Discovering Services with Kubernetes
Some environments use Kubernetes to orchestrate service deployment. IAST uses the Kubernetes API to fetch the deployed service details.
Connecting to a Kubernetes Cluster with IAST
Use the following steps to connect to a Kubernetes cluster from IAST:
1. Browse to the Service Discovery page in the IAST portal to configure the Kubernetes endpoint.
2. Click Edit. The Edit Connection dialog opens.
3. Use one of the following methods to connect to the Kubernetes cluster:
   - Credentials: specify the following parameters:
     - Namespace – a Kubernetes namespace to get services from. Leave empty to get services from all namespaces.
     - Cluster URL – Kubernetes API server URL.
     - Username – a user with sufficient permissions to access the Kubernetes API server.
     - Password – a password for that user.
   - API Key: specify the following parameters:
     - Namespace – enter a specific Kubernetes namespace to get services from, or leave empty to get services from all namespaces.
     - Cluster URL – Kubernetes API server URL.
     - API Key – an API key with sufficient permissions to access the Kubernetes API server.
   - Kube Config: this is the default option. CxIAST automatically uses the connection configuration from the Kubernetes configuration file in the file system (in ~/.kube/config, or $HOME/.kube/config), for example the following location in the local Windows installation:
     C:\Users\Lenovo\.kube\config
4. Click Test if you want to test the connection before saving it.
5. Click Save.
Note
Connecting using Kube Config requires the HOME environment variable to be configured. If it is missing, the following environment variables will be used: HOMEDRIVE, HOMEPATH, USERPROFILE. If these variables are missing as well, the user.home Java system property will be used.
If the credentials or API key connection fails, CxIAST Manager will automatically revert to the Kube Config option.
If the Cluster URL uses HTTPS without a signed certificate, set the KUBERNETES_TRUST_CERTIFICATES=true environment variable and restart CxIAST Manager.
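The Username and API Key parameters above only ask for "sufficient permissions"; the manifest below is an added example (not Checkmarx's own configuration) of a read-only identity scoped to Service objects. It assumes that discovery needs only to read Services, that the API Key field accepts a service account bearer token, and that the hypothetical namespaces `iast-system` and `shop` already exist.

```yaml
# Added example. All names (iast-discovery, iast-system, iast-service-reader, shop)
# are hypothetical. Assumption: discovery only needs to read Service objects.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: iast-discovery
  namespace: iast-system
---
# Read-only access to Services and nothing else (no pods, secrets or configmaps).
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: iast-service-reader
rules:
  - apiGroups: [""]            # core API group, where Service lives
    resources: ["services"]
    verbs: ["get", "list", "watch"]
---
# Variant A: Namespace field left empty (services from all namespaces).
# A ClusterRoleBinding grants the read-only rule cluster-wide.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: iast-service-reader
subjects:
  - kind: ServiceAccount
    name: iast-discovery
    namespace: iast-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: iast-service-reader
---
# Variant B: Namespace field set to a single namespace ("shop" is constructed).
# A RoleBinding limits the same rule to that namespace. Apply A or B, not both.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: iast-service-reader
  namespace: shop
subjects:
  - kind: ServiceAccount
    name: iast-discovery
    namespace: iast-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: iast-service-reader
```

The grant can be checked with `kubectl auth can-i list services --as=system:serviceaccount:iast-system:iast-discovery`, and the same query for `secrets` should answer `no`. Because a failed credentials or API key connection reverts to Kube Config, the kubeconfig on the CxIAST Manager host should carry an equally restricted identity.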
Service Discovery Table
The deployed services are listed in the Service Discovery page of CxIAST, as shown below:
Name specifies the name of the Kubernetes service as named in Kubernetes.
Namespace specifies the Kubernetes namespace in which this service is deployed.
Monitored Project specifies the IAST project (with an attached agent) that was deployed using Kubernetes. The auto-matching mechanism compares the Name column to all monitored IAST projects to create a match. To manually match projects, click the arrow in this field and select a project from the list (to un-match, select None).
Type specifies the Kubernetes service type (ClusterIP, LoadBalancer, etc.).
Cluster IP specifies the internal Kubernetes cluster IP address of this service.
External IPs specifies the external IP addresses for this service.
Ports specifies the exposed ports for this service.