blumeops/argocd/manifests/prowler/mutelist/rbac.yaml

# RBAC checks — built-in Kubernetes roles and operator roles that require
# broad permissions by design.
Mutelist:
  Accounts:
    "*":
      Checks:
        "rbac_minimize_wildcard_use_roles":
          Regions: ["*"]
          Resources:
            # Built-in Kubernetes roles
            - "^cluster-admin$"
            - "^system:"
            # ArgoCD
            - "^argocd-"
          Description: >-
            Built-in K8s roles: only operator can bind them. ArgoCD:
            requires broad access but is SSO-gated via Authentik OIDC.
        "rbac_minimize_pod_creation_access":
          Regions: ["*"]
          Resources:
            # Built-in Kubernetes roles
            - "^admin$"
            - "^edit$"
            - "^system:"
            # CloudNativePG operator
            - "^cnpg-manager$"
          Description: >-
            Built-in K8s roles and CNPG operator. Only the operator can
            assign these roles; no untrusted users have cluster access.
        "rbac_minimize_service_account_token_creation":
          Regions: ["*"]
          Resources:
            - "^system:"
          Description: >-
            kube-controller-manager requires token creation for SA
            management. Only operator manages service accounts.
Add Prowler mutelist and fix kube-state-metrics seccomp (#319) ## Summary - Add mutelist files to suppress expected/accepted Prowler CIS findings from components we don't control - Mutelist files stored in `mutelist/` directory, grouped by category, merged at runtime via initContainer - Fix missing seccomp `RuntimeDefault` profile on kube-state-metrics deployment ### Mutelist categories \| File \| Checks \| Covers \| \|------\|--------\|--------\| \| `apiserver.yaml` \| 12 \| Minikube apiserver flags \| \| `control-plane.yaml` \| 3 \| Scheduler, controller-manager, kubelet \| \| `core-pod-security.yaml` \| 7 \| System pods, Tailscale operator, Grafana init, Prowler hostPID, forgejo-runner \| \| `rbac.yaml` \| 3 \| Built-in K8s roles, ArgoCD, CNPG \| Muted findings appear as `status=MUTED` in reports (not hidden), preserving audit trail. ### Not muted (follow-up) - Alloy, Immich pods missing seccomp — need separate investigation (Helm/operator-managed) ## Test plan - [ ] `kubectl kustomize argocd/manifests/prowler/` renders cleanly - [ ] Trigger manual scan: `kubectl --context=minikube-indri -n prowler create job prowler-mutelist-test --from=cronjob/prowler` - [ ] Verify initContainer merges successfully (check pod logs) - [ ] Verify muted findings show as `MUTED` in report - [ ] Sync kube-state-metrics and verify pod starts with seccomp profile 🤖 Generated with [Claude Code](https://claude.com/claude-code) Reviewed-on: https://forge.eblu.me/eblume/blumeops/pulls/319 2026-03-30 17:22:31 -07:00			`# RBAC checks — built-in Kubernetes roles and operator roles that require`
			`# broad permissions by design.`
			`Mutelist:`
			`Accounts:`
			`"*":`
			`Checks:`
			`"rbac_minimize_wildcard_use_roles":`
			`Regions: ["*"]`
			`Resources:`
			`# Built-in Kubernetes roles`
			`- "^cluster-admin$"`
			`- "^system:"`
Add compensating controls framework and date-based report dirs (#320) ## Summary - Add `compensating-controls.yaml` tracking 9 named controls that justify suppressed security findings - Update all Prowler mutelist descriptions with `CC: <id>` references to named controls - Add `mise run review-compensating-controls` task — surfaces stalest control with all codebase references - Add [[review-compensating-controls]] how-to doc - Organize Prowler and Kingfisher reports into `YYYY-MM-DD` subdirectories ### Compensating controls \| ID \| Mitigates \| \|----\|-----------\| \| `single-user-cluster` \| Image cache abuse, RBAC breadth, system pod privileges \| \| `tailscale-network-isolation` \| Profiling endpoints, weak TLS, debug ports \| \| `local-registry` \| AlwaysPullImages gap \| \| `sso-gated-admin-tools` \| ArgoCD wildcard RBAC \| \| `operator-managed-pods` \| Tailscale proxy pod security settings \| \| `ephemeral-privileged-jobs` \| Prowler hostPID exposure \| \| `trusted-ci-only` \| Forgejo runner DinD \| \| `init-container-isolation` \| Grafana root init container \| \| `observability-stack-audit` \| Missing apiserver audit logging \| ## Test plan - [ ] `mise run review-compensating-controls` shows table and references - [ ] `kubectl kustomize argocd/manifests/prowler/` renders correctly - [ ] Sync prowler and kingfisher, verify next scan writes to dated subdirectory - [ ] Grep for `CC:` in mutelist files — every muted finding should have at least one 🤖 Generated with [Claude Code](https://claude.com/claude-code) Reviewed-on: https://forge.eblu.me/eblume/blumeops/pulls/320 2026-03-30 17:44:11 -07:00			`# ArgoCD`
