Kubernetes Deployment
Before getting started, it is advised to read the introduction page to understand the prerequisites and concepts for running CrowdSec.
Requirements
Helm Repository Installation
Add the CrowdSec helm repository to your Helm installation:
helm repo add crowdsec https://crowdsecurity.github.io/helm-charts
helm repo update
Install Security Engine
Once the helm repository is added, first you need to write your crowdsec-values.yaml file. You can use the following example:
# for raw logs format: json or cri (docker|containerd)
container_runtime: containerd
agent:
# Specify each pod whose logs you want to process
acquisition:
# The namespace where the pod is located
- namespace: traefik
# The pod name
podName: traefik-*
# as in crowdsec configuration, we need to specify the program name to find a matching parser
program: traefik
env:
- name: COLLECTIONS
value: "crowdsecurity/traefik"
lapi:
env:
# To enroll the Security Engine to the console
- name: ENROLL_KEY
value: "<enroll-key>"
- name: ENROLL_INSTANCE_NAME
value: "my-k8s-cluster"
- name: ENROLL_TAGS
value: "k8s linux test"
If you want more information about the configuration, you can check the default values.yaml
Then, you can install the Security Engine with the following command:
# Create a namespace for crowdsec
kubectl create ns crowdsec
# Install the helm chart
helm install crowdsec crowdsec/crowdsec -n crowdsec -f crowdsec-values.yaml
Check the installation status:
kubectl -n crowdsec get pods
NAME READY STATUS RESTARTS AGE
crowdsec-agent-kf9fr 1/1 Running 0 34s
crowdsec-lapi-777c469947-jbk9q 1/1 Running 0 34s
Install Remediation Component
First you need to already have an ingress controller installed in your cluster (we consider that you installed it using helm).
For now, we support:
- Traefik
- Nginx
Before installing the remediation component, you need to generate API key to communicate with the LAPI.
Then, you can install the remediation component with the following command:
Traefik
Traefik expects a resource of "Middleware" type named "bouncer", which we will create now.
Here is bouncer-middleware.yaml:
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: bouncer
namespace: traefik
spec:
plugin:
bouncer:
enabled: true
crowdsecMode: stream
crowdsecLapiScheme: https
crowdsecLapiHost: crowdsec-service.crowdsec:8080
crowdsecLapiKey: mysecretkey12345
You can see all the configuration options in the bouncer documentation.
Now, you can install the remediation component:
kubectl apply -f bouncer-middleware.yaml
Nginx
We need to patch ingress-nginx helm chart to add and enable the crowdsec lua plugin.
You can put this configuration example in a file crowdsec-ingress-nginx.yaml:
controller:
extraVolumes:
- name: crowdsec-bouncer-plugin
emptyDir: {}
extraInitContainers:
- name: init-clone-crowdsec-bouncer
image: crowdsecurity/lua-bouncer-plugin
imagePullPolicy: IfNotPresent
env:
- name: API_URL
value: "http://crowdsec-service.crowdsec.svc.cluster.local:8080"
- name: API_KEY
value: "mysecretkey12345"
- name: BOUNCER_CONFIG
value: "/crowdsec/crowdsec-bouncer.conf"
command: ['sh', '-c', "sh /docker_start.sh; mkdir -p /lua_plugins/crowdsec/; cp -R /crowdsec/* /lua_plugins/crowdsec/"]
volumeMounts:
- name: crowdsec-bouncer-plugin
mountPath: /lua_plugins
extraVolumeMounts:
- name: crowdsec-bouncer-plugin
mountPath: /etc/nginx/lua/plugins/crowdsec
subPath: crowdsec
config:
plugins: "crowdsec"
lua-shared-dicts: "crowdsec_cache: 50m"
Once we have this patch we can upgrade the ingress-nginx chart
helm -n ingress-nginx upgrade -f ingress-nginx-values.yaml -f crowdsec-ingress-bouncer.yaml ingress-nginx ingress-nginx/ingress-nginx
Next Steps?
Great, you now have CrowdSec installed on your system. Within the post installation steps you will find the next steps to configure and optimize your installation.
