Deploy Prowler CIS scanner (#310)

## Summary
- Deploy Prowler 5 as a weekly CronJob on minikube-indri for CIS Kubernetes Benchmark v1.11 scanning
- Custom slim container build (strips PowerShell, Trivy, and non-K8s providers from upstream)
- Reports (HTML, CSV, JSON-OCSF) written to NFS share on sifaka at `/volume1/reports/prowler/`
- Read-only ClusterRole for pod, RBAC, and control plane inspection
- Host path mounts + hostPID for kubelet file permission checks

## Follow-ups
- Mirror prowler-cloud/prowler on forge for supply chain control
- Build and push container image, update kustomization.yaml newTag
- Consider adding k3s-ringtail scanning (core + RBAC checks only)

## Test plan
- [ ] Build container: `mise run container-release prowler v5.22.0`
- [ ] Update `argocd/manifests/prowler/kustomization.yaml` newTag to built image tag
- [ ] Sync ArgoCD: `argocd app sync apps && argocd app set prowler --revision deploy-prowler && argocd app sync prowler`
- [ ] Trigger manual job: `kubectl create job --from=cronjob/prowler prowler-manual -n prowler --context=minikube-indri`
- [ ] Verify reports appear on sifaka NFS share
- [ ] `mise run services-check`

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Reviewed-on: #310

docs/how-to/operations/deploy-prowler.md

@@ -0,0 +1,61 @@
+---
+title: Deploy Prowler CIS Scanner
+modified: 2026-03-24
+last-reviewed: 2026-03-24
+tags:
+  - how-to
+  - kubernetes
+  - security
+  - compliance
+---
+
+# Deploy Prowler CIS Scanner
+
+Prowler runs weekly CIS Kubernetes Benchmark scans against minikube-indri and writes HTML/CSV/JSON reports to the NFS share on sifaka.
+
+## What it checks
+
+Prowler's Kubernetes provider runs ~70 checks from the CIS Kubernetes Benchmark v1.11, grouped into:
+
+| Category | Checks | How it works |
+|----------|--------|-------------|
+| **Core (pod security)** | 13 | Queries K8s API for privileged containers, hostPID/hostNetwork, capabilities, secrets in env vars, seccomp |
+| **RBAC** | 9 | Queries RBAC API for overprivileged roles, wildcard access, cluster-admin bindings |
+| **Apiserver** | 29 | Inspects `kube-apiserver` pod args in kube-system (TLS, auth, audit, admission plugins) |
+| **Etcd** | 7 | Inspects `etcd` pod args (TLS, cert auth) |
+| **Controller Manager** | 7 | Inspects `kube-controller-manager` pod args |
+| **Kubelet** | 16 | Reads kubelet-config ConfigMap + node file permissions (file checks need hostPID) |
+| **Scheduler** | 2 | Inspects `kube-scheduler` pod args |
+
+**Minikube relevance:** Most checks work because minikube runs control plane as static pods. Kubelet file permission checks return MANUAL unless Prowler runs on the node (we mount host paths to enable this).
+
+**k3s note:** k3s embeds the control plane in a single binary — no static pods exist. Only core + RBAC checks (~22 of 70) produce results. Consider `kube-bench` for k3s control plane checks.
+
+## Reports
+
+Reports are written to `sifaka:/volume1/reports/prowler/` with timestamped filenames. See [[read-compliance-reports]] for how to access and interpret them.
+
+## Running an ad-hoc scan
+
+```fish
+kubectl create job --from=cronjob/prowler prowler-manual -n prowler --context=minikube-indri
+```
+
+Watch progress:
+
+```fish
+kubectl logs -f job/prowler-manual -n prowler --context=minikube-indri
+```
+
+## Container
+
+Custom slim build at `containers/prowler/Dockerfile` — strips PowerShell, Trivy, and non-Kubernetes providers from upstream. See [[build-container-image]] for the build/release process.
+
+Source is mirrored at `forge.ops.eblu.me/mirrors/prowler`.
+
+## See also
+
+- [[security]] — security & compliance posture overview
+- [[read-compliance-reports]] — how to access and interpret scan reports
+- [[deploy-k8s-service]] — general K8s deployment how-to
+- [[build-container-image]] — container build pipeline

docs/how-to/operations/read-compliance-reports.md

@@ -0,0 +1,79 @@
+---
+title: Read Compliance Reports
+modified: 2026-03-24
+last-reviewed: 2026-03-24
+tags:
+  - how-to
+  - security
+  - compliance
+---
+
+# Read Compliance Reports
+
+How to access and interpret compliance scan reports from [[prowler]] and other security scanners.
+
+## Accessing reports
+
+Reports are stored on sifaka at `/volume1/reports/`. Each scanner writes to its own subdirectory:
+
+| Scanner | Path | Schedule |
+|---------|------|----------|
+| [[prowler]] | `sifaka:/volume1/reports/prowler/` | Weekly (Sunday 3am) |
+
+Copy reports to your local machine (remember `scp -O` for sifaka):
+
+```fish
+scp -O sifaka:/volume1/reports/prowler/prowler-output-In-Cluster-*.html /tmp/
+open /tmp/prowler-output-In-Cluster-*.html
+```
+
+## Report formats
+
+### HTML
+
+Open in a browser. Self-contained, filterable by severity, status, and service. Best for human review — shows pass/fail per check with remediation guidance.
+
+### CSV
+
+One row per finding. Columns include check ID, status, severity, resource, namespace, description, and remediation. Good for filtering in a spreadsheet or scripting.
+
+### JSON-OCSF
+
+Open Cybersecurity Schema Framework format. Machine-parseable, suitable for SIEM ingestion or programmatic analysis.
+
+### Compliance CSV
+
+In the `compliance/` subdirectory. Findings mapped to specific framework requirement IDs (e.g., CIS 1.11 section numbers). Shows which controls pass or fail.
+
+## Interpreting results
+
+### Status values
+
+- **PASS** — the resource is configured securely per the check
+- **FAIL** — remediation is recommended
+- **MANUAL** — Prowler cannot determine the result automatically (e.g., kubelet file permissions when not running on the node)
+- **MUTED** — the finding was explicitly suppressed via a mutelist
+
+### Severity
+
+Findings are categorized as **critical**, **high**, **medium**, or **low**. Focus on critical and high first.
+
+### Expected failures
+
+Not all failures require action. Common expected failures in our minikube cluster:
+
+- **Core/pod security (high):** System pods (ArgoCD, external-secrets, tailscale-operator) legitimately need elevated privileges. These can be mutelisted.
+- **Apiserver (medium):** Audit logging, profiling, and some admission plugins are not configured in minikube defaults. Low risk for a homelab.
+- **Kubelet (high):** Anonymous auth or read-only port settings from minikube defaults.
+
+### Acting on findings
+
+1. **Triage** — review new failures, distinguish real issues from expected noise
+2. **Remediate** — fix what you can (pod security contexts, RBAC tightening)
+3. **Mutelist** — suppress expected/accepted failures via Prowler's `--mutelist-file` to reduce noise in future scans
+4. **Track** — compare reports over time to spot regressions
+
+## See also
+
+- [[security]] — security & compliance posture overview
+- [[deploy-prowler]] — Prowler deployment and ad-hoc scans