diff --git a/crowdsec-docs/docs/log_processor/data_sources/introduction.md b/crowdsec-docs/docs/log_processor/data_sources/introduction.md index 25aff98c5..c8decdec0 100644 --- a/crowdsec-docs/docs/log_processor/data_sources/introduction.md +++ b/crowdsec-docs/docs/log_processor/data_sources/introduction.md @@ -26,6 +26,7 @@ Name | Type | Stream | One-shot [HTTP](/log_processor/data_sources/http.md) | read logs from an HTTP endpoint | yes | no [journald](/log_processor/data_sources/journald.md) | journald via filter | yes | yes [Kafka](/log_processor/data_sources/kafka.md)| read logs from kafka topic | yes | no +[Kubernetes](/log_processor/data_sources/kubernetes.md) | stream container logs from pods selected by labels | yes | no [Kubernetes Audit](/log_processor/data_sources/kubernetes_audit.md) | expose a webhook to receive audit logs from a Kubernetes cluster | yes | no [Loki](/log_processor/data_sources/loki.md) | read logs from loki | yes | yes [VictoriaLogs](/log_processor/data_sources/victorialogs.md) | read logs from VictoriaLogs | yes | yes diff --git a/crowdsec-docs/docs/log_processor/data_sources/kubernetes.md b/crowdsec-docs/docs/log_processor/data_sources/kubernetes.md new file mode 100644 index 000000000..66230e553 --- /dev/null +++ b/crowdsec-docs/docs/log_processor/data_sources/kubernetes.md 
@@ -0,0 +1,70 @@ +--- +id: kubernetes +title: Kubernetes +--- + +This module allows the `Security Engine` to stream container logs from pods running in a Kubernetes cluster via the Kubernetes API. It only operates in streaming (`tail`) mode: when a pod matching the selector starts or restarts, the datasource follows every container's stdout/stderr until the pod disappears. CrowdSec always attempts to authenticate using the in-cluster service-account first (leveraging `rest.InClusterConfig`) and **only if that fails** will it fall back to kubeconfig/explicit overrides. + +## Configuration example + +### Running inside the cluster + +```yaml +source: kubernetes +namespace: crowdsec +selector: "app=crowdsec-agent" +labels: + type: crowdsec +``` + +### Using a kubeconfig file + +```yaml +source: kubernetes +namespace: ingress-nginx +selector: "app.kubernetes.io/name=ingress-nginx" +kube_config: /etc/rancher/k3s/k3s.yaml +kube_context: production +labels: + type: nginx +``` + +Look at the `configuration parameters` to view all supported options. + +## Parameters + +### `selector` + +Label selector applied to pods in the target namespace. Supports the standard Kubernetes selector syntax (for example `app=caddy`, `component in (frontend,backend)` or `app!=nginx`); see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors) for the full grammar. This field is mandatory and prevents the datasource from tailling every pod in the namespace. + +### `namespace` + +Namespace that contains the pods you want to follow. Defaults to `default`. Define multiple datasource entries if you need to cover several namespaces. + +### `kube_config` + +Path to a kubeconfig file to use when the agent runs outside the cluster. Defaults to `~/.kube/config`. The datasource always tries to use the in-cluster service-account first and only reads the kubeconfig file when in-cluster credentials are not available. 
+ +### `kube_context` + +Optional name of the kubeconfig context to load (falls back to the kubeconfig current-context when omitted). Only used together with `kube_config`. + +### `labels` + +Labels attached to the emitted events. As with other datasources, the `type` label is required so that CrowdSec can pick the matching parser/collection. + +### `source` + +Must be `kubernetes`. + +### `mode` + +Only the `tail` mode is supported. + +:::note +The CrowdSec service account (or user provided in the kubeconfig) must be allowed to `list`, `watch` and `get` pods as well as `get` pod logs (`pods/log`) in each namespace you configure. +::: + +## DSN and command-line + +This datasource does not support acquisition from the command line. diff --git a/crowdsec-docs/sidebars.ts b/crowdsec-docs/sidebars.ts index 104d0a5fd..9b5e21bd8 100644 --- a/crowdsec-docs/sidebars.ts +++ b/crowdsec-docs/sidebars.ts @@ -46,6 +46,7 @@ const sidebarsConfig: SidebarConfig = { "log_processor/data_sources/http", "log_processor/data_sources/journald", "log_processor/data_sources/kafka", + "log_processor/data_sources/kubernetes", "log_processor/data_sources/kubernetes_audit", "log_processor/data_sources/loki", "log_processor/data_sources/victorialogs",
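Review bot: In kubernetes.md, the `:::note` on permissions names the verbs (`list`, `watch` and `get` on pods, `get` on `pods/log`) but not the kind of object that should grant them. Since `namespace` is set per datasource entry and the note itself says "in each namespace you configure", consider stating that a namespaced Role and RoleBinding in each configured namespace is sufficient, so that readers do not reach for a cluster-wide grant by default. Two smaller points in the same file: "tailling" in the `selector` section should be "tailing", and "Look at the `configuration parameters`" would work better as a link to the `## Parameters` heading than as code-formatted text.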