Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

add appsec in crowdsec chart #189

Open
wants to merge 4 commits into
base: main
Choose a base branch
from
Open
Show file tree
Hide file tree
Changes from 3 commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
112 changes: 112 additions & 0 deletions charts/crowdsec/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -75,6 +75,118 @@ lapi:
key: dbPassword
```

## Setup for AppSec (WAF) with Traefik bouncer as example

Below a basic configuration for AppSec (WAF)

```
# your-values.yaml (option 1)
appsec:
enabled: true
acquisitions:
- source: appsec
listen_addr: "0.0.0.0:7422"
path: /
appsec_config: crowdsecurity/virtual-patching
labels:
type: appsec
env:
- name: COLLECTIONS
value: "crowdsecurity/appsec-virtual-patching"

# This allows the LAPI pod to register and communicate with the appsec pod
he2ss marked this conversation as resolved.
Show resolved Hide resolved
config:
config.yaml.local: |
api:
server:
auto_registration:
enabled: true
token: "${REGISTRATION_TOKEN}"
allowed_ranges:
- "127.0.0.1/32"
- "192.168.0.0/16"
- "10.0.0.0/8"
- "172.16.0.0/12"
```

Or you can also use your own custom configurations and rules for AppSec:

```
# your-values.yaml (option 2)
appsec:
enabled: true
acquisitions:
- source: appsec
listen_addr: "0.0.0.0:7422"
path: /
appsec_config: crowdsecurity/crs-vpatch
labels:
type: appsec
configs:
mycustom-appsec-config.yaml: |
name: crowdsecurity/crs-vpatch
default_remediation: ban
#log_level: debug
outofband_rules:
- crowdsecurity/crs
inband_rules:
- crowdsecurity/base-config
- crowdsecurity/vpatch-*
env:
- name: COLLECTIONS
value: "crowdsecurity/appsec-virtual-patching crowdsecurity/appsec-crs"

# This allows the LAPI pod to register and communicate with the appsec pod
config:
config.yaml.local: |
api:
server:
auto_registration:
enabled: true
token: "${REGISTRATION_TOKEN}"
allowed_ranges:
- "127.0.0.1/32"
- "192.168.0.0/16"
- "10.0.0.0/8"
- "172.16.0.0/12"
```

In the traefik `values.yaml`, you need to add the following configuration:

```
# traefik-values.yaml
experimental:
plugins:
crowdsec-bouncer:
moduleName: github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin
version: v1.3.3
additionalArguments:
- "--entrypoints.web.http.middlewares=<NAMESPACE>-crowdsec-bouncer@kubernetescrd"
- "--entrypoints.websecure.http.middlewares=<NAMESPACE>-crowdsec-bouncer@kubernetescrd"
- "--providers.kubernetescrd"
```

And then, you can apply this middleware to your traefik ingress:

```
# crowdsec-bouncer-middleware.yaml
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: crowdsec-bouncer
namespace: default
spec:
plugin:
crowdsec-bouncer:
enabled: true
crowdsecMode: appsec
crowdsecAppsecEnabled: true
crowdsecAppsecHost: crowdsec-appsec-service:7422
crowdsecLapiScheme: http
crowdsecLapiHost: crowdsec-service:8080
crowdsecLapiKey: "<YOUR_BOUNCER_KEY>"
```

## Values

| Key | Type | Default | Description |
Expand Down
35 changes: 35 additions & 0 deletions charts/crowdsec/ci/crowdsec-values.yaml
Original file line number Diff line number Diff line change
@@ -1,3 +1,15 @@
config:
config.yaml.local: |
api:
server:
auto_registration:
enabled: true
token: "${REGISTRATION_TOKEN}"
allowed_ranges:
- "127.0.0.1/32"
- "192.168.0.0/16"
- "10.0.0.0/8"
- "172.16.0.0/12"
agent:
additionalAcquisition:
- source: file
Expand Down Expand Up @@ -74,3 +86,26 @@ lapi:
share_manual_decisions: true
share_tainted: true
share_custom: true

appsec:
enabled: true
acquisitions:
- source: appsec
listen_addr: "0.0.0.0:7422"
path: /
appsec_config: crowdsecurity/crs-vpatch
labels:
type: appsec
configs:
mycustom-appsec-config.yaml: |
name: crowdsecurity/crs-vpatch
default_remediation: ban
#log_level: debug
outofband_rules:
- crowdsecurity/crs
inband_rules:
- crowdsecurity/base-config
- crowdsecurity/vpatch-*
env:
- name: COLLECTIONS
value: "crowdsecurity/appsec-virtual-patching crowdsecurity/appsec-crs"
5 changes: 5 additions & 0 deletions charts/crowdsec/templates/NOTES.txt
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,11 @@ http://{{ .Values.lapi.ingress.host }}
http://{{ .Release.Name }}-service:8080
{{- end }}

{{- if .Values.appsec.enabled }}
## AppSec URL
http://{{ .Release.Name }}-appsec-service:7422
{{- end }}

{{ if .Values.lapi.dashboard.enabled }}
## Dashboard information

Expand Down
41 changes: 41 additions & 0 deletions charts/crowdsec/templates/appsec-configmap.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,41 @@
# vim: set ft=gotmpl:
---

{{- if .Values.appsec.enabled }}
apiVersion: v1
kind: ConfigMap
metadata:
name: appsec-acquis-config
data:
acquis.yaml: |-
{{- range .Values.appsec.acquisitions }}
---
{{. | toYaml | nindent 4}}
{{- end }}
{{- end }}

---
{{- if .Values.appsec.configs }}
apiVersion: v1
kind: ConfigMap
metadata:
name: "crowdsec-appsec-configs"
data:
{{ range $fileName, $content := .Values.appsec.configs -}}
{{ printf "%s: |" $fileName | indent 2 }}
{{ $content | indent 4 }}
{{ end }}
{{- end }}

---
{{- if .Values.appsec.rules }}
apiVersion: v1
kind: ConfigMap
metadata:
name: "crowdsec-appsec-rules"
data:
{{ range $fileName, $content := .Values.appsec.rules -}}
{{ printf "%s: |" $fileName | indent 2 }}
{{ $content | indent 4 }}
{{ end }}
{{- end }}
Loading
Loading