-
Notifications
You must be signed in to change notification settings - Fork 2
/
Copy pathvalues.yaml
452 lines (412 loc) · 13.5 KB
/
values.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
# Default values for crowdsec-chart.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.
# -- for raw logs format: json or cri (docker|containerd)
crowdsec:
container_runtime: containerd
image:
# -- docker image repository name
repository: crowdsecurity/crowdsec
# -- pullPolicy
pullPolicy: IfNotPresent
# -- pullSecrets
pullSecrets:
[]
# - name: ""
# -- docker image tag
tag: "v1.6.4"
# -- Annotations to be added to pods
podAnnotations: {}
# -- Labels to be added to pods
podLabels: {}
# Here you can specify your own custom configuration to be loaded in crowdsec agent or lapi
# Each config needs to be a multi-line using '|' in YAML specs
# for the agent those configs will be loaded : parsers, scenarios, postoverflows, simulation.yaml
# for the lapi those configs will be loaded : profiles.yaml, notifications, console.yaml
config:
# -- To better understand stages in parsers, you can take a look at https://docs.crowdsec.net/docs/next/parsers/intro/
parsers:
s00-raw: {}
s01-parse:
{}
# example-parser.yaml: |
# filter: "evt.Line.Labels.type == 'myProgram'"
# onsuccess: next_stage
# ....
s02-enrich: {}
# -- to better understand how to write a scenario, you can take a look at https://docs.crowdsec.net/docs/next/scenarios/intro
scenarios:
{}
# myScenario.yaml: |
# type: trigger
# name: myName/MyScenario
# description: "Detect bruteforce on myService"
# filter: "evt.Meta.log_type == 'auth_bf_log'"
# ...
# -- to better understand how to write a postoverflow, you can take a look at (https://docs.crowdsec.net/docs/next/whitelist/create/#whitelist-in-postoverflows)
postoverflows:
s00-enrich:
{}
# rdnsEnricher.yaml: |
# ...
s01-whitelist:
{}
# myRdnsWhitelist.yaml: |
# ...
# -- Simulation configuration (https://docs.crowdsec.net/docs/next/scenarios/simulation/)
simulation.yaml:
""
# |
# simulation: false
# exclusions:
# - crowdsecurity/ssh-bf
console.yaml:
""
# |
# share_manual_decisions: true
# share_tainted: true
# share_custom: true
capi_whitelists.yaml:
""
# |
# ips:
# - 1.2.3.4
# - 2.3.4.5
# cidrs:
# - 1.2.3.0/24
# -- Profiles configuration (https://docs.crowdsec.net/docs/next/profiles/format/#profile-configuration-example)
profiles.yaml: |
name: default_ip_remediation
filters:
- Alert.Remediation == true && Alert.GetScope() == "Ip"
decisions:
- type: ban
duration: 4h
duration_expr: "Sprintf('%dh', (GetDecisionsCount(Alert.GetValue()) + 1) * 4)"
on_success: break
# -- General configuration (https://docs.crowdsec.net/docs/configuration/crowdsec_configuration/#configuration-example)
config.yaml.local:
""
# |
# db_config:
# type: postgresql
# user: crowdsec
# password: ${DB_PASSWORD}
# db_name: crowdsec
# host: 192.168.0.2
# port: 5432
# sslmode: require
# -- notifications configuration (https://docs.crowdsec.net/docs/next/notification_plugins/intro)
notifications:
