eblume/blumeops
1
1
Fork 0
Code Issues Pull requests Projects Releases 83 Packages Wiki Activity Actions

Add security reference card and compliance report how-to

Browse source 
Split report-reading guidance out of deploy-prowler into its own
how-to (read-compliance-reports). Add security & compliance
reference card (reference/operations/security) following the
pattern of the observability card.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
Erich Blume 2026-03-24 16:05:17 -07:00
commit 9053ce5955
4 changed files with 138 additions and 6 deletions
Download patch file Download diff file Expand all files Collapse all files

53
docs/reference/operations/security.md Normal file
View file

@ -0,0 +1,53 @@
---
title: Security & Compliance
modified: 2026-03-24
last-reviewed: 2026-03-24
tags:
- operations
- security
---
# Security & Compliance
Security posture and compliance scanning for BlumeOps infrastructure.
## Compliance frameworks
| Framework | Tool | Cluster | Notes |
|-----------|------|---------|-------|
| CIS Kubernetes Benchmark v1.11 | [[prowler]] | minikube-indri | Weekly CronJob, ~82 checks |
| PCI DSS v4.0 (K8s mapping) | [[prowler]] | minikube-indri | Reuses CIS checks mapped to PCI requirements |
| ISO 27001:2022 (K8s mapping) | [[prowler]] | minikube-indri | Partial — 22 of 92 controls mapped |
## Scanning tools
- [[prowler]] — CIS Kubernetes Benchmark scanner (weekly CronJob)
- [[deploy-prowler]] — deployment and ad-hoc scan how-to
- [[read-compliance-reports]] — accessing and interpreting reports
## Identity & access
- [[authentik]] — SSO/OIDC provider for all web services
- RBAC — Kubernetes role-based access control (audited by Prowler RBAC checks)
## Network & TLS
- [[caddy]] — TLS termination for `*.ops.eblu.me` services
- [[flyio-proxy]] — public ingress via Fly.io tunnel
- Tailscale — zero-trust mesh networking across all nodes
## Secrets management
- [[1password]] — root credential store
- [[external-secrets]] — Kubernetes secrets synced from 1Password
## Reports
All compliance scan reports are stored on `sifaka:/volume1/reports/`. See [[read-compliance-reports]] for access and interpretation.
## Known gaps
- No SOC 2 compliance mapping for Kubernetes (Prowler only maps SOC 2 for AWS/Azure/GCP)
- k3s control plane checks produce no results (embedded binary, no static pods) — consider kube-bench
- No container image vulnerability scanning yet (Prowler has an `image` provider)
- No IaC scanning of manifests/Dockerfiles yet (Prowler has an `iac` provider using Trivy)

2
docs/reference/services/prowler.md
View file

@ -27,4 +27,6 @@ Runs Prowler 5 as a CronJob against minikube-indri, executing CIS Kubernetes Ben
## See also
- [[security]] — security & compliance posture overview
- [[deploy-prowler]] — deployment how-to, ad-hoc scan instructions, check relevance notes
- [[read-compliance-reports]] — how to access and interpret reports