crowdsecurity / helm-charts

CrowdSec community kubernetes helm charts
MIT License

Bug: auto registration not working for appsec #203

Open TimP4w opened 12 hours ago

TimP4w commented 12 hours ago

Not sure if it's a misconfiguration or an actual bug, however appsec auto-registration fails all the time and I have to manually validate it via cscli.

The issue is that being a deployment, every time a new pod is created it needs to be revalidated manually. Is this the desired behaviour or a bug?

This is the log I get:

    time="2024-11-24T16:55:04Z" level=fatal msg="unable to start crowdsec routines: authenticate watcher (security-crowdsec-appsec-b8ff487bd-kjl4z): API error: machine security-crowdsec-appsec-b8ff487bd-kjl4z not validated"

My values.yaml:

    container_runtime: containerd
    agent:
      acquisition:
        - namespace: network
          podName: traefik-*
          program: traefik
          poll_without_inotify: true
        - namespace: authentik
          podName: authentik-*
          program: authentik
          poll_without_inotify: true
        - namespace: homeassistant
          podName: homeassistant-*
          program: home-assistant
          poll_without_inotify: true
      metrics:
        enabled: true
        serviceMonitor:
          enabled: true
          additionalLabels:
            app.kubernetes.io/component: monitoring
      env:
        - name: PARSERS
          value: "crowdsecurity/cri-logs crowdsecurity/whitelists"
        - name: COLLECTIONS
          value: "crowdsecurity/linux crowdsecurity/traefik crowdsecurity/home-assistant firix/authentik"

    lapi:
      metrics:
        enabled: true
        serviceMonitor:
          enabled: true
          additionalLabels:
            app.kubernetes.io/component: monitoring
      env:
        - name: ENROLL_KEY
          value: "<enroll key>"
        - name: ENROLL_INSTANCE_NAME
          value: "..."
        - name: ENROLL_TAGS
          value: "..."
        - name: BOUNCER_KEY_traefik
          value: "..."

    appsec:
      enabled: true
      acquisitions:
        - source: appsec
          listen_addr: "0.0.0.0:7422"
          path: /
          appsec_config: crowdsecurity/appsec-default
          labels:
            type: appsec
      env:
        - name: COLLECTIONS
          value: "crowdsecurity/appsec-virtual-patching crowdsecurity/appsec-generic-rules"
        - name: APPSEC_CONFIGS
          value: "crowdsecurity/appsec-default"

I can see that the secret crowdsec-lapi-secrets exists and is attached to the pod, and the wait-for-lapi-and-register job succeeds and registers appsec with the local LAPI:

    level=info msg="Successfully registered to Local API (LAPI)"
    level=info msg="Local API credentials written to '/etc/crowdsec/local_api_credentials.yaml'"
    level=warning msg="Run 'sudo systemctl reload crowdsec' for the new configuration to be effective."

However, cscli machine list shows it as not validated:

    security-crowdsec-lapi-69668bb5db-6cngc:/# cscli machine list
    ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
     Name                                       IP Address   Last Update           Status  Version  OS  Auth Type  Last Heartbeat
    ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
     ...
     security-crowdsec-appsec-b8ff487bd-kjl4z   10.42.2.30   2024-11-24T16:54:59Z  🚫               ?   password   ⚠️ -
    ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
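One way to handle the re-validation step described in this post without blindly accepting every pending machine, as an added example that is not part of the helm-charts project: select only the unvalidated machines whose name matches the appsec Deployment's pod-name pattern and whose recorded IP sits inside the cluster pod network, then hand just those to `cscli machines validate`. The JSON field names (`machineId`, `ipAddress`, `isValidated`), the 10.42.0.0/16 pod CIDR and the sample listing are assumptions constructed for this example.

```python
import ipaddress
import json
import re
import subprocess

# Deployment pod names look like <deployment>-<replicaset hash>-<5-char suffix>;
# the prefix is taken from the pod name in the issue's log line.
APPSEC_POD_RE = re.compile(r"^security-crowdsec-appsec-[0-9a-f]+-[0-9a-z]{5}$")
POD_CIDR = "10.42.0.0/16"  # assumed cluster pod network; adjust to yours

# Constructed sample in the shape of `cscli machines list -o json` (not real output;
# the field names are an assumption about cscli's JSON).
SAMPLE_MACHINES_JSON = json.dumps([
    {"machineId": "security-crowdsec-agent-x7k2q", "ipAddress": "10.42.1.5",
     "isValidated": True, "auth_type": "password"},
    {"machineId": "security-crowdsec-appsec-b8ff487bd-kjl4z", "ipAddress": "10.42.2.30",
     "isValidated": False, "auth_type": "password"},
    {"machineId": "security-crowdsec-appsec-b8ff487bd-old01", "ipAddress": "10.42.2.12",
     "isValidated": False, "auth_type": "password"},
    {"machineId": "security-crowdsec-appsec-b8ff487bd-zzzzz", "ipAddress": "203.0.113.9",
     "isValidated": False, "auth_type": "password"},
])

def pending_appsec_machines(machines_json, name_re=APPSEC_POD_RE, pod_cidr=POD_CIDR):
    """Names of unvalidated machines that look like appsec pods on the pod network."""
    # Any client that can reach the LAPI can register a pending machine, which is
    # what validation gates; so filter on both the name pattern and the source IP.
    net = ipaddress.ip_network(pod_cidr)
    selected = []
    for m in json.loads(machines_json):
        if m.get("isValidated"):
            continue
        try:
            ip = ipaddress.ip_address(m.get("ipAddress", ""))
        except ValueError:
            continue  # no usable IP recorded yet
        name = m.get("machineId", "")
        if name_re.match(name) and ip in net:
            selected.append(name)
    return selected

def validate_commands(names):
    """The manual step from the issue, one argv per machine: cscli machines validate <name>."""
    return [["cscli", "machines", "validate", n] for n in names]

if __name__ == "__main__":  # live mode: run inside the LAPI pod (e.g. via kubectl exec)
    listing = subprocess.run(["cscli", "machines", "list", "-o", "json"],
                             capture_output=True, text=True, check=True).stdout
    for argv in validate_commands(pending_appsec_machines(listing)):
        subprocess.run(argv, check=True)
```

The machine on 203.0.113.9 is deliberately left pending even though its name fits the pattern, which is the point of keeping the IP check.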
github-actions[bot] commented 12 hours ago

@TimP4w: Thanks for opening an issue, it is currently awaiting triage.

If you haven't already, please provide the following information:

In the meantime, you can:

  1. Check Crowdsec Documentation to see if your issue can be self resolved.
  2. You can also join our Discord.
  3. Check Releases to make sure your agent is on the latest version.
I am a bot created to help the [crowdsecurity](https://github.com/crowdsecurity) developers manage community feedback and contributions. You can check out my [manifest file](https://github.com/crowdsecurity/helm-charts/blob/main/.github/governance.yaml) to understand my behavior and what I can do. If you want to use this for your project, you can check out the forked project [rr404/oss-governance-bot](https://github.com/rr404/oss-governance-bot) repository.
github-actions[bot] commented 12 hours ago

@TimP4w: There is no 'kind' label on this issue. You need a 'kind' label to start the triage process.