{}
# email.yaml: |
# type: email
# name: email_default
# One of "trace", "debug", "info", "warn", "error", "off"
# log_level: info
# ...
# slack.yaml: ""
# http.yaml: ""
# splunk.yaml: ""
tls:
enabled: false
caBundle: true
insecureSkipVerify: true
certManager:
enabled: true
# -- Use existing issuer to sign certificates. Leave empty to generate a self-signed issuer
issuerRef:
name: "selfsigned"
kind: "ClusterIssuer"
# -- Add annotations and/or labels to generated secret
secretTemplate:
annotations: {}
labels: {}
# -- duration for Certificate resources
duration: 2160h # 90d
# -- renewBefore for Certificate resources
renewBefore: 720h # 30d
bouncer:
secret: "{{ .Release.Name }}-bouncer-tls"
reflector:
namespaces: []
agent:
tlsClientAuth: true
secret: "{{ .Release.Name }}-agent-tls"
reflector:
namespaces: []
lapi:
secret: "{{ .Release.Name }}-lapi-tls"
# If you want to specify secrets that will be used for all your crowdsec-agents
# secrets can be provided as env variables
secrets:
# -- agent username (default is generated randomly)
username: ""
# -- agent password (default is generated randomly)
password: ""
# lapi will deploy pod with crowdsec lapi and dashboard as deployment
lapi:
# -- replicas for local API
replicas: 1
# -- environment variables from crowdsecurity/crowdsec docker image
env:
- name: ENROLL_INSTANCE_NAME
value: "homelab"
- name: ENROLL_TAGS
value: "k8s linux k0s homelab"
# Allows you to load environment variables from kubernetes secret or config map
envFrom:
- secretRef:
name: lapi-credentials
# - configMapRef:
# name: config-map
# -- Enable ingress lapi object
ingress:
enabled: false
annotations:
# we only want http to the backend so we need this annotation
nginx.ingress.kubernetes.io/backend-protocol: "HTTP"
# labels: {}
ingressClassName: "" # nginx
host: "" # crowdsec-api.example.com
# tls: {}
# -- pod priority class name
priorityClassName: ""
# -- Annotations to be added to lapi deployment
deployAnnotations: {}
# -- Annotations to be added to lapi pods, if global podAnnotations are not set
podAnnotations: {}
# -- Labels to be added to lapi pods, if global podLabels are not set
podLabels: {}
# -- Extra init containers to be added to lapi pods
extraInitContainers: []
# -- Extra volumes to be added to lapi pods
extraVolumes: []
# -- Extra volumeMounts to be added to lapi pods
extraVolumeMounts: []
# -- resources for lapi
resources:
limits:
memory: 500Mi
cpu: 500m
requests:
cpu: 500m
memory: 500Mi
dashboard:
# -- Enable Metabase Dashboard (by default disabled)
enabled: false
# -- Enable persistent volumes
persistentVolume:
# -- Persistent volume for data folder. Stores e.g. registered bouncer api keys
data:
enabled: true
accessModes:
- ReadWriteOnce
storageClassName: ""
existingClaim: ""
size: 1Gi
# -- Persistent volume for config folder. Stores e.g. online api credentials
config:
enabled: true
accessModes:
- ReadWriteOnce
storageClassName: ""
existingClaim: ""
size: 100Mi
service:
type: ClusterIP
labels: {}
annotations: {}
externalIPs: []
loadBalancerIP: null
loadBalancerClass: null
externalTrafficPolicy: Cluster
# -- nodeSelector for lapi
nodeSelector: {}
# -- tolerations for lapi
tolerations: []
# -- dnsConfig for lapi
dnsConfig: {}
# -- affinity for lapi
affinity: {}
# -- topologySpreadConstraints for lapi
topologySpreadConstraints: []
# -- Enable service monitoring (exposes "metrics" port "6060" for Prometheus)
metrics:
enabled: false
# -- Creates a ServiceMonitor so Prometheus will monitor this service
# -- Prometheus needs to be configured to watch on all namespaces for ServiceMonitors
# -- See the documentation: https://github.com/prometheus-community/helm-charts/tree/main/charts/kube-prometheus-stack#prometheusioscrape
# -- See also: https://github.com/prometheus-community/helm-charts/issues/106#issuecomment-700847774
serviceMonitor:
enabled: false
additionalLabels: {}
strategy:
type: Recreate
secrets:
# -- Shared LAPI secret. Will be generated randomly if not specified. Size must be > 64 characters
csLapiSecret: ""
# -- Any extra secrets you may need (for example, external DB password)
extraSecrets:
{}
# dbPassword: randomPass
lifecycle:
{}
