dev.cm/k3s
1
0
派生 0
代码 议题 拉取请求 活动
文件
23723c03cf8e8df78838d60df5e876be38416538
k3s/apps/infra/monitor/crowdsec/helmchart.yaml
T

156 行
6.0 KiB
YAML
原始文件 Blame 文件历史

apiVersion: helm.cattle.io/v1
kind: HelmChart
metadata:
name: crowdsec
namespace: infra-monitor
spec:
repo: https://crowdsecurity.github.io/helm-charts
chart: crowdsec
targetNamespace: infra-monitor
version: 0.11.0
valuesContent: |-
container_runtime: containerd
image:
tag: v1.6.1-2
agent:
# 由于dataScope为loki,所以此处强制要求部署在loki所在的节点 以节省网络资源
nodeSelector:
kubernetes.io/hostname: alihka
# 此处无实际作用 只是为了过helmChart的校验
acquisition:
- namespace: infra-net
podName: ingress-nginx-controller-*
program: nginx
poll_without_inotify: true
additionalAcquisition:
- source: loki
log_level: info
url: http://loki.infra-monitor:3100/
limit: 1000
query: |
{job="infra-net/ingress-nginx"}
labels:
type: nginx
env:
- name: COLLECTIONS
value: "crowdsecurity/base-http-scenarios"
- name: SCENARIOS
value: "crowdsecurity/nginx-req-limit-exceeded"
persistentVolume:
config:
enabled: false
lapi:
affinity:
nodeAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- preference:
matchExpressions:
- key: topology.kubernetes.io/region
operator: In
values:
- cn-hk
weight: 1
resources:
limits:
memory: 200Mi
requests:
cpu: 150m
memory: 100Mi
persistentVolume:
config:
enabled: false
data:
enabled: false
config:
config.yaml.local: |
db_config:
type: postgresql
host: cnpg-cluster-hk-rw.infra-data
port: 5432
db_name: crowdsec
user: app
password: nyrHzh9WWlDZzvVw7bDFo74gKb9zsls0Sy7OwRTDWiRTNPQQQkW85taUFAoX2AIC
sslmode: require
parsers:
s01-parse:
# 新增nginx json日志解析
nginx-logs.yaml: |
filter: "evt.Parsed.program startsWith 'nginx'"
onsuccess: next_stage
name: crowdsecurity/nginx-logs
description: "Parse nginx access and error logs"
pattern_syntax:
NGCUSTOMURIPATH: "(?:/[A-Za-z0-9$.+!*'\\(\\)\\{\\},~:;=@\\#%&_\\-]*)+"
NGCUSTOMURIPATHPARAM: '%{NGCUSTOMURIPATH}(?:%{URIPARAM})?'
nodes:
# nginx access logs
- filter: TrimSpace(evt.Parsed.message) startsWith "{" && UnmarshalJSON(evt.Parsed.message, evt.Unmarshaled, "nginx") in ["", nil]
statics:
- meta: log_type
value: http_access-log
- target: evt.StrTime
expression: evt.Parsed.time
- meta: service
value: http
- meta: source_ip
expression: evt.Unmarshaled.nginx.remote_addr
- meta: http_status
expression: evt.Unmarshaled.nginx.status
- meta: http_path
expression: evt.Unmarshaled.nginx.request
- meta: http_user_agent
expression: evt.Unmarshaled.nginx.http_user_agent
# nginx error logs
- grok:
pattern: '(%{IPORHOST:target_fqdn} )?%{NGINXERRTIME:time} \[%{LOGLEVEL:loglevel}\] %{NONNEGINT:pid}#%{NONNEGINT:tid}: (\*%{NONNEGINT:cid} )?%{GREEDYDATA:message}, client: %{IPORHOST:remote_addr}, server: %{DATA:target_fqdn}, request: "%{WORD:verb} ([^/]+)?%{NGCUSTOMURIPATHPARAM:request}( HTTP/%{NUMBER:http_version})?", host: "%{IPORHOST}(:%{NONNEGINT})?"'
apply_on: message
statics:
- meta: log_type
value: http_error-log
- target: evt.StrTime
expression: evt.Parsed.time
- meta: service
value: http
- meta: source_ip
expression: "evt.Parsed.remote_addr"
- meta: http_status
expression: "evt.Parsed.status"
- meta: http_path
expression: "evt.Parsed.request"
- meta: http_user_agent
expression: "evt.Parsed.http_user_agent"
- meta: target_fqdn
expression: "evt.Parsed.target_fqdn"
pattern_syntax:
NO_DOUBLE_QUOTE: '[^"]+'
onsuccess: next_stage
nodes:
- filter: "evt.Parsed.message contains 'was not found in'"
pattern_syntax:
USER_NOT_FOUND: 'user "%{NO_DOUBLE_QUOTE:username}" was not found in "%{NO_DOUBLE_QUOTE}"'
grok:
pattern: '%{USER_NOT_FOUND}'
apply_on: message
statics:
- meta: sub_type
value: "auth_fail"
- meta: username
expression: evt.Parsed.username
- filter: "evt.Parsed.message contains 'password mismatch'"
pattern_syntax:
PASSWORD_MISMATCH: 'user "%{NO_DOUBLE_QUOTE:username}": password mismatch'
grok:
pattern: '%{PASSWORD_MISMATCH}'
apply_on: message
statics:
- meta: sub_type
value: "auth_fail"
- meta: username
expression: evt.Parsed.username
- filter: "evt.Parsed.message contains 'limiting requests, excess'"
statics:
- meta: sub_type
value: "req_limit_exceeded"
在新议题中引用 查看 Git Blame 复制永久链接