Add Prowler mutelist and fix kube-state-metrics seccomp #319

Merged
eblume merged 1 commit from prowler-mutelist into main 2026-03-30 17:22:32 -07:00

Summary

  • Add mutelist files to suppress expected/accepted Prowler CIS findings from components we don't control
  • Mutelist files stored in mutelist/ directory, grouped by category, merged at runtime via initContainer
  • Fix missing seccomp RuntimeDefault profile on kube-state-metrics deployment

Mutelist categories

| File | Checks | Covers |
|------|--------|--------|
| apiserver.yaml | 12 | Minikube apiserver flags |
| control-plane.yaml | 3 | Scheduler, controller-manager, kubelet |
| core-pod-security.yaml | 7 | System pods, Tailscale operator, Grafana init, Prowler hostPID, forgejo-runner |
| rbac.yaml | 3 | Built-in K8s roles, ArgoCD, CNPG |

Muted findings appear as status=MUTED in reports (not hidden), preserving the audit trail.

Not muted (follow-up)

  • Alloy, Immich pods missing seccomp — need separate investigation (Helm/operator-managed)

Test plan

  • kubectl kustomize argocd/manifests/prowler/ renders cleanly
  • Trigger manual scan: kubectl --context=minikube-indri -n prowler create job prowler-mutelist-test --from=cronjob/prowler
  • Verify initContainer merges successfully (check pod logs)
  • Verify muted findings show as MUTED in report
  • Sync kube-state-metrics and verify pod starts with seccomp profile

🤖 Generated with Claude Code
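One way to implement the runtime merge the description mentions, as an added example and not the PR's own initContainer script: the per-category fragments are deep-merged per check, so a check that appears in two category files keeps both resource lists instead of the later file silently replacing the earlier one (which is what concatenating the YAML files, with duplicate `Mutelist:` keys, would do). The Prowler mutelist layout (Mutelist/Accounts/Checks with Regions and Resources), the sample fragments and the check IDs are assumptions and placeholders, not values from the repository.

```python
"""Merge per-category Prowler mutelist fragments into a single mutelist.

Constructed example, not the PR's initContainer script. Assumes the Prowler
mutelist schema Mutelist -> Accounts -> <account> -> Checks -> <check_id> with
Regions/Resources/Tags lists; for the Kubernetes provider the account is the
cluster name and Regions hold namespaces.
"""
from copy import deepcopy


def merge_mutelists(fragments):
    """Deep-merge fragments. A check muted in two files gets its Regions,
    Resources and Tags unioned (order preserved, duplicates dropped) and the
    descriptions joined, so every mute keeps its stated justification."""
    merged = {"Mutelist": {"Accounts": {}}}
    accounts = merged["Mutelist"]["Accounts"]
    for frag in fragments:
        for acct, body in frag.get("Mutelist", {}).get("Accounts", {}).items():
            checks = accounts.setdefault(acct, {"Checks": {}})["Checks"]
            for check_id, rule in body.get("Checks", {}).items():
                if check_id not in checks:
                    checks[check_id] = deepcopy(rule)
                    continue
                existing = checks[check_id]
                for key in ("Regions", "Resources", "Tags"):
                    union = list(dict.fromkeys(existing.get(key, []) + rule.get(key, [])))
                    if union:
                        existing[key] = union
                descs = [d for d in (existing.get("Description"), rule.get("Description")) if d]
                if descs:
                    existing["Description"] = "; ".join(dict.fromkeys(descs))
    return merged


def count_muted_checks(mutelist):
    """Number of distinct check IDs muted across all accounts."""
    return sum(len(a["Checks"]) for a in mutelist["Mutelist"]["Accounts"].values())


# Constructed fragments standing in for two files under mutelist/; the check
# IDs are illustrative placeholders, not real Prowler check names.
APISERVER = {"Mutelist": {"Accounts": {"*": {"Checks": {
    "apiserver_example_flag": {"Regions": ["*"], "Resources": ["kube-apiserver-minikube"],
                               "Description": "minikube sets this flag itself"}}}}}}
CORE_PODS = {"Mutelist": {"Accounts": {"*": {"Checks": {
    "core_example_seccomp": {"Regions": ["kube-system"], "Resources": ["*"],
                             "Description": "system pods are not ours to patch"},
    "apiserver_example_flag": {"Regions": ["*"], "Resources": ["kube-apiserver-extra"],
                               "Description": "second apiserver instance"}}}}}}

if __name__ == "__main__":
    import json
    print(json.dumps(merge_mutelists([APISERVER, CORE_PODS]), indent=2))
```

Loading the real fragments from the mutelist/ directory is a matter of parsing each file with a YAML library and passing the resulting dicts to merge_mutelists before writing the merged result where the scan container expects it.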

Add mutelist files to suppress expected/accepted Prowler findings:
- apiserver: minikube control plane flags (12 checks)
- control-plane: scheduler, controller-manager, kubelet (3 checks)
- core-pod-security: system pods, operator-managed, expected ops (7 checks)
- rbac: built-in K8s roles, ArgoCD, CNPG (3 checks)

Mutelist files are stored individually in mutelist/ for maintainability
and merged at runtime via an initContainer before the scan runs.
Muted findings appear as status=MUTED in reports (not hidden).

Also adds missing seccomp RuntimeDefault profile to kube-state-metrics.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
eblume merged commit a76e471d54 into main 2026-03-30 17:22:32 -07:00
Reference
eblume/blumeops!319