.NET Core Agent with Kubernetes

  • Updated
Contrast has released an Agent Operator for Kubernetes which can simplify the addition of Contrast agents into your environment, without the need for any of the steps detailed below. If that is of interest, more information can be found here in our documentation.

This guide provides a working example of manually setting up and configuring the Contrast .NET Core agent within a Kubernetes environment.   For the Contrast Agent Operator, see here.

This guide assumes you have a basic working knowledge of git, Docker and Kubernetes.

Prerequisites

  1. You will require access to a Kubernetes environment, either in the cloud (for example Amazon's EKS or Microsoft's AKS).  Alternatively, you can set up a local Kubernetes environment.  Two options are Docker Desktop and minikube.
  2. Clone the following GitHub repository that will be used in this tutorial:
git clone https://github.com/Contrast-Security-OSS/demo-netflicks.git

Building the .NET Core application's image with Contrast

Inspect the Dockerfile.contrast, you should note a few sections where the Contrast agent is added:

Lines 12-17 utilizes a build stage to fetch in the latest Contrast .NET Core agent. as a Nuget package and unzips it to a temporary directory in the build image:

# Add contrast sensor package
ADD https://www.nuget.org/api/v2/package/Contrast.SensorsNetCore /tmp/contrast.sensorsnetcore.nupkg
RUN apt-get update \
&& apt-get install -y unzip \
&& unzip /tmp/contrast.sensorsnetcore.nupkg -d /tmp/contrast \
&& rm /tmp/contrast.sensorsnetcore.nupkg

Line 26 copies in the resulting directory from the build image to the final image.

COPY --from=publish /tmp/contrast /opt/contrast

For more details on adding the Contrast agent to your application/image. See our docker guide on the subject.

  1. In your terminal, navigate to the cloned repo's folder and run the following command to build the docker image with a tag that references your docker repository.
docker build -f Dockerfile.contrast . -t <your repo>/netflicks:contrast
  1. Push your image to the repo.
docker push <your repo>/netflicks:contrast

This image can be now be used in the Kubernetes deployment.

Setting up the Kubernetes environment

Create a secret for the agent's authentication credentials

Download a contrast_security.yaml file from the Contrast UI to acquire the agent authentication credentials which will be used to create a secret in Kubernetes.  The file will look like this:

api: 
  url: http(s)://<your contrast UI hostname>/Contrast #For example https://app.contrastsecurity.com/Contrast
  api_key: <apiKey>
  service_key: <serviceKey>
  user_name: agent_<hashcode>@<domain>

Now generate a secret using this file as follows:

kubectl create secret generic contrast-security --from-file=./contrast_security.yaml
This secret can be used by all Contrast agents, so it is preferable to keep it generic and make any application-level configuration changes using environment variables.

Looking at the application deployment file (k8s/netflicks_deployment.yaml) you will see that this secret is already referenced and the file will be mounted under /etc/contrast/:

...
        volumeMounts:
        - name: contrast-security
          readOnly: false
          mountPath: "/etc/contrast/"
...
volumes: - name: contrast-security secret: secretName: contrast-security

Make configuration changes

Some configuration changes are required to instruct the runtime to load the Contrast Agent, and there are several configuration options that the agent allows (such as providing a custom name for the application and setting the logging level etc.).  These configuration changes can be made using environment variables, and a common method in Kubernetes is to create a ConfigMap.

The tutorial example already contains such a config.properties file in the k8s folder like so:

CONTRAST__APPLICATION__NAME=netflicks-k8s
CONTRAST__SERVER__NAME=EKS-Core-Pod
CONTRAST__SERVER__ENVIRONMENT=qa
CONTRAST_CONFIG_PATH=/etc/contrast/contrast_security.yaml
AGENT__LOGGER__STDOUT=true
AGENT__LOGGER__LEVEL=INFO
CORECLR_PROFILER_PATH_64=/opt/contrast/contentFiles/any/netstandard2.0/contrast/runtimes/linux-x64/native/ContrastProfiler.so
CORECLR_PROFILER={8B2CE134-0948-48CA-A4B2-80DDAD9F5791}
CORECLR_ENABLE_PROFILING=1
CONTRAST_CORECLR_LOGS_DIRECTORY=/opt/contrast

You can customize this as desired (but be sure to leave the CORECLR values intact) and then create the ConfigMap from this file, run the following command:

kubectl create configmap contrast-config --from-env-file=k8s/contrast.properties

And you will notice that, again, the application deployment file (k8s/netflicks_deployment.yaml) already references this ConfigMap:

...
envFrom:
- configMapRef:
name: contrast-config
...

Reference your Docker Image

The application deployment file (k8s/netflicks_deployment.yaml) is currently configured to reference a pre-built image named contrastsecuritydemo/netflicks:k8s.  To instead have the deployment use the Docker image you built above, modify this line to point to your own Docker repository, for example change this:

 - name: netflicks
image: contrastsecuritydemo/netflicks:k8s

to this:

 - name: netflicks
image: <your repo>/netflicks:contrast

Deploy the application to Kubernetes

Apply the deployment file using the following command

kubectl apply -f k8s/netflicks_deployment.yaml

Verify the agent has been loaded

Run the following command to verify the application pod is up and running:

kubectl get all

You should see something like this:

NAME                           READY STATUS  RESTARTS AGE
pod/netflicks-controller-rg46h 2/2 Running 0 5m28s

And check the logs for the netflicks container within that pod, like so:

kubectl logs -c netflicks netflicks-controller-rg46h

If the Contrast Agent has loaded successfully and all is working you should see output similar to the following:

 

Was this article helpful?

0 out of 0 found this helpful

Have more questions? Submit a request