Deploy Prowler CIS scanner #310

Merged
eblume merged 7 commits from deploy-prowler into main 2026-03-24 16:08:10 -07:00
Summary

  • Deploy Prowler 5 as a weekly CronJob on minikube-indri for CIS Kubernetes Benchmark v1.11 scanning
  • Custom slim container build (strips PowerShell, Trivy, and non-K8s providers from upstream)
  • Reports (HTML, CSV, JSON-OCSF) written to NFS share on sifaka at /volume1/reports/prowler/
  • Read-only ClusterRole for pod, RBAC, and control plane inspection
  • Host path mounts + hostPID for kubelet file permission checks

Follow-ups

  • Mirror prowler-cloud/prowler on forge for supply chain control
  • Build and push container image, update kustomization.yaml newTag
  • Consider adding k3s-ringtail scanning (core + RBAC checks only)

Test plan

  • Build container: mise run container-release prowler v5.22.0
  • Update argocd/manifests/prowler/kustomization.yaml newTag to built image tag
  • Sync ArgoCD: argocd app sync apps && argocd app set prowler --revision deploy-prowler && argocd app sync prowler
  • Trigger manual job: kubectl create job --from=cronjob/prowler prowler-manual -n prowler --context=minikube-indri
  • Verify reports appear on sifaka NFS share
  • mise run services-check

🤖 Generated with Claude Code
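As an added example that is not part of this PR or the blumeops repository, a stand-alone Python guardrail for the two least-privilege properties the summary states: the scanner's ClusterRole grants only get/list/watch, and its hostPath mounts (needed alongside hostPID for the kubelet file checks) are mounted read-only. The sample objects are constructed in the shape `kubectl get ... -o json` returns; the resource lists and volume names are assumptions, not the repository's manifests.

```python
"""Guardrail checks for a Prowler-style scanner deployment: the ClusterRole must be
read-only and hostPath volumes must be mounted read-only (hostPID itself is expected)."""
import json

READ_ONLY_VERBS = {"get", "list", "watch"}


def rbac_violations(clusterrole: dict) -> list[str]:
    """List every rule granting a verb beyond get/list/watch (wildcards included)."""
    problems = []
    for i, rule in enumerate(clusterrole.get("rules", [])):
        extra = set(rule.get("verbs", [])) - READ_ONLY_VERBS
        if extra:
            targets = ",".join(rule.get("resources") or rule.get("nonResourceURLs") or [])
            problems.append(f"rule {i} ({targets}): non-read verbs {sorted(extra)}")
    return problems


def mount_violations(pod_spec: dict) -> list[str]:
    """List hostPath volumes any container mounts without readOnly: true, plus
    privileged containers, which a read-only scanner never needs."""
    host_paths = {v["name"] for v in pod_spec.get("volumes", []) if "hostPath" in v}
    problems = []
    for c in pod_spec.get("containers", []):
        if c.get("securityContext", {}).get("privileged"):
            problems.append(f"container {c['name']}: privileged")
        for m in c.get("volumeMounts", []):
            if m["name"] in host_paths and not m.get("readOnly"):
                problems.append(f"container {c['name']}: hostPath {m['name']} mounted read-write")
    return problems


# Constructed sample objects (assumed resource lists); not the repository's manifests.
ROLE = json.loads('''{"kind": "ClusterRole", "rules": [
  {"apiGroups": [""], "resources": ["pods", "nodes", "namespaces"], "verbs": ["get", "list"]},
  {"apiGroups": ["rbac.authorization.k8s.io"], "resources": ["clusterroles", "clusterrolebindings"],
   "verbs": ["get", "list", "watch"]}]}''')
ROLE_TOO_BROAD = json.loads('''{"kind": "ClusterRole", "rules": [
  {"apiGroups": [""], "resources": ["pods"], "verbs": ["*"]}]}''')
POD = json.loads('''{"hostPID": true,
  "volumes": [{"name": "kubelet", "hostPath": {"path": "/var/lib/kubelet"}},
              {"name": "reports", "nfs": {"server": "sifaka", "path": "/volume1/reports"}}],
  "containers": [{"name": "prowler",
    "volumeMounts": [{"name": "kubelet", "mountPath": "/var/lib/kubelet", "readOnly": true},
                     {"name": "reports", "mountPath": "/reports"}]}]}''')

if __name__ == "__main__":
    for label, found in [("clusterrole", rbac_violations(ROLE)),
                         ("clusterrole-broad", rbac_violations(ROLE_TOO_BROAD)),
                         ("pod", mount_violations(POD))]:
        print(label, "OK" if not found else found)
```

The NFS report volume is deliberately left read-write: Prowler writes under /reports/prowler/ inside that mount, and only hostPath volumes are held to the read-only rule.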

Custom slim container (no PowerShell/Trivy), NFS-backed reports
on sifaka:/volume1/reports/prowler/, ClusterRole with read-only
RBAC for Kubernetes CIS Benchmark v1.11 checks.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Clone from forge.ops.eblu.me/mirrors/prowler instead of GitHub
directly. Mirror already exists. Fix OCI source label to use
canonical forge.eblu.me URL per repo convention. Add prowler
entry to service-versions.yaml.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The build-container-nix.yaml workflow was merged into
build-container.yaml. Remove the second dispatch that now 404s.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Mount /volume1/reports (share root) not /volume1/reports/prowler.
Prowler writes to /reports/prowler/ subdirectory within the mount.
This allows other services to share the same NFS share.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Split report-reading guidance out of deploy-prowler into its own
how-to (read-compliance-reports). Add security & compliance
reference card (reference/operations/security) following the
pattern of the observability card.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
eblume merged commit d021b3534f into main 2026-03-24 16:08:10 -07:00
eblume referenced this pull request from a commit 2026-03-24 16:08:11 -07:00
Reference
eblume/blumeops!310