eblume/blumeops
1
1
Fork 0
Code Issues Pull requests Projects Releases 83 Packages Wiki Activity Actions
blumeops/docs/changelog.d/prowler-iac-mutelist.infra.md

1 line
612 B
Markdown
Raw Normal View History

Address critical Prowler IaC findings via mute + RBAC tightening Six critical IaC findings against argocd/manifests/ broke into two patterns: legitimate-by-design RBAC (mute) and over-broad RBAC (fix). Plumbing: - cronjob-iac-scan.yaml now passes --mutelist-file (previously unused, which is why all IaC findings reported as unmuted) - new mutelist/iac.yaml is bundled into the prowler-mutelist ConfigMap and mounted into the IaC cronjob via items: selector Compensating controls (in compensating-controls.yaml): - operator-purpose-bound-rbac — external-secrets-operator's whole function is to manage Secret objects; ClusterRole over secrets matches its purpose. cert-controller mutates its own validating webhooks to inject a rotating CA bundle. - kube-state-metrics-metadata-only — KSM exposes only Secret metadata via kube_secret_info / kube_secret_labels; the data field is never read into exposed metrics. Mutes (mutelist/iac.yaml): - KSV-0041 for external-secrets/rbac.yaml, kube-state-metrics/rbac.yaml, kube-state-metrics-ringtail/rbac.yaml - KSV-0114 for external-secrets/rbac.yaml Real fix: - grafana-clusterrole no longer reads secrets. The dashboard sidecar (RESOURCE=both → configmap, both init and watch instances) only needs ConfigMap-labeled dashboards; no Secrets are labeled grafana_dashboard. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-27 12:48:54 -07:00
Address the 6 critical Prowler IaC findings against `argocd/manifests/`. The IaC cronjob now passes `--mutelist-file` (previously unused), fed from a new `mutelist/iac.yaml`. Two new compensating controls — `operator-purpose-bound-rbac` and `kube-state-metrics-metadata-only` — justify muting the `external-secrets` and `kube-state-metrics` Secret-access findings (KSV-0041, KSV-0114). Separately, `grafana-clusterrole` is tightened to remove `secrets` access entirely: the dashboard sidecar already only consumes ConfigMap-labeled dashboards, so its `RESOURCE` env var is now `configmap` instead of `both`.
Reference in a new issue Copy permalink