Configuring Sensor Auto Scaling and Scan Scaling

Optionally, you can configure sensor auto scaling and scan scaling for a sensor pool on the Scan Scaling page.

Important! When sensor auto scaling is configured, the DAST Global Service manages the scaling of sensors within your Kubernetes environment. However, to configure scan scaling, you must first configure a WebInspect Script Engine (WISE) cluster in Kubernetes. For more information about scan scaling, see Integrating with Kubernetes for Scan Scaling.

Understanding Sensor Auto Scaling

When creating or editing a sensor pool, you can configure sensor auto scaling for the pool. Sensor auto scaling applies only to sensors that are installed in your Kubernetes environment. These sensors are known as “scaled” or “scalable” sensors.

When sensor auto scaling is enabled for the sensor pool and a scan is queued, the DAST Global Service checks the number of running instances of a sensor. If the number of running instances is less than the maximum number of replicas specified in the sensor auto scaling settings, the DAST Global Service creates a Kubernetes job that starts the container, runs the scan, and shuts down the container.

If a sensor is in the sensor pool but has been configured outside of Kubernetes, and the sensor is online and available, ScanCentral DAST will use this sensor rather than sensor auto scaling. Sensors that are configured outside of Kubernetes are known as “fixed” sensors.

Important Information about Privileges for Service Account Tokens

Configuring sensor auto scaling requires the use of an access token for the Kubernetes environment. Ensure that the token does not have rights to create namespaces. Allowing the creation of namespaces might create a privilege escalation vulnerability in Kubernetes.
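The following manifest is an added example, not part of this documentation or of the ScanCentral DAST product, of how to give the account behind that access token only what the job-based scaling described above needs. It binds a namespace-scoped Role (never a ClusterRole) to a service account, so the token it issues cannot create namespaces or touch anything outside the sensor namespace. The namespace and account names (dast-sensors, dast-global-service) and the exact resource and verb list are assumptions; adjust them to what your deployment actually requires.

```yaml
# Added example: least-privilege RBAC for the account that the DAST Global
# Service authenticates with. Names and verbs are assumptions, not values
# taken from the ScanCentral DAST documentation.
apiVersion: v1
kind: Namespace
metadata:
  name: dast-sensors
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: dast-global-service
  namespace: dast-sensors
---
# A Role is bound to one namespace. A ClusterRole with the same rules, or
# any rule on the cluster-scoped "namespaces" resource, would let the token
# holder escape this namespace, which is the privilege escalation the
# documentation warns about.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: dast-sensor-jobs
  namespace: dast-sensors
rules:
  # Create, inspect and clean up the per-scan sensor jobs.
  - apiGroups: ["batch"]
    resources: ["jobs"]
    verbs: ["create", "get", "list", "watch", "delete"]
  # Observe the sensor pods that those jobs start (read-only).
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["pods/log"]
    verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: dast-sensor-jobs
  namespace: dast-sensors
subjects:
  - kind: ServiceAccount
    name: dast-global-service
    namespace: dast-sensors
roleRef:
  kind: Role
  name: dast-sensor-jobs
  apiGroup: rbac.authorization.k8s.io
```

After applying the manifest, confirm the boundary with kubectl's impersonation check: `kubectl auth can-i create namespaces --as=system:serviceaccount:dast-sensors:dast-global-service` must answer "no", while `kubectl auth can-i create jobs -n dast-sensors --as=system:serviceaccount:dast-sensors:dast-global-service` must answer "yes". If the first check answers "yes", look for a ClusterRoleBinding (for example to cluster-admin or edit) that also targets the account.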

Configuring Sensor Auto Scaling

Configure sensor auto scaling in the SENSOR AUTO SCALING area as follows:

  1. Slide the Disabled-Enabled toggle to Enabled.

  2. In the Host box, enter the host URL for the Kubernetes environment.

  3. Configure an access token for the Kubernetes environment according to the following table.

    To read the token from the default path in Kubernetes:

      1. In the Access Token Type list, select Default Service Account Token.

      Important! The Default Service Account Token is not supported on Windows.

    To specify the path to the token in the container:

      Note: Use this option if auto-mounting of the service account token is disabled or if the token is located at a different path.

      1. In the Access Token Type list, select Service Account Token Path.

      2. In the Access Token box, enter the path to the token.

        Example:

        /var/run/secrets/tokens/my-token

    To specify a long-lived access token:

      1. In the Access Token Type list, select Static API Token.

      2. In the Access Token box, enter the token.

  4. Optionally, in the Job Namespace box, enter the namespace that Kubernetes should use for the sensor jobs.

    Note: If you do not provide a namespace, then Kubernetes will use the default namespace.

  5. In the Maximum Replicas list, enter the maximum number of sensor replicas that can be run in this pool in the Kubernetes environment.

    Note: The minimum number of replicas allowed is 1.

  6. In the Job Template list, select a template to use for sensor scaling. For more information, see Working with Auto Scale Job Templates.
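The Service Account Token Path option in step 3 assumes that the container holding the DAST Global Service has a token at the path you enter. The pod spec below is an added example, not from this documentation or from the ScanCentral DAST product, showing one way to produce that layout: the default automount is switched off and a projected, short-lived service account token is mounted at the documentation's example path, /var/run/secrets/tokens/my-token. The pod and account names, the namespace, the container image placeholder and the token lifetime are assumptions.

```yaml
# Added example: a projected service account token at a non-default path,
# matching the "Service Account Token Path" option. Names, namespace and
# image are assumptions; replace the image placeholder with your own.
apiVersion: v1
kind: Pod
metadata:
  name: dast-global-service
  namespace: dast-sensors
spec:
  serviceAccountName: dast-global-service
  # No token at /var/run/secrets/kubernetes.io/serviceaccount, so the
  # Default Service Account Token option would not work for this pod.
  automountServiceAccountToken: false
  containers:
    - name: dast-global-service
      image: PLACEHOLDER_DAST_GLOBAL_SERVICE_IMAGE
      volumeMounts:
        - name: sa-token
          mountPath: /var/run/secrets/tokens   # token file: /var/run/secrets/tokens/my-token
          readOnly: true
  volumes:
    - name: sa-token
      projected:
        sources:
          - serviceAccountToken:
              path: my-token
              # The kubelet rotates the token before it expires, so a
              # leaked file is useful to an attacker for at most this long.
              expirationSeconds: 3600
```

A projected token of this kind expires and is rotated by the kubelet, which is the main reason to prefer the Service Account Token Path option over a Static API Token: a static token is a long-lived credential that must be revoked by hand if it is ever exposed. The path entered in the Access Token box is /var/run/secrets/tokens/my-token, the mount path joined with the projected file name.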

Configuring Scan Scaling

Important! We recommend that scan queues be empty before modifying scan scaling settings.

Configure scan scaling in the SCAN SCALING area as follows:

  1. Slide the Disabled-Enabled toggle to Enabled.

  2. In the Host box, enter the Kubernetes ingress host URL that was configured when the WISE cluster was deployed in Kubernetes. The URL uses the WebSocket protocol, for example ws://<wise-cluster-ingress-hostname>/.

  3. In the Authorization Token box, enter the token that the sensor uses to authenticate to the WISE Kubernetes cluster.

    Tip: This user-specified token is the value that was set with the --set wise.authtoken option during the WISE Helm installation.

  4. Do one of the following:

    • To allow ScanCentral DAST to scale the number of script engine pools to match the number of crawl and audit threads in the scan, select the Automatically set script engines per scan check box.

    • To specify a maximum number of script engine pools per scan, clear the Automatically set script engines per scan check box, and then enter a number in the Maximum script engines per scan box.

      Tip: If your Kubernetes cluster has limited resources, setting the Maximum script engines per scan limits the amount of resources used in scan scaling and avoids having one or two scans consume all of your resources.

What's Next?

After you configure sensor auto scaling and scan scaling, do the following:

  1. Click Review in the menu or click NEXT.

    Review your sensor pool settings.

  2. Click SAVE.

    The pool is added to the Sensor Pools list.