Add Prowler mutelist and fix kube-state-metrics seccomp (#319) ## Summary - Add mutelist files to suppress expected/accepted Prowler CIS findings from components we don't control - Mutelist files stored in `mutelist/` directory, grouped by category, merged at runtime via initContainer - Fix missing seccomp `RuntimeDefault` profile on kube-state-metrics deployment ### Mutelist categories \| File \| Checks \| Covers \| \|------\|--------\|--------\| \| `apiserver.yaml` \| 12 \| Minikube apiserver flags \| \| `control-plane.yaml` \| 3 \| Scheduler, controller-manager, kubelet \| \| `core-pod-security.yaml` \| 7 \| System pods, Tailscale operator, Grafana init, Prowler hostPID, forgejo-runner \| \| `rbac.yaml` \| 3 \| Built-in K8s roles, ArgoCD, CNPG \| Muted findings appear as `status=MUTED` in reports (not hidden), preserving audit trail. ### Not muted (follow-up) - Alloy, Immich pods missing seccomp — need separate investigation (Helm/operator-managed) ## Test plan - [ ] `kubectl kustomize argocd/manifests/prowler/` renders cleanly - [ ] Trigger manual scan: `kubectl --context=minikube-indri -n prowler create job prowler-mutelist-test --from=cronjob/prowler` - [ ] Verify initContainer merges successfully (check pod logs) - [ ] Verify muted findings show as `MUTED` in report - [ ] Sync kube-state-metrics and verify pod starts with seccomp profile 🤖 Generated with [Claude Code](https://claude.com/claude-code) Reviewed-on: https://forge.eblu.me/eblume/blumeops/pulls/319 2026-03-30 17:22:31 -07:00			`- "^argocd-"`
			`Description: >-`
Rip out compensating-controls framework (#359) ## Summary Removes the compensating-controls (CC) framework. Prowler and Kingfisher continue to run weekly and produce reports; the Prowler mutelist YAML files stay in place but no longer carry \`CC: <id>\` prefixes — each entry now just keeps a free-form \`Description\` of why it's muted. The CC review cadence proved to be more process overhead than this single-operator homelab needed. ## What changed Deleted - \`compensating-controls.yaml\` — the CC registry - \`mise-tasks/review-compensating-controls\` — the staleness-review task - \`docs/how-to/operations/review-compensating-controls.md\` - \`docs/how-to/operations/record-review-evidence.md\` (was aspirational) - \`docs/explanation/compliance-mute-categories.md\` (proposed-future CC/NA/RA work) - 5 orphan \`+review-cc-\` / \`+compliance-mute-categories\` changelog fragments Modified* - 6 mutelist YAML files: stripped \`CC: <id>.\` prefix from every \`Description\` / \`statement\` field, kept the free-form text - \`mise-tasks/review-compliance-reports\`: removed CC mentions from docstrings, panel text, and the node-verification table title. Node-verification logic itself is unchanged. - \`docs/reference/operations/security.md\`: removed the "Compensating controls" section - \`docs/how-to/operations/read-compliance-reports.md\`: rewrote step 3 of "Acting on findings" to point at the mutelist YAML directly - \`docs/changelog.d/prowler-iac-mutelist.infra.md\`: rewrote to drop the "two new compensating controls" framing ## What did not change - All Prowler manifests (cronjobs, RBAC, PVs, kustomization) — scans still run on the same schedule - The Kingfisher deployment - The trivy-shim in the Prowler container — that's about Trivy ignorefile plumbing, independent of the CC concept - The mutelist entries themselves — each \`Resources\` list is unchanged; only the prose of \`Description\` was edited - \`CHANGELOG.md\` — historical releases are left as-is ## Test plan - [ ] Wait for human review before deploying — once merged, re-point ArgoCD: \`argocd app set prowler --revision main && argocd app sync prowler\` (no manifest changes besides the ConfigMap, so impact is limited to muted-finding descriptions in next week's report) - [ ] Confirm next weekly Prowler K8s CIS run (Sunday 3am) still completes and produces a report on sifaka - [ ] Confirm next weekly Prowler IaC run still honors \`trivyignore.yaml\` (the trivy shim is untouched but the ignorefile content was rewritten) - [ ] \`mise run review-compliance-reports\` — verify node-verification block still runs and prints the renamed table title Reviewed-on: https://forge.eblu.me/eblume/blumeops/pulls/359 2026-05-22 21:08:53 -07:00			`Built-in K8s roles: only operator can bind them. ArgoCD:`
