Connect Deployed Agents to SaaS Management Using Tool (K8s & Linux)
Instructions
When logged in to the open-appsec portal, click on Getting Started. You will see this page:
Follow these steps to connect your agents to the management:
Step 1: Confirm agent is deployed
Check the "I deployed an agent" box, the Central Management box will become enabled.
Step 2: Create a profile
The best-practice recommendation is to create an individual profile in the WebUI for each of your open-appsec deployments. Examples for "deployments" would be e.g.:
- K8s deployment using HELM or installation tool (consisting of one or multiple open-appsec agents)
- redundant deployment using Docker on two or more virtual machines (each having it's own agent) protecting the same web assets
- redundant Linux embedded deployment on two or more Linux machines protecting the same web assets
Security-wise this makes sure that only policies for those assets which are protected by specific agents are enforced on those agents (by linking the Assets to only the relevant profile(s)), in addition to having separate tokens per each deployment and all associated agents.
In addition this approach provides the flexibility of being able to configure various settings available on profile-level individually per each deployment, if required.
In the Getting Started page, click Manage and choose either Kubernetes Profile or Linux Embedded Agent Profile depending on your installation type. You will get into the related Profile page:
Kubernetes Kong Profile example
Linux NGINX Profile Example
Step 3: Select Subtype
In the "sub type" field select either NGINX or Kong depending on what kind of open-appsec agent / deployment you want to connect.
Step 4: Determine Management Master
Choose the relevant option to decide whether you want to edit assets and policies via the WebUI or locally in a declarative way (using CRDs or configuration file). If you choose a declarative option you can still view the configuration in the WebUI in read-only mode.
Kubernetes management mode
NGINX management mode
Step 5: Create secure communication channel between Agent(s) and Management
In case you want to connect to the SaaS Management using only Helm values (e.g. in a GitOps scenario where you deploy the Helm chart from a Git repo) please continue here and don't perform this step below.
Follow the guidelines under Download & Deployment:
Enforce policy, by clicking the button at the top right of the page.
Copy the commands as shown in the selected profile and run it in your Kubernetes or Linux Environment to connect your deployed agents to this profile and the central management.
Here are some examples:
Kong Linux Connect to managment example
Once you performed the instructions, after about two minutes, you will see a green notification bar in the Web UI. Your open-appsec agents are now connected to the management!
