Install with:
helm repo add crowdsec https://crowdsecurity.github.io/helm-charts/
helm install crowdsec crowdsec/crowdsec -f values.yaml
See examples from other people.
| Name | Repo | Stars | Version | Timestamp |
|---|---|---|---|---|
| crowdsec | pascaliske/infrastructure | 73 | 0.24.0 | 14 days ago |
| crowdsec | xunholy/k8s-gitops | 634 | 0.24.0 | a month ago |
See the most popular values for this chart:
| Key | Types |
|---|---|
container_runtime (7) containerd | string |
| boolean | |
| boolean | |
lapi.env[].name (6) DISABLE_ONLINE_API | string |
lapi.env[].value (6) false | string |
| string | |
lapi.env[].valueFrom.secretKeyRef.name (3) crowdsec-secret | string |
| boolean | |
| boolean | |
lapi.dashboard.ingress.host (3) crowdsec.${DOMAIN_0} | string |
| string | |
| string | |
| string | |
| string | |
| string | |
lapi.dashboard.ingress.annotations."traefik.ingress.kubernetes.io/router.middlewares" (2) traefik-chain-basic@kubernetescrd,traefik-bouncer@kubernetescrd,traefik-local@kubernetescrd | string |
| string | |
| string | |
lapi.dashboard.ingress.tls[].hosts[] (1) - crowdsec-dashboard.internal.${SECRET_DOMAIN} | string |
| boolean | |
lapi.persistentVolume.config.accessModes[] (2) - ReadWriteOnce | string |
| string | |
lapi.persistentVolume.config.existingClaim (1) crowdsec-config-pvc | string |
| string | |
| boolean | |
lapi.persistentVolume.data.accessModes[] (2) - ReadWriteOnce | string |
| string | |
lapi.persistentVolume.data.existingClaim (1) crowdsec-db-pvc | string |
| string | |
| boolean | |
lapi.ingress.host (1) crowdsec.internal.${SECRET_DOMAIN} | string |
| string | |
lapi.ingress.tls[].hosts[] (1) - crowdsec.internal.${SECRET_DOMAIN} | string |
| string | |
| string | |
| string | |
| string | |
| string | |
| string | |
lapi.enabled (1) true | boolean |
lapi.extraVolumeMounts[].mountPath (1) /etc/crowdsec_data/notifications/http.yaml | string |
lapi.extraVolumeMounts[].name (1) http-config | string |
| boolean | |
lapi.extraVolumes[].hostPath.path (1) /home/elraro/home-ops/volumes/crowdsec/http.yaml | string |
lapi.extraVolumes[].name (1) http-config | string |
lapi.podSecurityContext.seccompProfile.type (1) RuntimeDefault | string |
| number | |
lapi.service.type (1) ClusterIP | string |
| boolean | |
| boolean | |
| string | |
agent.acquisition[].podName (6) traefik-* | string |
| string | |
| boolean | |
| boolean | |
agent.env[].name (5) PARSERS | string |
agent.env[].value (5) crowdsecurity/cri-logs | string |
| string | |
| string | |
agent.additionalAcquisition[].filenames[] (1) - /nextcloud.log | string |
| string | |
| number | |
agent.enabled (2) false | boolean |
| boolean | |
agent.extraVolumeMounts[].mountPath (1) /nextcloud.log | string |
agent.extraVolumeMounts[].name (1) nextcloud-log | string |
agent.extraVolumeMounts[].readOnly (1) true | boolean |
agent.extraVolumes[].hostPath.path (1) /mnt/sdc1/nextcloud/data/nextcloud.log | string |
agent.extraVolumes[].name (1) nextcloud-log | string |
| boolean | |
| boolean | |
agent.persistentVolume.config.existingClaim (1) crowdsec-agent-config-pvc | string |
agent.podSecurityContext.seccompProfile.type (1) RuntimeDefault | string |
| number | |
agent.ports[].name (1) syslog | string |
| string | |
| string | |
| string | |
| string | |
| string | |
agent.service.loadBalancerClass (1) io.cilium/l2-announcer | string |
agent.service.loadBalancerIP (1) ${crowdsec_syslog_ip} | string |
| string | |
| number | |
| string | |
| number | |
agent.service.type (1) LoadBalancer | string |
agent.tolerations[].effect (1) NoSchedule | string |
agent.tolerations[].key (1) node-role.kubernetes.io/control-plane | string |
| string | |
tls.enabled (4) true | boolean |
| string | |
| boolean | |
| boolean | |
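config."config.yaml.local" (2) db_config:
  type: postgresql
  user: crowdsec
  # Placeholder only: the real password is presumably substituted at
  # deploy time (mechanism not shown here), so no credential is committed.
  password: ${DB_PASSWORD}
  db_name: crowdsec
  host: crowdsec-pg-rw.crowdsec.svc.cluster.local
  port: 5432
  # `require` encrypts the connection but does not verify the server
  # certificate; prefer verify-ca / verify-full where the database CA can
  # be made available to the LAPI pod.
  sslmode: require
api:
  server:
    # A machine that presents the token from an allowed source range is
    # registered with the LAPI without manual validation.
    auto_registration:
      enabled: true
      token: ${REGISTRATION_TOKEN}
      # NOTE(review): loopback plus all three RFC 1918 blocks is broad;
      # narrowing this to the cluster's pod CIDR limits which hosts can
      # self-register if the token is ever exposed.
      allowed_ranges:
        - "127.0.0.1/32"
        - "10.0.0.0/8"
        - "172.16.0.0/12"
        - "192.168.0.0/16"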
| string |
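config."profiles.yaml" (2) # Test-only profile: fires on the hub's http-generic-test scenario so
# we can validate the notification pipeline without triggering a real
# ban. `on_success: continue` keeps the remediation profiles below in
# play. Safe to leave (test scenario only matches a magic path) but
# can be removed once the Discord wiring is confirmed.
name: notify_test
filters:
  - Alert.Scenario == "crowdsecurity/http-generic-test"
# This profile carries no decisions, so it is wired only to the discord
# notifier; the http_alertmanager template on this page indexes
# .Decisions and would not suit a notify-only profile.
notifications:
  - discord
on_success: continue
---
# Bans a single offending IP for four hours and notifies both sinks.
name: default_ip_remediation
filters:
  - Alert.Remediation == true && Alert.GetScope() == "Ip"
decisions:
  - type: ban
    duration: 4h
notifications:
  - http_alertmanager
  - discord
# Stop here so a matched alert is not evaluated by later profiles.
on_success: break
---
# Same remediation as above, applied to alerts whose scope is a range.
name: default_range_remediation
filters:
  - Alert.Remediation == true && Alert.GetScope() == "Range"
decisions:
  - type: ban
    duration: 4h
notifications:
  - http_alertmanager
  - discord
on_success: break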
| string |
config."console.yaml" (1) share_manual_decisions: true
# Every console sharing toggle in this file is enabled, so manual
# decisions and alerts from custom and tainted scenarios are sent to the
# CrowdSec Console when the instance is enrolled.
share_custom: true
share_tainted: true
# NOTE(review): alert context can carry values taken from parsed logs;
# confirm that is acceptable to send off-cluster before enabling.
share_context: true
| string |
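config.notifications."discord.yaml" (1) type: http
name: discord
log_level: info
group_wait: 5s
group_threshold: 1
# Taunts only fire when .Decisions is non-empty (actual remediation,
# not informational alerts like crowdsecurity/http-generic-test).
# Index is seconds-of-minute mod list length: cheap rotation without
# needing a stable random seed across alerts.
#
# NOTE(review): alert fields are interpolated into the JSON body without
# escaping; a value containing a double quote or backslash would yield
# invalid JSON and the notification would presumably be rejected.
# `range` emits one object per alert with no separator, which relies on
# batches of one (group_threshold: 1).
format: |
  {{- $taunts := list
      "L Bozo."
      "I can't let you do that Dave."
      "Skill issue."
      "Press S to Spit"
      "WASTED"
      "L + ratio + IP banned."
      "360 noscoped."
      "Get rekt."
      "Scrape these."
      "Get bezongled"
      "Hasta La Vista, Baby"
      "Yeeted into the void."
      "Thanks for playing. Try again in 4 hours."
      "Sorry, your vulnerable box is in another castle"
      "lmao no"
  -}}
  {{- $idx := mod (now | date "05" | atoi) (len $taunts) -}}
  {{ range . -}}
  {
    "username": "CrowdSec",
    "embeds": [
      {
        "title": "{{ if .Decisions }}Intruder Locked Out{{ else }}CrowdSec alert{{ end }}",
        {{- if .Decisions }}
        "description": "{{ index $taunts $idx }}",
        {{- end }}
        "color": 15158332,
        "fields": [
          {"name": "Scenario", "value": "`{{ .Scenario }}`", "inline": false},
          {"name": "Source", "value": "`{{ .Source.Value }}`", "inline": true},
          {"name": "Scope", "value": "`{{ .Source.Scope }}`", "inline": true},
          {{- if .Decisions }}
          {"name": "Action", "value": "`{{ (index .Decisions 0).Type }}` for `{{ (index .Decisions 0).Duration }}`", "inline": false},
          {"name": "Origin", "value": "`{{ (index .Decisions 0).Origin }}`", "inline": true},
          {{- end }}
          {"name": "Events", "value": "{{ .EventsCount }}", "inline": true}
        ]
      }
    ]
  }
  {{ end }}
# The webhook URL is itself a credential (anyone holding it can post to
# the channel); it is injected through a placeholder rather than written
# here.
url: ${DISCORD_WEBHOOK_URL}
method: POST
headers:
  Content-Type: application/json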
| string |
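config.notifications."http.yaml" (1) type: http
name: http_alertmanager
log_level: info
# The template reads `(index .Decisions 0)` unconditionally, so it assumes
# every alert carries at least one decision; attach it only to profiles
# that define `decisions` (the notify-only test profile on this page does
# not).
# NOTE(review): `last` is called with no argument on the separator line;
# confirm the template renders for a batch of several alerts, because a
# template error would presumably drop the Alertmanager notification.
# Values are also interpolated into JSON strings without escaping.
format: |
  [
  {{ range . -}}
    {
      "labels": {
        "alertname": "CrowdSecDecision",
        "source": "crowdsec",
        "scenario": "{{ (index .Decisions 0).Scenario }}",
        "ip": "{{ (index .Decisions 0).Value }}",
        "scope": "{{ (index .Decisions 0).Scope }}",
        "type": "{{ (index .Decisions 0).Type }}",
        "severity": "warning"
      },
      "annotations": {
        "summary": "{{ .Scenario }} triggered for {{ (index .Decisions 0).Value }}",
        "duration": "{{ (index .Decisions 0).Duration }}"
      }
    }{{ if not (last) }},{{ end }}
  {{ end }}
  ]
# In-cluster Alertmanager v2 alerts endpoint, reached over plain HTTP.
url: http://kube-prometheus-stack-alertmanager.monitoring.svc.cluster.local:9093/api/v2/alerts
method: POST
headers:
  Content-Type: application/json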
| string |
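config.parsers.s01-parse."istio-envoy.yaml" (1) filter: "evt.Parsed.program == 'istio-ingress' && evt.Parsed.message startsWith '{'"
onsuccess: next_stage
name: custom/istio-envoy
description: "Parse Istio ingressgateway JSON access logs"
# evt.Parsed.message is the raw JSON envoy access log line; we can
# JsonExtract directly from it without a grok step. A grok like
# %{DATA:json_log} would *not* work here: DATA is lazy and matches
# zero chars at position 0, leaving json_log empty.
#
# Fields required downstream:
#   meta.service=http and meta.log_type -> http-logs s02 filter
#   parsed.request (path with query) -> http-logs grok -> file_name/static_ressource/http_args
#   parsed.verb, parsed.target_fqdn -> http-* scenario filters and groupby
statics:
  - meta: log_type
    value: http_access-log
  - meta: service
    value: http
  - parsed: program
    value: istio
  # NOTE(review): scenarios group on this value and bans presumably
  # target it. Confirm it is the real client address as a bare IP (no
  # :port suffix) and that the gateway only honours forwarding headers
  # from trusted proxies; otherwise remediation can land on a load
  # balancer or on an address the client chose.
  - meta: source_ip
    expression: 'JsonExtract(evt.Parsed.message, "downstream_remote_address")'
  - meta: http_status
    expression: 'JsonExtract(evt.Parsed.message, "response_code")'
  # path, method, user_agent and authority are request-controlled
  # strings; they are copied as-is into meta/parsed fields.
  - meta: http_path
    expression: 'JsonExtract(evt.Parsed.message, "path")'
  - meta: http_verb
    expression: 'JsonExtract(evt.Parsed.message, "method")'
  - meta: http_user_agent
    expression: 'JsonExtract(evt.Parsed.message, "user_agent")'
  - parsed: verb
    expression: 'JsonExtract(evt.Parsed.message, "method")'
  - parsed: request
    expression: 'JsonExtract(evt.Parsed.message, "path")'
  - parsed: target_fqdn
    expression: 'JsonExtract(evt.Parsed.message, "authority")'
  - parsed: http_user_agent
    expression: 'JsonExtract(evt.Parsed.message, "user_agent")' | string |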
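config.scenarios."http-istio-test.yaml" (1) type: trigger
name: custom/http-istio-test
description: "Custom HTTP test trigger for the Istio acquisition chain"
# Fires on a single request to the fixed test path below. The path is
# not a secret once this file is public, so any client can raise the
# alert; `remediation: false` keeps that from matching the ban profiles
# and `blackhole: 5m` limits repeats per source to one alert per five
# minutes.
filter: |
  evt.Meta.log_type in ["http_access-log", "http_error-log"] and evt.Meta.http_path == "/crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl"
blackhole: 5m
# One bucket per client address as set by the parser's meta.source_ip.
groupby: "evt.Meta.source_ip"
labels:
  confidence: 0
  spoofable: 3
  behavior: "http:test"
  label: "CrowdSec Generic Test Scenario"
  service: http
  remediation: false | string |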
image.pullPolicy (2) IfNotPresent | string |
image.repository (2) ghcr.io/crowdsecurity/crowdsec | string |
image.tag (2) v1.7.8 | string |
appsec.enabled (1) false | boolean |
| boolean | |
reflector.env[].name (1) OPNSENSE_URL | string |
reflector.env[].value (1) https://opnsense.${SECRET_DOMAIN} | string |
reflector.env[].valueFrom.secretKeyRef.key (1) opnsense-api-key | string |
reflector.env[].valueFrom.secretKeyRef.name (1) crowdsec-secret | string |
secrets.externalSecret.csLapiSecretKey (1) csLapiSecret | string |
secrets.externalSecret.name (1) crowdsec-lapi-shared | string |
secrets.externalSecret.registrationTokenKey (1) registrationToken | string |