			`requires broad access but is SSO-gated via Authentik OIDC.`
Add Prowler mutelist and fix kube-state-metrics seccomp (#319) ## Summary - Add mutelist files to suppress expected/accepted Prowler CIS findings from components we don't control - Mutelist files stored in `mutelist/` directory, grouped by category, merged at runtime via initContainer - Fix missing seccomp `RuntimeDefault` profile on kube-state-metrics deployment ### Mutelist categories \| File \| Checks \| Covers \| \|------\|--------\|--------\| \| `apiserver.yaml` \| 12 \| Minikube apiserver flags \| \| `control-plane.yaml` \| 3 \| Scheduler, controller-manager, kubelet \| \| `core-pod-security.yaml` \| 7 \| System pods, Tailscale operator, Grafana init, Prowler hostPID, forgejo-runner \| \| `rbac.yaml` \| 3 \| Built-in K8s roles, ArgoCD, CNPG \| Muted findings appear as `status=MUTED` in reports (not hidden), preserving audit trail. ### Not muted (follow-up) - Alloy, Immich pods missing seccomp — need separate investigation (Helm/operator-managed) ## Test plan - [ ] `kubectl kustomize argocd/manifests/prowler/` renders cleanly - [ ] Trigger manual scan: `kubectl --context=minikube-indri -n prowler create job prowler-mutelist-test --from=cronjob/prowler` - [ ] Verify initContainer merges successfully (check pod logs) - [ ] Verify muted findings show as `MUTED` in report - [ ] Sync kube-state-metrics and verify pod starts with seccomp profile 🤖 Generated with [Claude Code](https://claude.com/claude-code) Reviewed-on: https://forge.eblu.me/eblume/blumeops/pulls/319 2026-03-30 17:22:31 -07:00			`"rbac_minimize_pod_creation_access":`
			`Regions: ["*"]`
			`Resources:`
			`# Built-in Kubernetes roles`
			`- "^admin$"`
			`- "^edit$"`
			`- "^system:"`
			`# CloudNativePG operator`
			`- "^cnpg-manager$"`
			`Description: >-`
Rip out compensating-controls framework (#359) ## Summary Removes the compensating-controls (CC) framework. Prowler and Kingfisher continue to run weekly and produce reports; the Prowler mutelist YAML files stay in place but no longer carry \`CC: <id>\` prefixes — each entry now just keeps a free-form \`Description\` of why it's muted. The CC review cadence proved to be more process overhead than this single-operator homelab needed. ## What changed Deleted - \`compensating-controls.yaml\` — the CC registry - \`mise-tasks/review-compensating-controls\` — the staleness-review task - \`docs/how-to/operations/review-compensating-controls.md\` - \`docs/how-to/operations/record-review-evidence.md\` (was aspirational) - \`docs/explanation/compliance-mute-categories.md\` (proposed-future CC/NA/RA work) - 5 orphan \`+review-cc-\` / \`+compliance-mute-categories\` changelog fragments Modified* - 6 mutelist YAML files: stripped \`CC: <id>.\` prefix from every \`Description\` / \`statement\` field, kept the free-form text - \`mise-tasks/review-compliance-reports\`: removed CC mentions from docstrings, panel text, and the node-verification table title. Node-verification logic itself is unchanged. - \`docs/reference/operations/security.md\`: removed the "Compensating controls" section - \`docs/how-to/operations/read-compliance-reports.md\`: rewrote step 3 of "Acting on findings" to point at the mutelist YAML directly - \`docs/changelog.d/prowler-iac-mutelist.infra.md\`: rewrote to drop the "two new compensating controls" framing ## What did not change - All Prowler manifests (cronjobs, RBAC, PVs, kustomization) — scans still run on the same schedule - The Kingfisher deployment - The trivy-shim in the Prowler container — that's about Trivy ignorefile plumbing, independent of the CC concept - The mutelist entries themselves — each \`Resources\` list is unchanged; only the prose of \`Description\` was edited - \`CHANGELOG.md\` — historical releases are left as-is ## Test plan - [ ] Wait for human review before deploying — once merged, re-point ArgoCD: \`argocd app set prowler --revision main && argocd app sync prowler\` (no manifest changes besides the ConfigMap, so impact is limited to muted-finding descriptions in next week's report) - [ ] Confirm next weekly Prowler K8s CIS run (Sunday 3am) still completes and produces a report on sifaka - [ ] Confirm next weekly Prowler IaC run still honors \`trivyignore.yaml\` (the trivy shim is untouched but the ignorefile content was rewritten) - [ ] \`mise run review-compliance-reports\` — verify node-verification block still runs and prints the renamed table title Reviewed-on: https://forge.eblu.me/eblume/blumeops/pulls/359 2026-05-22 21:08:53 -07:00			`Built-in K8s roles and CNPG operator. Only the operator can`
