Convert all 15 cluster services from embedded API format to wild-directory packages using the unified manifest format:
- metallb, traefik, cert-manager, longhorn, snapshot-controller
- nfs, smtp, coredns, node-feature-discovery, nvidia-device-plugin
- externaldns, docker-registry, headlamp, crowdsec, utils

Changes:
- wild-manifest.yaml → manifest.yaml with is, defaultConfig, requires
- Eliminated configReferences and serviceConfig fields
- Flattened kustomize.template/ to package root
- Template vars use flat defaultConfig keys
- install.sh paths updated for apps/ layout
- Updated 9 app manifests: cloud.smtp.* → apps.smtp.* with requires
- Removed dead install: true field from 6 app manifests

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
# CrowdSec Security Service
CrowdSec is an open-source security engine that analyzes traffic patterns and blocks malicious actors. This service integrates CrowdSec with Traefik to provide automatic threat detection and rate limiting for all Wild Cloud ingresses.
## Components
- CrowdSec Agent: Analyzes traffic patterns, maintains decision lists, and connects to the CrowdSec threat intelligence network
- Traefik Bouncer: Integrates with Traefik via ForwardAuth to enforce CrowdSec decisions
- Security Middlewares: Traefik middleware for rate limiting and security headers
## Default Protection
After installation, all ingresses are automatically protected with:
- Threat detection (blocks known malicious IPs and attack patterns)
- Rate limiting (100 requests per minute per IP)
- Security headers (HSTS, XSS protection, content-type sniffing prevention)
## Configuration

Configuration is stored in `config.yaml` under `apps.crowdsec`:

```yaml
apps:
  crowdsec:
    rateLimitAverage: "100"
    rateLimitBurst: "100"
```
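The two settings above are the parameters of a token bucket, which is how Traefik's RateLimit middleware works: the bucket holds at most `burst` tokens, refills at `average` tokens per period, and every request spends one. The simulation below is an added example, not code from the Wild Cloud project or from Traefik; it takes the period of 60 seconds from the README's description of the defaults as 100 requests per minute per IP, so that period is an assumption, as are the constructed client addresses.

```python
"""Token-bucket model of the rateLimitAverage / rateLimitBurst settings.

Added example (not Wild Cloud or Traefik code). The 60-second period is an
assumption taken from the README's "100 requests per minute per IP".
"""
from collections import defaultdict


class TokenBucket:
    def __init__(self, average: int, burst: int, period: float = 60.0):
        self.average = average      # tokens refilled per period
        self.burst = burst          # bucket capacity
        self.period = period        # seconds (assumed: one minute)
        self.tokens = float(burst)  # a new client starts with a full bucket
        self.last = 0.0

    def allow(self, now: float) -> bool:
        """Refill for the time elapsed since the last request, then spend one token."""
        elapsed = max(0.0, now - self.last)
        self.last = now
        self.tokens = min(float(self.burst),
                          self.tokens + elapsed * self.average / self.period)
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def simulate(timestamps, average=100, burst=100, period=60.0):
    """Return (allowed, rejected) counts for one client's request times in seconds."""
    bucket = TokenBucket(average, burst, period)
    allowed = rejected = 0
    for t in timestamps:
        if bucket.allow(t):
            allowed += 1
        else:
            rejected += 1
    return allowed, rejected


def per_client(requests, average=100, burst=100, period=60.0):
    """One bucket per client IP, matching the README's "per IP" limit.

    requests: iterable of (client_ip, timestamp_seconds) in arrival order.
    Returns {ip: (allowed, rejected)}.
    """
    buckets = {}
    counts = defaultdict(lambda: [0, 0])
    for ip, t in requests:
        bucket = buckets.setdefault(ip, TokenBucket(average, burst, period))
        counts[ip][0 if bucket.allow(t) else 1] += 1
    return {ip: tuple(c) for ip, c in counts.items()}


# Constructed traffic (RFC 5737 documentation addresses): one client fires 150
# requests in the same instant, a second client sends one request per second.
SCANNER = [("203.0.113.7", 0.0)] * 150
STEADY = [("198.51.100.2", float(s)) for s in range(5)]

if __name__ == "__main__":
    for ip, (ok, blocked) in per_client(SCANNER + STEADY).items():
        print(f"{ip}: {ok} allowed, {blocked} rejected")
```

Two things the numbers make visible: a burst of 150 requests at once gets exactly `burst` (100) through and the rest rejected, while a client that stays below the refill rate (100/60 ≈ 1.7 requests per second) is never throttled because the bucket never drains. One full period after the burst the bucket is full again, so a scanner that paces itself to one burst per minute is never blocked by the rate limiter alone; that is the gap the CrowdSec bouncer's decisions are meant to cover.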
## Secrets

Secrets are stored in `secrets.yaml` under `apps.crowdsec`:

```yaml
apps:
  crowdsec:
    agentPassword: <auto-generated>
    bouncerApiKey: <auto-generated>
```
## Opting Out

To disable CrowdSec protection for a specific ingress (e.g., webhooks, health checks):

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    traefik.ingress.kubernetes.io/router.middlewares: ""
```
## Using Only Rate Limiting

To use rate limiting without threat detection:

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    traefik.ingress.kubernetes.io/router.middlewares: crowdsec-rate-limit@kubernetescrd
```
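Because both opt-outs are ordinary annotations, they are easy to add and easy to forget. The script below is an added example, not part of the Wild Cloud project: it takes the JSON that `kubectl get ingress -A -o json` prints and groups every Ingress by whether it relies on the default protection, keeps only the rate limiter, or has opted out entirely. The annotation key and the `crowdsec-rate-limit@kubernetescrd` middleware name are the ones from this README; the sample objects are constructed so the script runs offline.

```python
"""Audit which Ingress objects override the CrowdSec middleware chain.

Added example, not Wild Cloud code. Pipe `kubectl get ingress -A -o json`
into it, or run it without input to see the constructed sample.
"""
import json

ANNOTATION = "traefik.ingress.kubernetes.io/router.middlewares"
RATE_LIMIT_ONLY = "crowdsec-rate-limit@kubernetescrd"


def classify(ingress: dict) -> str:
    """Classify one Ingress as default, rate-limit-only, opted-out or custom."""
    annotations = ingress.get("metadata", {}).get("annotations") or {}
    if ANNOTATION not in annotations:
        return "default"  # no override: the cluster-wide protection applies
    names = [n.strip() for n in annotations[ANNOTATION].split(",") if n.strip()]
    if not names:
        return "opted-out"  # the README's opt-out: an explicit empty middleware list
    if names == [RATE_LIMIT_ONLY]:
        return "rate-limit-only"
    if any(n.startswith("crowdsec-") for n in names):
        return "custom"  # keeps some CrowdSec middleware alongside others; review by hand
    return "opted-out"  # overrides the chain with no CrowdSec middleware at all


def audit(ingress_list: dict) -> dict:
    """Group namespace/name of every Ingress in a kubectl list by protection class."""
    report = {"default": [], "rate-limit-only": [], "opted-out": [], "custom": []}
    for item in ingress_list.get("items", []):
        meta = item.get("metadata", {})
        name = f"{meta.get('namespace', 'default')}/{meta.get('name', '?')}"
        report[classify(item)].append(name)
    return report


def audit_json(text: str) -> dict:
    """Same as audit(), for raw `kubectl get ingress -A -o json` output."""
    return audit(json.loads(text))


# Constructed sample in the shape kubectl returns (only metadata is shown).
SAMPLE = {"items": [
    {"metadata": {"namespace": "blog", "name": "ghost"}},
    {"metadata": {"namespace": "ci", "name": "webhooks",
                  "annotations": {ANNOTATION: ""}}},
    {"metadata": {"namespace": "api", "name": "public-api",
                  "annotations": {ANNOTATION: RATE_LIMIT_ONLY}}},
    {"metadata": {"namespace": "legacy", "name": "old-app",
                  "annotations": {ANNOTATION: "legacy-headers@kubernetescrd"}}},
]}

if __name__ == "__main__":
    import sys
    report = audit(SAMPLE) if sys.stdin.isatty() else audit_json(sys.stdin.read())
    for klass, names in report.items():
        print(f"{klass:16} {', '.join(names) or '-'}")
```

The `legacy/old-app` case is the one worth noticing: an annotation that names some unrelated middleware also replaces the chain, so it is an opt-out even though nobody wrote an empty string. Anything that lands in `opted-out` or `custom` deserves a written justification (a webhook endpoint with its own signature check, for instance) rather than silent acceptance.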
## Monitoring

View active decisions (blocked IPs):

```bash
kubectl exec -n crowdsec deploy/crowdsec -- cscli decisions list
```

View registered bouncers:

```bash
kubectl exec -n crowdsec deploy/crowdsec -- cscli bouncers list
```

View alerts:

```bash
kubectl exec -n crowdsec deploy/crowdsec -- cscli alerts list
```

View metrics (Prometheus format):

```bash
kubectl port-forward -n crowdsec svc/crowdsec-lapi 6060:6060
curl http://localhost:6060/metrics
```
## Threat Intelligence

CrowdSec includes these detection collections:

- crowdsecurity/traefik - Traefik-specific detections
- crowdsecurity/http-cve - Known HTTP CVE exploits
- crowdsecurity/whitelist-good-actors - Whitelist for known good actors (search engines, etc.)
Enabled scenarios:
- HTTP probing and path traversal detection
- Bad user agent detection
- Sensitive file access attempts
- HTTP crawling detection
- SSH brute force (if exposed)
## Troubleshooting

Bouncer not connecting to agent:

```bash
kubectl logs -n crowdsec deploy/traefik-crowdsec-bouncer
kubectl exec -n crowdsec deploy/crowdsec -- cscli bouncers list
```

Check if the middleware is applied:

```bash
kubectl get middleware -n crowdsec
kubectl describe ingressroute -n <app-namespace> <route-name>
```

View CrowdSec logs:

```bash
kubectl logs -n crowdsec deploy/crowdsec
```