blumeops/docs/reference/operations/security.md

---
title: Security & Compliance
modified: 2026-03-24
last-reviewed: 2026-03-24
tags:
  - operations
  - security
---

# Security & Compliance

Security posture and compliance scanning for BlumeOps infrastructure.

## Compliance frameworks

| Framework | Tool | Cluster | Notes |
|-----------|------|---------|-------|
| CIS Kubernetes Benchmark v1.11 | [[prowler]] | minikube-indri | Weekly CronJob, ~82 checks |
| PCI DSS v4.0 (K8s mapping) | [[prowler]] | minikube-indri | Reuses CIS checks mapped to PCI requirements |
| ISO 27001:2022 (K8s mapping) | [[prowler]] | minikube-indri | Partial — 22 of 92 controls mapped |

## Scanning tools

- [[prowler]] — CIS Kubernetes Benchmark scanner (weekly CronJob)
  - [[deploy-prowler]] — deployment and ad-hoc scan how-to
  - [[read-compliance-reports]] — accessing and interpreting reports

## Identity & access

- [[authentik]] — SSO/OIDC provider for all web services
- RBAC — Kubernetes role-based access control (audited by Prowler RBAC checks)

## Network & TLS

- [[caddy]] — TLS termination for `*.ops.eblu.me` services
- [[flyio-proxy]] — public ingress via Fly.io tunnel
- Tailscale — zero-trust mesh networking across all nodes

## Secrets management

- [[1password]] — root credential store
- [[external-secrets]] — Kubernetes secrets synced from 1Password

## Reports

All compliance scan reports are stored on `sifaka:/volume1/reports/`. See [[read-compliance-reports]] for access and interpretation.

## Known gaps

- No SOC 2 compliance mapping for Kubernetes (Prowler only maps SOC 2 for AWS/Azure/GCP)
- k3s control plane checks produce no results (embedded binary, no static pods) — consider kube-bench
- Container image scanning covers `blumeops/*` images only — upstream images (ollama, immich, etc.) are not scanned
- IaC scanning covers the blumeops repo only — no scanning of third-party Helm charts or vendored manifests
Deploy Prowler CIS scanner (#310) ## Summary - Deploy Prowler 5 as a weekly CronJob on minikube-indri for CIS Kubernetes Benchmark v1.11 scanning - Custom slim container build (strips PowerShell, Trivy, and non-K8s providers from upstream) - Reports (HTML, CSV, JSON-OCSF) written to NFS share on sifaka at `/volume1/reports/prowler/` - Read-only ClusterRole for pod, RBAC, and control plane inspection - Host path mounts + hostPID for kubelet file permission checks ## Follow-ups - Mirror prowler-cloud/prowler on forge for supply chain control - Build and push container image, update kustomization.yaml newTag - Consider adding k3s-ringtail scanning (core + RBAC checks only) ## Test plan - [ ] Build container: `mise run container-release prowler v5.22.0` - [ ] Update `argocd/manifests/prowler/kustomization.yaml` newTag to built image tag - [ ] Sync ArgoCD: `argocd app sync apps && argocd app set prowler --revision deploy-prowler && argocd app sync prowler` - [ ] Trigger manual job: `kubectl create job --from=cronjob/prowler prowler-manual -n prowler --context=minikube-indri` - [ ] Verify reports appear on sifaka NFS share - [ ] `mise run services-check` 🤖 Generated with [Claude Code](https://claude.com/claude-code) Reviewed-on: https://forge.eblu.me/eblume/blumeops/pulls/310 2026-03-24 16:08:09 -07:00			`---`
			`title: Security & Compliance`
			`modified: 2026-03-24`
			`last-reviewed: 2026-03-24`
			`tags:`
			`- operations`
			`- security`
			`---`

			`# Security & Compliance`

			`Security posture and compliance scanning for BlumeOps infrastructure.`

			`## Compliance frameworks`

			`\| Framework \| Tool \| Cluster \| Notes \|`
			`\|-----------\|------\|---------\|-------\|`
			`\| CIS Kubernetes Benchmark v1.11 \| [[prowler]] \| minikube-indri \| Weekly CronJob, ~82 checks \|`
			`\| PCI DSS v4.0 (K8s mapping) \| [[prowler]] \| minikube-indri \| Reuses CIS checks mapped to PCI requirements \|`
			`\| ISO 27001:2022 (K8s mapping) \| [[prowler]] \| minikube-indri \| Partial — 22 of 92 controls mapped \|`

			`## Scanning tools`

			`- [[prowler]] — CIS Kubernetes Benchmark scanner (weekly CronJob)`
			`- [[deploy-prowler]] — deployment and ad-hoc scan how-to`
			`- [[read-compliance-reports]] — accessing and interpreting reports`

			`## Identity & access`

			`- [[authentik]] — SSO/OIDC provider for all web services`
			`- RBAC — Kubernetes role-based access control (audited by Prowler RBAC checks)`

			`## Network & TLS`

			- [[caddy]] — TLS termination for `*.ops.eblu.me` services
			`- [[flyio-proxy]] — public ingress via Fly.io tunnel`
			`- Tailscale — zero-trust mesh networking across all nodes`

			`## Secrets management`

			`- [[1password]] — root credential store`
			`- [[external-secrets]] — Kubernetes secrets synced from 1Password`

			`## Reports`

			All compliance scan reports are stored on `sifaka:/volume1/reports/`. See [[read-compliance-reports]] for access and interpretation.

			`## Known gaps`

			`- No SOC 2 compliance mapping for Kubernetes (Prowler only maps SOC 2 for AWS/Azure/GCP)`
			`- k3s control plane checks produce no results (embedded binary, no static pods) — consider kube-bench`
Add Prowler image vulnerability scanning for blumeops containers Add Trivy to the Prowler container for image and IaC scanning. New CronJob (Saturday 3am) scans all blumeops/* images in the registry for CVEs, embedded secrets, and Dockerfile misconfigs. Reports written to sifaka:/volume1/reports/prowler-images/. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-03-24 16:43:08 -07:00			- Container image scanning covers `blumeops/*` images only — upstream images (ollama, immich, etc.) are not scanned
Add Prowler IaC scanning of blumeops repo (Saturday 2am) Clone repo in init container, scan Dockerfiles and K8s manifests with Prowler's IaC provider (Trivy). Reports written to sifaka:/volume1/reports/prowler-iac/. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-03-24 16:49:38 -07:00			`- IaC scanning covers the blumeops repo only — no scanning of third-party Helm charts or vendored manifests`