C
CrowdSec5mo ago
Fish alt#3000

No decisions are made when testing with nikto on Kubernetes

I know it should be because at one point it worked but I had other issues with it not getting the correct X-Forward-IP. That works now but decisions are no longer being made. Working with Kubernetes: 
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
    name: bouncer
    namespace: kube-system
spec:
    plugin:
        bouncer:
            Enabled: "true"
            crowdsecMode: live
            crowdsecLapiHost: crowdsec-service.crowdsec.svc.cluster.local:8080
            # LogLevel: DEBUG
            crowdsecLapiScheme: http
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
    name: bouncer
    namespace: kube-system
spec:
    plugin:
        bouncer:
            Enabled: "true"
            crowdsecMode: live
            crowdsecLapiHost: crowdsec-service.crowdsec.svc.cluster.local:8080
            # LogLevel: DEBUG
            crowdsecLapiScheme: http
Checking logs show that it is definitely connecting 
time="2025-04-24T07:16:14Z" level=info msg="10.42.1.1 - [Thu, 24 Apr 2025 07:16:14 UTC] \"GET /v1/decisions?ip=5.255.103.12&banned=true HTTP/1.1 200 10.647121ms \"Go-http-client/1.1\" \""
time="2025-04-24T07:16:18Z" level=info msg="10.42.1.1 - [Thu, 24 Apr 2025 07:16:18 UTC] \"GET /v1/decisions?ip=54.89.25.116&banned=true HTTP/1.1 200 12.017574ms \"Go-http-client/1.1\" \""
time="2025-04-24T07:16:19Z" level=info msg="10.42.1.1 - [Thu, 24 Apr 2025 07:16:19 UTC] \"GET /v1/decisions?ip=98.83.107.143&banned=true HTTP/1.1 200 14.463183ms \"Go-http-client/1.1\" \""
time="2025-04-24T07:16:14Z" level=info msg="10.42.1.1 - [Thu, 24 Apr 2025 07:16:14 UTC] \"GET /v1/decisions?ip=5.255.103.12&banned=true HTTP/1.1 200 10.647121ms \"Go-http-client/1.1\" \""
time="2025-04-24T07:16:18Z" level=info msg="10.42.1.1 - [Thu, 24 Apr 2025 07:16:18 UTC] \"GET /v1/decisions?ip=54.89.25.116&banned=true HTTP/1.1 200 12.017574ms \"Go-http-client/1.1\" \""
time="2025-04-24T07:16:19Z" level=info msg="10.42.1.1 - [Thu, 24 Apr 2025 07:16:19 UTC] \"GET /v1/decisions?ip=98.83.107.143&banned=true HTTP/1.1 200 14.463183ms \"Go-http-client/1.1\" \""
/ # cscli decisions list 
No active decisions
/ # cscli decisions list 
No active decisions
Which doesn't make much sense since I am running nikto.pl It did work at one point (see attached image). Anyone able to help me debug this issue?
No description
3 Replies
CrowdSec
CrowdSec5mo ago
Important Information
This post has been marked as resolved. If this is a mistake please press the red button below or type /unresolve
© Created By WhyAydan for CrowdSec ❤️
Fish alt#3000
Fish alt#3000OP5mo ago
I can manually add a decision and I will get HTTP/1.1 403 Forbidden This probably has to do with crowdsec-lapi not getting the logs correctly 
container_runtime: containerd
agent:
  # To specify each pod you want to process it logs (pods present in the node)
  acquisition:
    # The namespace where the pod is located
    - namespace: kube-system
      # The pod name
      podName: traefik-*
      # as in crowdsec configuration, we need to specify the program name so the parser will match and parse logs
      program: traefik
  # Those are ENV variables
  env:
    # As we are running Nginx, we want to install the Nginx collection
    - name: PARSERS
      value: "crowdsecurity/cri-logs"
    - name: COLLECTIONS
      value: "crowdsecurity/traefik"
    - name: DISABLE_PARSERS
      value: "crowdsecurity/whitelists"
  persistentVolume:
    config:
      enabled: false
lapi:
  dashboard:
    enabled: false
    ingress:
      host: dashboard.local
      enabled: true
  env:
    - name: ENROLL_KEY
      valueFrom:
        secretKeyRef:
          name: crowdsec-enroll
          key: enroll_key
    - name: ENROLL_INSTANCE_NAME
      value: "k3s_cluster"
    - name: ENROLL_TAGS
      value: "k3s"
container_runtime: containerd
agent:
  # To specify each pod you want to process it logs (pods present in the node)
  acquisition:
    # The namespace where the pod is located
    - namespace: kube-system
      # The pod name
      podName: traefik-*
