🚀 crowdsec demo

kubernetes/cluster-0/apps/kustomization.yaml

@@ -14,5 +14,6 @@ resources:
   - ./media-servers
   - ./monitoring
   - ./networking
+  # - ./security
   - ./storage
   - ./web-tools

kubernetes/cluster-0/apps/namespaces.yaml

@@ -1,6 +1,13 @@
 ---
 apiVersion: v1
 kind: Namespace
+metadata:
+  name: crowdsec
+  labels:
+    kustomize.toolkit.fluxcd.io/prune: disabled
+---
+apiVersion: v1
+kind: Namespace
 metadata:
   name: default
   labels:

kubernetes/cluster-0/apps/networking/ingress-nginx/helmrelease.yaml

@@ -51,6 +51,9 @@ spec:
         service-upstream: "true"
         ssl-protocols: "TLSv1.3 TLSv1.2"
         use-forwarded-headers: "true"
+        # crowdsec bouncer
+        # plugins: "crowdsec"
+        # lua-shared-dicts: "crowdsec_cache: 50m"
       metrics:
         enabled: true
         serviceMonitor:
@@ -69,12 +72,46 @@ spec:
             matchLabels:
               app.kubernetes.io/name: ingress-nginx
               app.kubernetes.io/component: controller
-      resources:
-        requests:
-          memory: 400Mi
-          cpu: 25m
-        limits:
-          memory: 1Gi
+      # crowdsec bouncer
+      # extraVolumes:
+      # - name: crowdsec-bouncer-plugin
+      #   emptyDir: {}
+      # extraInitContainers:
+      # - name: init-clone-crowdsec-bouncer
+      #   image: crowdsecurity/lua-bouncer-plugin
+      #   tag: v0.1.11
+      #   imagePullPolicy: IfNotPresent
+      #   env:
+      #     - name: API_URL
+      #       value: "http://crowdsec-service.crowdsec.svc.cluster.local:8080"
+      #     - name: API_KEY
+      #       value: "${SECRET_CROWDSEC_NGINX_BOUNCER_API_KEY}"
+      #     - name: DISABLE_RUN
+      #       value: "true"
+      #     - name: BOUNCER_CONFIG
+      #       value: "/crowdsec/crowdsec-bouncer.conf"
+      #   command:
+      #     - "/bin/sh"
+      #     - "-c"
+      #     - |
+      #       #!/bin/sh
+
+      #       sh /docker_start.sh
+      #       mkdir -p /lua_plugins/crowdsec/
+      #       cp -pr /crowdsec/* /lua_plugins/crowdsec/
+      #   volumeMounts:
+      #   - name: crowdsec-bouncer-plugin
+      #     mountPath: /lua_plugins
+      # extraVolumeMounts:
+      # - name: crowdsec-bouncer-plugin
+      #   mountPath: /etc/nginx/lua/plugins/crowdsec
+      #   subPath: crowdsec
+      # resources:
+      #   requests:
+      #     memory: 400Mi
+      #     cpu: 25m
+      #   limits:
+      #     memory: 1Gi
     defaultBackend:
       enabled: true
       image:

