Automate Prowler MANUAL finding verification (#335)

## Summary - Adds automated node-level verification to `review-compliance-reports`: kubelet file perms/ownership, kubelet config args, etcd CA separation, RBAC cluster-admin bindings - Mutes the 14 MANUAL Prowler findings via new `manual-node-checks.yaml` mutelist file - New `node-config-automated-verification` compensating control documents the approach - Script fails loudly (red FAIL + verdict panel) if any check deviates from expected values ## Test plan - [x] `mise run review-compliance-reports` — all 12 node checks PASS - [x] Injected bad expected value (perms 400 vs actual 600) — FAIL rendered correctly - [x] Fixed colon-in-binding-name bug (kubeadm:cluster-admins) with tab-separated jsonpath - [ ] After merge: sync prowler mutelist ConfigMap and verify next scan shows 0 MANUAL findings ## Note Prowler coverage is minikube-indri only — ringtail/k3s is a known gap tracked separately. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Reviewed-on: #335
2026-04-14 13:00:44 -07:00 · 2026-04-14 13:00:44 -07:00 · be30668eef
commit be30668eef
parent 8c2f035e6d
5 changed files with 278 additions and 1 deletions
--- a/docs/changelog.d/automate-manual-prowler-checks.infra.md
+++ b/docs/changelog.d/automate-manual-prowler-checks.infra.md
@ -0,0 +1 @@
+Automate verification of Prowler MANUAL findings (kubelet file perms, kubelet config, etcd CA, RBAC cluster-admin) in `review-compliance-reports` and mute them with `node-config-automated-verification` compensating control.
				`@ -0,0 +1 @@`
				Automate verification of Prowler MANUAL findings (kubelet file perms, kubelet config, etcd CA, RBAC cluster-admin) in `review-compliance-reports` and mute them with `node-config-automated-verification` compensating control.