🚀 crowdsec demo

auricom
2022-12-22 23:25:27 +01:00
parent c75d8350bd
commit 5b2893786f
11 changed files with 224 additions and 9 deletions


@@ -14,5 +14,6 @@ resources:
- ./media-servers
- ./monitoring
- ./networking
# - ./security
- ./storage
- ./web-tools
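Review bot: `# - ./security` stays commented out in the resources list, so the crowdsec kustomization added by this commit does not appear to be reconciled from here unless another Kustomization picks it up. If the omission is deliberate for a staged rollout, say so on the line, e.g. `# - ./security  # TODO: enable once the crowdsec demo is validated`, so the dead entry is not mistaken for finished wiring.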


@@ -1,6 +1,13 @@
---
apiVersion: v1
kind: Namespace
metadata:
name: crowdsec
labels:
kustomize.toolkit.fluxcd.io/prune: disabled
---
apiVersion: v1
kind: Namespace
metadata:
name: default
labels:
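Review bot: The `kustomize.toolkit.fluxcd.io/prune: disabled` label on the new `crowdsec` Namespace carries no comment on the intent, and its effect (Flux will not delete the namespace when the resource disappears from the source) is easy to miss for the next reader. A one-line comment above `labels:` along the lines of `# keep the namespace (and the crowdsec PVCs in it) if this Kustomization is removed` would make the retention decision explicit, assuming that is the reason. The `default` Namespace's labels continue past the end of the hunk.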


@@ -51,6 +51,9 @@ spec:
service-upstream: "true"
ssl-protocols: "TLSv1.3 TLSv1.2"
use-forwarded-headers: "true"
# crowdsec bouncer
# plugins: "crowdsec"
# lua-shared-dicts: "crowdsec_cache: 50m"
metrics:
enabled: true
serviceMonitor:
@@ -69,12 +72,46 @@ spec:
matchLabels:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/component: controller
resources:
requests:
memory: 400Mi
cpu: 25m
limits:
memory: 1Gi
# crowdsec bouncer
# extraVolumes:
# - name: crowdsec-bouncer-plugin
# emptyDir: {}
# extraInitContainers:
# - name: init-clone-crowdsec-bouncer
# image: crowdsecurity/lua-bouncer-plugin
# tag: v0.1.11
# imagePullPolicy: IfNotPresent
# env:
# - name: API_URL
# value: "http://crowdsec-service.crowdsec.svc.cluster.local:8080"
# - name: API_KEY
# value: "${SECRET_CROWDSEC_NGINX_BOUNCER_API_KEY}"
# - name: DISABLE_RUN
# value: "true"
# - name: BOUNCER_CONFIG
# value: "/crowdsec/crowdsec-bouncer.conf"
# command:
# - "/bin/sh"
# - "-c"
# - |
# #!/bin/sh
# sh /docker_start.sh
# mkdir -p /lua_plugins/crowdsec/
# cp -pr /crowdsec/* /lua_plugins/crowdsec/
# volumeMounts:
# - name: crowdsec-bouncer-plugin
# mountPath: /lua_plugins
# extraVolumeMounts:
# - name: crowdsec-bouncer-plugin
# mountPath: /etc/nginx/lua/plugins/crowdsec
# subPath: crowdsec
# resources:
# requests:
# memory: 400Mi
# cpu: 25m
# limits:
# memory: 1Gi
defaultBackend:
enabled: true
image:
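Review bot: In the commented-out bouncer init container, `- name: API_KEY` is given as a literal `value: "${SECRET_CROWDSEC_NGINX_BOUNCER_API_KEY}"`, so once this block is enabled the post-substitution key would sit in plaintext in the HelmRelease values and in the rendered pod spec rather than in a Secret. The crowdsec HelmRelease in this same commit already reads its enroll key through `valueFrom: secretKeyRef:`, and the same form here would keep the bouncer key in a Secret and out of the HelmRelease object. The earlier hunk's `# plugins: "crowdsec"` / `# lua-shared-dicts` lines and this block are both commented placeholders with no note on why they are disabled; a short comment on the first hunk stating what has to be in place before the bouncer is enabled would document the staging. The `defaultBackend` mapping continues past the end of the hunk.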


@@ -0,0 +1,120 @@
---
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
name: crowdsec
namespace: crowdsec
spec:
interval: 15m
chart:
spec:
chart: crowdsec
version: 0.8.2
sourceRef:
kind: HelmRepository
name: crowdsec
namespace: flux-system
install:
createNamespace: true
remediation:
retries: 5
upgrade:
remediation:
retries: 5
values:
container_runtime: containerd
image:
repository: crowdsecurity/crowdsec
tag: v1.4.3
lapi:
env:
# by default disable the agent for local API pods
- name: DISABLE_AGENT
value: "true"
- name: ENROLL_KEY
valueFrom:
secretKeyRef:
name: crowdsec-config
key: enroll_key
- name: ENROLL_INSTANCE_NAME
value: "talos@cluster-0"
dashboard:
enabled: false
ingress:
enabled: false
annotations:
ingressClassName: nginx
host: &host "{{ .Release.Name }}.${SECRET_CLUSTER_DOMAIN}"
tls:
- hosts:
- *host
resources:
requests:
cpu: 150m
memory: 100M
limits:
memory: 100M
# -- Enable persistent volumes
persistentVolume:
# -- Persistent volume for data folder. Stores e.g. registered bouncer api keys
data:
enabled: true
accessModes:
- ReadWriteOnce
storageClassName: rook-ceph-filesystem
size: 1Gi
# -- Persistent volume for config folder. Stores e.g. online api credentials
config:
enabled: true
accessModes:
- ReadWriteOnce
storageClassName: rook-ceph-filesystem
size: 100Mi
metrics:
enabled: false
serviceMonitor:
enabled: false
strategy:
type: Recreate
agent:
# To specify each pod you want to process it logs (pods present in the node)
acquisition:
# The namespace where the pod is located
- namespace: ingress-nginx
# The pod name
podName: ingress-nginx-controller-*
# as in crowdsec configuration, we need to specify the program name so the parser will match and parse logs
program: nginx
# Those are ENV variables
env:
# As it's a test, we don't want to share signals with CrowdSec so disable the Online API.
- name: DISABLE_crONLINE_API
value: "true"
# As we are running Nginx, we want to install the Nginx collection
- name: COLLECTIONS
value: "crowdsecurity/nginx crowdsecurity/linux crowdsecurity/base-http-scenarios crowdsecurity/http-cve crowdsecurity/pgsql crowdsecurity/sshd"
- name: PARSERS
value: "crowdsecurity/cri-logs"
- name: TZ
value: "${TIMEZONE}"
- name: DISABLE_ONLINE_API
value: "false"
resources:
limits:
memory: 100Mi
requests:
cpu: 150m
memory: 100Mi
# -- Enable persistent volumes
persistentVolume:
# -- Persistent volume for config folder. Stores local config (parsers, scenarios etc.)
config:
enabled: true
accessModes:
- ReadWriteMany
storageClassName: rook-ceph-filesystem
size: 100Mi
metrics:
enabled: true
serviceMonitor:
enabled: true
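Review bot: In `agent.env`, `- name: DISABLE_crONLINE_API` looks like a typo of `DISABLE_ONLINE_API`, so that entry and the comment above it (`we don't want to share signals with CrowdSec so disable the Online API`) have no effect, while a few lines down `DISABLE_ONLINE_API` is explicitly set to `"false"` and the lapi pod is given an `ENROLL_KEY`, which together say the opposite. Decide which is intended and keep one entry: if signal sharing is wanted, delete the `DISABLE_crONLINE_API` entry and its comment; if it is not, drop the `"false"` entry and correct the name to `DISABLE_ONLINE_API`. Separately, the lapi resources use `memory: 100M` while the agent uses `memory: 100Mi`; the two units differ by about 5%, so pick one form for both. `podName: ingress-nginx-controller-*` parses as a plain string here, but quoting it (`podName: "ingress-nginx-controller-*"`) avoids the alias sigil being misread if the value is ever moved to the start of a scalar.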


@@ -0,0 +1,6 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ./helmrelease.yaml
- ./secret.sops.yaml


@@ -0,0 +1,29 @@
# yamllint disable
apiVersion: v1
kind: Secret
metadata:
name: crowdsec-config
namespace: crowdsec
type: Opaque
stringData:
enroll_key: ENC[AES256_GCM,data:ret34T4Bcdua76M8s19bLeNTUWweVqPg5Q==,iv:q9sXlIUAkRi4Gu1+uhVWW5WCDuUCn6ZAV+UjtK1hkAQ=,tag:zXCtO2dpokZ57/NTthItig==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoN0VJaHVYcXNDZDlZUGRn
YUViZDU0TCtmbzkycUpiZUVDbkluSzdSM2hVClpMRDdKREJBZEpEYUIxUGlIem9Q
Z08rVUVLUFhWNGdncElCR2hFVFNJUEUKLS0tIDZzcDVyb0lMTzRrNStBRU1KN2wy
OU81anNCMk13bXNXRVM3ZWcxTjd6SUkKd5FvLfeXe4p7j5eryl9ZuVh6oT920yiy
hsaI1Cwm2WH55lR++P1jtIyTo+lOL5M+IZUeyC7LXBpMp2UBNbllcw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2022-12-23T02:14:45Z"
mac: ENC[AES256_GCM,data:Y5ZzEfUbfy4hs6CpxZOW9/jSzp/lRaL28vB81BHFnUCDH9hHiCLMhb64SfJdCOgxP1HjKRbsQgSLdQD0W1Q7udtsXFVFg+LnND++ukWaXESj/USb25o9RT8Kn94RePLzeDdOkAR9hYS+YViKjdvdck2oKwr1cy8slcgHDXi83LI=,iv:/iBS+i43BaSOBZGUeNxUnqn4sgX12GozkQdUuLLsvMM=,tag:JLwY15QfNLWRJax2nKdcbw==,type:str]
pgp: []
encrypted_regex: ^(data|stringData)$
version: 3.7.3


@@ -0,0 +1,5 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ./crowdsec