viktor/infra
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

[ci skip] Fix CrowdSec to monitor Traefik and add Slack notifications

Browse source 
- Switch acquisition from ingress-nginx to traefik namespace/pods
- Change collection from crowdsecurity/nginx to crowdsecurity/traefik
- Add Slack notification plugin for ban/captcha decisions
- Wire alertmanager_slack_api_url through to CrowdSec module
This commit is contained in:
Viktor Barzin 2026-02-11 22:25:03 +00:00
parent c8a41ac567
commit b4f68d99d8
3 changed files with 30 additions and 6 deletions
Download patch file Download diff file Expand all files Collapse all files

3
modules/kubernetes/crowdsec/main.tf
View file

@ -7,6 +7,7 @@ variable "crowdsec_dash_api_key" { type = string } # used for web dash
variable "crowdsec_dash_machine_id" { type = string } # used for web dash variable "crowdsec_dash_machine_id" { type = string } # used for web dash
variable "crowdsec_dash_machine_password" { type = string } # used for web dash variable "crowdsec_dash_machine_password" { type = string } # used for web dash
variable "tier" { type = string } variable "tier" { type = string }
variable "slack_webhook_url" { type = string }
module "tls_secret" { module "tls_secret" {
source = "../setup_tls_secret" source = "../setup_tls_secret"
@ -97,7 +98,7 @@ resource "helm_release" "crowdsec" {
repository = "https://crowdsecurity.github.io/helm-charts" repository = "https://crowdsecurity.github.io/helm-charts"
chart = "crowdsec" chart = "crowdsec"
values = [templatefile("${path.module}/values.yaml", { homepage_username = var.homepage_username, homepage_password = var.homepage_password, DB_PASSWORD = var.db_password, ENROLL_KEY = var.enroll_key })] values = [templatefile("${path.module}/values.yaml", { homepage_username = var.homepage_username, homepage_password = var.homepage_password, DB_PASSWORD = var.db_password, ENROLL_KEY = var.enroll_key, SLACK_WEBHOOK_URL = var.slack_webhook_url })]
timeout = 3600 timeout = 3600
} }

32
modules/kubernetes/crowdsec/values.yaml
View file

@ -5,19 +5,19 @@ agent:
# To specify each pod you want to process it logs (pods present in the node) # To specify each pod you want to process it logs (pods present in the node)
acquisition: acquisition:
# The namespace where the pod is located # The namespace where the pod is located
- namespace: ingress-nginx - namespace: traefik
# The pod name # The pod name
podName: ingress-nginx-controller-* podName: traefik-*
# as in crowdsec configuration, we need to specify the program name so the parser will match and parse logs # as in crowdsec configuration, we need to specify the program name so the parser will match and parse logs
program: nginx program: traefik
# Those are ENV variables # Those are ENV variables
env: env:
# As it's a test, we don't want to share signals with CrowdSec so disable the Online API. # As it's a test, we don't want to share signals with CrowdSec so disable the Online API.
# - name: DISABLE_ONLINE_API # - name: DISABLE_ONLINE_API
# value: "true" # value: "true"
# As we are running Nginx, we want to install the Nginx collection # As we are running Traefik, we want to install the Traefik collection
- name: COLLECTIONS - name: COLLECTIONS
value: "crowdsecurity/nginx crowdsecurity/base-http-scenarios crowdsecurity/http-cve" value: "crowdsecurity/traefik crowdsecurity/base-http-scenarios crowdsecurity/http-cve"
- name: SCENARIOS - name: SCENARIOS
value: "" value: ""
# value: "crowdsecurity/http-crawl-aggressive" # value: "crowdsecurity/http-crawl-aggressive"
@ -133,6 +133,8 @@ config:
decisions: decisions:
- type: captcha - type: captcha
duration: 4h duration: 4h
notifications:
- slack_alerts
on_success: break on_success: break
--- ---
# Default: Ban for serious attacks (CVE exploits, scanners, brute force) # Default: Ban for serious attacks (CVE exploits, scanners, brute force)
@ -142,6 +144,8 @@ config:
decisions: decisions:
- type: ban - type: ban
duration: 4h duration: 4h
notifications:
- slack_alerts
on_success: break on_success: break
--- ---
name: default_range_remediation name: default_range_remediation
@ -150,6 +154,8 @@ config:
decisions: decisions:
- type: ban - type: ban
duration: 4h duration: 4h
notifications:
- slack_alerts
on_success: break on_success: break
config.yaml.local: | config.yaml.local: |
@ -170,3 +176,19 @@ config:
- "192.168.0.0/16" - "192.168.0.0/16"
- "10.0.0.0/8" - "10.0.0.0/8"
- "172.16.0.0/12" - "172.16.0.0/12"
notifications:
slack.yaml: |
type: slack
name: slack_alerts
log_level: info
format: |
:rotating_light: *CrowdSec Alert*
{{range .}}
*Scenario:* {{.Alert.Scenario}}
*Source IP:* {{.Alert.Source.IP}} ({{.Alert.Source.Cn}})
*Decisions:*
{{range .Alert.Decisions}} - {{.Type}} for {{.Duration}} (scope: {{.Scope}}, value: {{.Value}})
{{end}}
{{end}}
webhook: ${SLACK_WEBHOOK_URL}

1
modules/kubernetes/main.tf
View file

@ -589,6 +589,7 @@ module "crowdsec" {
crowdsec_dash_api_key = var.crowdsec_dash_api_key crowdsec_dash_api_key = var.crowdsec_dash_api_key
crowdsec_dash_machine_id = var.crowdsec_dash_machine_id crowdsec_dash_machine_id = var.crowdsec_dash_machine_id
crowdsec_dash_machine_password = var.crowdsec_dash_machine_password crowdsec_dash_machine_password = var.crowdsec_dash_machine_password
slack_webhook_url = var.alertmanager_slack_api_url
} }
module "resume" { module "resume" {