Install with:
helm repo add crowdsec oci://ghcr.io/crowdsecurity/helm-charts/crowdsec
helm install crowdsec crowdsec/crowdsec -f values.yaml
See examples from other people.
| Name | Repo | Stars | Version | Timestamp |
|---|---|---|---|---|
| crowdsec | ToaHartor/maisonneux | 43 | 0.20.1 | 3 months ago |
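See the most popular values for this chart. Popularity is not a recommendation: exposure-related settings listed below, such as `lapi.service.type: LoadBalancer`, `agent.service.type: LoadBalancer` and `tls.enabled: false`, should be reviewed against your own environment before you copy them: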
| Key | Types |
|---|---|
container_runtime (6) containerd | string |
config."config.yaml.local" (5) api:
server:
auto_registration:
enabled: true
token: ${REGISTRATION_TOKEN}
allowed_ranges:
- 10.42.0.0/16
db_config:
type: postgresql
user: ${DB_USERNAME}
password: ${DB_PASSWORD}
db_name: ${DB_NAME}
host: ${DB_HOST}
port: 5432 | string |
config."profiles.yaml" (3) name: default_ip_remediation
debug: false
filters:
- Alert.Remediation == true && Alert.GetScope() == "Ip"
decisions:
- type: ban
duration: 24h
on_success: break | string |
config."agent_config.yaml.local" (2) api:
client:
unregister_on_exit: true | string |
config."appsec_config.yaml.local" (2) api:
client:
unregister_on_exit: true | string |
config."console.yaml" (2) share_manual_decisions: false
share_custom: true
share_tainted: true
share_context: true
| string |
config.parsers.s01-parse."envoy-logs.yaml" (2) filter: "evt.Parsed.program startsWith 'envoy' && evt.Parsed.message contains ':authority'"
onsuccess: next_stage
name: hydaz/envoy-logs
description: "Parse Envoy access logs to match nginx parser outputs"
statics:
- parsed: json
expression: UnmarshalJSON(evt.Parsed.message, evt.Unmarshaled, "envoy")
- parsed: time_local
expression: evt.Unmarshaled.envoy["start_time"]
- parsed: remote_addr
expression: Split(evt.Unmarshaled.envoy["x-forwarded-for"], ",")[0]
- parsed: verb
expression: evt.Unmarshaled.envoy["method"]
- parsed: request
expression: evt.Unmarshaled.envoy["x-envoy-origin-path"]
- parsed: http_version
expression: TrimPrefix(evt.Unmarshaled.envoy["protocol"], "HTTP/")
- parsed: status
expression: Sprintf('%.0f', evt.Unmarshaled.envoy["response_code"])
- parsed: body_bytes_sent
expression: Sprintf('%.0f', evt.Unmarshaled.envoy["bytes_sent"])
- parsed: http_user_agent
expression: evt.Unmarshaled.envoy["user-agent"]
- parsed: target_fqdn
expression: evt.Unmarshaled.envoy[":authority"]
- meta: service
value: http
- meta: log_type
value: http_access-log
- meta: source_ip
expression: evt.Parsed.remote_addr
- meta: http_status
expression: evt.Parsed.status
- meta: http_path
expression: evt.Parsed.request
- meta: http_verb
expression: evt.Parsed.verb
- meta: http_user_agent
expression: evt.Parsed.http_user_agent
- meta: target_fqdn
expression: evt.Parsed.target_fqdn | string |
config.parsers.s02-enrich."envoy-418-whitelist.yaml" (2) name: hydaz/envoy-418-whitelist
description: "Whitelist 418 responses from the envoy bouncer to prevent processing already banned IPs"
filter: "evt.Meta.service == 'http' && evt.Meta.log_type == 'http_access-log'"
whitelist:
reason: "envoy bouncer response to already banned ips"
expression:
- "evt.Meta.http_status == '418'" | string |
config.parsers.s02-enrich."wordpress-api-whitelist.yaml" (1) name: hydaz/wordpress-api-whitelist
description: "Whitelist legitimate WordPress API calls"
filter: "evt.Meta.service == 'http' && evt.Meta.log_type == 'http_access-log'"
whitelist:
reason: "legitimate wordpress api call"
expression:
- "evt.Meta.http_path contains '/wp-json/wp/v2/posts' && evt.Meta.http_path contains 'context=edit' && evt.Meta.http_status == '200'" | string |
config.notifications."http.yaml" (1) type: http
name: http_victorialogs
log_level: info
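# The JSON Lines format requires every record to be on a single line
# Field reference:
# _msg: message text, _time: timestamp (milliseconds), instance: instance name
# country: country, asname: AS name, asnumber: AS number
# latitude/longitude: coordinates, iprange: IP range
# scenario: scenario, type: type, duration: duration, scope: scope, ip: IP address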
format: |
{{- range $Alert := . -}}
{{- range .Decisions }}
{"_msg":"CrowdSec Decision: {{.Scenario}}","_time":"{{now | unixEpoch}}000","instance":"k8s","country":{{$Alert.Source.Cn | toJson}},"asname":{{$Alert.Source.AsName | toJson}},"asnumber":"{{$Alert.Source.AsNumber}}","latitude":"{{$Alert.Source.Latitude}}","longitude":"{{$Alert.Source.Longitude}}","iprange":{{$Alert.Source.Range | toJson}},"scenario":{{.Scenario | toJson}},"type":{{.Type | toJson}},"duration":{{.Duration | toJson}},"scope":{{.Scope | toJson}},"ip":{{.Value | toJson}}}
{{- end }}
{{- end -}}
url: http://victoria-logs-server.observability.svc.cluster.local:9428/insert/jsonline?_stream_fields=instance,scenario
method: POST
headers:
Content-Type: application/stream+json
| string |
config.notifications."wecom.yaml" (1) type: http
name: http_wecom
log_level: info
format: |
{{- range $Alert := . -}}
{{- range .Decisions }}
{
"msgtype": "markdown",
"markdown": {
"content": "🚨 **CrowdSec 安全告警**\n> **场景**: {{ .Scenario }}\n> **IP**: {{ .Value }}\n> **国家**: {{ $Alert.Source.Cn }}\n> **ASN**: {{ $Alert.Source.AsName }} ({{ $Alert.Source.AsNumber }})\n> **封禁时长**: {{ .Duration }}\n> **类型**: {{ .Type }}"
}
}
{{- end }}
{{- end -}}
url: https://qyapi.weixin.qq.com/cgi-bin/webhook/send?key=${WECOM_BOT_TOKEN}
method: POST
headers:
Content-Type: application/json
| string |
config.postoverflows.s01-whitelist."01-whitelist-home.yaml" (1) name: crowdsec/whitelist-home
description: "Whitelist home IP ranges"
whitelist:
reason: "Home networks"
cidr:
- "10.0.0.0/16"
- "172.16.0.0/12" | string |
lapi.env[].name (5) TZ | string |
lapi.env[].value (4) ${TIMEZONE} | string |
lapi.env[].valueFrom.secretKeyRef.key (2) csLapiSecret | string |
lapi.env[].valueFrom.secretKeyRef.name (2) crowdsec-lapi-secrets | string |
| boolean | |
| boolean | |
| boolean | |
lapi.persistentVolume.config.accessModes[] (1) - ReadWriteOnce | string |
| string | |
| string | |
| string | |
| boolean | |
lapi.persistentVolume.data.accessModes[] (1) - ReadWriteOnce | string |
lapi.persistentVolume.data.existingClaim (1) crowdsec-data | string |
| string | |
lapi.envFrom[].secretRef.name (3) crowdsec-secret | string |
lapi.strategy.type (3) RollingUpdate | string |
| number | |
| string | |
| string | |
| string | |
| string | |
lapi.service.type (2) LoadBalancer | string |
| string | |
| boolean | |
| boolean | |
| string | |
lapi.deployAnnotations."secret.reloader.stakater.com/reload" (1) ${SECRET_KEY_NAME},${APP}-db-creds | string |
lapi.extraInitContainers[].envFrom[].secretRef.name (1) crowdsec-init-db-secret | string |
lapi.extraInitContainers[].image (1) ghcr.io/home-operations/postgres-init:18@sha256:6fa1f331cddd2eb0b6afa7b8d3685c864127a81ab01c3d9400bc3ff5263a51cf | string |
| string | |
lapi.podLabels."app.kubernetes.io/name" (1) crowdsec-lapi | string |
| boolean | |
| string | |
| string | |
| string | |
| boolean | |
agent.env[].name (4) COLLECTIONS | string |
agent.env[].value (4) crowdsecurity/base-http-scenarios crowdsecurity/http-cve | string |
| boolean | |
| boolean | |
| boolean | |
| string | |
| string | |
| number | |
| string | |
agent.hostVarLog (1) false | boolean |
| boolean | |
| boolean | |
| number | |
| string | |
| string | |
| string | |
| string | |
| string | |
| number | |
| string | |
| number | |
agent.service.type (1) LoadBalancer | string |
agent.strategy.type (1) RollingUpdate | string |
| boolean | |
appsec.acquisitions[].appsec_config (2) crowdsecurity/appsec-default | string |
| string | |
appsec.acquisitions[].listen_addr (2) 0.0.0.0:7422 | string |
| string | |
| string | |
appsec.env[].name (2) COLLECTIONS | string |
appsec.env[].value (2) crowdsecurity/appsec-virtual-patching crowdsecurity/appsec-crs crowdsecurity/appsec-generic-rules | string |
appsec.strategy.type (2) RollingUpdate | string |
| boolean | |
| boolean | |
| number | |
| string | |
| string | |
| string | |
appsec.service.type (1) ClusterIP | string |
| string | |
deploymentAnnotations."secret.reloader.stakater.com/reload" (1) ${SECRET_KEY_NAME},${APP}-db-creds | string |
image.pullPolicy (1) IfNotPresent | string |
image.repository (1) ghcr.io/crowdsecurity/crowdsec | string |
image.tag (1) v1.7.6@sha256:63b595fef92de1778573b375897a45dd226637ee9a3d3db9f57ac7355c369493 | string |
| string | |
secrets.externalSecret.csLapiSecretKey (1) CROWDSEC_LAPI_SECRET | string |
secrets.externalSecret.name (1) crowdsec-secret | string |
secrets.externalSecret.registrationTokenKey (1) REGISTRATION_TOKEN | string |
tls.enabled (1) false | boolean |