaml file containing the required API keys

api:
  url: https://app.contrastsecurity.com/Contrast
  user_name: contrast_user
  api_key: demo
  service_key: demo

kubectl create secret generic contrast-agent-secret --from-file contrast_security.yaml

Update contrast.secretName in the values file to the name of the Secret you created previously (or leave the default)
Install the Helm chart (The chart isn't hosted in a Helm repo as of right now, so you'll need to clone this repo)

helm upgrade --install injector .

Enabling Agent Injection

Now that the contrast-agent-injector service is running inside the cluster, you can enable and configure your Pods to have the agent injected into them on creation.

Add the contrast-agent-injector: enabled label to the namespace that your services are running in (only Pods created in this namespace will have the specified agent injected)
Add the required annotations to a Pod (latest can be used for the agent version). See the examples folder.

contrast-agent-injector/version: <agent version>
contrast-agent-injector/language: java
contrast-agent-injector/enabled: <true|enabled>

Add the optional annotation (contrast-agent-injector/config) to the Pod in order to configure the agent further (See the Agent Configuration section for details)
When new pods are created with the annotations defined above, the contrast-agent-injector service will mutate the Pod spec to include the necessary configuration for instrumenting the service with the specified Contrast Agent.

Agent Configuration

In order to add additional configuration to the Pods that are annotated for injection, the contrast-agent-injector/config annotation accepts a comma separated list of key value pairs to inject as environment variables into the Pod. Find the configuration values supported for each agent here

Example

annotations:
    ...
    contrast-agent-injector/config: CONTRAST__SERVER__ENVIRONMENT=qa, CONTRAST__SERVER__NAME=webgoat-k8s
    ...

Current Limitations

Only supports injecting the agent into the first container in a Pod
Only supports agent configuration via environment variables using the contrast-agent-injector/config annotation

Directories ¶

Path	Synopsis
cmd
injector
pkg
webhooks

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL