确保 CrowdSec 获取正确的 client IP
ingress 配置
主要需要启用 externalTrafficPolicy: Local（保留客户端源 IP，不做 SNAT），最好同时将 controller 改为 DaemonSet：Local 模式只会把流量转发给本节点上的 controller pod，DaemonSet 保证每个承载 LoadBalancer IP 的节点都有本地实例。
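---
# Edge ingress-nginx controller. The two settings that matter for client-IP
# preservation are controller.kind and controller.service.externalTrafficPolicy.
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: ingress-nginx-controller-edge
  namespace: ingress-nginx
spec:
  chart:
    spec:
      chart: ingress-nginx
      sourceRef:
        kind: HelmRepository
        name: ingress-nginx
      version: 4.13.3
  interval: 1m0s
  values:
    controller:
      # DaemonSet: one controller pod on every node. With
      # externalTrafficPolicy: Local, kube-proxy only delivers to pods on the
      # node that received the packet, so each node announcing the VIP must
      # have a local endpoint or traffic to it is dropped.
      kind: DaemonSet
      service:
        annotations:
          # Pinned MetalLB VIP (quoted: annotation values must be strings).
          # NOTE(review): newer MetalLB releases document this key under the
          # metallb.io/ prefix — confirm which key your MetalLB version honors.
          metallb.universe.tf/loadBalancerIPs: "172.16.123.108"
        # Local preserves the client's source address instead of SNATing it to
        # the node IP; this is what lets CrowdSec see the real client IP.
        externalTrafficPolicy: Local
      # NOTE(review): whatever X-Forwarded-For value this controller passes on
      # is what CrowdSec's LAPI will treat as the client address. If nothing
      # sits in front of this controller, keep the ConfigMap key
      # use-forwarded-headers at its default (false) so incoming
      # X-Forwarded-For from clients is replaced with the TCP peer address;
      # if there is an upstream proxy, restrict trust with proxy-real-ip-cidr.
      # Confirm against the ingress-nginx docs for chart 4.13.3.
      ingressClassResource:
        name: nginx-edge
        controllerValue: k8s.io/ingress-nginx-edge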
CrowdSec 配置
确保配置 use_forwarded_for_headers: true、trusted_proxies，以及 ingress 的 forwarded-for-header。注意 trusted_proxies 应尽量只覆盖 ingress-nginx pod 所在的网段：该网段内的任何 pod 都可以直接访问 LAPI 并伪造 X-Forwarded-For，LAPI 会把伪造的值当作客户端 IP。
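---
# CrowdSec Helm release. Only the LAPI ingress and the client-IP related
# server settings are shown; unrelated values are elided with "# ...".
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: crowdsec
spec:
  chart:
    spec:
      chart: crowdsec
      sourceRef:
        kind: HelmRepository
        name: crowdsec
      version: 0.20.1
  interval: 1h11m0s
  install:
    remediation:
      retries: 3
    timeout: 1h0m0s
  upgrade:
    remediation:
      retries: 3
    timeout: 1h0m0s
  values:
    # ...
    lapi:
      # ...
      # Exposes the Local API through the edge ingress class defined above.
      ingress:
        enabled: true
        ingressClassName: nginx-edge
        annotations:
          cert-manager.io/cluster-issuer: letsencrypt-prod
          cert-manager.io/private-key-algorithm: ECDSA
          # P-384 key for the issued certificate (quoted: annotation values are strings).
          cert-manager.io/private-key-size: '384'
          # NOTE(review): ingress-nginx documents forwarded-for-header and
          # use-forwarded-headers as controller ConfigMap keys rather than
          # per-Ingress annotations — confirm these two annotations are
          # actually honored by chart 4.13.3, or move the setting into the
          # controller's config.
          nginx.ingress.kubernetes.io/forwarded-for-header: "X-Forwarded-For"
          nginx.ingress.kubernetes.io/real-ip-header: "X-Forwarded-For"
          nginx.ingress.kubernetes.io/ssl-redirect: "true"
          nginx.ingress.kubernetes.io/backend-protocol: "HTTP"
      config:
        # Merged into the LAPI's config.yaml by the chart (literal block: the
        # content below is CrowdSec config, not Helm values).
        config.yaml.local: |
          # ...
          api:
            server:
              auto_registration: # Activate if not using TLS for authentication
                enabled: true
                # Shared registration secret; expanded by the chart, so leave
                # the placeholder as-is. Anyone holding this token from an
                # allowed range can register an agent.
                token: "${REGISTRATION_TOKEN}" # /!\ do not change
                # /!\ adapt to the pod IP ranges used by your cluster.
                # With use_forwarded_for_headers enabled, the address checked
                # against these ranges is the X-Forwarded-For value whenever
                # the TCP peer is in trusted_proxies — so a client whose
                # forged X-Forwarded-For reaches the LAPI unfiltered would
                # pass this check. Narrow these to the real agent subnets.
                allowed_ranges:
                  - "127.0.0.1/32"
                  - "192.168.0.0/16"
                  - "10.0.0.0/8"
                  - "172.16.0.0/12"
              # Trust X-Forwarded-For from the proxies listed below so alerts
              # and registration checks use the real client IP, not the
              # ingress pod IP.
              use_forwarded_for_headers: true
              # CIDR for ingress nginx pods.
              # NOTE(review): these look like whole pod CIDRs, not just the
              # ingress-nginx pods. Every pod in them can reach the LAPI
              # service directly and set an arbitrary X-Forwarded-For that
              # will be accepted as the client address; prefer the narrowest
              # range that covers only the ingress controller pods.
              trusted_proxies:
                - "10.244.0.0/16"
                - "10.245.0.0/16"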