How to expose ZAP API through Kubernetes NodePort?


Gavin kelly

May 25, 2017, 10:01:14 AM
to OWASP ZAP User Group

I have set up the ZAP proxy using the stable Docker image owasp/zap2docker-stable. This container is to be deployed onto Kubernetes; currently I have it deployed on my local Minikube. The Pod deployment and service are all working: I can connect my browser to the proxy via the NodePort exposed on Minikube and I see, on the container, the relevant reports being generated for the passive scans.
However, I cannot access the API from outside of the Minikube machine. If I ssh into Minikube I can access the API endpoints, but from outside of Minikube the connection times out.

I will try to provide as much information here as possible but I am hoping it is something obvious I am missing :)

Container spec from deployment file

spec:
  containers:
  - image: infra/zap-proxy
    name: zap
    command: ["zap.sh", "-daemon", "-port", "8090", "-host", "0.0.0.0", "-config", "api.disablekey=true", "-config", "api.addrs.addr.name=.*", "-config", "api.addrs.addr.regex=true"]
    imagePullPolicy: IfNotPresent
    ports:
    - containerPort: 8090

Service file

apiVersion: v1
kind: Service
metadata:
  name: zap-proxy-service
  namespace: infra
  labels:
    name: zap
spec:
  type: NodePort
  ports:
  - port: 8090
    nodePort: 30103
    protocol: TCP
  selector:
    name: zap

Basically, what the above files do is deploy a container exposing port 8090, then deploy a service that exposes port 30103 mapped to 8090 on the ZAP container. As I said, I have no issues connecting to the proxy from outside of Minikube, but I can't access the API, which I need in order to retrieve the reports.

Please let me know if there is anything else you require. Thanks for any and all help :)

Simon Bennetts

May 25, 2017, 10:08:36 AM
to OWASP ZAP User Group
The ZAP configs look OK.
Have you definitely got the API turned on?
If you can connect to ZAP in order to proxy through it, then you should also be able to access the ZAP API.
Try pointing your browser at the host:port you are using to proxy through it.
You should get a 'Welcome to ZAP' page with various links, including one to the API UI.

Cheers,

Simon

Gavin kelly

May 25, 2017, 10:21:50 AM
to OWASP ZAP User Group
I believe the API is turned on, as I can access it locally on the container:
curl http://localhost:8090/json/core/view/sites
results in the sites array being populated with the sites I am attempting to access.

However, when I go to my host:port in the browser it times out. Are there any other logs that I could look at that may help?

Simon Bennetts

May 25, 2017, 10:25:46 AM
to OWASP ZAP User Group
Ah, of course!
By default the API is restricted to localhost.
Via the UI you can change that on the Options / API screen.
It will be possible to set that via command-line options. I'll just have a quick play and let you know what they should be...

Cheers,

Simon

Gavin kelly

May 25, 2017, 10:31:54 AM
to OWASP ZAP User Group
Actually, it seems to be only available if I am connected to the browser with the proxy; very weird behaviour. Please do send me any relevant options, I will gladly give them a go... appreciate the help.
Below is what I am seeing at the moment:
1. http://host:port/OTHER/core/other/htmlreport works - I get the report returned in the browser that is connected to the proxy
2. http://host:port/ in a browser connected to the proxy results in the following exception
ZAP Error [java.net.ConnectException]: Connection timed out (Connection timed out)

Stack Trace:
java.net.ConnectException: Connection timed out (Connection timed out)
	at java.net.PlainSocketImpl.socketConnect(Native Method)
	at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350)
	at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206)
	at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188)
	at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)
	at java.net.Socket.connect(Socket.java:589)
	at java.net.Socket.connect(Socket.java:538)
	at java.net.Socket.<init>(Socket.java:434)
	at java.net.Socket.<init>(Socket.java:286)
	at org.apache.commons.httpclient.protocol.DefaultProtocolSocketFactory.createSocket(DefaultProtocolSocketFactory.java:80)
	at org.apache.commons.httpclient.protocol.DefaultProtocolSocketFactory.createSocket(DefaultProtocolSocketFactory.java:122)
	at org.apache.commons.httpclient.HttpConnection.open(Unknown Source)
	at org.apache.commons.httpclient.MultiThreadedHttpConnectionManager$HttpConnectionAdapter.open(MultiThreadedHttpConnectionManager.java:1361)
	at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(Unknown Source)
	at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(Unknown Source)
	at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:397)
	at org.parosproxy.paros.network.HttpSender.executeMethod(Unknown Source)
	at org.parosproxy.paros.network.HttpSender.runMethod(Unknown Source)
	at org.parosproxy.paros.network.HttpSender.send(Unknown Source)
	at org.parosproxy.paros.network.HttpSender.sendAuthenticated(Unknown Source)
	at org.parosproxy.paros.network.HttpSender.sendAndReceive(Unknown Source)
	at org.parosproxy.paros.network.HttpSender.sendAndReceive(Unknown Source)
	at org.parosproxy.paros.core.proxy.ProxyThread.processHttp(Unknown Source)
	at org.parosproxy.paros.core.proxy.ProxyThread.run(Unknown Source)
	at java.lang.Thread.run(Thread.java:745)

3. http://host:port/OTHER/core/other/htmlreport in another browser not connected to the proxy results in a timeout

Simon Bennetts

May 25, 2017, 10:35:25 AM
to OWASP ZAP User Group
Yeah, I realised that you _were_ setting the right options, i.e.
 "-config", "api.addrs.addr.name=.*", "-config", "api.addrs.addr.regex=true"

If you can connect to the API when connected using the browser, then it implies that this is something outside of ZAP's control.
I'm afraid I don't know what else to suggest.
You can try looking in the zap.log file, but I don't think that will have anything relevant in it :/

Gavin kelly

May 25, 2017, 10:40:10 AM
to OWASP ZAP User Group
Yeah, I would think this is something related to my Minikube setup. I will continue to investigate; you can close this off if you like. I might just come back and let you know when I find a resolution :) Thanks again

Simon Bennetts

May 25, 2017, 10:43:01 AM
to OWASP ZAP User Group
Please do - someone else may well hit the same problem in the future :)

thc...@gmail.com

May 25, 2017, 10:51:20 AM
to zaprox...@googlegroups.com
What ZAP version are you using?

In the examples provided, what is the value of "port"? Always 8090?
What value are you using as the proxy port in the browser? 30103?

Best regards.

On 25/05/17 15:31, Gavin kelly wrote:
> Actually it seems to be only available if I am connected to the browser
> with the proxy, very weird behaviour. Please do send me on any relevant
> options, I will gladly give them a go...appreciate the help.
> Below is what I am seeing at the moment:
> 1. http://host:port/OTHER/core/other/htmlreport works - I get the report
> returned in the browser that *is* connected to the proxy
> 3. http://host:port/OTHER/core/other/htmlreport on other browser *not*

Gavin kelly

May 25, 2017, 11:46:19 AM
to OWASP ZAP User Group
Problem solved, thanks for all the help. Shamefully it has nothing to do with ZAP and more to do with my lack of understanding around Kubernetes.

The port needs to be exposed through an external IP, so the service file would look something like:
ports:
- port: 8090
  targetPort: 8090
  nodePort: 30103
  protocol: TCP
externalIPs:
- xxx.xxx.xxx.xxx   # IP address goes here

This has solved it for minikube anyway.

And yep, sorry thc202, I forgot to add the ports to that:
1. http://host:8090/OTHER/core/other/htmlreport works - I get the report returned in the browser that is connected to the proxy on 30103
2. http://host:8090/ in a browser connected to the proxy on 30103 results in the exception
3. http://host:30103/OTHER/core/other/htmlreport in another browser not connected to the proxy results in a timeout
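For readers who want the whole picture rather than the two fragments above, here is a complete Deployment plus NodePort Service for the setup described in this thread. It is an added example, not the original poster's files and not ZAP project code. It assumes a current cluster (apps/v1 Deployment), the public owasp/zap2docker-stable image named in the first post, and a placeholder external address (192.0.2.10, taken from the documentation range) standing in for whatever `minikube ip` reports. One deliberate difference from the command line in the first post: the API key stays enabled via `api.key` (a standard ZAP config option) instead of `api.disablekey=true`, because a NodePort makes the API reachable from every host that can reach the node, and the unkeyed API can read every report and drive every scan.

```yaml
# Constructed example: ZAP daemon on Kubernetes, API reachable via NodePort.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: zap-proxy
  namespace: infra
spec:
  replicas: 1
  selector:
    matchLabels:
      name: zap
  template:
    metadata:
      labels:
        name: zap
    spec:
      containers:
      - name: zap
        image: owasp/zap2docker-stable
        imagePullPolicy: IfNotPresent
        # -host 0.0.0.0: ZAP binds to localhost by default, which is unreachable
        #   from the Service.
        # api.addrs.addr.*: accept API requests whose Host header is any address
        #   (the thread's setting); narrow the regex to the external IP once known.
        # api.key: placeholder, replace with a long random value (or mount it
        #   from a Secret) rather than disabling the key.
        command: ["zap.sh", "-daemon", "-port", "8090", "-host", "0.0.0.0",
                  "-config", "api.addrs.addr.name=.*",
                  "-config", "api.addrs.addr.regex=true",
                  "-config", "api.key=REPLACE_WITH_LONG_RANDOM_KEY"]
        ports:
        - containerPort: 8090
---
apiVersion: v1
kind: Service
metadata:
  name: zap-proxy-service
  namespace: infra
  labels:
    name: zap
spec:
  type: NodePort
  selector:
    name: zap
  ports:
  - port: 8090         # Service port inside the cluster
    targetPort: 8090   # container port ZAP listens on
    nodePort: 30103    # port exposed on each node
    protocol: TCP
  # Placeholder: the address clients actually use (e.g. the minikube VM IP).
  # Adding it here is the workaround from this thread so that requests arriving
  # on the node address are accepted as API requests rather than proxied onward.
  externalIPs:
  - 192.0.2.10
```

Apply with `kubectl apply -f` and then request http://192.0.2.10:30103/JSON/core/view/version/ with the `X-ZAP-API-Key` header (or `apikey` query parameter) set to the chosen key; a timeout or a proxied-connection error at this point indicates the same Host/port mismatch the thread diagnoses, while an API-key error means the request reached ZAP's API handler and only the key is wrong.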

Simon Bennetts

May 25, 2017, 11:50:12 AM
to OWASP ZAP User Group
Glad it's working for you, and thanks for letting us know :)

Gavin kelly

May 29, 2017, 10:16:40 AM
to OWASP ZAP User Group
Back again!! Just a follow-up :)

OK, so I was playing around a bit more with this and got the following error on our Kubernetes instance, which is behind a HAProxy (Synapse), when using NodePort configurations (Kubernetes) and bindings (listen) in HAProxy.
I see there is a config flag for NAT, but only for AWS? https://github.com/zaproxy/zap-core-help/wiki/HelpUiDialogsOptionsLocalproxy

Don't know if there are plans to address this, but as stated before the workaround of specifying the external IP works for this; I don't know, to be honest, if this is the workaround or the fix :)
So for now we are leaving the ZAP proxy out of our HAProxy config and letting the service file take care of the IP/port configuration. Thanks

thc...@gmail.com

May 29, 2017, 10:32:54 AM
to zaprox...@googlegroups.com
Feel free to raise an issue; we can allow specifying the domains/addresses that the ZAP API will be served from (probably more straightforward than having ZAP automatically determine the public/external IP address in all cases).

Best regards.
>>> returned in the browser that *is* connected to the proxy on 30103
>>> 2. http://host:8090/ on browser connected to proxy on 30103 results in
>>> the exception
>>> 3. http://host:30103/OTHER/core/other/htmlreport on other browser *not* connected

Anoop Philip

Aug 10, 2017, 5:20:00 PM
to OWASP ZAP User Group
Hey Gavin,

I'm trying to set up ZAP in a Kubernetes cluster.

I created the service file without externalIPs, then port-forwarded zap-proxy to my local machine, and it seems I can access it locally on http://127.0.0.1:8070/, where 8070 is the port used while port-forwarding.
But when I expose it publicly instead of port-forwarding, I can't access it through the IP address. Do you have any suggestions?
kubectl expose rc zap-proxy --name=zap-proxy-external --labels="app=zap-proxy,external=true" --type=LoadBalancer

Thanks
Anoop

Gavin kelly

Aug 11, 2017, 3:34:41 AM
to OWASP ZAP User Group
Hi Anoop,

Have you tried type NodePort?

--type=NodePort

Then you can do

kubectl describe services example-service

and this should return the information you want for the connection.

Example:

Name:                   example-service
Namespace:              default
Labels:                 run=load-balancer-example
Selector:               run=load-balancer-example
Type:                   NodePort
IP:                     10.32.0.16
Port:                   <unset> 8080/TCP
NodePort:               <unset> 31496/TCP
Endpoints:              10.200.1.4:8080,10.200.2.5:8080
Session Affinity:       None

Anoop Philip

Aug 11, 2017, 10:01:54 AM
to OWASP ZAP User Group
Thanks for your reply.

Yeah, I tried the NodePort type as well and here is the result:

kubectl describe services zap-proxy-service

Name:                   zap-proxy-service
Namespace:              default
Labels:                 app=zap-proxy
Annotations:            <none>
Selector:               app=zap-proxy
Type:                   NodePort
IP:                     10.35.251.33
Port:                   <unset> 8070/TCP
NodePort:               <unset> 30103/TCP
Endpoints:              10.32.1.5:8070
Session Affinity:       None
Events:                 <none>

but I couldn't connect to 10.35.251.33:30103

NOTE - I used a ReplicationController instead of a Deployment; I don't think it makes any difference.


-anoop

Gavin kelly

Aug 11, 2017, 10:10:01 AM
to OWASP ZAP User Group
Yes, it sounds like you are running into the same issue as I did before.

When ZAP is running locally and being accessed locally it is able to tell the difference between the port requests; however, when this is switched to an external range it does not work.

Sorry, I forgot I never updated here with the issue I raised with the team: https://github.com/zaproxy/zaproxy/issues/3594

Anoop Philip

Aug 11, 2017, 2:28:32 PM
to OWASP ZAP User Group
Thanks! I'll keep an eye on that enhancement!

vipin premanand

Mar 15, 2018, 5:18:54 AM
to OWASP ZAP User Group
Hi,

I need a bit of guidance here. Could you give me a brief description of how you set up Kubernetes/Docker with the ZAP proxy? I want to plug it into Jenkins to run scans. Please advise how this can be exposed. I can access ZAP from within the VirtualBox VM but not from my computer. I am running a Windows machine with an Oracle VirtualBox VM running on top of it with a CentOS 7 OS, and now the ZAP proxy is running in a Kubernetes Docker container.