Kyverno injects priorityClassName tier-1-cluster on pods in the crowdsec namespace, but the pods had no explicit priorityClassName set, so their priority defaulted to 0. The admission controller rejected the mismatch (0 vs 800000). Set priorityClassName on LAPI, agent (Helm values) and crowdsec-web (Terraform deployment).
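# values from - https://github.com/crowdsecurity/helm-charts/blob/main/charts/crowdsec/values.yaml
#
# This file is passed through Terraform templating before Helm reads it:
# `${VAR}` is substituted by Terraform, while `$${...}` survives as a literal
# `${...}` for CrowdSec to expand at runtime.
---
container_runtime: containerd

agent:
  # Kyverno mutates pods in this namespace to priorityClassName tier-1-cluster;
  # an unset value defaults to priority 0 and the admission check rejects the
  # mismatch, so the class has to be set explicitly here as well.
  priorityClassName: "tier-1-cluster"

  # To specify each pod you want to process it logs (pods present in the node)
  acquisition:
    # The namespace where the pod is located
    - namespace: traefik
      # The pod name (glob; quoted so the `*` is never read as a YAML alias)
      podName: "traefik-*"
      # as in crowdsec configuration, we need to specify the program name so the parser will match and parse logs
      program: traefik

  # Those are ENV variables
  env:
    # As it's a test, we don't want to share signals with CrowdSec so disable the Online API.
    # - name: DISABLE_ONLINE_API
    #   value: "true"
    # As we are running Traefik, we want to install the Traefik collection
    - name: COLLECTIONS
      value: "crowdsecurity/traefik crowdsecurity/base-http-scenarios crowdsecurity/http-cve"
    - name: SCENARIOS
      value: ""
      # value: "crowdsecurity/http-crawl-aggressive"

  # Mount custom scenarios into /etc/crowdsec/scenarios
  # `readOnly` (camelCase) is the Kubernetes VolumeMount field; a lower-case
  # `readonly` key is not a recognised field and is ignored or rejected
  # depending on the API server's field validation.
  extraVolumeMounts:
    - name: custom-scenarios
      mountPath: /etc/crowdsec/scenarios/http-403-abuse.yaml
      subPath: "http-403-abuse.yaml"
      readOnly: true
    - name: custom-scenarios
      mountPath: /etc/crowdsec/scenarios/http-429-abuse.yaml
      subPath: "http-429-abuse.yaml"
      readOnly: true
    - name: whitelist
      mountPath: /etc/crowdsec/parsers/s02-enrich/whitelist.yaml
      subPath: "whitelist.yaml"
      readOnly: true

  extraVolumes:
    - name: custom-scenarios
      configMap:
        name: crowdsec-custom-scenarios
    - name: whitelist
      configMap:
        name: crowdsec-whitelist

lapi:
  # Same Kyverno priority-class mutation as the agent; see the comment there.
  priorityClassName: "tier-1-cluster"
  replicas: 3

  # Rendered into the crowdsec-lapi-secrets Secret; referenced by DB_PASSWORD below.
  extraSecrets:
    dbPassword: "${DB_PASSWORD}"
  storeCAPICredentialsInSecret: true

  # State lives in the external MySQL database, so no PVCs are needed.
  persistentVolume:
    config:
      enabled: false
    data:
      enabled: false

  env:
    - name: ENROLL_KEY
      value: "${ENROLL_KEY}"
    - name: ENROLL_INSTANCE_NAME
      value: "k8s-cluster"
    - name: ENROLL_TAGS
      value: "k8s linux"
    - name: DB_PASSWORD
      valueFrom:
        secretKeyRef:
          name: crowdsec-lapi-secrets
          key: dbPassword
    # As it's a test, we don't want to share signals with CrowdSec, so disable the Online API.
    # - name: DISABLE_ONLINE_API
    #   value: "true"

  # Metabase dashboard. NOTE(review): it runs in the same namespace, so the
  # Kyverno priority-class mutation presumably applies to its pod too — confirm
  # whether the chart exposes a priorityClassName for it.
  dashboard:
    enabled: true
    env:
      - name: MB_DB_TYPE
        value: "mysql"
      - name: MB_DB_DBNAME
        value: "crowdsec-metabase"
      - name: MB_DB_USER
        value: "crowdsec"
      # NOTE(review): LAPI reads the same password through a secretKeyRef;
      # the dashboard receives it inline — consider the same secretKeyRef here.
      - name: MB_DB_PASS
        value: "${DB_PASSWORD}"
      - name: MB_DB_HOST
        value: "mysql.dbaas.svc.cluster.local"

      - name: MB_EMAIL_SMTP_USERNAME
        value: "info@viktorbarzin.me"
      - name: MB_EMAIL_FROM_ADDRESS
        value: "info@viktorbarzin.me"
      - name: MB_EMAIL_SMTP_HOST
        value: "mailserver.mailserver.svc.cluster.local"
      - name: MB_EMAIL_SMTP_PASSWORD
        value: "" # Ignore for now as it's unclear what notifications we can get
      - name: MB_EMAIL_SMTP_PORT
        value: "587"
      - name: MB_EMAIL_SMTP_SECURITY
        value: "starttls"

    ingress:
      enabled: true
      annotations:
        nginx.ingress.kubernetes.io/backend-protocol: "HTTP"
        # Authentication is delegated to the Authentik embedded outpost (forward-auth).
        #nginx.ingress.kubernetes.io/auth-url: "https://oauth2.viktorbarzin.me/oauth2/auth"
        nginx.ingress.kubernetes.io/auth-url: "http://ak-outpost-authentik-embedded-outpost.authentik.svc.cluster.local:9000/outpost.goauthentik.io/auth/nginx"
        # nginx.ingress.kubernetes.io/auth-signin: "https://oauth2.viktorbarzin.me/oauth2/start?rd=/redirect/$http_host$escaped_request_uri"
        nginx.ingress.kubernetes.io/auth-signin: "https://authentik.viktorbarzin.me/outpost.goauthentik.io/start?rd=$scheme%3A%2F%2F$host$escaped_request_uri"
        nginx.ingress.kubernetes.io/auth-response-headers: "Set-Cookie,X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid"
        nginx.ingress.kubernetes.io/auth-snippet: "proxy_set_header X-Forwarded-Host $http_host;"
        gethomepage.dev/enabled: "true"
        gethomepage.dev/description: "Web Application Firewall"
        gethomepage.dev/icon: "crowdsec.png"
        gethomepage.dev/name: "CrowdSec"
        gethomepage.dev/widget.type: "crowdsec"
        gethomepage.dev/widget.url: "http://crowdsec-service.crowdsec.svc.cluster.local:8080"
        gethomepage.dev/widget.username: "${homepage_username}"
        gethomepage.dev/widget.password: "${homepage_password}"
        gethomepage.dev/pod-selector: ""
      ingressClassName: "nginx"
      host: "crowdsec.viktorbarzin.me"
      tls:
        - hosts:
            - crowdsec.viktorbarzin.me
          secretName: "tls-secret"

  metrics:
    enabled: true

  strategy:
    type: RollingUpdate

config:
  # Custom profiles: captcha for rate limiting, ban for attacks.
  # Profiles are evaluated top to bottom; `on_success: break` stops at the
  # first matching profile, so the captcha profile must stay above the
  # default ban profile.
  profiles.yaml: |
    # Captcha for rate limiting and 403 abuse (user can unblock themselves)
    name: captcha_remediation
    filters:
      - Alert.Remediation == true && Alert.GetScope() == "Ip" && Alert.GetScenario() in ["crowdsecurity/http-429-abuse", "crowdsecurity/http-403-abuse", "crowdsecurity/http-crawl-non_statics", "crowdsecurity/http-sensitive-files"]
    decisions:
      - type: captcha
        duration: 4h
    notifications:
      - slack_alerts
    on_success: break
    ---
    # Default: Ban for serious attacks (CVE exploits, scanners, brute force)
    name: default_ip_remediation
    filters:
      - Alert.Remediation == true && Alert.GetScope() == "Ip"
    decisions:
      - type: ban
        duration: 4h
    notifications:
      - slack_alerts
    on_success: break
    ---
    name: default_range_remediation
    filters:
      - Alert.Remediation == true && Alert.GetScope() == "Range"
    decisions:
      - type: ban
        duration: 4h
    notifications:
      - slack_alerts
    on_success: break

  config.yaml.local: |
    db_config:
      type: mysql
      user: crowdsec
      # NOTE(review): substituted unquoted into this inner YAML — a password
      # containing ': ', ' #' or a leading YAML indicator would break parsing.
      password: ${DB_PASSWORD}
      db_name: crowdsec
      host: mysql.dbaas.svc.cluster.local
      port: 3306
    api:
      server:
        auto_registration: # Activate if not using TLS for authentication
          enabled: true
          # `$$` escapes Terraform interpolation so CrowdSec receives the literal ${REGISTRATION_TOKEN}
          token: "$${REGISTRATION_TOKEN}" # /!\ do not change
          # /!\ adapt to the pod IP ranges used by your cluster
          # NOTE(review): all three RFC 1918 blocks are allowed; restricting
          # this to the cluster's pod CIDR limits which clients may
          # self-register — confirm the actual CIDR.
          allowed_ranges:
            - "127.0.0.1/32"
            - "192.168.0.0/16"
            - "10.0.0.0/8"
            - "172.16.0.0/12"

  notifications:
    # NOTE(review): the webhook URL is a credential; check whether the chart
    # renders config.notifications into a ConfigMap or a Secret.
    slack.yaml: |
      type: slack
      name: slack_alerts
      log_level: info
      format: |
        :rotating_light: *CrowdSec Alert*
        {{range .}}
        *Scenario:* {{.Alert.Scenario}}
        *Source IP:* {{.Alert.Source.IP}} ({{.Alert.Source.Cn}})
        *Decisions:*
        {{range .Alert.Decisions}} - {{.Type}} for {{.Duration}} (scope: {{.Scope}}, value: {{.Value}})
        {{end}}
        {{end}}
      webhook: ${SLACK_WEBHOOK_URL}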