
Discovering Services with Kubernetes

Some environments use Kubernetes to orchestrate service deployment. IAST uses the Kubernetes API to fetch the deployed service details.

Connecting to a Kubernetes Cluster with IAST

Use the following steps to connect to a Kubernetes cluster from IAST:

  1. Browse to the Service Discovery page in the IAST portal to configure the Kubernetes endpoint.

  2. Click Edit. The Edit Connection dialog opens.

  3. Use one of the following methods to connect to the Kubernetes cluster:

    • Credentials, specify the following parameters:

      • Namespace – a Kubernetes namespace to get services from. Leave empty to get services from all namespaces

      • Cluster URL – Kubernetes API server URL

      • Username – a user with sufficient permissions to access the Kubernetes API server

      • Password – a password for that user.

    • API Key, specify the following parameters:

      • Namespace – Enter a specific Kubernetes namespace to get services from, or leave empty to get services from all namespaces

      • Cluster URL – Kubernetes API server URL

      • API Key – an API key with sufficient permissions to access the Kubernetes API server

    • Kube Config – This is the default option. CxIAST automatically uses the connection configuration from the Kubernetes configuration file in the file system (in ~/.kube/config, or $HOME/.kube/config), for example the following location in the local Windows installation:

      C:\Users\Lenovo\.kube\config

  4. To test the connection before saving it, click Test.

  5. Click Save.

Note

  • Connecting using Kube Config requires the HOME environment variable to be configured. If it is missing, the following environment variables will be used: HOMEDRIVE, HOMEPATH, USERPROFILE. If these variables are missing as well, the user.home Java system property will be used.

  • If the credentials or API key connection fails, CxIAST Manager will automatically revert to the Kube Config option.

  • If the Cluster URL uses HTTPS without a signed certificate, set the KUBERNETES_TRUST_CERTIFICATES=true environment variable and restart CxIAST Manager.
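
Because CxIAST Manager reverts to Kube Config when another method fails, it helps to know which kubeconfig the Manager's account would load. The following added example (not CxIAST code) applies the lookup order from the note above and flags a file that other local accounts can read. Joining HOMEDRIVE with HOMEPATH, passing the Java user.home value as a parameter, and expecting mode 600 are assumptions of this sketch.

```python
import os
import stat
from pathlib import Path


def resolve_home(env, java_user_home=None):
    """Return (home_dir, source) following the lookup order in the note above."""
    if env.get("HOME"):
        return env["HOME"], "HOME"
    # Assumption: HOMEDRIVE and HOMEPATH are concatenated, as is usual on Windows.
    if env.get("HOMEDRIVE") and env.get("HOMEPATH"):
        return env["HOMEDRIVE"] + env["HOMEPATH"], "HOMEDRIVE+HOMEPATH"
    if env.get("USERPROFILE"):
        return env["USERPROFILE"], "USERPROFILE"
    # Assumption: the caller supplies the JVM's user.home value, if known.
    if java_user_home:
        return java_user_home, "user.home"
    return None, None


def audit_kubeconfig(env, java_user_home=None):
    """Report which kubeconfig would be picked up and whether it is over-exposed."""
    home, source = resolve_home(env, java_user_home)
    report = {"source": source, "path": None, "exists": False, "findings": []}
    if home is None:
        report["findings"].append("no home directory could be resolved")
        return report
    path = Path(home) / ".kube" / "config"
    report["path"] = str(path)
    if not path.is_file():
        report["findings"].append("kubeconfig not found")
        return report
    report["exists"] = True
    if os.name == "posix":
        # The file holds cluster credentials; only the owner should have access.
        mode = stat.S_IMODE(path.stat().st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            report["findings"].append(
                f"mode {mode:o} grants group/other access; expected 600")
    return report


if __name__ == "__main__":
    # Run as the account that runs CxIAST Manager to see what it would load.
    print(audit_kubeconfig(dict(os.environ)))
```

Run it under the same account and environment as CxIAST Manager, since the result depends on that process's variables.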

Service Discovery Table

The deployed services are listed in the Service Discovery page of CxIAST, as shown below:

  • Name specifies the name of the Kubernetes service as named in Kubernetes.

  • Namespace specifies the Kubernetes namespace in which this service is deployed.

  • Monitored Project specifies the IAST project (with an attached agent) that was deployed using Kubernetes. The auto-matching mechanism compares the Name column to all monitored IAST projects to create a match. To manually match projects, click the arrow in this field and select a project from the list (to un-match, select None).

  • Type specifies the Kubernetes service type (ClusterIP, LoadBalancer, etc.).

  • Cluster IP specifies the internal Kubernetes cluster IP address of this service.

  • External IPs specifies the external IP addresses for this service.

  • Ports specifies the exposed ports for this service.