			`assign these roles; no untrusted users have cluster access.`
Add Prowler mutelist and fix kube-state-metrics seccomp (#319) ## Summary - Add mutelist files to suppress expected/accepted Prowler CIS findings from components we don't control - Mutelist files stored in `mutelist/` directory, grouped by category, merged at runtime via initContainer - Fix missing seccomp `RuntimeDefault` profile on kube-state-metrics deployment ### Mutelist categories \| File \| Checks \| Covers \| \|------\|--------\|--------\| \| `apiserver.yaml` \| 12 \| Minikube apiserver flags \| \| `control-plane.yaml` \| 3 \| Scheduler, controller-manager, kubelet \| \| `core-pod-security.yaml` \| 7 \| System pods, Tailscale operator, Grafana init, Prowler hostPID, forgejo-runner \| \| `rbac.yaml` \| 3 \| Built-in K8s roles, ArgoCD, CNPG \| Muted findings appear as `status=MUTED` in reports (not hidden), preserving audit trail. ### Not muted (follow-up) - Alloy, Immich pods missing seccomp — need separate investigation (Helm/operator-managed) ## Test plan - [ ] `kubectl kustomize argocd/manifests/prowler/` renders cleanly - [ ] Trigger manual scan: `kubectl --context=minikube-indri -n prowler create job prowler-mutelist-test --from=cronjob/prowler` - [ ] Verify initContainer merges successfully (check pod logs) - [ ] Verify muted findings show as `MUTED` in report - [ ] Sync kube-state-metrics and verify pod starts with seccomp profile 🤖 Generated with [Claude Code](https://claude.com/claude-code) Reviewed-on: https://forge.eblu.me/eblume/blumeops/pulls/319 2026-03-30 17:22:31 -07:00			`"rbac_minimize_service_account_token_creation":`
			`Regions: ["*"]`
			`Resources:`
			`- "^system:"`
			`Description: >-`
Rip out compensating-controls framework (#359) ## Summary Removes the compensating-controls (CC) framework. Prowler and Kingfisher continue to run weekly and produce reports; the Prowler mutelist YAML files stay in place but no longer carry \`CC: <id>\` prefixes — each entry now just keeps a free-form \`Description\` of why it's muted. The CC review cadence proved to be more process overhead than this single-operator homelab needed. ## What changed Deleted - \`compensating-controls.yaml\` — the CC registry - \`mise-tasks/review-compensating-controls\` — the staleness-review task - \`docs/how-to/operations/review-compensating-controls.md\` - \`docs/how-to/operations/record-review-evidence.md\` (was aspirational) - \`docs/explanation/compliance-mute-categories.md\` (proposed-future CC/NA/RA work) - 5 orphan \`+review-cc-\` / \`+compliance-mute-categories\` changelog fragments Modified* - 6 mutelist YAML files: stripped \`CC: <id>.\` prefix from every \`Description\` / \`statement\` field, kept the free-form text - \`mise-tasks/review-compliance-reports\`: removed CC mentions from docstrings, panel text, and the node-verification table title. Node-verification logic itself is unchanged. - \`docs/reference/operations/security.md\`: removed the "Compensating controls" section - \`docs/how-to/operations/read-compliance-reports.md\`: rewrote step 3 of "Acting on findings" to point at the mutelist YAML directly - \`docs/changelog.d/prowler-iac-mutelist.infra.md\`: rewrote to drop the "two new compensating controls" framing ## What did not change - All Prowler manifests (cronjobs, RBAC, PVs, kustomization) — scans still run on the same schedule - The Kingfisher deployment - The trivy-shim in the Prowler container — that's about Trivy ignorefile plumbing, independent of the CC concept - The mutelist entries themselves — each \`Resources\` list is unchanged; only the prose of \`Description\` was edited - \`CHANGELOG.md\` — historical releases are left as-is ## Test plan - [ ] Wait for human review before deploying — once merged, re-point ArgoCD: \`argocd app set prowler --revision main && argocd app sync prowler\` (no manifest changes besides the ConfigMap, so impact is limited to muted-finding descriptions in next week's report) - [ ] Confirm next weekly Prowler K8s CIS run (Sunday 3am) still completes and produces a report on sifaka - [ ] Confirm next weekly Prowler IaC run still honors \`trivyignore.yaml\` (the trivy shim is untouched but the ignorefile content was rewritten) - [ ] \`mise run review-compliance-reports\` — verify node-verification block still runs and prints the renamed table title Reviewed-on: https://forge.eblu.me/eblume/blumeops/pulls/359 2026-05-22 21:08:53 -07:00			`kube-controller-manager requires token creation for SA`
			`management. Only operator manages service accounts.`