Reorganized for new stable/waypoint versioning design.

2026-05-24 18:28:47 +00:00
parent 945d2225a2
commit bc7a168851
352 changed files with 1264 additions and 294 deletions
--- a/crowdsec/versions/v1/README.md
+++ b/crowdsec/versions/v1/README.md
@@ -0,0 +1,118 @@
+# CrowdSec Security Service
+
+CrowdSec is an open-source security engine that analyzes traffic patterns and blocks malicious actors. This service integrates CrowdSec with Traefik to provide automatic threat detection and rate limiting for all Wild Cloud ingresses.
+
+## Components
+
+- **CrowdSec Agent**: Analyzes traffic patterns, maintains decision lists, and connects to the CrowdSec threat intelligence network
+- **Traefik Bouncer**: Integrates with Traefik via ForwardAuth to enforce CrowdSec decisions
+- **Security Middlewares**: Traefik middleware for rate limiting and security headers
+
+## Default Protection
+
+After installation, **all ingresses are automatically protected** with:
+- Threat detection (blocks known malicious IPs and attack patterns)
+- Rate limiting (100 requests per minute per IP)
+- Security headers (HSTS, XSS protection, content-type sniffing prevention)
+
+## Configuration
+
+Configuration is stored in `config.yaml` under `apps.crowdsec`:
+
+```yaml
+apps:
+  crowdsec:
+    rateLimitAverage: "100"
+    rateLimitBurst: "100"
+```
+
+## Secrets
+
+Secrets are stored in `secrets.yaml` under `apps.crowdsec`:
+
+```yaml
+apps:
+  crowdsec:
+    agentPassword: <auto-generated>
+    bouncerApiKey: <auto-generated>
+```
+
+## Opting Out
+
+To disable CrowdSec protection for a specific ingress (e.g., webhooks, health checks):
+
+```yaml
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  annotations:
+    traefik.ingress.kubernetes.io/router.middlewares: ""
+```
+
+## Using Only Rate Limiting
+
+To use rate limiting without threat detection:
+
+```yaml
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  annotations:
+    traefik.ingress.kubernetes.io/router.middlewares: crowdsec-rate-limit@kubernetescrd
+```
+
+## Monitoring
+
+View active decisions (blocked IPs):
+```bash
+kubectl exec -n crowdsec deploy/crowdsec -- cscli decisions list
+```
+
+View registered bouncers:
+```bash
+kubectl exec -n crowdsec deploy/crowdsec -- cscli bouncers list
+```
+
+View alerts:
+```bash
+kubectl exec -n crowdsec deploy/crowdsec -- cscli alerts list
+```
+
+View metrics (Prometheus format):
+```bash
+kubectl port-forward -n crowdsec svc/crowdsec-lapi 6060:6060
+curl http://localhost:6060/metrics
+```
+
+## Threat Intelligence
+
+CrowdSec includes these detection collections:
+- `crowdsecurity/traefik` - Traefik-specific detections
+- `crowdsecurity/http-cve` - Known HTTP CVE exploits
+- `crowdsecurity/whitelist-good-actors` - Whitelist for known good actors (search engines, etc.)
+
+Enabled scenarios:
+- HTTP probing and path traversal detection
+- Bad user agent detection
+- Sensitive file access attempts
+- HTTP crawling detection
+- SSH brute force (if exposed)
+
+## Troubleshooting
+
+**Bouncer not connecting to agent:**
+```bash
+kubectl logs -n crowdsec deploy/traefik-crowdsec-bouncer
+kubectl exec -n crowdsec deploy/crowdsec -- cscli bouncers list
+```
+
+**Check if middleware is applied:**
+```bash
+kubectl get middleware -n crowdsec
+kubectl describe ingressroute -n <app-namespace> <route-name>
+```
+
+**View CrowdSec logs:**
+```bash
+kubectl logs -n crowdsec deploy/crowdsec
+```