Upgrade Prowler to 5.23.0, remove registry workaround (#336)
## Summary

- Upgrade Prowler from 5.22.0 to 5.23.0
- Remove the `enumerate-images` init container workaround from `cronjob-image-scan.yaml`
- Use native `--registry` and `--image-filter` flags now that the upstream fix (PR prowler-cloud/prowler#10470) is released

The init container was a workaround for prowler-cloud/prowler#10457, where `--registry` args weren't forwarded to the provider constructor. We wrote the fix, it was merged, and v5.23.0 includes it.

## Test plan

- [ ] Build new container (`mise run container-release prowler 5.23.0`)
- [ ] Update kustomization.yaml with new image tag
- [ ] Sync prowler ArgoCD app from branch
- [ ] Manually trigger image scan job and verify `--registry` works natively
- [ ] Verify CIS and IaC scan cronjobs still work

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Reviewed-on: #336
This commit is contained in:
parent
6b690eb033
commit
7c1cd11e45
5 changed files with 7 additions and 43 deletions
|
|
@ -15,39 +15,6 @@ spec:
|
||||||
securityContext:
|
securityContext:
|
||||||
seccompProfile:
|
seccompProfile:
|
||||||
type: RuntimeDefault
|
type: RuntimeDefault
|
||||||
initContainers:
|
|
||||||
# Workaround: Prowler's --registry flag is broken (registry args
|
|
||||||
# not passed to provider constructor). Generate image list from
|
|
||||||
# zot catalog API instead.
|
|
||||||
# See: https://github.com/prowler-cloud/prowler/issues/10457
|
|
||||||
# Fix merged upstream (PR #10470, 2026-03-30) but not yet in a
|
|
||||||
# release (latest: 5.22.0). Remove this initContainer once a
|
|
||||||
# release includes the fix and we upgrade.
|
|
||||||
- name: enumerate-images
|
|
||||||
image: registry.ops.eblu.me/blumeops/prowler:kustomized
|
|
||||||
command: ["python3", "-c"]
|
|
||||||
args:
|
|
||||||
- |
|
|
||||||
import json, urllib.request
|
|
||||||
|
|
||||||
REGISTRY = "https://registry.ops.eblu.me"
|
|
||||||
catalog = json.loads(urllib.request.urlopen(f"{REGISTRY}/v2/_catalog").read())
|
|
||||||
images = []
|
|
||||||
for repo in catalog["repositories"]:
|
|
||||||
if not repo.startswith("blumeops/"):
|
|
||||||
continue
|
|
||||||
tags = json.loads(urllib.request.urlopen(f"{REGISTRY}/v2/{repo}/tags/list").read())
|
|
||||||
for tag in tags.get("tags") or []:
|
|
||||||
images.append(f"registry.ops.eblu.me/{repo}:{tag}")
|
|
||||||
|
|
||||||
with open("/shared/images.txt", "w") as f:
|
|
||||||
f.write("\n".join(images) + "\n")
|
|
||||||
print(f"Discovered {len(images)} images")
|
|
||||||
for img in images:
|
|
||||||
print(img)
|
|
||||||
volumeMounts:
|
|
||||||
- name: shared
|
|
||||||
mountPath: /shared
|
|
||||||
containers:
|
containers:
|
||||||
- name: prowler
|
- name: prowler
|
||||||
image: registry.ops.eblu.me/blumeops/prowler:kustomized
|
image: registry.ops.eblu.me/blumeops/prowler:kustomized
|
||||||
|
|
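Review bot: with the initContainer and its explanatory comment gone, nothing left in this manifest records that `--registry` only works on Prowler 5.23.0 or later (the deleted `# Fix merged upstream (PR #10470, 2026-03-30) ...` comment carried that). Per the summary, the 5.22.0 bug was that `--registry` args were parsed but not forwarded, so a rollback of the image tag would leave the flags accepted yet ignored without any error; a one-line comment on the `prowler` container stating the minimum version would preserve that context for whoever next touches the tag.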
@ -57,20 +24,16 @@ spec:
|
||||||
DATEDIR=/reports/prowler-images/$(date +%Y-%m-%d)
|
DATEDIR=/reports/prowler-images/$(date +%Y-%m-%d)
|
||||||
mkdir -p "$DATEDIR"
|
mkdir -p "$DATEDIR"
|
||||||
prowler image \
|
prowler image \
|
||||||
--image-list /shared/images.txt \
|
--registry https://registry.ops.eblu.me \
|
||||||
|
--image-filter "^blumeops/" \
|
||||||
-z \
|
-z \
|
||||||
--output-formats html csv json-ocsf \
|
--output-formats html csv json-ocsf \
|
||||||
--output-directory "$DATEDIR"
|
--output-directory "$DATEDIR"
|
||||||
volumeMounts:
|
volumeMounts:
|
||||||
- name: reports
|
- name: reports
|
||||||
mountPath: /reports
|
mountPath: /reports
|
||||||
- name: shared
|
|
||||||
mountPath: /shared
|
|
||||||
readOnly: true
|
|
||||||
restartPolicy: OnFailure
|
restartPolicy: OnFailure
|
||||||
volumes:
|
volumes:
|
||||||
- name: reports
|
- name: reports
|
||||||
persistentVolumeClaim:
|
persistentVolumeClaim:
|
||||||
claimName: prowler-reports
|
claimName: prowler-reports
|
||||||
- name: shared
|
|
||||||
emptyDir: {}
|
|
||||||
|
|
|
||||||
|
|
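Review bot: the removed init container filtered with `repo.startswith("blumeops/")` on the repository path returned by `/v2/_catalog`, while the replacement `--image-filter "^blumeops/"` is an anchored regex, so it only reproduces that behaviour if Prowler applies the filter to the repository path and not to the full `registry.ops.eblu.me/blumeops/...` reference. If it matches the full reference the anchor never matches and the job would scan zero images without failing, so the "verify `--registry` works natively" step of the test plan should compare the number of images scanned against the `Discovered N images` count printed by the previous init container run. The `shared` mount and the `emptyDir` volume are both removed here, so nothing dangling remains from the workaround.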
@ -26,4 +26,4 @@ configMapGenerator:
|
||||||
|
|
||||||
images:
|
images:
|
||||||
- name: registry.ops.eblu.me/blumeops/prowler
|
- name: registry.ops.eblu.me/blumeops/prowler
|
||||||
newTag: v5.22.0-6960243
|
newTag: v5.23.0-d05b503
|
||||||
|
|
|
||||||
|
|
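Review bot: `newTag: v5.23.0-d05b503` selects the image by tag only, and this hunk is the sole place the deployed image is chosen; consider adding kustomize's `digest:` field next to `newTag` once the `mise run container-release` build from the test plan has produced the image, so that a retagged image cannot change what the CronJobs run.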
@ -1,7 +1,7 @@
|
||||||
# Prowler CIS scanner — slim build for Kubernetes, image, and IaC providers
|
# Prowler CIS scanner — slim build for Kubernetes, image, and IaC providers
|
||||||
# Strips PowerShell (M365) and dashboard dependencies from upstream
|
# Strips PowerShell (M365) and dashboard dependencies from upstream
|
||||||
# Includes Trivy for image vulnerability and IaC scanning
|
# Includes Trivy for image vulnerability and IaC scanning
|
||||||
ARG CONTAINER_APP_VERSION=5.22.0
|
ARG CONTAINER_APP_VERSION=5.23.0
|
||||||
|
|
||||||
FROM python:3.12-slim-bookworm AS build
|
FROM python:3.12-slim-bookworm AS build
|
||||||
|
|
||||||
|
|
|
||||||
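Review bot: `ARG CONTAINER_APP_VERSION=5.23.0` is declared before the first `FROM`, and an ARG in that position is only in scope for `FROM` instructions; if the build stage uses the value, confirm it is re-declared with a bare `ARG CONTAINER_APP_VERSION` after `FROM python:3.12-slim-bookworm AS build`, otherwise the bump on this line would not reach the install step and the image would keep building 5.22.0. Pinning the `python:3.12-slim-bookworm` base by digest would also make this version bump reproducible.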
1
docs/changelog.d/upgrade-prowler-5.23.infra.md
Normal file
|
|
@ -0,0 +1 @@
|
||||||
|
Upgrade Prowler from 5.22.0 to 5.23.0; remove init container workaround for broken `--registry` flag (upstream fix in PR #10470).
|
||||||
|
|
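Review bot: the changelog entry cites `PR #10470` without a repository, which reads as a pull request in this repository (whose own numbers, such as #336, are nearby); the commit summary already uses the qualified form `prowler-cloud/prowler#10470`, so use that here as well.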
@ -310,8 +310,8 @@ services:
|
||||||
|
|
||||||
- name: prowler
|
- name: prowler
|
||||||
type: argocd
|
type: argocd
|
||||||
last-reviewed: 2026-03-24
|
last-reviewed: 2026-04-14
|
||||||
current-version: "5.22.0"
|
current-version: "5.23.0"
|
||||||
upstream-source: https://github.com/prowler-cloud/prowler/releases
|
upstream-source: https://github.com/prowler-cloud/prowler/releases
|
||||||
notes: CIS Kubernetes Benchmark scanner; weekly CronJob on minikube-indri
|
notes: CIS Kubernetes Benchmark scanner; weekly CronJob on minikube-indri
|
||||||
|
|
||||||
|
|
|
||||||
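Review bot: `current-version` and `last-reviewed` are updated, but `notes:` still describes the service only as `CIS Kubernetes Benchmark scanner; weekly CronJob on minikube-indri`, while the Dockerfile header in this same commit covers Kubernetes, image and IaC providers and the test plan names separate image and IaC scan cronjobs; update the notes line to list all three jobs so the inventory matches what actually runs.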