      # as in crowdsec configuration, we need to specify the program name so the parser will match and parse logs
      program: traefik
  # Those are ENV variables
  env:
    # As we are running Nginx, we want to install the Nginx collection
    - name: PARSERS
      value: "crowdsecurity/cri-logs"
    - name: COLLECTIONS
      value: "crowdsecurity/traefik"
    - name: DISABLE_PARSERS
      value: "crowdsecurity/whitelists"
  persistentVolume:
    config:
      enabled: false
lapi:
  dashboard:
    enabled: false
    ingress:
      host: dashboard.local
      enabled: true
  env:
    - name: ENROLL_KEY
      valueFrom:
        secretKeyRef:
          name: crowdsec-enroll
          key: enroll_key
    - name: ENROLL_INSTANCE_NAME
      value: "k3s_cluster"
    - name: ENROLL_TAGS
      value: "k3s"
root@kube ~/k/ingress (master)# kubectl get pods -n kube-system | grep trae
traefik-bxb86                             1/1     Running   0             66m
traefik-cppps                             1/1     Running   0             66m
traefik-ktnp2                             1/1     Running   0             66m
traefik-lbdk6                             1/1     Running   1 (25m ago)   66m
traefik-qtns2                             1/1     Running   0             66m
traefik-z2zfq                             1/1     Running   0             29m
root@kube ~/k/ingress (master)# kubectl get pods -n kube-system | grep trae
traefik-bxb86                             1/1     Running   0             66m
traefik-cppps                             1/1     Running   0             66m
traefik-ktnp2                             1/1     Running   0             66m
traefik-lbdk6                             1/1     Running   1 (25m ago)   66m
traefik-qtns2                             1/1     Running   0             66m
traefik-z2zfq                             1/1     Running   0             29m
time="2025-04-24T07:06:54Z" level=error msg="UnmarshalJSON : invalid character '\\x1b' looking for beginning of value" line="\x1b[90m2025-04-24T07:06:54Z\x1b[0m \x1b[31mERR\x1b[0m \x1b[1mError while updating ingress status\x1b[0m \x1b[36merror=\x1b[0m\x1b[31m\x1b[1m\"failed to update ingress status testing/helloworld: Operation cannot be fulfilled on ingresses.networking.k8s.io \\\"helloworld\\\": the object has been modified; please apply your changes to the latest version and try again\"\x1b[0m\x1b[0m \x1b[36mingress=\x1b[0mhelloworld \x1b[36mnamespace=\x1b[0mtesting \x1b[36mproviderName=\x1b[0mkubernetes"
time="2025-04-24T07:06:54Z" level=warning msg="failed to run filter : invalid character '\\x1b' looking for beginning of value (1:1)\n | UnmarshalJSON(evt.Parsed.message, evt.Unmarshaled, \"traefik\") in [\"\", nil]\n | ^" id=silent-forest name=child-crowdsecurity/traefik-logs stage=s01-parse
time="2025-04-24T07:06:54Z" level=error msg="UnmarshalJSON : invalid character '\\x1b' looking for beginning of value" line="\x1b[90m2025-04-24T07:06:54Z\x1b[0m \x1b[31mERR\x1b[0m \x1b[1mError while updating ingress status\x1b[0m \x1b[36merror=\x1b[0m\x1b[31m\x1b[1m\"failed to update ingress status testing/helloworld: Operation cannot be fulfilled on ingresses.networking.k8s.io \\\"helloworld\\\": the object has been modified; please apply your changes to the latest version and try again\"\x1b[0m\x1b[0m \x1b[36mingress=\x1b[0mhelloworld \x1b[36mnamespace=\x1b[0mtesting \x1b[36mproviderName=\x1b[0mkubernetes"
time="2025-04-24T07:06:54Z" level=warning msg="failed to run filter : invalid character '\\x1b' looking for beginning of value (1:1)\n | UnmarshalJSON(evt.Parsed.message, evt.Unmarshaled, \"traefik\") in [\"\", nil]\n | ^" id=silent-forest name=child-crowdsecurity/traefik-logs stage=s01-parse
There we go, the issue now why isn't my logs in JSON hmm Traefik from helm doesn't default to json logs worked! thank you empty thread for being my rubber duck
CrowdSec
CrowdSec5mo ago
Resolving No decisions are made when testing with nikto on Kubernetes This has now been resolved. If you think this is a mistake please run /unresolve

Did you find this page helpful?