Six critical IaC findings against argocd/manifests/ broke into two
patterns: legitimate-by-design RBAC (mute) and over-broad RBAC (fix).
Plumbing:
- cronjob-iac-scan.yaml now passes --mutelist-file (previously
unused, which is why all IaC findings reported as unmuted)
- new mutelist/iac.yaml is bundled into the prowler-mutelist
ConfigMap and mounted into the IaC cronjob via items: selector
Compensating controls (in compensating-controls.yaml):
- operator-purpose-bound-rbac — external-secrets-operator's whole
function is to manage Secret objects; ClusterRole over secrets
matches its purpose. cert-controller mutates its own validating
webhooks to inject a rotating CA bundle.
- kube-state-metrics-metadata-only — KSM exposes only Secret
metadata via kube_secret_info / kube_secret_labels; the data
field is never read into exposed metrics.
Mutes (mutelist/iac.yaml):
- KSV-0041 for external-secrets/rbac.yaml,
kube-state-metrics/rbac.yaml,
kube-state-metrics-ringtail/rbac.yaml
- KSV-0114 for external-secrets/rbac.yaml
Real fix:
- grafana-clusterrole no longer reads secrets. The dashboard sidecar
(RESOURCE=both → configmap, both init and watch instances) only
needs ConfigMap-labeled dashboards; no Secrets are labeled
grafana_dashboard.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Tailscale operator still defaults to privileged proxy pods with no
seccomp profile (issue #7359 open upstream). Control remains valid.
Added note about ProxyClass + device plugin remediation path.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Removed Grafana from the control description — no Prowler finding
references it. Tightened scope to match actual usage (ArgoCD wildcard
RBAC mute). Added workflow-bot scoping note.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
## Summary
- Adds automated node-level verification to `review-compliance-reports`: kubelet file perms/ownership, kubelet config args, etcd CA separation, RBAC cluster-admin bindings
- Mutes the 14 MANUAL Prowler findings via new `manual-node-checks.yaml` mutelist file
- New `node-config-automated-verification` compensating control documents the approach
- Script fails loudly (red FAIL + verdict panel) if any check deviates from expected values
## Test plan
- [x] `mise run review-compliance-reports` — all 12 node checks PASS
- [x] Injected bad expected value (perms 400 vs actual 600) — FAIL rendered correctly
- [x] Fixed colon-in-binding-name bug (kubeadm:cluster-admins) with tab-separated jsonpath
- [ ] After merge: sync prowler mutelist ConfigMap and verify next scan shows 0 MANUAL findings
## Note
Prowler coverage is minikube-indri only — ringtail/k3s is a known gap tracked separately.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Reviewed-on: #335
The control claimed all images came from the private registry, but 12+
services pull from external public registries. Updated description to
reflect reality and catalogued external-image categories in notes.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Verified: tailscale serve status shows only svc:k8s, ACLs restrict
tag:flyio-target to port 443 with admin/operator ownership only,
indri has no flyio-target tag. All 10 muted findings remain valid.
Noted gap: no automated alerting on new flyio-target devices.
Tracked in Todoist as MC4 (Manual Compliance Control Check CronJob).
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Stamp single-user-cluster last-reviewed to 2026-04-01 after verifying
Tailscale ACLs and kubeconfig distribution. Add aspirational how-to card
documenting what PCI DSS evidence collection would look like (CCW,
artifacts, Drata workflow). Link from existing review process card.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
