Installing scan agents via Kubernetes and OpenShift

The Acunetix 360 scan agent runs in any Kubernetes environment, saving you time by eliminating driver and kernel installations. This document explains how to install the scan agent in Kubernetes and OpenShift Clusters. If you are using Docker, refer to Installing a scan agent via Docker.

PREREQUISITES:

  • Kubernetes kubectl command-line tool.
  • Red Hat OpenShift command-line tool.
  • Docker. To verify Docker installation on your OS, run the 'docker -v' command in Terminal. If you have Docker, Terminal shows the version information. Otherwise, it shows error messages. For more information about installing Docker, refer to the Docker website.

How to install a scan agent via Kubernetes and OpenShift

To install and run a scan agent in a Kubernetes environment, you need to:

  1. Pull the agent image
  2. Deploy the agent to a cluster

Pulling the agent image

There are two ways to pull and use the scanner image:

  1. Pull the image to your local environment and push it to your private registry.
  2. Pull the image directly from Invicti’s registry, registry.invicti.com, which is publicly reachable but requires authentication. To do this, provide the token to the Kubernetes cluster as a secret so that the cluster can pull images from registry.invicti.com. Refer to this Kubernetes website for more information.

Option A: Pulling an image to your local environment

  1. In Acunetix 360, select Agents > Manage Agents from the left-side menu.
  2. Click Configure New Agent.

  3. Run the following command to authenticate to the Invicti image registry (replace <registered-user-email> with the email address you use for your Acunetix 360 account).

docker login -u <registered-user-email> registry.invicti.com

  4. When prompted for a password, copy and paste the password from Acunetix 360 using the copy button.

  5. Pull the agent version using the command from Acunetix 360.

docker pull registry.invicti.com/ie-agent:latest

  6. Wait for the system to load the agent image. Then, you can push the loaded image to any private registry for use by the Kubernetes clusters.

Option B: Pulling an image from registry.invicti.com directly to the Kubernetes cluster

  1. Define a secret in the Kubernetes cluster to authenticate to Invicti’s registry, registry.invicti.com. For more information, refer to this Kubernetes documentation.

Deploying the agent to a cluster

This section contains instructions for deploying the agent to Kubernetes and OpenShift clusters.

How to deploy to a Kubernetes cluster

  1. Create a new namespace called 'invicti'.

kubectl create ns invicti

  2. Update the 'deployment.yaml' file with your specific values. The following deployment.yaml is a sample that you can use.

---
apiVersion: apps/v1
kind: Deployment
metadata:
  namespace: invicti
  labels:
    app: invicti-netsparker-scanner
  name: invicti-netsparker-scanner
spec:
  replicas: 1
  selector:
    matchLabels:
      app: invicti-netsparker-scanner
  template:
    metadata:
      labels:
        app: invicti-netsparker-scanner
    spec:
      containers:
        - name: invicti-netsparker-scanner
          image: <image registry>:<tag>
          imagePullPolicy: IfNotPresent
          env:
          - name: ApiToken
            value: "<Enter your Agent token>"
          - name: ApiRootUrl
            value: "<Enter your Api Root URL>"
          - name: AgentName
            valueFrom:
              fieldRef:
                fieldPath: metadata.name
          - name: AgentMode
            value: "Scanner"
          - name: IgnoreSslCertificateErrors
            value: "false"
          resources:
            limits:
              cpu: 2000m
              memory: 8Gi
            requests:
              cpu: 1000m
              memory: 4Gi

Environment Variables

  • AgentName: The AgentName can be anything. It will be displayed when you start a new scan. (If you plan to install more than one agent instance, set a unique 'AgentName' value for each instance, as you will need these later.)
  • ApiToken: The Agent Token is displayed on the Configure New Agent page. Copy this value into the ApiToken. (Select Agents > Manage Agents from the left-side menu and click Configure New Agent. In the Agent Token field, select Copy to clipboard.)
  • ApiRootUrl: This is the URL of Acunetix 360 On-Demand or Acunetix 360 On-Premises.
  • AgentMode: Indicates the agent’s process type as Scanner or Verifier.
  • IgnoreSslCertificateErrors: When enabled, the agent ignores SSL certificate errors on the scan target website.

  3. Apply manifests to your clusters by running the following commands:

kubectl apply -f deployment.yaml

kubectl get pod -n invicti

You have now installed the scanner agent. To check its status in Acunetix 360, go to Agents > Manage Agents.

You can now initiate a scan using the installed scanner agent. Navigate to Scans > New Scan, and choose a target with the agent mode set to Internal. You can also configure other necessary settings, including selecting the specific agent to conduct the scan on the target.
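
The Option B pull secret and the ApiToken variable described above, wired into the sample Deployment as an added example (not Invicti's own manifest). The Secret names invicti-registry and invicti-agent-token are assumptions; the token is read from a Secret through secretKeyRef instead of being written into deployment.yaml.

```yaml
# Added example (constructed, not Invicti's own manifest). The Secret names
# invicti-registry and invicti-agent-token are assumptions. Create them first:
#   kubectl create secret docker-registry invicti-registry -n invicti \
#     --docker-server=registry.invicti.com \
#     --docker-username=<registered-user-email> --docker-password=<password>
#   kubectl create secret generic invicti-agent-token -n invicti \
#     --from-literal=ApiToken=<agent token>
apiVersion: apps/v1
kind: Deployment
metadata:
  namespace: invicti
  labels:
    app: invicti-netsparker-scanner
  name: invicti-netsparker-scanner
spec:
  replicas: 1
  selector:
    matchLabels:
      app: invicti-netsparker-scanner
  template:
    metadata:
      labels:
        app: invicti-netsparker-scanner
    spec:
      imagePullSecrets:                 # Option B: kubelet authenticates to the registry
        - name: invicti-registry
      containers:
        - name: invicti-netsparker-scanner
          image: registry.invicti.com/ie-agent:latest
          imagePullPolicy: IfNotPresent
          env:
          - name: ApiToken              # token stays out of the manifest
            valueFrom:
              secretKeyRef:
                name: invicti-agent-token
                key: ApiToken
          - name: ApiRootUrl
            value: "<Enter your Api Root URL>"
          - name: AgentName
            valueFrom:
              fieldRef:
                fieldPath: metadata.name
          - name: AgentMode
            value: "Scanner"
          - name: IgnoreSslCertificateErrors
            value: "false"              # keep certificate validation on
          resources:
            limits: {cpu: 2000m, memory: 8Gi}
            requests: {cpu: 1000m, memory: 4Gi}
```

Because the token no longer appears in the manifest, deployment.yaml can be kept in version control without exposing it.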

How to deploy to an OpenShift cluster

  1. Log in to the OpenShift cluster by running the command below.

oc login <cluster_url> --username <username> --password <password>

  2. Create a new project called 'invicti' by running the command below.

oc new-project invicti

  3. Log in to the OpenShift registry with Docker by running the command below.

docker login -u <username> -p $(oc whoami -t) $(oc registry info)

  4. Tag the image you downloaded in the previous steps by running the command below.

docker tag registry.invicti.com/ie-opsh-agent:latest <your_openshift_registry:tag>

  5. Push the Docker image to the OpenShift registry by running the command below.

docker push <your_openshift_registry:tag>

  6. Create the 'deployment.yaml' file and populate the AgentName, ApiToken, and ApiRootUrl parameters.
  • AgentName: The AgentName can be anything. It will be displayed when you start a new scan. (If you plan to install more than one agent instance, set a unique 'AgentName' value for each instance, as you will need these later.)
  • ApiToken: The Agent Token is displayed on the Configure New Agent page. Copy this value into the ApiToken. (Select Agents > Manage Agents from the left-side menu and click Configure New Agent. In the Agent Token field, select Copy to clipboard.)
  • ApiRootUrl: This is the URL of Acunetix 360 On-Demand or Acunetix 360 On-Premises.

The following 'deployment.yaml' file is a sample that you can use:

---
apiVersion: apps/v1
kind: Deployment
metadata:
  namespace: invicti
  labels:
    app: invicti-netsparker-scanner
  name: invicti-netsparker-scanner
spec:
  replicas: 1
  selector:
    matchLabels:
      app: invicti-netsparker-scanner
  template:
    metadata:
      labels:
        app: invicti-netsparker-scanner
    spec:
      containers:
        - name: invicti-netsparker-scanner
          image: <Your agent image>
          imagePullPolicy: IfNotPresent
          env:
          - name: ApiToken
            value: "Enter a token"
          - name: ApiRootUrl
            value: "Enter a URL"
          - name: AgentName
            valueFrom:
              fieldRef:
                fieldPath: metadata.name
          - name: AgentMode
            value: "Scanner"
          - name: IgnoreSslCertificateErrors
            value: "false"
          resources:
            limits:
              cpu: 2000m
              memory: 8Gi
            requests:
              cpu: 1000m
              memory: 4Gi

  7. Apply manifests to your clusters by running these commands.

kubectl apply -f deployment.yaml

kubectl get pod

You have now installed the scanner agent. To check its status in Acunetix 360, go to Agents > Manage Agents.

You can now initiate a scan using the installed scanner agent. Navigate to Scans > New Scan, and choose a target with the agent mode set to Internal. You can also configure other necessary settings, including selecting the specific agent to conduct the scan on the target.
