Overview

The Data Theorem API Protect Gloo Edge agent can be deployed to one or several Kubernetes clusters to monitor and collect data about incoming API requests. The data is then sent to Data Theorem’s platform for further analysis, to automatically discover APIs and detect attacks.

Deployment

Deploying the agent requires a configured Gloo Edge installation and the zip archive you should receive during onboarding.

If you haven’t received the zip archive yet, please contact support@datatheorem.com.

These instructions will enable traffic mirroring for selected incoming requests; the mirrored requests are sent to Data Theorem’s traffic analyzer services.

Installation

Step 1 : Extract all the items which you should receive during the onboarding process.

Code Block
unzip DataTheorem-APIProtect-GLOO.zip

Step 2 : Verify you are configured for the correct Kubernetes cluster

kubectl config current-context

Step 3 : Install the API Protect

...

Code Block
helm install network-analyzer \
    ./network_analyzer        \
    --create-namespace        \
    --namespace datatheorem   \
    --set bearerToken=$(cat .some-file-with-bearer-token)

Step 4 : Now you should have some Kubernetes services/pods looking like this:

Code Block
kubectl -n datatheorem get pods
NAME                     READY   STATUS    RESTARTS   AGE
oas-f67f46fdb-6xwp8      1/1     Running   0          69s
ps-5c46f88c9d-rc4n7      1/1     Running   0          69s
redis-6b5d9949f8-lp59c   1/1     Running   0          69s
tds-977869565-9rxmz      1/1     Running   0          69s

Step 5 : Get the IP address of the ps-service and confirm that the output looks like an IP address.

Code Block
PS_SERVICE_ADDRESS=$(kubectl -n datatheorem get service ps-service | grep "ps-service" | xargs | cut -d" " -f3) && echo $PS_SERVICE_ADDRESS

Step 6 : Add the DataTheorem forwarding service.

Code Block
helm install forwarding-service  \
    ./forwarding_service         \
    --namespace datatheorem      \
    --set forwarding_address=http://${PS_SERVICE_ADDRESS}:8081
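
The visual check in step 5 can be scripted so that step 6 never receives a malformed address. The following is an added example, not part of Data Theorem's instructions: the function names are hypothetical, the sample kubectl output is constructed, and it assumes the cluster assigns IPv4 cluster IPs.

```shell
# Added example, not Data Theorem's code. Function names are hypothetical and
# the kubectl output below is constructed; IPv4 cluster IPs are assumed.

# Constructed `kubectl -n datatheorem get service ps-service` output.
SAMPLE_OK='NAME         TYPE        CLUSTER-IP     EXTERNAL-IP   PORT(S)    AGE
ps-service   ClusterIP   10.96.14.203   <none>        8081/TCP   69s'
# Constructed: a headless service shows "None" in the CLUSTER-IP column.
SAMPLE_HEADLESS='NAME         TYPE        CLUSTER-IP   EXTERNAL-IP   PORT(S)    AGE
ps-service   ClusterIP   None         <none>        8081/TCP   69s'

# Same column extraction as step 5, reading the kubectl output from stdin.
extract_cluster_ip() {
    grep "ps-service" | xargs | cut -d" " -f3
}

# Succeeds only for four dot-separated decimal octets in the range 0-255.
# The body is a subshell so IFS and the positional parameters stay local.
is_ipv4() (
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) exit 1 ;;
    esac
    IFS=.
    set -- $1
    [ $# -eq 4 ] || exit 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || exit 1
    done
)

# Prints the value for --set forwarding_address=..., or fails with nothing on
# stdout when the extracted field is empty, "None", or otherwise not an IP.
forwarding_address() (
    ip=$(extract_cluster_ip)
    if ! is_ipv4 "$ip"; then
        echo "ps-service address '${ip}' is not an IPv4 address; stopping" >&2
        exit 1
    fi
    echo "http://${ip}:8081"
)

# Usage against a live cluster:
#   FORWARDING_ADDRESS=$(kubectl -n datatheorem get service ps-service | forwarding_address) || exit 1
#   helm install forwarding-service ./forwarding_service \
#       --namespace datatheorem --set forwarding_address="${FORWARDING_ADDRESS}"
```

A missing service or a headless one leaves the extracted field empty or set to "None"; the function then stops before helm installs the forwarding service with an unusable address.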

...

for a given upstream

Find existing upstream configurations

glooctl get upstream

Step

...

4 : Choose an upstream to mirror and list its endpoints

...

e.g. "default-petstore-8080"

Add mirroring to the chosen endpoint. This step must be repeated for each endpoint.

Code Block
KUBE_UPSTREAM_NAMESPACE=default
KUBE_UPSTREAM_NAME=petstore
KUBE_UPSTREAM_PORT=8080
# Number the release from the line count of the helm list output (header line
# included); printf -v is a bash builtin, so run this in bash.
printf -v UPSTREAM_ID "%05d" $(helm -n datatheorem list --filter 'gloo-vtap-endpoint' | wc -l)
helm install "gloo-vtap-endpoint-${UPSTREAM_ID}" \
    ./gloo_vtap_endpoint        \
    --create-namespace          \
    --namespace datatheorem     \
    --set kubeUpstreamNamespace=${KUBE_UPSTREAM_NAMESPACE} \
    --set kubeUpstreamName=${KUBE_UPSTREAM_NAME}           \
    --set kubeUpstreamPort=${KUBE_UPSTREAM_PORT}

Step 9 : Verify the deployment

It should look something like this

Code Block
helm list -n datatheorem
NAME                      NAMESPACE   REVISION UPDATED                                 STATUS      CHART                       APP VERSION
gloo-vtap-endpoint-00001  datatheorem 1        2023-06-20 11:56:08.223009524 +0100 CET deployed    apiprotect_gloo_vtap-1.0.0  1.0.5
gloo-vtap-endpoint        datatheorem 1        2022-12-20 11:56:17.810092812 +0100 CET deployed    forwarding_service-1.0.0    1.0.5
network-analyzer          datatheorem 1        2022-12-20 11:55:27.323437972 +0100 CET deployed    apiprotect-1.0.0            1.16.0

Test the deployment

Code Block
helm test -n datatheorem gloo-vtap-endpoint-00001

Finished.