
Agent Operator configuration

This topic describes the schema for every configuration entity type that the Contrast Agent Operator accepts. Some entities are optional.

AgentConfiguration

apiVersion: agents.contrastsecurity.com/v1beta1
kind: AgentConfiguration
metadata:
  name: example-agent-configuration
  namespace: default
spec:
  yaml: |
    server:
      environment: QA
  suppressDefaultServerName: false
  suppressDefaultApplicationName: false

| Property | Type | Required | Default value | Description |
|---|---|---|---|---|
| spec.yaml | string | No | | A YAML configuration file as documented in "YAML configuration". |
| spec.suppressDefaultServerName | boolean | No | false | If false, automatically set the Contrast server name on injected workloads ('kubernetes-{namespace}'), rather than use the default (normally the pod name). |
| spec.suppressDefaultApplicationName | boolean | No | false | If false, automatically set the Contrast application name on injected workloads (the workload name), rather than use the default (generated by the agent). |

Note

Connection keys will be ignored in the provided YAML file and should not be provided.

AgentConnection

apiVersion: agents.contrastsecurity.com/v1beta1
kind: AgentConnection
metadata:
  name: example-agent-connection
  namespace: default
spec:
  url: https://app.contrastsecurity.com/Contrast
  apiKey:
    secretName: example-agent-connection-secret
    secretKey: apiKey
  serviceKey:
    secretName: example-agent-connection-secret
    secretKey: serviceKey
  userName:
    secretName: example-agent-connection-secret
    secretKey: userName

| Property | Type | Required | Default value | Description |
|---|---|---|---|---|
| spec.url | string | Yes | | The URL of your Contrast server. |
| spec.apiKey.secretName | string | Yes | | The name of the Secret containing the apiKey. |
| spec.apiKey.secretKey | string | Yes | | The key of the value in the named Secret containing the apiKey. |
| spec.serviceKey.secretName | string | Yes | | The name of the Secret containing the serviceKey. |
| spec.serviceKey.secretKey | string | Yes | | The key of the value in the named Secret containing the serviceKey. |
| spec.userName.secretName | string | Yes | | The name of the Secret containing the userName. |
| spec.userName.secretKey | string | Yes | | The key of the value in the named Secret containing the userName. |

Important

For security, Secrets referenced must be contained in the same namespace as the AgentConnection.

AgentInjector

apiVersion: agents.contrastsecurity.com/v1beta1
kind: AgentInjector
metadata:
  name: example-injector-dotnet-core
  namespace: default
spec:
  enabled: true
  version: latest
  type: dotnet-core
  image:
    registry: docker.io/contrast
    name: agent-dotnet-core
    pullSecretName: contrastdotnet-pull-secret
    pullPolicy: Always
  selector:
    images:
      - "*"
    labels:
      - name: app
        value: example-*
  connection:
    name: example-agent-connection
  configuration:
    name: example-agent-configuration

| Property | Type | Required | Default value | Description |
|---|---|---|---|---|
| spec.enabled | boolean | No | true | Enables or disables this agent injector. |
| spec.version | string | No | latest | The version of the agent to inject. The literal 'latest' will inject the latest version. Partial version matches are supported, e.g. '2' will select version '2.1.0'. |
| spec.type | agentType | Yes | | The type of agent to inject. Can be one of ['dotnet-core', 'java', 'nodejs', 'php']. |
| spec.image.registry | string | No | docker.io/contrast | The image registry to use for downloading agent images. This registry must be accessible by the pods being injected and by the operator. |
| spec.image.name | string | No | {based on type} | The name of the injector image to use. |
| spec.image.pullSecretName | string | No | | The name of a pull Secret to append to the pod's imagePullSecrets list. |
| spec.image.pullPolicy | string | No | Always | The pull policy to use when fetching Contrast images. See Kubernetes imagePullPolicy for more information. |
| spec.selector.images | string[] | No | Select all containers in Pod. | Container images to inject the agent into. Glob patterns are supported. |
| spec.selector.labels | labelSelector[] | No | Select all workloads in namespace. | Deployment/StatefulSet/DaemonSet/DeploymentConfig labels whose pods are eligible for agent injection. |
| spec.connection.name | string | No | Defaults to the AgentConnection specified by a ClusterAgentConnection. | The name of an AgentConnection resource. Must exist within the same namespace. |
| spec.configuration.name | string | No | Defaults to the AgentConfiguration specified by a ClusterAgentConfiguration. | The name of an AgentConfiguration resource. Must exist within the same namespace. |

  • Disabling an existing AgentInjector will remove all injections from selected workloads.

  • The referenced AgentConnection and AgentConfiguration must exist in the same namespace as the AgentInjector.

  • If using a custom registry, both the Pod being injected and the operator must have access, either through the default pull secret, or custom pull secrets.

  • Agent version latest is recommended when using the agent in pre-production environments.

  • The AgentInjector supports selecting Deployment, StatefulSet, DaemonSet, and DeploymentConfig (on OpenShift) workloads. Injecting pods directly is not supported.

  • If the selected workload creates many containers in a single Pod, spec.selector.images can be used to filter which containers are injected.

labelSelector

| Property | Type | Required | Default value | Description |
|---|---|---|---|---|
| name | string | Yes | | The name of the label to match. |
| value | string | Yes | | The value of the label to match. Glob patterns are supported. |

Note

Label selections are cumulative using the logical AND operation.
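To preview which workloads and containers a selector would reach before applying an AgentInjector, the sketch below evaluates the rules described above. It is an added example, not Contrast code: Python's `fnmatchcase` stands in for the operator's glob dialect, an image is assumed to match when any `images` pattern matches, and the workloads and registry names are constructed.

```python
from fnmatch import fnmatchcase

def workload_selected(selector, labels):
    """True when every labelSelector entry matches (logical AND).
    An absent or empty list selects all workloads in the namespace."""
    for rule in selector.get("labels") or []:
        actual = labels.get(rule["name"])
        if actual is None or not fnmatchcase(actual, rule["value"]):
            return False
    return True

def containers_injected(selector, containers):
    """Names of containers whose image matches a spec.selector.images glob.
    An absent list selects all containers in the Pod."""
    patterns = selector.get("images")
    if not patterns:
        return [c["name"] for c in containers]
    return [c["name"] for c in containers
            if any(fnmatchcase(c["image"], p) for p in patterns)]

def preview(selector, workloads):
    """Map each selected workload name to the containers that would be injected."""
    return {w["name"]: containers_injected(selector, w["containers"])
            for w in workloads if workload_selected(selector, w["labels"])}

# Constructed workloads in one namespace (names and images are hypothetical).
WORKLOADS = [
    {"name": "example-api", "labels": {"app": "example-api", "tier": "web"},
     "containers": [{"name": "api", "image": "registry.example.com/shop/api:1.4"},
                    {"name": "proxy", "image": "registry.example.com/mesh/proxy:2.0"}]},
    {"name": "example-batch", "labels": {"app": "example-batch", "tier": "batch"},
     "containers": [{"name": "worker", "image": "registry.example.com/shop/worker:1.4"}]},
    {"name": "billing", "labels": {"app": "billing", "tier": "web"},
     "containers": [{"name": "billing", "image": "registry.example.com/pay/billing:3.1"}]},
]

# The selector from the AgentInjector example on this page.
PAGE_SELECTOR = {"images": ["*"], "labels": [{"name": "app", "value": "example-*"}]}
# A narrower selector: two labels (ANDed) and one image path.
NARROW_SELECTOR = {"images": ["registry.example.com/shop/*"],
                   "labels": [{"name": "app", "value": "example-*"},
                              {"name": "tier", "value": "web"}]}

if __name__ == "__main__":
    print(preview(PAGE_SELECTOR, WORKLOADS))
    print(preview(NARROW_SELECTOR, WORKLOADS))
```

With the page's selector the sidecar `proxy` container is injected as well; the narrower selector limits injection to the `api` container of `example-api`.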

agentType

| Agent | Agent Type |
|---|---|
| .NET Core | dotnet-core |
| Java | java |
| Node.js | nodejs |
| PHP | php |

Types are further documented in Operator supported technologies.

ClusterAgentConfiguration

apiVersion: agents.contrastsecurity.com/v1beta1
kind: ClusterAgentConfiguration
metadata:
  name: default-agent-configuration
  namespace: contrast-agent-operator
spec:
  namespaces:
    - default
  template:
    spec:
      yaml: |
        server:
          environment: QA

| Property | Type | Required | Default value | Description |
|---|---|---|---|---|
| spec.namespaces | string[] | No | All namespaces. | The namespaces to apply this AgentConfiguration template to. Glob syntax is supported. |
| spec.template | AgentConfiguration | Yes | | The default AgentConfiguration to apply to the namespaces selected by 'spec.namespaces'. |

Note

For security, ClusterAgentConfiguration manifests must be deployed into the same namespace as the operator.

ClusterAgentConnection

apiVersion: agents.contrastsecurity.com/v1beta1
kind: ClusterAgentConnection
metadata:
  name: default-agent-connection
  namespace: contrast-agent-operator
spec:
  namespaces:
    - default
  template:
    spec:
      url: https://app.contrastsecurity.com/Contrast
      apiKey:
        secretName: default-agent-connection-secret
        secretKey: apiKey
      serviceKey:
        secretName: default-agent-connection-secret
        secretKey: serviceKey
      userName:
        secretName: default-agent-connection-secret
        secretKey: userName

| Property | Type | Required | Default value | Description |
|---|---|---|---|---|
| spec.namespaces | string[] | No | All namespaces. | The namespaces to apply this AgentConnection template to. Glob syntax is supported. |
| spec.template | AgentConnection | Yes | | The default AgentConnection to apply to the namespaces selected by 'spec.namespaces'. |

Note

  • For security, ClusterAgentConnection manifests must be deployed into the same namespace as the operator.

  • Secrets referenced by ClusterAgentConnection must exist in the same namespace in which the ClusterAgentConnection entity is deployed.
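The namespace rules stated on this page (Secrets beside their connection, injector references in the injector's own namespace, Cluster* manifests in the operator namespace) can be checked before manifests are applied. The linter below is an added example, not part of the operator; it assumes the full set of manifests is already parsed into dictionaries, that the operator runs in `contrast-agent-operator` as in the examples above, and it uses constructed sample resources (`team-a` and `injector-java` are hypothetical).

```python
OPERATOR_NS = "contrast-agent-operator"  # assumption: namespace from the page's Cluster* examples
KEY_FIELDS = ("apiKey", "serviceKey", "userName")

def lint(resources, operator_ns=OPERATOR_NS):
    """Return findings for violations of the namespace rules stated on this page."""
    index = {(r["kind"], r["metadata"]["namespace"], r["metadata"]["name"]) for r in resources}
    findings = []
    for r in resources:
        kind, ns, name = r["kind"], r["metadata"]["namespace"], r["metadata"]["name"]
        spec = r.get("spec") or {}
        # Cluster* manifests must live in the operator's namespace.
        if kind.startswith("ClusterAgent") and ns != operator_ns:
            findings.append(f"{kind}/{name}: deployed in {ns}, expected {operator_ns}")
        # Secrets must sit in the namespace of the connection that references them.
        if kind in ("AgentConnection", "ClusterAgentConnection"):
            conn = spec.get("template", {}).get("spec", {}) if kind.startswith("Cluster") else spec
            for secret in sorted({str(conn.get(f, {}).get("secretName")) for f in KEY_FIELDS}):
                if ("Secret", ns, secret) not in index:
                    findings.append(f"{kind}/{name}: Secret {secret} not found in {ns}")
        # An injector may only reference resources in its own namespace.
        if kind == "AgentInjector":
            for field, target in (("connection", "AgentConnection"),
                                  ("configuration", "AgentConfiguration")):
                ref = spec.get(field, {}).get("name")
                if ref and (target, ns, ref) not in index:
                    findings.append(f"{kind}/{name}: {target} {ref} not found in {ns}")
    return findings

def res(kind, ns, name, spec=None):
    return {"kind": kind, "metadata": {"namespace": ns, "name": name}, "spec": spec or {}}

def keys(secret):
    return {f: {"secretName": secret, "secretKey": f} for f in KEY_FIELDS}

# Constructed sample: the page's example names plus two deliberate mistakes.
SAMPLE = [
    res("Secret", "default", "example-agent-connection-secret"),
    res("AgentConnection", "default", "example-agent-connection",
        keys("example-agent-connection-secret")),
    res("AgentConfiguration", "default", "example-agent-configuration"),
    res("AgentInjector", "default", "example-injector-dotnet-core",
        {"connection": {"name": "example-agent-connection"},
         "configuration": {"name": "example-agent-configuration"}}),
    res("AgentInjector", "team-a", "injector-java",  # cross-namespace reference
        {"connection": {"name": "example-agent-connection"}}),
    res("Secret", OPERATOR_NS, "default-agent-connection-secret"),
    res("ClusterAgentConnection", "default", "default-agent-connection",  # wrong namespace
        {"template": {"spec": keys("default-agent-connection-secret")}}),
]

if __name__ == "__main__":
    for finding in lint(SAMPLE):
        print(finding)
```

An injector that omits `connection.name` or `configuration.name` produces no finding, since those fall back to the cluster-level defaults.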