# preStop:
# exec:
# command: ["/bin/sh", "-c", "echo Hello from the postStart handler > /usr/share/message"]
# postStart:
# exec:
# command: ["/bin/sh", "-c", "echo Hello from the postStart handler > /usr/share/message"]
# agent will deploy pod on every node as daemonSet to read wanted pods logs
agent:
# -- To add custom acquisitions using available datasources (https://docs.crowdsec.net/docs/next/data_sources/intro)
additionalAcquisition:
[]
# - source: kinesis
# stream_name: my-stream
# labels:
# type: mytype
# - source: syslog
# listen_addr: 127.0.0.1
# listen_port: 4242
# labels:
# type: syslog
acquisition:
# -- Specify each pod you want to process it logs (namespace, podName and program)
- namespace: ingress-nginx
# -- to select pod logs to process
podName: ingress-nginx-controller-*
# -- program name related to specific parser you will use (see https://hub.crowdsec.net/author/crowdsecurity/configurations/docker-logs)
program: nginx
# -- If set to true, will poll the files using os.Stat instead of using inotify
poll_without_inotify: false
# -- pod priority class name
priorityClassName: ""
# -- Annotations to be added to agent daemonset
daemonsetAnnotations: {}
# -- Annotations to be added to agent pods, if global podAnnotations are not set
podAnnotations: {}
# -- Labels to be added to agent pods, if global podLabels are not set
podLabels: {}
# -- Extra init containers to be added to agent pods
extraInitContainers: []
# -- Extra volumes to be added to agent pods
extraVolumes: []
# -- Extra volumeMounts to be added to agent pods
extraVolumeMounts: []
resources:
limits:
memory: 250Mi
cpu: 500m
requests:
cpu: 500m
memory: 250Mi
# -- Enable persistent volumes
persistentVolume:
# -- Persistent volume for config folder. Stores local config (parsers, scenarios etc.)
config:
enabled: false
accessModes:
- ReadWriteOnce
storageClassName: ""
existingClaim: ""
size: 100Mi
# -- Enable hostPath to /var/log
hostVarLog: true
# -- environment variables from crowdsecurity/crowdsec docker image
env:
- name: COLLECTIONS
value: "crowdsecurity/nginx"
# by default we configure the docker-logs parser to be able to parse docker logs in k8s
# by default we disable local API on the agent pod
# - name: SCENARIOS
# value: "scenario/name otherScenario/name"
# - name: PARSERS
# value: "parser/name otherParser/name"
# - name: POSTOVERFLOWS
# value: "postoverflow/name otherPostoverflow/name"
# - name: CONFIG_FILE
# value: "/etc/crowdsec/config.yaml"
# - name: DSN
# value: "file:///var/log/toto.log"
# - name: TYPE
# value: "Labels.type_for_time-machine_mode"
# - name: TEST_MODE
# value: "false"
# - name: TZ
# value: ""
# - name: DISABLE_AGENT
# value: "false"
# - name: DISABLE_ONLINE_API
# value: "false"
# - name: LEVEL_TRACE
# value: "false"
# - name: LEVEL_DEBUG
# value: "false"
# - name: LEVEL_INFO
# value: "false"
# -- nodeSelector for agent
nodeSelector: {}
# -- tolerations for agent
tolerations: []
# -- affinity for agent
affinity: {}
# -- livenessProbe for agent
livenessProbe:
httpGet:
path: /metrics
port: metrics
scheme: HTTP
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 5
failureThreshold: 3
# -- readinessProbe for agent
readinessProbe:
httpGet:
path: /metrics
port: metrics
scheme: HTTP
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 5
failureThreshold: 3
# -- startupProbe for agent
startupProbe:
httpGet:
path: /metrics
port: metrics
scheme: HTTP
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 5
failureThreshold: 30
# -- Enable service monitoring (exposes "metrics" port "6060" for Prometheus)
metrics:
enabled: true
# -- Creates a ServiceMonitor so Prometheus will monitor this service
# -- Prometheus needs to be configured to watch on all namespaces for ServiceMonitors
# -- See the documentation: https://github.com/prometheus-community/helm-charts/tree/main/charts/kube-prometheus-stack#prometheusioscrape
# -- See also: https://github.com/prometheus-community/helm-charts/issues/106#issuecomment-700847774
serviceMonitor:
enabled: false
additionalLabels: {}
service:
type: ClusterIP
labels: {}
annotations: {}
externalIPs: []
loadBalancerIP: null
loadBalancerClass: null
externalTrafficPolicy: Cluster
# -- wait-for-lapi init container
wait_for_lapi:
image:
# -- docker image repository name
repository: busybox
# -- pullPolicy
pullPolicy: IfNotPresent
# -- docker image tag
tag: "1.37"
#service: {}