This guide provides a working example of manually setting up and configuring the Contrast .NET Core agent within a Kubernetes environment. For the Contrast Agent Operator, see here.
This guide assumes you have a basic working knowledge of git, Docker and Kubernetes.
Prerequisites
- You will require access to a Kubernetes environment, either in the cloud (for example Amazon's EKS or Microsoft's AKS). Alternatively, you can set up a local Kubernetes environment. Two options are Docker Desktop and minikube.
- Clone the following GitHub repository that will be used in this tutorial:
git clone https://github.com/Contrast-Security-OSS/demo-netflicks.git
Building the .NET Core application's image with Contrast
Inspect the Dockerfile.contrast
, you should note a few sections where the Contrast agent is added:
Lines 12-17 utilizes a build stage to fetch in the latest Contrast .NET Core agent. as a Nuget package and unzips it to a temporary directory in the build image:
# Add contrast sensor package
ADD https://www.nuget.org/api/v2/package/Contrast.SensorsNetCore /tmp/contrast.sensorsnetcore.nupkg
RUN apt-get update \
&& apt-get install -y unzip \
&& unzip /tmp/contrast.sensorsnetcore.nupkg -d /tmp/contrast \
&& rm /tmp/contrast.sensorsnetcore.nupkg
Line 26 copies in the resulting directory from the build image to the final image.
COPY --from=publish /tmp/contrast /opt/contrast
For more details on adding the Contrast agent to your application/image. See our docker guide on the subject.
- In your terminal, navigate to the cloned repo's folder and run the following command to build the docker image with a tag that references your docker repository.
docker build -f Dockerfile.contrast . -t <your repo>/netflicks:contrast
- Push your image to the repo.
docker push <your repo>/netflicks:contrast
This image can be now be used in the Kubernetes deployment.
Setting up the Kubernetes environment
Create a secret for the agent's authentication credentials
Download a contrast_security.yaml
file from the Contrast UI to acquire the agent authentication credentials which will be used to create a secret in Kubernetes. The file will look like this:
api:
url: http(s)://<your contrast UI hostname>/Contrast #For example https://app.contrastsecurity.com/Contrast
api_key: <apiKey>
service_key: <serviceKey>
user_name: agent_<hashcode>@<domain>
Now generate a secret using this file as follows:
kubectl create secret generic contrast-security --from-file=./contrast_security.yaml
Looking at the application deployment file (k8s/netflicks_deployment.yaml
) you will see that this secret is already referenced and the file will be mounted under /etc/contrast/
:
...
volumeMounts:
- name: contrast-security
readOnly: false
mountPath: "/etc/contrast/"
...
volumes:
- name: contrast-security
secret:
secretName: contrast-security
Make configuration changes
Some configuration changes are required to instruct the runtime to load the Contrast Agent, and there are several configuration options that the agent allows (such as providing a custom name for the application and setting the logging level etc.). These configuration changes can be made using environment variables, and a common method in Kubernetes is to create a ConfigMap.
The tutorial example already contains such a config.properties
file in the k8s
folder like so:
CONTRAST__APPLICATION__NAME=netflicks-k8s CONTRAST__SERVER__NAME=EKS-Core-Pod CONTRAST__SERVER__ENVIRONMENT=qa CONTRAST_CONFIG_PATH=/etc/contrast/contrast_security.yaml AGENT__LOGGER__STDOUT=true AGENT__LOGGER__LEVEL=INFO CORECLR_PROFILER_PATH_64=/opt/contrast/contentFiles/any/netstandard2.0/contrast/runtimes/linux-x64/native/ContrastProfiler.so CORECLR_PROFILER={8B2CE134-0948-48CA-A4B2-80DDAD9F5791} CORECLR_ENABLE_PROFILING=1 CONTRAST_CORECLR_LOGS_DIRECTORY=/opt/contrast
You can customize this as desired (but be sure to leave the CORECLR
values intact) and then create the ConfigMap from this file, run the following command:
kubectl create configmap contrast-config --from-env-file=k8s/contrast.properties
And you will notice that, again, the application deployment file (k8s/netflicks_deployment.yaml
) already references this ConfigMap:
...
envFrom:
- configMapRef:
name: contrast-config
...
Reference your Docker Image
The application deployment file (k8s/netflicks_deployment.yaml
) is currently configured to reference a pre-built image named contrastsecuritydemo/netflicks:k8s
. To instead have the deployment use the Docker image you built above, modify this line to point to your own Docker repository, for example change this:
- name: netflicks
image: contrastsecuritydemo/netflicks:k8s
to this:
- name: netflicks
image: <your repo>/netflicks:contrast
Deploy the application to Kubernetes
Apply the deployment file using the following command
kubectl apply -f k8s/netflicks_deployment.yaml
Verify the agent has been loaded
Run the following command to verify the application pod is up and running:
kubectl get all
You should see something like this:
NAME READY STATUS RESTARTS AGE
pod/netflicks-controller-rg46h 2/2 Running 0 5m28s
And check the logs for the netflicks
container within that pod, like so:
kubectl logs -c netflicks netflicks-controller-rg46h
If the Contrast Agent has loaded successfully and all is working you should see output similar to the following: