How to mitigate security threats with CrowdSec in Kubernetes using Traefik
How to integrate CrowdSec into K8s with Traefik as an ingress controller to mitigate security threats.
Previously we published two articles (part 1 and part 2) covering the Kubernetes CrowdSec integration with Nginx as the ingress controller. Now we will explain how to integrate CrowdSec into a k8s cluster with Traefik as the ingress controller to raise the level of security.
In this article, we'll set up a k8s cluster locally using Kind and set up ingress with the Traefik ingress controller. The latter acts as a modern HTTP reverse proxy and load balancer that simplifies the deployment of microservices. Then we will install CrowdSec to parse the Traefik ingress logs, and install the CrowdSec Traefik bouncer to remediate attacks on the ingress controller.
Before we dive into the tutorial, we invite you to join our webinar with Traefik Labs, where we will show you how to integrate CrowdSec into your Kubernetes cluster with Traefik as an ingress controller to detect and remediate security threats. You will get a chance to ask the CrowdSec team any questions you may have. Register here.
Before you start this step-by-step guide, make sure you have:
If you are ready, let's get started!
Deploying K8s cluster
Kind cluster configuration kind.yaml
Create kind cluster:
Deploying Traefik Ingress Controller
Traefik Ingress helm values ingress-traefik-kind-values.yaml
Install Traefik Ingress:
Microservice example app (HelloWorld)
Helloworld app helm values configuration helloworld-values.yaml:
Install the helloworld app (included in the CrowdSec helm charts repo):
Don't forget to edit /etc/hosts to be able to access the helloworld app:
Then try to access it:
Before installing CrowdSec, let's create an account and log in to the Console, an easy-to-use web interface for inspecting the signals of multiple CrowdSec agents spread across different networks, so that we get a better view of our alerts.
To link our CrowdSec instance to the Console, we need to enroll it. Once connected, retrieve the enrollment key from the Console by clicking on "add instance", then copy the enrollment key provided (see the screenshot below).
In our example, we'll set the instance_name to k8s_cluster and add some tags (linux, k8s, test) so that our instance is easy to find in the Console.
CrowdSec helm values configuration crowdsec-values.yaml
Install CrowdSec with Helm:
After installation, CrowdSec starts running, and if we go back to our Console we can see there is a new instance to accept (see the screenshot below).
Accept the instance and restart the crowdsec-lapi-* pod so that the signals start to appear in the Console.
We will now try to attack the helloworld app and see whether CrowdSec detects the attack and raises a ban against it.
Let's attempt the attack using nikto:
Then get a shell on the crowdsec-lapi pod and check whether there is a decision:
We can see that CrowdSec detected multiple attacks (it only shows the last attack type). Using the Console, we can already see the alerts (see the screenshot below).
Since the cluster is installed locally, we see a private IP in the alerts.
Now we need to block this IP on the Traefik ingress controller. Still in the crowdsec-lapi shell, generate a bouncer API key:
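To make concrete what the CrowdSec agent extracts from the Traefik ingress logs, here is an added example (not CrowdSec project code, and not the real http-probing scenario) that parses Traefik JSON access-log lines and flags a client IP that produces a burst of client-error responses inside a sliding window. The log lines are constructed, and the window and threshold are chosen for illustration; the field names (ClientHost, StartUTC, DownstreamStatus, RequestPath) are Traefik's own JSON access-log fields.

```python
"""Toy "HTTP probing" detector over Traefik JSON access-log lines.

Added example, not CrowdSec project code. It mirrors the idea behind the
crowdsecurity/http-probing scenario (count client-error responses per
client IP inside a sliding time window). WINDOW_SECONDS and THRESHOLD are
assumptions for this example, not the real scenario's values.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timezone

WINDOW_SECONDS = 10   # assumption for this example
THRESHOLD = 5         # assumption for this example
PROBE_STATUSES = {400, 401, 403, 404, 405}

# Constructed sample log, shaped like Traefik's JSON access-log output.
# 10.244.0.1 (a kind-style private address) scans several non-existent paths;
# 10.244.0.7 is a normal client; the last line is deliberately malformed.
SAMPLE_LOG = [
    '{"ClientHost":"10.244.0.7","StartUTC":"2023-05-02T10:21:39.100000000Z","RequestMethod":"GET","RequestPath":"/","DownstreamStatus":200}',
    '{"ClientHost":"10.244.0.1","StartUTC":"2023-05-02T10:21:40.000000000Z","RequestMethod":"GET","RequestPath":"/admin/","DownstreamStatus":404}',
    '{"ClientHost":"10.244.0.1","StartUTC":"2023-05-02T10:21:40.500000000Z","RequestMethod":"GET","RequestPath":"/backup/","DownstreamStatus":404}',
    '{"ClientHost":"10.244.0.1","StartUTC":"2023-05-02T10:21:41.000000000Z","RequestMethod":"GET","RequestPath":"/old/","DownstreamStatus":404}',
    '{"ClientHost":"10.244.0.1","StartUTC":"2023-05-02T10:21:41.500000000Z","RequestMethod":"GET","RequestPath":"/test/","DownstreamStatus":403}',
    '{"ClientHost":"10.244.0.1","StartUTC":"2023-05-02T10:21:42.000000000Z","RequestMethod":"GET","RequestPath":"/cgi-bin/","DownstreamStatus":404}',
    '{"ClientHost":"10.244.0.1","StartUTC":"2023-05-02T10:21:42.500000000Z","RequestMethod":"GET","RequestPath":"/login","DownstreamStatus":404}',
    '{"ClientHost":"10.244.0.7","StartUTC":"2023-05-02T10:21:43.000000000Z","RequestMethod":"GET","RequestPath":"/healthz","DownstreamStatus":200}',
    'not json at all',
]


def parse_ts(value):
    """Parse Traefik's StartUTC (RFC 3339 with nanoseconds). Python's %f only
    takes microseconds, so the fractional part is trimmed/padded to 6 digits."""
    base, _, frac = value.rstrip("Z").partition(".")
    frac = (frac + "000000")[:6]
    return datetime.strptime(f"{base}.{frac}", "%Y-%m-%dT%H:%M:%S.%f").replace(tzinfo=timezone.utc)


def parse_line(line):
    """Return (timestamp, client_ip, status, path) for one JSON access-log line,
    or None when the line is not JSON or lacks the fields we need."""
    try:
        rec = json.loads(line)
        return parse_ts(rec["StartUTC"]), rec["ClientHost"], int(rec["DownstreamStatus"]), rec.get("RequestPath", "")
    except (ValueError, KeyError, TypeError):
        return None


def detect_probing(lines, window=WINDOW_SECONDS, threshold=THRESHOLD):
    """Return one alert dict per client IP that produced at least `threshold`
    probe-like responses within `window` seconds (one alert per IP, the way a
    CrowdSec leaky bucket overflows once and then stops emitting)."""
    recent = defaultdict(deque)   # ip -> timestamps of recent client-error hits
    alerted = set()
    alerts = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                      # unparseable lines are skipped, not fatal
        ts, ip, status, _path = parsed
        if status not in PROBE_STATUSES:
            continue
        hits = recent[ip]
        hits.append(ts)
        while hits and (ts - hits[0]).total_seconds() > window:
            hits.popleft()                # slide the window forward
        if len(hits) >= threshold and ip not in alerted:
            alerted.add(ip)
            alerts.append({"ip": ip, "count": len(hits),
                           "first": hits[0].isoformat(), "last": ts.isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in detect_probing(SAMPLE_LOG):
        print(f"probing from {alert['ip']}: {alert['count']} hits between {alert['first']} and {alert['last']}")
```

Running it reports a single alert for 10.244.0.1 and nothing for the well-behaved client, which is the same shape of outcome the cscli decision list in the crowdsec-lapi pod shows after the scan: a decision keyed on the private source IP, attributed to the scenario that overflowed.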
Install CrowdSec Traefik bouncer
Traefik CrowdSec middleware bouncer k8s configuration crowdsec-traefik-bouncer-values.yaml
The bouncer needs the API key generated previously and the CrowdSec Local API endpoint (the LAPI service).
Install the bouncer with Helm (in the same namespace as the Traefik ingress controller):
Once the bouncer is installed, the Helm notes show how to integrate it as a middleware in Traefik.
We choose to install it as a global middleware (for all our applications), so we need to update the Traefik Helm values (ingress-traefik-kind-values.yaml) by adding:
Then run the upgrade command:
Now we can check in the Traefik interface that there is a new middleware. For that we need to set up a port-forward so we can access the Traefik dashboard:
Then go to http://localhost:9000/dashboard/#/http/middlewares; you will see the CrowdSec Traefik bouncer listed as a new available middleware.
All routers on the web and websecure entrypoints will also have the new middleware enabled by default.
Since we already attacked our helloworld app with nikto, CrowdSec has already raised a decision against our IP, so we are now blocked by the middleware.
We can unban our IP and try accessing it again:
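The two values above are all a bouncer needs because its job is a single lookup per request: ask the Local API whether there is a decision for the client IP, presenting the bouncer key. The following added example (not the Traefik bouncer's code) re-implements that check. The endpoint (GET /v1/decisions?ip=...) and the X-Api-Key header are the real LAPI interface; the LAPI URL, the key value and the canned responses are assumptions constructed so the example runs offline.

```python
"""Minimal re-implementation of the decision lookup a CrowdSec bouncer makes.

Added example, not the CrowdSec Traefik bouncer's code. GET /v1/decisions?ip=
and the X-Api-Key header are the real LAPI interface; LAPI_URL, API_KEY and the
canned responses below are assumptions so the example runs without a cluster.
"""
import json
import urllib.request
from urllib.parse import parse_qs, urlencode, urlparse

LAPI_URL = "http://crowdsec-service.crowdsec:8080"   # assumed in-cluster service URL
API_KEY = "EXAMPLE_BOUNCER_KEY"                      # placeholder, not a real key


def _http_get(url, headers):
    """Real transport: plain HTTP GET, used when no fetch function is injected."""
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read().decode()


def lapi_decisions(ip, lapi_url=LAPI_URL, api_key=API_KEY, fetch=None):
    """Query LAPI for decisions on `ip`. LAPI answers `null` when nothing applies,
    otherwise a JSON list of decision objects (type, scope, value, duration, ...)."""
    url = f"{lapi_url.rstrip('/')}/v1/decisions?{urlencode({'ip': ip})}"
    headers = {"X-Api-Key": api_key, "Accept": "application/json"}
    body = (fetch or _http_get)(url, headers)
    decisions = json.loads(body) if body and body.strip() else None
    return decisions or []


def is_blocked(ip, lapi_url=LAPI_URL, api_key=API_KEY, fetch=None):
    """Return (blocked, reason). Only ban and captcha decisions are enforced; a
    decision of another type is reported but does not block."""
    for d in lapi_decisions(ip, lapi_url, api_key, fetch):
        if d.get("type") in ("ban", "captcha"):
            return True, f"{d['type']} from {d.get('scenario', 'unknown scenario')} ({d.get('duration', '?')} left)"
    return False, "no enforceable decision"


# --- constructed stand-in for LAPI, shaped like the real responses ---------
CANNED = {
    "10.244.0.1": json.dumps([{
        "id": 1, "origin": "crowdsec", "type": "ban", "scope": "Ip",
        "value": "10.244.0.1", "duration": "3h59m", "scenario": "crowdsecurity/http-probing",
    }]),
    "10.244.0.7": "null",
}


def canned_fetch(url, headers):
    """Offline transport. Like LAPI, it rejects requests without a valid bouncer key."""
    if headers.get("X-Api-Key") != API_KEY:
        raise PermissionError("403 Forbidden: invalid bouncer API key")
    ip = parse_qs(urlparse(url).query)["ip"][0]
    return CANNED.get(ip, "null")


def key_accepted(api_key):
    """True when LAPI accepts the key (used to show what a wrong key looks like)."""
    try:
        lapi_decisions("10.244.0.7", api_key=api_key, fetch=canned_fetch)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    for client in ("10.244.0.1", "10.244.0.7"):
        blocked, why = is_blocked(client, fetch=canned_fetch)
        print(f"{client}: {'DENY' if blocked else 'ALLOW'} ({why})")
```

Leaving `fetch` unset makes the same function talk to a real LAPI; with `canned_fetch` it returns DENY for the scanned-from address and ALLOW for the benign one. The same lookup, run against the cluster's LAPI service with the bouncer key, is what the Traefik middleware performs before a request reaches a router.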
As you've seen, integrating CrowdSec, Traefik and the bouncer is pretty easy, and together they give you a powerful and secure ingress controller. Join our joint webinar with Traefik Labs to see how to mitigate security threats with CrowdSec and Traefik.
Sign up here to learn how to integrate CrowdSec into your Kubernetes cluster with Traefik as an ingress controller to detect and remediate security threats, and get the chance to ask any questions you may have! Join us on May 18.