This project deploys the CrowdSec Firewall Bouncer as a DaemonSet within a Kubernetes cluster. It's designed to dynamically apply IP-based blocking rules based on decisions from a CrowdSec instance, enhancing the security posture of your cluster's nodes.
- Kubernetes cluster
- kubectl configured to communicate with your cluster
- Helm 3 installed
- CrowdSec installed and configured (https://github.com/crowdsecurity/helm-charts/tree/main)
The DaemonSet requires API keys to interact with the CrowdSec service. You must provide these keys in a Kubernetes secret. The keys can be generated with the following command:
```sh
cscli bouncers add worker-1
```

An example apikeys.yaml for your Kubernetes Secret might look like:

```yaml
worker-1: <KEY>
worker-2: <KEY>
...
```

It is important that the bouncer names match the hostnames of the nodes in your Kubernetes cluster. Each pod will look for the API key corresponding to its hostname in the secret.
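Because a node whose hostname has no entry in the secret ends up with a bouncer that cannot authenticate, it is worth checking the file against the cluster's node list before creating the Secret. The POSIX shell script below is an added example, not part of this project: it reports nodes without a key and keys without a node, using constructed sample inputs (in practice you would feed it the output of `kubectl get nodes` and your real apikeys.yaml; it assumes node names equal the hostnames the pods look up).

```sh
#!/bin/sh
# Added example, not the project's own code: compare the node names the
# cluster reports with the bouncer names in apikeys.yaml before creating
# the Secret, so no node is left without a key and no stale key remains.

# Constructed sample inputs. In a real cluster replace SAMPLE_NODES with
#   kubectl get nodes -o jsonpath='{.items[*].metadata.name}' | tr ' ' '\n'
# and SAMPLE_APIKEYS with the contents of your apikeys.yaml.
SAMPLE_NODES="worker-1
worker-2
worker-3"

SAMPLE_APIKEYS="# bouncer name: key generated with 'cscli bouncers add <name>'
worker-1: constructed-key-1
worker-2: constructed-key-2
old-node: constructed-key-3"

# Bouncer names in apikeys.yaml: the text before the first colon on each
# non-comment line, de-duplicated.
apikey_names() {
  printf '%s\n' "$1" | sed -n 's/^\([^#][^:]*\):.*/\1/p' | sort -u
}

# Names in $1 (one per line) that do not occur in $2 (one per line).
names_not_in() {
  printf '%s\n' "$1" | awk -v have="$2" '
    BEGIN { n = split(have, a, "\n"); for (i = 1; i <= n; i++) seen[a[i]] = 1 }
    NF && !($0 in seen)' | sort -u
}

# Nodes whose bouncer pod will find no key in the Secret and fail to authenticate.
missing_keys() { names_not_in "$1" "$(apikey_names "$2")"; }

# Keys whose name matches no node: unused credentials. Revoke them with
# 'cscli bouncers delete <name>' and drop them from the file.
stale_keys() { names_not_in "$(apikey_names "$2")" "$1"; }

# Prints findings for the operator; returns 1 when any node lacks a key.
check_apikeys() {
  missing=$(missing_keys "$1" "$2")
  stale=$(stale_keys "$1" "$2")
  if [ -n "$stale" ]; then
    printf 'stale keys (no matching node):\n%s\n' "$stale" >&2
  fi
  if [ -n "$missing" ]; then
    printf 'nodes without a bouncer key:\n%s\n' "$missing" >&2
    return 1
  fi
  return 0
}

check_apikeys "$SAMPLE_NODES" "$SAMPLE_APIKEYS" || echo "fix apikeys.yaml before creating the Secret"
```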
First, add the crowdsec-firewall-bouncer-daemonset Helm repository:
```sh
helm repo add crowdsec-firewall-bouncer-daemonset https://l3montree-dev.github.io/crowdsec-firewall-bouncer-daemonset
```

Use the helm upgrade --install command to deploy or update the CrowdSec Firewall Bouncer DaemonSet. You'll need to specify the values.yaml file that contains your configuration overrides:

```sh
helm upgrade --install -f values.yaml --namespace crowdsec crowdsec-firewall-bouncer crowdsec-firewall-bouncer-daemonset/crowdsec-firewall-bouncer-daemonset
```

Ensure you've created the crowdsec namespace beforehand or specify a different namespace that exists in your cluster.