kubernetes/cluster-0/apps/security/crowdsec/helmrelease.yaml

@@ -0,0 +1,120 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: crowdsec
+  namespace: crowdsec
+spec:
+  interval: 15m
+  chart:
+    spec:
+      chart: crowdsec
+      version: 0.8.2
+      sourceRef:
+        kind: HelmRepository
+        name: crowdsec
+        namespace: flux-system
+  install:
+    createNamespace: true
+    remediation:
+      retries: 5
+  upgrade:
+    remediation:
+      retries: 5
+  values:
+    container_runtime: containerd
+    image:
+      repository: crowdsecurity/crowdsec
+      tag: v1.4.3
+    lapi:
+      env:
+        # by default disable the agent for local API pods
+        - name: DISABLE_AGENT
+          value: "true"
+        - name: ENROLL_KEY
+          valueFrom:
+            secretKeyRef:
+              name: crowdsec-config
+              key: enroll_key
+        - name: ENROLL_INSTANCE_NAME
+          value: "talos@cluster-0"
+      dashboard:
+        enabled: false
+        ingress:
+          enabled: false
+          annotations:
+          ingressClassName: nginx
+          host: &host "{{ .Release.Name }}.${SECRET_CLUSTER_DOMAIN}"
+          tls:
+            - hosts:
+              - *host
+      resources:
+        requests:
+          cpu: 150m
+          memory: 100M
+        limits:
+          memory: 100M
+      # -- Enable persistent volumes
+      persistentVolume:
+        # -- Persistent volume for data folder. Stores e.g. registered bouncer api keys
+        data:
+          enabled: true
+          accessModes:
+            - ReadWriteOnce
+          storageClassName: rook-ceph-filesystem
+          size: 1Gi
+        # -- Persistent volume for config folder. Stores e.g. online api credentials
+        config:
+          enabled: true
+          accessModes:
+            - ReadWriteOnce
+          storageClassName: rook-ceph-filesystem
+          size: 100Mi
+      metrics:
+        enabled: false
+        serviceMonitor:
+          enabled: false
+      strategy:
+        type: Recreate
+    agent:
+      # To specify each pod you want to process it logs (pods present in the node)
+      acquisition:
+        # The namespace where the pod is located
+        - namespace: ingress-nginx
+          # The pod name
+          podName: ingress-nginx-controller-*
+          # as in crowdsec configuration, we need to specify the program name so the parser will match and parse logs
+          program: nginx
+      # Those are ENV variables
+      env:
+        # As it's a test, we don't want to share signals with CrowdSec so disable the Online API.
+        - name: DISABLE_crONLINE_API
+          value: "true"
+        # As we are running Nginx, we want to install the Nginx collection
+        - name: COLLECTIONS
+          value: "crowdsecurity/nginx crowdsecurity/linux crowdsecurity/base-http-scenarios crowdsecurity/http-cve crowdsecurity/pgsql crowdsecurity/sshd"
+        - name: PARSERS
+          value: "crowdsecurity/cri-logs"
+        - name: TZ
+          value: "${TIMEZONE}"
+        - name: DISABLE_ONLINE_API
+          value: "false"
+      resources:
+        limits:
+          memory: 100Mi
+        requests:
+          cpu: 150m
+          memory: 100Mi
+      # -- Enable persistent volumes
+      persistentVolume:
+        # -- Persistent volume for config folder. Stores local config (parsers, scenarios etc.)
+        config:
+          enabled: true
+          accessModes:
+            - ReadWriteMany
+          storageClassName: rook-ceph-filesystem
+          size: 100Mi
+      metrics:
+        enabled: true
+        serviceMonitor:
+          enabled: true

kubernetes/cluster-0/apps/security/crowdsec/kustomization.yaml

@@ -0,0 +1,6 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ./helmrelease.yaml
+  - ./secret.sops.yaml

kubernetes/cluster-0/apps/security/crowdsec/secret.sops.yaml

@@ -0,0 +1,29 @@
+# yamllint disable
+apiVersion: v1
+kind: Secret
+metadata:
+    name: crowdsec-config
+    namespace: crowdsec
+type: Opaque
+stringData:
+    enroll_key: ENC[AES256_GCM,data:ret34T4Bcdua76M8s19bLeNTUWweVqPg5Q==,iv:q9sXlIUAkRi4Gu1+uhVWW5WCDuUCn6ZAV+UjtK1hkAQ=,tag:zXCtO2dpokZ57/NTthItig==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoN0VJaHVYcXNDZDlZUGRn
+            YUViZDU0TCtmbzkycUpiZUVDbkluSzdSM2hVClpMRDdKREJBZEpEYUIxUGlIem9Q
+            Z08rVUVLUFhWNGdncElCR2hFVFNJUEUKLS0tIDZzcDVyb0lMTzRrNStBRU1KN2wy
+            OU81anNCMk13bXNXRVM3ZWcxTjd6SUkKd5FvLfeXe4p7j5eryl9ZuVh6oT920yiy
+            hsaI1Cwm2WH55lR++P1jtIyTo+lOL5M+IZUeyC7LXBpMp2UBNbllcw==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2022-12-23T02:14:45Z"
+    mac: ENC[AES256_GCM,data:Y5ZzEfUbfy4hs6CpxZOW9/jSzp/lRaL28vB81BHFnUCDH9hHiCLMhb64SfJdCOgxP1HjKRbsQgSLdQD0W1Q7udtsXFVFg+LnND++ukWaXESj/USb25o9RT8Kn94RePLzeDdOkAR9hYS+YViKjdvdck2oKwr1cy8slcgHDXi83LI=,iv:/iBS+i43BaSOBZGUeNxUnqn4sgX12GozkQdUuLLsvMM=,tag:JLwY15QfNLWRJax2nKdcbw==,type:str]
+    pgp: []
+    encrypted_regex: ^(data|stringData)$
+    version: 3.7.3

kubernetes/cluster-0/apps/security/kustomization.yaml

@@ -0,0 +1,5 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ./crowdsec