Accessing ZAP API running in Kubernetes


Patrick Meyer

Aug 7, 2023, 9:03:39 AM
to ZAP User Group
Hello! 
I have attempted to deploy ZAP into a Kubernetes cluster, and while setting it up, I've encountered a problem accessing the API on port 8090. 

The following are some of the templates I've used in relation to networking/deployment of the container.
 
deployment.yaml 
metadata:
  name: RELEASE-NAME-owasp-zap
  labels:
    helm.sh/chart: owasp-zap-0.1.0
    app.kubernetes.io/name: owasp-zap
    app.kubernetes.io/instance: RELEASE-NAME
    app.kubernetes.io/version: "2.13.0"
    app.kubernetes.io/managed-by: Helm
spec:
  revisionHistoryLimit: 3
  selector:
    matchLabels:
      app.kubernetes.io/name: owasp-zap
      app.kubernetes.io/instance: RELEASE-NAME
  template:
    metadata:
      annotations:
        prometheus.io/ignore: "true"
      labels:
        app.kubernetes.io/name: owasp-zap
        app.kubernetes.io/instance: RELEASE-NAME
    spec:
      securityContext:
        {}
      containers:
        - name: owasp-zap
          command: [ "zap-webswing.sh" ]
          securityContext:
            runAsUser: 1000
          image: "owasp/zap2docker-stable:2.13.0"
          imagePullPolicy: IfNotPresent
          ports:
            - name: http
              containerPort: 8080
              protocol: TCP
            - name: api
              containerPort: 8090
              protocol: TCP

... Omitted volume mounts and resources

I have two separate ingress objects, one for port 8080 with the ZAP GUI and another for API on port 8090.
The following template is for the API that is exposed on port 8090:
ingress-api.yaml
metadata:
  name: RELEASE-NAME-owasp-zap-api
  labels:
    helm.sh/chart: owasp-zap-0.1.0
    app.kubernetes.io/name: owasp-zap
    app.kubernetes.io/instance: RELEASE-NAME
    app.kubernetes.io/version: "2.13.0"
    app.kubernetes.io/managed-by: Helm
  annotations:
    kubernetes.io/ingress.class: traefik
spec:
  tls:
    - hosts:
        - "api.mydomain.com"
      secretName: api.mydomain.com
  rules:
    - host: "api.mydomain.com"
      http:
        paths:
          - path: /
            backend:
            serviceName: RELEASE-NAME-owasp-zap
            servicePort: 8090

Finally, I have made a service exposing the ports:
service.yaml
metadata:
  name: RELEASE-NAME-owasp-zap
  labels:
    helm.sh/chart: owasp-zap-0.1.0
    app.kubernetes.io/name: owasp-zap
    app.kubernetes.io/instance: RELEASE-NAME
    app.kubernetes.io/version: "2.13.0"
    app.kubernetes.io/managed-by: Helm
spec:
  type: ClusterIP
  ports:
    - name: http
      protocol: TCP
      port: 8080
      targetPort: 8080
    - name: api
      protocol: TCP
      port: 8090
      targetPort: 8090
  selector:
    app.kubernetes.io/name: owasp-zap
    app.kubernetes.io/instance: RELEASE-NAME

As seen in the deployment file, I've used webswing.sh to launch ZAP in my container, and additionally I'm using a modified webswing.config file to allow me to run it with the following arguments:

"launcherConfig" : {
  "args" : "-host 0.0.0.0 -port 8090 -config api.disablekey=true -config api.addrs.addr.name=.* -config api.addrs.addr.regex=true",
  "mainClass" : "org.zaproxy.zap.ZAP"
}

Afterwards, I checked in the GUI that the correct API settings have been set, which seems fine:
Screenshot_20230807_140817.png

Seemingly, this should allow me to connect to the API from any IP, but when I'm trying to curl to the API, from my machine connected to the cluster, I get the following:

curl https://api.mydomain.com
<html><body>Redirecting to https://api.mydomain.com/</body></html>

And when attempting to use the browser, I get the following error:
Screenshot_20230807_145636.png

As a small test, I attempted to curl from inside the container on port 8090, which gave me the front page of the API as expected, and at least shows me that there is an API to connect to.

So my question is, does anyone out there have any experience deploying ZAP into Kubernetes, and maybe have an idea what is going on here, or if something is missing from the configuration?

Thanks in advance! 
Patrick 

ricekot

Aug 8, 2023, 10:55:32 PM
to ZAP User Group
Hi,

Your traefik ingress file seems to be formatted incorrectly (serviceName and servicePort should be nested under backend), but that's probably a copy-paste issue.

One thing I'd suggest trying is to check all the redirect URLs, using something like
curl -v -L https://api.yourdomain.com/ 2>&1 | grep -i "^< location:"

You may also need to add an alias for your domain in the Network options.

Best regards,
Akshath
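The redirect check suggested above, as an added example that is neither the thread's nor the ZAP project's code: a small tracer that follows Location headers one hop at a time and reports a self-redirect loop (the symptom above, api.mydomain.com bouncing to api.mydomain.com/) instead of chasing it until curl's hop limit. The BROKEN_ZAP/FIXED_ZAP tables are constructed fixtures so the block runs offline; http_fetch is the fetcher to pass in against a live host.

```python
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Optional, Tuple

Fetcher = Callable[[str], Tuple[int, Optional[str]]]  # url -> (status, Location or None)

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse to follow redirects so every hop is observed individually."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None

def http_fetch(url: str) -> Tuple[int, Optional[str]]:
    """Real fetcher for a live host: one request, redirects not followed."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=10) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:  # 3xx surfaces here when not followed
        return err.code, err.headers.get("Location")

def trace_redirects(url: str, fetch: Fetcher, max_hops: int = 10) -> dict:
    """Walk the redirect chain hop by hop; report the chain, the final status
    (None if the walk stopped early) and whether a URL repeated (a loop)."""
    chain = []
    while True:
        if url in chain:
            return {"chain": chain + [url], "final_status": None, "loop": True}
        if len(chain) >= max_hops:
            return {"chain": chain, "final_status": None, "loop": False}
        chain.append(url)
        status, location = fetch(url)
        if location is None or not 300 <= status < 400:
            return {"chain": chain, "final_status": status, "loop": False}
        url = urllib.parse.urljoin(url, location)

# Constructed fixtures (not captured traffic) mimicking the thread: before the
# alias is added, ZAP answers the API host with a redirect back to itself.
BROKEN_ZAP = {
    "https://api.mydomain.com": (302, "https://api.mydomain.com/"),
    "https://api.mydomain.com/": (302, "https://api.mydomain.com/"),
}
FIXED_ZAP = {
    "https://api.mydomain.com": (302, "https://api.mydomain.com/"),
    "https://api.mydomain.com/": (200, None),
}

def table_fetch(table: dict) -> Fetcher:
    # Offline fetcher backed by one of the fixture tables above.
    return lambda url: table.get(url, (404, None))
```

Against a live host call trace_redirects("https://api.yourdomain.com", http_fetch); a loop result means the Host header is not yet recognised by ZAP.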

thc...@gmail.com

Aug 9, 2023, 2:11:50 AM
to zaprox...@googlegroups.com
Also worth checking if the HUD is enabled, that does redirects. (Though the alias will still be needed anyway.)

Best regards.

On 09/08/2023 03:55, ricekot wrote:
> Hi,
>
> Your traefik ingress file seems to be formatted incorrectly (serviceName
> and servicePort should be nested under backend), but that's probably a
> copy-paste issue.
>
> One thing I'd suggest trying is to check all the redirect URLs, using
> something like
> curl -v -L https://api.yourdomain.com/ 2>&1 | grep -i "^< location:"
>
> You may also need to add an alias for your domain in the Network options.
> See https://www.zaproxy.org/docs/desktop/addons/network/options/localservers/#aliases.
>
> Best regards,
> Akshath

Patrick Meyer

Aug 9, 2023, 3:33:29 AM
to ZAP User Group
Ahaa! Setting the alias worked! 

So for others, what I missed was adding the API domain to the alias list under:
Options > Network > Local Servers/Proxies > Aliases 

Screenshot_20230809_091959.png

I guess my only question now is why this is actually working, since I'm not that much of a networks guy yet.

But anyway, thanks for the help! This had me really stumped for days.
You guys rock!

Kind regards,
Patrick
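The same alias set declaratively in the webswing launcher arguments, as an added example rather than the thread's own config: an alias added through the Options dialog is written to config.xml in the ZAP home directory, so it is lost on a pod restart unless that directory sits on a persistent volume. The two network.localServers.aliases keys are assumed from the network add-on's option layout (check them against the Local Servers docs linked above); api.mydomain.com stands in for the real host.

```json
{
  "launcherConfig" : {
    "args" : "-host 0.0.0.0 -port 8090 -config api.disablekey=true -config api.addrs.addr.name=.* -config api.addrs.addr.regex=true -config network.localServers.aliases.alias(0).name=api.mydomain.com -config network.localServers.aliases.alias(0).enabled=true",
    "mainClass" : "org.zaproxy.zap.ZAP"
  }
}
```

With api.disablekey=true and api.addrs.addr.name=.* anything that can reach the ingress can drive the API unauthenticated, so for an internet-reachable host prefer -config api.key=<your-key> and a narrower address allow-list.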