Add Prowler mutelist and fix kube-state-metrics seccomp (#319)
## Summary
- Add mutelist files to suppress expected/accepted Prowler CIS findings from components we don't control
- Mutelist files stored in `mutelist/` directory, grouped by category, merged at runtime via initContainer
- Fix missing seccomp `RuntimeDefault` profile on kube-state-metrics deployment
### Mutelist categories
| File | Checks | Covers |
|------|--------|--------|
| `apiserver.yaml` | 12 | Minikube apiserver flags |
| `control-plane.yaml` | 3 | Scheduler, controller-manager, kubelet |
| `core-pod-security.yaml` | 7 | System pods, Tailscale operator, Grafana init, Prowler hostPID, forgejo-runner |
| `rbac.yaml` | 3 | Built-in K8s roles, ArgoCD, CNPG |
Muted findings appear as `status=MUTED` in reports (not hidden), preserving audit trail.
### Not muted (follow-up)
- Alloy, Immich pods missing seccomp — need separate investigation (Helm/operator-managed)
## Test plan
- [ ] `kubectl kustomize argocd/manifests/prowler/` renders cleanly
- [ ] Trigger manual scan: `kubectl --context=minikube-indri -n prowler create job prowler-mutelist-test --from=cronjob/prowler`
- [ ] Verify initContainer merges successfully (check pod logs)
- [ ] Verify muted findings show as `MUTED` in report
- [ ] Sync kube-state-metrics and verify pod starts with seccomp profile
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Reviewed-on: https://forge.eblu.me/eblume/blumeops/pulls/319
2026-03-30 17:22:31 -07:00
2026-05-22 21:08:53 -07:00

```yaml
# Minikube apiserver — flags managed by static pod manifests.
Mutelist:
  Accounts:
    "*":
      Checks:
        "apiserver_always_pull_images_plugin":
          Regions: ["*"]
          Resources: ["^kube-apiserver-minikube$"]
          Description: "Only the operator has cluster access; all images pulled from private zot registry."
        "apiserver_audit_log_maxage_set":
          Regions: ["*"]
          Resources: ["^kube-apiserver-minikube$"]
          Description: "Alloy/Loki provides pod-level audit trail."
        "apiserver_audit_log_maxbackup_set":
          Regions: ["*"]
          Resources: ["^kube-apiserver-minikube$"]
          Description: "Alloy/Loki provides pod-level audit trail."
        "apiserver_audit_log_maxsize_set":
          Regions: ["*"]
          Resources: ["^kube-apiserver-minikube$"]
          Description: "Alloy/Loki provides pod-level audit trail."
        "apiserver_audit_log_path_set":
          Regions: ["*"]
          Resources: ["^kube-apiserver-minikube$"]
          Description: "Alloy/Loki provides pod-level audit trail."
        "apiserver_deny_service_external_ips":
          Regions: ["*"]
          Resources: ["^kube-apiserver-minikube$"]
          Description: "No external IPs routable; cluster only reachable via tailnet."
        "apiserver_disable_profiling":
          Regions: ["*"]
          Resources: ["^kube-apiserver-minikube$"]
          Description: "Profiling endpoint unreachable from public internet."
        "apiserver_encryption_provider_config_set":
          Regions: ["*"]
          Resources: ["^kube-apiserver-minikube$"]
          Description: "Etcd not network-exposed; only operator has node access."
        "apiserver_kubelet_cert_auth":
          Regions: ["*"]
          Resources: ["^kube-apiserver-minikube$"]
          Description: "Kubelet API not exposed outside the node; minikube auto-generates certificates."
        "apiserver_request_timeout_set":
          Regions: ["*"]
          Resources: ["^kube-apiserver-minikube$"]
          Description: "API server only reachable via tailnet; DoS risk limited to trusted clients."
        "apiserver_service_account_lookup_true":
          Regions: ["*"]
          Resources: ["^kube-apiserver-minikube$"]
          Description: "Only operator manages service accounts; no revoked tokens in circulation."
        "apiserver_strong_ciphers_only":
          Regions: ["*"]
          Resources: ["^kube-apiserver-minikube$"]
          Description: "API server traffic encrypted by WireGuard at the network layer."
```
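The PR merges the per-category files under `mutelist/` at runtime and relies on `Description` as the audit rationale for each accepted finding. The script below is an added example of that merge step with the review checks a maintainer would want on top: it is not the repository's initContainer, it assumes the Prowler mutelist layout shown in `apiserver.yaml` (`Mutelist` → `Accounts` → `"*"` → `Checks` → check id → `Regions`/`Resources`/`Description`) and PyYAML for file I/O, and the `rbac_hypothetical_check` entry is a constructed, deliberately sloppy sample rather than a real Prowler check.

```python
import re

# Constructed sample documents, shaped as PyYAML would load two category files.
APISERVER_DOC = {"Mutelist": {"Accounts": {"*": {"Checks": {
    "apiserver_disable_profiling": {
        "Regions": ["*"],
        "Resources": ["^kube-apiserver-minikube$"],
        "Description": "Profiling endpoint unreachable from public internet.",
    }}}}}}
RBAC_DOC = {"Mutelist": {"Accounts": {"*": {"Checks": {
    "rbac_hypothetical_check": {  # hypothetical check id, deliberately sloppy
        "Regions": ["*"],
        "Resources": ["^system:(", "*"],  # broken regex plus an unscoped wildcard
        "Description": "",
    }}}}}}


def validate_entry(check_id, entry):
    """Review problems for one Checks entry (empty list = acceptable). Muted findings
    still show as status=MUTED, so Description is the rationale a reviewer reads, and
    Resources should be anchored to the accepted object, not mute the check everywhere."""
    problems = []
    for key in ("Regions", "Resources", "Description"):
        if key not in entry:
            problems.append(f"{check_id}: missing {key}")
    if not str(entry.get("Description", "")).strip():
        problems.append(f"{check_id}: empty Description, no audit rationale")
    for pattern in entry.get("Resources", []):
        if pattern == "*":
            problems.append(f"{check_id}: Resources '*' mutes the check on every resource")
            continue
        try:
            re.compile(pattern)
        except re.error as exc:
            problems.append(f"{check_id}: invalid Resources regex {pattern!r}: {exc}")
    return problems


def merge_mutelists(docs):
    """Deep-merge Accounts/Checks across files. A check id present in two files is an
    error rather than a silent overwrite, so one file cannot widen another's mute."""
    merged = {"Mutelist": {"Accounts": {}}}
    accounts = merged["Mutelist"]["Accounts"]
    for doc in docs:
        for account, body in doc["Mutelist"]["Accounts"].items():
            target = accounts.setdefault(account, {"Checks": {}})["Checks"]
            for check_id, entry in body.get("Checks", {}).items():
                if check_id in target:
                    raise ValueError(f"duplicate mutelist entry {check_id} for account {account}")
                target[check_id] = dict(entry)
    return merged


def merge_and_validate(docs):
    # Merge first, then validate every entry; returns (merged_doc, problems).
    merged = merge_mutelists(docs)
    problems = []
    for body in merged["Mutelist"]["Accounts"].values():
        for check_id, entry in body["Checks"].items():
            problems.extend(validate_entry(check_id, entry))
    return merged, problems


if __name__ == "__main__":  # initContainer-style run over the real files (needs PyYAML)
    import glob, sys, yaml
    docs = [yaml.safe_load(open(p)) for p in sorted(glob.glob("mutelist/*.yaml"))]
    merged, problems = merge_and_validate(docs)
    for problem in problems:
        print("WARN", problem, file=sys.stderr)
    yaml.safe_dump(merged, sys.stdout, sort_keys=True)
```

Run from the repository root it writes the merged mutelist to stdout and the review problems to stderr, so an initContainer can fail the scan on a non-empty problem list instead of shipping an unexplained or over-broad mute.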