Agent Operator configuration
This topic describes the schema for every configuration entity type the Contrast Agent Operator accepts. Some entities are optional.
AgentConfiguration
```yaml
apiVersion: agents.contrastsecurity.com/v1beta1
kind: AgentConfiguration
metadata:
  name: example-agent-configuration
  namespace: default
spec:
  yaml: |
    server:
      environment: QA
  suppressDefaultServerName: false
  suppressDefaultApplicationName: false
```
Property | Type | Required | Default value | Description |
---|---|---|---|---|
spec.yaml | string | No | | A YAML configuration file as documented in "YAML configuration". |
spec.suppressDefaultServerName | boolean | No | false | If false, automatically set the Contrast server name on injected workloads ('kubernetes-{namespace}'), rather than use the default (normally the pod name). |
spec.suppressDefaultApplicationName | boolean | No | false | If false, automatically set the Contrast application name on injected workloads (the workload name), rather than use the default (generated by the agent). |
Note
Connection keys will be ignored in the provided YAML file and should not be provided.
AgentConnection
```yaml
apiVersion: agents.contrastsecurity.com/v1beta1
kind: AgentConnection
metadata:
  name: example-agent-connection
  namespace: default
spec:
  url: https://app.contrastsecurity.com/Contrast
  apiKey:
    secretName: example-agent-connection-secret
    secretKey: apiKey
  serviceKey:
    secretName: example-agent-connection-secret
    secretKey: serviceKey
  userName:
    secretName: example-agent-connection-secret
    secretKey: userName
```
Property | Type | Required | Default value | Description |
---|---|---|---|---|
spec.url | string | Yes | | The URL of your Contrast server. |
spec.apiKey.secretName | string | Yes | | The name of the Secret containing the apiKey. |
spec.apiKey.secretKey | string | Yes | | The key of the value in the named Secret containing the apiKey. |
spec.serviceKey.secretName | string | Yes | | The name of the Secret containing the serviceKey. |
spec.serviceKey.secretKey | string | Yes | | The key of the value in the named Secret containing the serviceKey. |
spec.userName.secretName | string | Yes | | The name of the Secret containing the userName. |
spec.userName.secretKey | string | Yes | | The key of the value in the named Secret containing the userName. |
Important
For security, Secrets referenced must be contained in the same namespace as the AgentConnection.
AgentInjector
```yaml
apiVersion: agents.contrastsecurity.com/v1beta1
kind: AgentInjector
metadata:
  name: example-injector-dotnet-core
  namespace: default
spec:
  enabled: true
  version: latest
  type: dotnet-core
  image:
    registry: docker.io/contrast
    name: agent-dotnet-core
    pullSecretName: contrastdotnet-pull-secret
    pullPolicy: Always
  selector:
    images:
      - "*"
    labels:
      - name: app
        value: example-*
  connection:
    name: example-agent-connection
  configuration:
    name: example-agent-configuration
```
Property | Type | Required | Default value | Description |
---|---|---|---|---|
spec.enabled | boolean | No | true | Enables or disables this agent injector. |
spec.version | string | No | latest | The version of the agent to inject. The literal 'latest' will inject the latest version. Partial version matches are supported, e.g. '2' will select version '2.1.0'. |
spec.type | agentType | Yes | | The type of agent to inject. Can be one of ['dotnet-core', 'java', 'nodejs' or 'nodejs-esm', 'php', 'python']. |
spec.image.registry | string | No | docker.io/contrast | The image registry to use for downloading agent images. This registry must be accessible by the pods being injected and by the operator. |
spec.image.name | string | No | {based on type} | The name of the injector image to use. |
spec.image.pullSecretName | string | No | | The name of a pull Secret to append to the pod's imagePullSecrets list. |
spec.image.pullPolicy | string | No | Always | The pull policy to use when fetching Contrast images. See Kubernetes imagePullPolicy for more information. |
spec.selector.images | string[] | No | Select all containers in Pod. | Container images to inject the agent into. Glob patterns are supported. |
spec.selector.labels | labelSelector[] | No | Select all workloads in namespace. | Deployment/StatefulSet/DaemonSet/DeploymentConfig labels whose pods are eligible for agent injection. |
spec.connection.name | string | No | Defaults to the AgentConnection specified by a ClusterAgentConnection. | The name of an AgentConnection resource. Must exist within the same namespace. |
spec.configuration.name | string | No | Defaults to the AgentConfiguration specified by a ClusterAgentConfiguration. | The name of an AgentConfiguration resource. Must exist within the same namespace. |
Disabling an existing AgentInjector will remove all injections from selected workloads.
The referenced AgentConnection and AgentConfiguration must exist in the same namespace as the AgentInjector.
If using a custom registry, both the Pod being injected and the operator must have access, either through the default pull secret, or custom pull secrets.
Agent version 'latest' is recommended when using the agent in pre-production environments.
The AgentInjector supports selecting Deployment, StatefulSet, DaemonSet, and DeploymentConfig (on OpenShift) workloads. Injecting pods directly is not supported.
If the selected workload creates many containers in a single Pod, spec.selector.images can be used to filter which containers are injected.
labelSelector
Property | Type | Required | Default value | Description |
---|---|---|---|---|
name | string | Yes | | The name of the label to match. |
value | string | Yes | | The value of the label to match. Glob patterns are supported. |
Note
Label selections are cumulative using the logical AND operation.
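The selection rules above (glob matching on label values and container images, label entries combined with AND, and the documented defaults when a list is omitted), worked through as an added example that is not part of the Contrast documentation or the operator's code. It assumes shell-style globbing as provided by Python's `fnmatch`; the workloads, images and function names are constructed for illustration.

```python
from fnmatch import fnmatchcase  # assumption: stands in for the operator's glob matching

def workload_selected(selector, labels):
    """Every labelSelector entry must match (logical AND); no entries selects all."""
    for rule in selector.get("labels", []):
        value = labels.get(rule["name"])
        if value is None or not fnmatchcase(value, rule["value"]):
            return False
    return True

def injected_containers(selector, workload):
    """Names of the containers in one workload that the selector would inject."""
    if not workload_selected(selector, workload["labels"]):
        return []
    patterns = selector.get("images") or ["*"]  # omitted: all containers in the Pod
    return [c["name"] for c in workload["containers"]
            if any(fnmatchcase(c["image"], p) for p in patterns)]

# Constructed sample data (hypothetical workloads and images).
WORKLOADS = [
    {"name": "example-shop", "labels": {"app": "example-shop", "tier": "web"},
     "containers": [{"name": "shop", "image": "registry.example.com/shop/api:1.4"},
                    {"name": "log-shipper", "image": "registry.example.com/infra/fluent-bit:2.2"}]},
    {"name": "example-batch", "labels": {"app": "example-batch", "tier": "worker"},
     "containers": [{"name": "job", "image": "registry.example.com/shop/batch:0.9"}]},
    {"name": "billing", "labels": {"app": "billing", "tier": "web"},
     "containers": [{"name": "billing", "image": "registry.example.com/shop/billing:3.0"}]},
]
# Selector from the AgentInjector example: every container of every app=example-* workload.
BROAD = {"images": ["*"], "labels": [{"name": "app", "value": "example-*"}]}
# Narrowed: a second label (AND) and an image glob that skips the sidecar.
TIGHT = {"images": ["registry.example.com/shop/*"],
         "labels": [{"name": "app", "value": "example-*"}, {"name": "tier", "value": "web"}]}

def plan(selector):
    """Map each sample workload to the containers that would be injected."""
    return {w["name"]: injected_containers(selector, w) for w in WORKLOADS}

if __name__ == "__main__":
    for label, sel in (("broad", BROAD), ("tight", TIGHT)):
        print(label, plan(sel))
```

With the broad selector the log-shipping sidecar is injected along with the application container; the image glob in the narrowed selector is what excludes it.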
agentType
Agent | Agent Type |
---|---|
.NET Core | dotnet-core |
Java | java |
Node.js | nodejs OR nodejs-esm |
PHP | php |
Python | python |
Types are further documented in Operator supported technologies.
ClusterAgentConfiguration
```yaml
apiVersion: agents.contrastsecurity.com/v1beta1
kind: ClusterAgentConfiguration
metadata:
  name: default-agent-configuration
  namespace: contrast-agent-operator
spec:
  namespaces:
    - default
  template:
    spec:
      yaml: |
        server:
          environment: QA
```
Property | Type | Required | Default value | Description |
---|---|---|---|---|
spec.namespaces | string[] | No | All namespaces. | The namespaces to apply this AgentConfiguration template to. Glob syntax is supported. |
spec.template | AgentConfiguration | Yes | | The default AgentConfiguration to apply to the namespaces selected by 'spec.namespaces'. |
Note
For security, ClusterAgentConfiguration manifests must be deployed into the same namespace as the operator.
ClusterAgentConnection
```yaml
apiVersion: agents.contrastsecurity.com/v1beta1
kind: ClusterAgentConnection
metadata:
  name: default-agent-connection
  namespace: contrast-agent-operator
spec:
  namespaces:
    - default
  template:
    spec:
      url: https://app.contrastsecurity.com/Contrast
      apiKey:
        secretName: default-agent-connection-secret
        secretKey: apiKey
      serviceKey:
        secretName: default-agent-connection-secret
        secretKey: serviceKey
      userName:
        secretName: default-agent-connection-secret
        secretKey: userName
```
Property | Type | Required | Default value | Description |
---|---|---|---|---|
spec.namespaces | string[] | No | All namespaces. | The namespaces to apply this AgentConnection template to. Glob syntax is supported. |
spec.template | AgentConnection | Yes | | The default AgentConnection to apply to the namespaces selected by 'spec.namespaces'. |
Note
For security, ClusterAgentConnection manifests must be deployed into the same namespace as the operator.
Secrets referenced by ClusterAgentConnection must exist in the same namespace in which the ClusterAgentConnection entity is deployed.
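A pre-deployment check for the namespace rules stated on this page (Secrets beside their AgentConnection or ClusterAgentConnection, AgentInjector references in the injector's own namespace, Cluster* entities in the operator namespace), as an added example that is not Contrast's code. It assumes the operator runs in `contrast-agent-operator`, as in the examples above, and works on manifests already parsed into dictionaries; `lint`, `obj` and `conn` are hypothetical names.

```python
OPERATOR_NS = "contrast-agent-operator"  # assumption: namespace used in the page's Cluster* examples
SECRET_FIELDS = ("apiKey", "serviceKey", "userName")

def lint(manifests):
    """Check parsed manifests (dicts) against the same-namespace rules; return findings."""
    index = {(m["kind"], m["metadata"]["namespace"], m["metadata"]["name"]) for m in manifests}
    findings = []

    def need(owner, kind, ns, name):
        if (kind, ns, name) not in index:
            findings.append(f"{owner}: {kind} '{name}' not found in namespace '{ns}'")

    for m in manifests:
        kind, ns = m["kind"], m["metadata"]["namespace"]
        owner, spec = f"{kind}/{ns}/{m['metadata']['name']}", m.get("spec", {})
        if kind.startswith("ClusterAgent"):
            if ns != OPERATOR_NS:
                findings.append(f"{owner}: must be deployed in '{OPERATOR_NS}'")
            spec = spec.get("template", {}).get("spec", {})  # rules apply to the template
        if kind in ("AgentConnection", "ClusterAgentConnection"):
            for secret in sorted({spec[f]["secretName"] for f in SECRET_FIELDS if f in spec}):
                need(owner, "Secret", ns, secret)
        if kind == "AgentInjector":
            for field, target in (("connection", "AgentConnection"),
                                  ("configuration", "AgentConfiguration")):
                ref = spec.get(field, {}).get("name")
                if ref:  # omitted: falls back to a ClusterAgent* default
                    need(owner, target, ns, ref)
    return findings

# Constructed sample manifests, reduced to the fields the checks read.
def obj(kind, ns, name, spec=None):
    return {"kind": kind, "metadata": {"namespace": ns, "name": name}, "spec": spec or {}}

def conn(secret):
    return {f: {"secretName": secret, "secretKey": f} for f in SECRET_FIELDS}

SAMPLE = [
    obj("Secret", "default", "example-agent-connection-secret"),
    obj("AgentConnection", "default", "example-agent-connection",
        conn("example-agent-connection-secret")),
    obj("AgentInjector", "staging", "staging-injector",
        {"connection": {"name": "example-agent-connection"}}),  # connection lives in 'default'
    obj("Secret", OPERATOR_NS, "default-agent-connection-secret"),
    obj("ClusterAgentConnection", "default", "default-agent-connection",  # wrong namespace
        {"template": {"spec": conn("default-agent-connection-secret")}}),
]

if __name__ == "__main__":
    print("\n".join(lint(SAMPLE)))
```

The check only sees the manifests it is given, so a Secret that already exists in the cluster but is not in the set is reported as missing.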