CrowdSec real enforcement: edge WAF (proxied) + firewall-bouncer (direct) #2

Merged

viktor merged 6 commits from wizard/crowdsec-enforcement into master 2026-06-20 09:42:41 +00:00

Conversation 0 Commits 6 Files changed 6 +903 -1

viktor commented 2026-06-20 09:42:21 +00:00

Owner

Copy link

Replaces the dead Traefik Yaegi plugin. Foundation: whitelist internal CIDRs + register kvsync/firewall bouncer keys. Proxied: CF IP Lists + zone WAF rule (block/managed_challenge) covering all proxied hosts, fed by a LAPI->CF-list sync CronJob. Direct: cs-firewall-bouncer DaemonSet (nftables, pinned to k8s-node2 for one-node validation). See commits.

Replaces the dead Traefik Yaegi plugin. Foundation: whitelist internal CIDRs + register kvsync/firewall bouncer keys. Proxied: CF IP Lists + zone WAF rule (block/managed_challenge) covering all proxied hosts, fed by a LAPI->CF-list sync CronJob. Direct: cs-firewall-bouncer DaemonSet (nftables, pinned to k8s-node2 for one-node validation). See commits.

viktor added 6 commits 2026-06-20 09:42:22 +00:00

crowdsec: whitelist internal/LAN/tailnet CIDRs at the decision layer ... 0ac176da01

Preparing for real CrowdSec enforcement (edge Cloudflare Worker for proxied
hosts + cs-firewall-bouncer for direct hosts). Both enforce by dropping the
real source IP, so if an internal/RFC1918 address ever ended up in a ban
decision it could blackhole legitimate internal traffic. Whitelisting the
cluster/LAN/tailnet ranges (10/8, 172.16/12, 192.168/16, 100.64/10) at the
CrowdSec parser layer makes that structurally impossible — a trusted source
can never produce a decision in the first place. Public IP already whitelisted.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

rybbit: add CrowdSec LAPI -> Cloudflare KV sync script (proxied edge control plane) ... 4d9fdbc7f7

Pure-stdlib script (alert_digest pattern, runs on stock python:3.12-alpine) that
projects CrowdSec Ip-scope ban/captcha decisions into the Workers KV namespace
the edge Worker reads on each proxied request. Full-reconcile per run so an
un-ban clears from the edge within one interval; fail-safe (a LAPI read error
skips the run and leaves existing bans to expire by TTL = fail-open, never a
stale all-block). TF wiring (KV namespace + CronJob + key registration) follows.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

crowdsec: register kvsync + firewall bouncer keys in LAPI ... 38675b7922

Seeds two new bouncers at LAPI startup (BOUNCER_KEY_kvsync, BOUNCER_KEY_firewall)
from Vault secret/platform, mirroring the existing BOUNCER_KEY_traefik wiring.
These are the two halves of the real enforcement that replaces the dead Yaegi
plugin: kvsync authenticates the LAPI->Cloudflare-KV sync (proxied edge Worker),
firewall authenticates the cs-firewall-bouncer DaemonSet (direct-host nftables).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

crowdsec: add cs-firewall-bouncer DaemonSet (direct-host nftables enforcement) ... 7e646e1c7c

Drops banned source IPs in-kernel via nftables (hooks input+forward, so DNAT'd
LoadBalancer traffic is caught before reaching Traefik) for DIRECT hosts — the
direct-side replacement for the dead Traefik plugin, zero per-request hop.

No published image exists, so an initContainer fetches the pinned official
static binary (v0.0.34) onto a stock debian-slim base (nftables backend uses
netlink directly, no nft CLI needed). hostNetwork + NET_ADMIN/NET_RAW (not
privileged). Config (with api_key) in a Secret, Reloader-annotated. crowdsec ns
is already in the Kyverno wave-1 exclude list, so the privileged/hostNetwork pod
is admitted. Pinned to k8s-node2 (runs a Traefik pod) for one-node validation
before the nodeSelector is removed to roll cluster-wide. Fail-open by element
timeout if the bouncer stops.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

rybbit: proxied CrowdSec enforcement via Cloudflare IP Lists + WAF rule ... cc4bfb593b

Replaces the Worker+KV approach (which only covered the ~27 routed hosts) with a
zone-wide mechanism that covers ALL proxied hosts: two CF account IP Lists
(crowdsec_ban, crowdsec_captcha) + one zone WAF custom rule that blocks
`(ip.src in $crowdsec_ban)` and managed-challenges `(ip.src in $crowdsec_captcha)`.
No per-request Worker, no cookie machinery — the rybbit Worker stays
analytics-only. lapi_kv_sync.py now full-reconciles the two lists from LAPI
(fail-safe: a LAPI blip skips the run and freezes the last-known-good block set;
serializes CF bulk ops since CF allows one pending op per account). A
least-privilege CF API token (Account Filter Lists Edit) is minted in TF.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

rybbit: use 'Account Rule Lists' permission group for the CF sync token (v4) ... ca8d617e72

tg plan verified the agent's guess 'Account Filter Lists Edit/Read' is not a key in the v4.52.7 permission-group map; the live CF API lists the correct account-scoped groups as 'Account Rule Lists Read'/'Write'.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

viktor merged commit 70e8ce1021 into master 2026-06-20 09:42:41 +00:00

viktor referenced this pull request from a commit 2026-06-20 09:42:43 +00:00

Merge pull request 'CrowdSec real enforcement: edge WAF (proxied) + firewall-bouncer (direct)' (#2) from wizard/crowdsec-enforcement into master

viktor referenced this pull request 2026-06-20 19:05:13 +00:00

Fix CrowdSec firewall-bouncer tar + CF WAF ruleset import #3

Sign in to join this conversation.

Reviewers

No reviewers

Labels

Clear labels

No items

No labels

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: viktor/infra#2

No description provided.