Docker ZAP and Kubernetes: how to access from outside the ZAP container running behind Kubernetes Ingress


nuvo

Nov 28, 2019, 11:44:57 AM
to OWASP ZAP User Group
Hi All,

I am looking for someone who has experience with setting up ZAP in a Kubernetes environment using Ingress functionality.

Any help or suggestions are welcome!

Thanks in advance.
Best regards,
Nuvo

 

Spyros G

Nov 28, 2019, 11:59:58 AM
to zaprox...@googlegroups.com
Hey Nuvo,
What do you want to know specifically?
Also, what's your use case?

--
You received this message because you are subscribed to the Google Groups "OWASP ZAP User Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to zaproxy-user...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/zaproxy-users/250c1413-f66d-4d3a-ad6a-a3a9b1ccdcf2%40googlegroups.com.

nuvo

Nov 28, 2019, 12:23:11 PM
to OWASP ZAP User Group
Hi Spyros,

thanks for your reply! The basic idea is to use ZAP as a global proxy server for a group of testers/developers, so as to perform passive security scans during functional/regression tests.
Something like this:

- the ZAP Docker image runs as a container in Kubernetes;

- a Kubernetes Ingress exposes the ZAP URL and port outside the Kubernetes environment;

- the development team uses the ZAP URL and port as the proxy in their internet browser;

I am looking for YAML examples of the Ingress and Service configurations to use.

Thanks in advance for your help!
Best regards,
Nuvo



Spyros G

Nov 28, 2019, 12:49:54 PM
to zaprox...@googlegroups.com
Here's the pull request I've written for ZAP; it's waiting for the maintainers' approval.

I had to split the ZAP scripts to client and server. Your use case only uses the server so you need to use the deployment and service parts.

I haven't written an Ingress for it yet, but you can customise this Ingress (or contribute one :-) ):
It's pretty standard, from the official Kubernetes docs.

Let me know if you have any questions; we've been using a heavier version of this for some time now.




nuvo

Nov 28, 2019, 5:47:57 PM
to OWASP ZAP User Group
Hi Spyros,

thank you very much for the link ... it looks very interesting! It would be great if your suggested approach were included as a standard feature of ZAP!

In our case, I think the issue lies in the Ingress configuration. We use the standard Nginx Ingress Controller with the following settings in the NGINX configuration file "/etc/nginx/conf.d/kubernetes_ssl.conf":

        location /zap/ {
             proxy_pass http://127.0.0.1:30421/;
             add_header X-Forwarded-Prefix "/zap" always;
             proxy_set_header X-Forwarded-Prefix "/zap";
        }

A very similar setup to the Nginx setup shown above is also used successfully to expose a web application outside the Ingress.

However, when we try to access ZAP from outside Kubernetes, by using a URL like "https://<kubernetes_ingress_ip>/zap/", we get the following error message:

ZAP Error [java.net.ConnectException]: Connection refused (Connection refused)

Stack Trace:
java.net.ConnectException: Connection refused (Connection refused)
	at java.net.PlainSocketImpl.socketConnect(Native Method)
	at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350)
	at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206)
	at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188)
	at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)
	at java.net.Socket.connect(Socket.java:589)
	at sun.reflect.GeneratedMethodAccessor4.invoke(Unknown Source)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:498)
	at org.apache.commons.httpclient.protocol.ReflectionSocketFactory.createSocket(ReflectionSocketFactory.java:140)
	at org.apache.commons.httpclient.protocol.DefaultProtocolSocketFactory.createSocket(DefaultProtocolSocketFactory.java:125)
	at org.apache.commons.httpclient.HttpConnection.open(HttpConnection.java:728)
	at org.apache.commons.httpclient.MultiThreadedHttpConnectionManager$HttpConnectionAdapter.open(MultiThreadedHttpConnectionManager.java:1361)
	at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:449)
	at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:201)
	at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:397)
	at org.parosproxy.paros.network.HttpSender.executeMethod(HttpSender.java:418)
	at org.parosproxy.paros.network.HttpSender.runMethod(HttpSender.java:653)
	at org.parosproxy.paros.network.HttpSender.send(HttpSender.java:609)
	at org.parosproxy.paros.network.HttpSender.sendAuthenticated(HttpSender.java:585)
	at org.parosproxy.paros.network.HttpSender.sendAuthenticated(HttpSender.java:573)
	at org.parosproxy.paros.network.HttpSender.sendAndReceive(HttpSender.java:478)
	at org.parosproxy.paros.network.HttpSender.sendAndReceive(HttpSender.java:448)
	at org.parosproxy.paros.core.proxy.ProxyThread.processHttp(ProxyThread.java:564)
	at org.parosproxy.paros.core.proxy.ProxyThread.run(ProxyThread.java:335)
	at java.lang.Thread.run(Thread.java:748)


By looking at the error message, it looks like the outside request arrives at ZAP but something goes wrong after that.


I have added below the deployment files currently used for the ZAP container and service.
Can you please have a look and let me know if you spot something wrong?

Many thanks in advance!
Best regards,
Nuvo


### service.yaml ###

apiVersion: v1
kind: Service
metadata:
  name: zap
spec:
  selector:
    run: zap-global
  ports:
  - port: 8094
    targetPort: 8094
  type: NodePort


### zap-deployment.yaml ###

apiVersion: apps/v1
kind: Deployment
metadata:
  name: zap-global
spec:
  replicas: 1
  selector:
    matchLabels:
      run: zap-global
  template:
    metadata:
      labels:
        run: zap-global
    spec:
      containers:
        - name: zap-global
          command: ["zap.sh", "-daemon", "-port", "8094", "-host", "0.0.0.0", "-config", "api.disablekey=true", "-config", "api.addrs.addr.name=.*", "-config", "api.addrs.addr.regex=true"]
          image: owasp/zap2docker-weekly
          imagePullPolicy: Always
          ports:
            - containerPort: 8094
              protocol: TCP
          lifecycle:
            postStart:
              exec:
                command: ["/bin/sh", "-c", "mkdir /zap/wrk"]





Spyros G

Nov 29, 2019, 4:51:56 AM
to zaprox...@googlegroups.com, psiinon
I can confirm ZAP is crashing with the Ingress use case; for me it doesn't print the stack trace, which is probably due to the pod being cleared up before the messages get printed.
The exception is thrown when ZAP tries to process headers, so (unlikely) maybe it's the extra headers?
Can you please try with the simplest Ingress possible?
Something like the following:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: zap-ingress
spec:
  rules:
  - host: host.local
    http:
      paths:
      - path: /
        backend:
          serviceName: zap-svc
          servicePort: 8094



@Simon Bennetts it is this thing here that drops connections, got any hints?







thc...@gmail.com

Nov 29, 2019, 5:19:46 AM
to zaprox...@googlegroups.com
That's the expected behaviour when ZAP is unable to connect to a server.

If the messages forwarded to ZAP using "https://<kubernetes_ingress_ip>/zap/" are intended to access the ZAP API, then you need to rewrite the URL to match the address/port ZAP is listening/bound to (or to use the zap domain); otherwise ZAP will handle the request as any other request being proxied and try to forward it (in vain).

Best regards.

nuvo

Dec 3, 2019, 8:47:06 AM
to OWASP ZAP User Group
@thc202

thank you for your feedback! Sorry for the late reply, but I was away for a couple of days.

I think I understand what you mean ... I will try to use the current ZAP URL (https://<kubernetes_ingress_ip>/zap/) as the proxy URL in Firefox and see if that works.
However, I am not sure what the URL should look like if I want to access the ZAP API from outside the Kubernetes environment, like this



Thanks in advance for your help!
Best regards,
Nuvo

thc...@gmail.com

Dec 3, 2019, 9:35:01 AM
to zaprox...@googlegroups.com
I think it doesn't matter as long as you rewrite the request before it reaches ZAP; you should just need to change the domain to "zap", and then ZAP will know that the request is for the ZAP API.

Best regards.
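One way to do the rewrite thc202 describes in this and the previous reply, as an added example that is not configuration from the thread: an ingress-nginx Ingress that strips the "/zap" prefix and sets the upstream Host header to "zap", so ZAP answers from its API instead of trying to proxy the request onward. It targets the Service named "zap" on port 8094 from the service.yaml posted above; the hostname and the allowed source CIDR are assumptions.

```yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: zap-ingress
  annotations:
    # Strip the "/zap" prefix before the request reaches ZAP:
    # "/zap/JSON/core/view/version/" arrives as "/JSON/core/view/version/".
    nginx.ingress.kubernetes.io/use-regex: "true"
    nginx.ingress.kubernetes.io/rewrite-target: /$2
    # Send "Host: zap" to the backend. Without this the Host header names the
    # upstream address, and ZAP treats the request as one to be proxied,
    # which is what produced the "Connection refused" in the thread.
    nginx.ingress.kubernetes.io/upstream-vhost: zap
    # The deployment above runs with api.disablekey=true, so limit which
    # client networks can reach the API at all (CIDR is an assumed value).
    nginx.ingress.kubernetes.io/whitelist-source-range: "10.0.0.0/8"
spec:
  rules:
  - host: host.local          # assumed hostname
    http:
      paths:
      - path: /zap(/|$)(.*)   # $2 is everything after "/zap/"
        backend:
          serviceName: zap    # Service from service.yaml above
          servicePort: 8094
```

Once applied, opening https://<kubernetes_ingress_ip>/zap/JSON/core/view/version/ should return the ZAP API's JSON version response rather than a connection error.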

nuvo

Dec 3, 2019, 11:16:42 AM
to OWASP ZAP User Group
@Spyros

thanks for the suggestion. I will ask the person managing the Kubernetes environment to test your suggested Ingress.

Not sure if they will agree to test it though :(
Will keep you posted!







nuvo

Dec 5, 2019, 7:08:15 AM
to OWASP ZAP User Group
@thc202

Can you please provide an example of what you mean?

What should the URL be if I want to open the ZAP API page in the browser?

Thanks in advance!