AWS ECS/EKS/Fargate

Install and attach K2's Java Language Agent to your Java application hosted on AWS ECS/EKS/Fargate for Runtime Application Self-Protection.

We assume that you have already successfully installed our K2 agents in your infrastructure.

Steps to protect a Java web application

Choose whichever of the following options is most convenient for protecting your application workloads.

Option 1:

  • This option assumes you are using Amazon EFS volumes.

    • Perform the Amazon EFS volume setup as mentioned here.

    • Mount the created ‘k2-volume-1-10-15-PRODUCTION’ EFS volume at /opt/k2-ic inside your application container using an AWS ECS task definition like the one below:

      {
        "containerDefinitions": [
          {
            "memory": 128,
            "portMappings": [
              {
                "hostPort": 80,
                "containerPort": 80,
                "protocol": "tcp"
              }
            ],
            "essential": true,
            "mountPoints": [
              {
                "containerPath": "/opt/k2-ic",
                "sourceVolume": "k2-volume-1-10-15-PRODUCTION"
              }
            ],
            "name": "application-container",
            "image": "nginx"
          }
        ],
        "volumes": [
          {
            "name": "k2-volume-1-10-15-PRODUCTION",
            "efsVolumeConfiguration": {
              "fileSystemId": "fs-1324abcd",
              "transitEncryption": "ENABLED"
            }
          }
        ],
        "family": "test-application"
      }

    • Attach the Java agent to any Java application by adding the following to its JVM arguments. If you use more than one JVM agent in your application, be sure to list the K2 Java Agent last in the JVM arguments:

      -javaagent:/opt/k2-ic/K2-JavaAgent-1.0.0-jar-with-dependencies.jar

      Note: If you are using Java 9 or above, make sure the java.sql module is added to your environment. To do this, add the JVM argument --add-modules java.sql to your application startup script.

    • To verify that the application is protected by K2 Prevent-Web, refer to the "Protected processes" subsection of the "Applications" page and locate the application by name and node IP. The host namespace PID (for a host application) or the container namespace PID (for a containerised application) can also be used to locate the protected application.

    • You can check your application in the Protected processes view under Applications on the K2 Portal. Alternatively, go to Applications | K2 Portal.
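The Option 1 settings above can be checked before a task definition is registered. The following Python check is an added example, not K2's or AWS's code; it assumes the JVM is started from the container's "command" list (the sample task definition on this page shows no JVM arguments), and the second agent path in the constructed sample is hypothetical.

```python
K2_DIR = "/opt/k2-ic"
K2_AGENT = "-javaagent:" + K2_DIR + "/K2-JavaAgent-1.0.0-jar-with-dependencies.jar"

def has_java_sql(jvm_args):
    """Accept '--add-modules java.sql' and '--add-modules=java.sql' (comma lists too)."""
    joined = " ".join(jvm_args).replace("--add-modules ", "--add-modules=")
    return any("java.sql" in t.split("=", 1)[1].split(",")
               for t in joined.split() if t.startswith("--add-modules="))

def check_task_definition(task_def, java9_or_above=True):
    """Return a list of findings; an empty list means every check passed."""
    findings, protected = [], 0
    volumes = {v.get("name"): v for v in task_def.get("volumes", [])}
    for c in task_def.get("containerDefinitions", []):
        name = c.get("name", "<unnamed>")
        # Assumption: the JVM is started from the container's "command" list.
        cmd = c.get("command", [])
        jvm_args = cmd[:cmd.index("-jar")] if "-jar" in cmd else cmd
        agents = [a for a in jvm_args if a.startswith("-javaagent:")]
        if K2_AGENT not in agents:
            continue  # this container does not load the K2 agent
        protected += 1
        if agents[-1] != K2_AGENT:
            findings.append(f"{name}: K2 agent is not the last -javaagent")
        if java9_or_above and not has_java_sql(jvm_args):
            findings.append(f"{name}: --add-modules java.sql is missing")
        mounts = [m for m in c.get("mountPoints", []) if m.get("containerPath") == K2_DIR]
        if not mounts:
            findings.append(f"{name}: no volume mounted at {K2_DIR}")
        for m in mounts:
            efs = volumes.get(m.get("sourceVolume"), {}).get("efsVolumeConfiguration")
            if efs is None:
                findings.append(f"{name}: {m.get('sourceVolume')} is not an EFS volume of this task")
            elif efs.get("transitEncryption") != "ENABLED":
                findings.append(f"{name}: EFS transit encryption is not ENABLED")
    if protected == 0:
        findings.append("no container loads the K2 Java agent")
    return findings

# Constructed sample: wrong agent order, no java.sql module, unencrypted EFS transit.
SAMPLE = {
    "containerDefinitions": [{
        "name": "application-container",
        "command": ["java", K2_AGENT, "-javaagent:/opt/other/agent.jar", "-jar", "app.jar"],
        "mountPoints": [{"containerPath": K2_DIR, "sourceVolume": "k2-volume-1-10-15-PRODUCTION"}],
    }],
    "volumes": [{"name": "k2-volume-1-10-15-PRODUCTION",
                 "efsVolumeConfiguration": {"fileSystemId": "fs-1324abcd"}}],
}
```

Run check_task_definition on the parsed task definition JSON in CI and fail the build when the returned list is not empty.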

Option 2:

  • This method is ideal when you do not want to use an extra AWS service such as EFS in your ECS/Fargate cluster. It therefore requires you to bake K2’s Language Collector into your application image via your CI/CD system.

    • For this, download the corresponding Language Collector with the following command:

      sudo wget -O K2-JavaAgent-1.0.0-jar-with-dependencies.jar 'k2io.net/centralmanager/api/v1/help/installers/1.10.15/download/1047/300798214849606118866495933316568994702/vm-all.zip?agent_name=java&groupName=PRODUCTION&agentDeploymentEnvironment=PRODUCTION&pullPolicyRequired=true'

    • Once downloaded, place the extracted contents inside your application’s image at /opt/k2-ic.

    • With this modified application image, create a pod and attach the Java agent to your Java application by adding the following to its JVM arguments:

      -javaagent:/opt/k2-ic/K2-JavaAgent-1.0.0-jar-with-dependencies.jar

      Note: If you are using Java 9 or above, make sure the java.sql module is added to your environment. To do this, add the JVM argument --add-modules java.sql to your application startup script.

    • To verify that the application is protected by K2 Prevent-Web, refer to the "Protected processes" subsection of the "Applications" page and locate the application by name and node IP. The host namespace PID (for a host application) or the container namespace PID (for a containerised application) can also be used to locate the protected application.

    • You can check your application in the Protected processes view under Applications on the K2 Portal. Alternatively, go to Applications | K2 Portal.
