Deploying an IAST agent for microservices on Kubernetes

AppScan supports automatic installation of the IAST agent on a Kubernetes cluster. Using a MutatingAdmissionWebhook, the IAST agent is automatically installed in any starting pod. You can install or remove the agent using Helm or Webhook scripts.

About this task

Illustration of the steps for installing an IAST agent on Kubernetes, with support for Java, .NET, and Node.js applications.

General instructions

Procedure

  1. Download the agent:

    Download the ASoC Kubernetes IAST agent, as described here, and extract the contents of the ZIP file.

  2. Install the IAST agent in the cluster:

    The agent can be installed in one or more namespaces. A MutatingAdmissionWebhook is deployed, which automatically injects the IAST agent into every new pod created in the selected namespaces. If no namespace is specified, the default namespace is used.

  3. Restart existing pods:

    After installation, restart any running pods in the target namespaces to ensure the IAST agent is injected.

  4. View pod names in issues:

    Pod names for reported issues are available under Additional Info in the Issue Details tab.

  5. Optional: The following additional features are available:
    1. Custom agent configuration: Use it to exclude specific pods.
    2. IAST Analyzer: Provides a complete service graph view and reduces false positives. Currently supported for Node.js and .NET only.

      Service graph showing command injection issue in Kubernetes pods.

Helm-based installation

About this task

To install or uninstall the IAST agent in your Kubernetes cluster using the helm chart, follow these steps.

Procedure

  1. Install the IAST agent:

    Install the IAST agent as described below. After installation, restart any running pods in the target namespaces to complete the installation.

    1. Install in the default namespace:

      helm install secagent helm-secagent --wait

    2. Install in one or more namespaces:

      helm install secagent helm-secagent --wait \
        --set "config.namespaceConfig.namespaces={my-namespace,my-second-namespace}"

      The value is quoted so that the shell passes the braces and comma through to Helm unchanged instead of brace-expanding them into separate arguments.

    3. Optional: Install with the Analyzer enabled:

      helm install secagent helm-secagent --wait \
        --set "config.namespaceConfig.namespaces={my-namespace}" \
        --set analyzer.enabled=true
  2. Uninstall the IAST agent: Run this command:

    helm uninstall secagent

    This removes the Helm release named secagent. Then restart all running pods to complete the removal.

    For advanced configuration and full documentation, see helm-secagent/README.md.

Script-Based Installation

About this task

To install or uninstall the IAST agent in your Kubernetes cluster using the scripts, follow these steps.

Procedure

  1. Install the IAST agent:

    Install the IAST agent as described below. After installation, restart any running pods in the target namespaces to complete the installation.

    1. Install in the default namespace:

      ./install-secagent-webhook.sh

    2. Install in one or more namespaces:

      ./install-secagent-webhook.sh -n my-namespace -n my-second-namespace

    3. Optional: Install with the Analyzer enabled:

      ./install-secagent-webhook.sh -n my-namespace --with-analyzer
  2. Uninstall the IAST agent: Run this command:

    ./uninstall-secagent-webhook.sh

    After script execution is complete, restart all running pods to complete the removal.

Excluding a pod from IAST installation

Procedure

  1. Exclude a specific pod in an included namespace.

    Add the label skip-iast-webhook="true" to the pod’s YAML configuration.

    Any new pod created with this label is ignored by the IAST mutating webhook.
  2. To include the pod again, remove the label or set it to false, then restart the pod.
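The manifest below is an added example, not part of the AppScan documentation or the helm-secagent chart, showing where the exclusion label goes when the workload is managed by a Deployment. It assumes the label must sit on the pod template (spec.template.metadata.labels) rather than on the Deployment's own metadata, because a mutating admission webhook is invoked on the Pod objects the controller creates; for a bare Pod manifest the same label goes directly under metadata.labels. The application name, image and namespace are placeholders.

```yaml
# Added example: a Deployment whose pods the IAST mutating webhook ignores.
# Assumption: the label lives on the pod template so it is copied onto every
# pod the Deployment creates; a label on the Deployment metadata alone is not
# seen by a Pod-scoped admission webhook.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: payments-api            # placeholder application name
  namespace: my-namespace       # a namespace where the IAST webhook is installed
spec:
  replicas: 1
  selector:
    matchLabels:
      app: payments-api
  template:
    metadata:
      labels:
        app: payments-api
        skip-iast-webhook: "true"   # quoted: label values must be strings in YAML
    spec:
      containers:
        - name: app
          image: registry.example.com/payments-api:1.0.0   # placeholder image
          ports:
            - containerPort: 8080
```

After applying the manifest, `kubectl get pods -n my-namespace -L skip-iast-webhook` lists the label value per pod, which makes it easy to confirm which pods the webhook will skip. Because the label is part of the pod template, removing it (or changing its value) and re-applying the manifest changes the template and therefore rolls out new pods, which the webhook then instruments.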