---
title: Deploy Prowler CIS Scanner
modified: 2026-03-24
last-reviewed: 2026-03-24
tags:
  - how-to
  - kubernetes
  - security
  - compliance
---

# Deploy Prowler CIS Scanner

Prowler runs weekly CIS Kubernetes Benchmark scans against minikube-indri and writes HTML/CSV/JSON reports to the NFS share on sifaka.

## What it checks

### Kubernetes CIS benchmarks (Sunday 3am)

Prowler's Kubernetes provider runs ~70 checks from the CIS Kubernetes Benchmark v1.11, grouped into:

| Category | Checks | How it works |
|----------|--------|--------------|
| **Core (pod security)** | 13 | Queries the K8s API for privileged containers, hostPID/hostNetwork, capabilities, secrets in env vars, seccomp |
| **RBAC** | 9 | Queries the RBAC API for overprivileged roles, wildcard access, cluster-admin bindings |
| **Apiserver** | 29 | Inspects `kube-apiserver` pod args in kube-system (TLS, auth, audit, admission plugins) |
| **Etcd** | 7 | Inspects `etcd` pod args (TLS, cert auth) |
| **Controller Manager** | 7 | Inspects `kube-controller-manager` pod args |
| **Kubelet** | 16 | Reads the kubelet-config ConfigMap plus node file permissions (file checks need hostPID) |
| **Scheduler** | 2 | Inspects `kube-scheduler` pod args |

**Minikube relevance:** Most checks work because minikube runs the control plane as static pods. Kubelet file permission checks return MANUAL unless Prowler runs on the node (we mount host paths to enable this).

**k3s note:** k3s embeds the control plane in a single binary — no static pods exist. Only core + RBAC checks (~22 of 70) produce results. Consider `kube-bench` for k3s control plane checks.
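As an added example (not part of this page or the Prowler project), a small Python summary that tallies a Prowler CSV report per service and keeps MANUAL results apart from real failures, so the minikube/k3s coverage gap described above is visible in the numbers rather than hidden. The `;` delimiter and the column names `CHECK_ID`, `STATUS`, `STATUS_EXTENDED`, `SERVICE_NAME` and `SEVERITY` are assumptions about Prowler's CSV layout; the rows are constructed sample data, not findings from minikube-indri.

```python
import csv
import io
from collections import Counter, defaultdict

# Constructed sample rows in the shape assumed for a Prowler CSV report
# (';'-delimited; the column names are an assumption, confirm them against the
# header line of a real file). Check ids and messages are illustrative only.
SAMPLE_CSV = """CHECK_ID;CHECK_TITLE;STATUS;STATUS_EXTENDED;SERVICE_NAME;SEVERITY
core_privileged_containers;Minimize privileged containers;FAIL;Pod web in default runs privileged;core;high
rbac_cluster_admin_usage;Limit use of cluster-admin;PASS;No unexpected cluster-admin bindings;rbac;high
apiserver_anonymous_auth;Ensure --anonymous-auth is false;FAIL;kube-apiserver allows anonymous requests;apiserver;high
kubelet_conf_permissions;kubelet.conf permissions 600 or stricter;MANUAL;Run on the node to verify;kubelet;medium
etcd_tls;Ensure etcd serves TLS;PASS;etcd has cert-file and key-file set;etcd;high
"""

SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def summarize(csv_text, delimiter=";"):
    """Return ({service: Counter of PASS/FAIL/MANUAL}, FAIL rows by severity)."""
    reader = csv.DictReader(io.StringIO(csv_text), delimiter=delimiter)
    by_service = defaultdict(Counter)
    failures = []
    for row in reader:
        status = row["STATUS"].strip().upper()
        by_service[row["SERVICE_NAME"]][status] += 1
        if status == "FAIL":
            failures.append((row["SEVERITY"], row["CHECK_ID"], row["STATUS_EXTENDED"]))
    # Stable sort: highest severity first, original order within a severity.
    failures.sort(key=lambda f: SEVERITY_ORDER.get(f[0].lower(), 9))
    return dict(by_service), failures


def coverage(by_service):
    """Share of checks that produced an automated PASS/FAIL verdict.

    MANUAL rows (kubelet file checks without host mounts, most control-plane
    checks on k3s) are excluded: a low value means little was verified,
    not that the cluster is healthy."""
    total = sum(sum(c.values()) for c in by_service.values())
    automated = sum(c["PASS"] + c["FAIL"] for c in by_service.values())
    return automated / total if total else 0.0


if __name__ == "__main__":
    by_service, failures = summarize(SAMPLE_CSV)
    for service, counts in sorted(by_service.items()):
        print(f"{service:<12} PASS={counts['PASS']} FAIL={counts['FAIL']} MANUAL={counts['MANUAL']}")
    print(f"automated coverage: {coverage(by_service):.0%}")
    for severity, check_id, detail in failures:
        print(f"[{severity}] {check_id}: {detail}")
```

Point `summarize` at the contents of a real report file to get the same breakdown for the latest run.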
### Image vulnerability scanning (Saturday 3am)

Prowler's image provider scans all `blumeops/*` container images in `registry.ops.eblu.me` for:

- **CVEs** — known vulnerabilities from NVD, Alpine SecDB, Debian Security Tracker, and other sources
- **Embedded secrets** — credentials or API keys baked into image layers
- **Misconfigurations** — Dockerfile best practices (running as root, missing HEALTHCHECK, etc.)

Uses Trivy under the hood. Reports are written to `sifaka:/volume1/reports/prowler-images/`.

To run an ad-hoc image scan:

```fish
kubectl create job --from=cronjob/prowler-image-scan prowler-image-manual -n prowler --context=minikube-indri
```

### IaC scanning (Saturday 2am)

Prowler's IaC provider scans the blumeops repository (cloned at scan time) for misconfigurations in:

- **Dockerfiles** — running as root, using `latest` tags, missing `HEALTHCHECK`
- **Kubernetes manifests** — missing resource limits, privileged containers, insecure settings
- **Other IaC files** — Terraform, CloudFormation, etc. if present

Uses Trivy under the hood. Reports are written to `sifaka:/volume1/reports/prowler-iac/`.

To run an ad-hoc IaC scan:

```fish
kubectl create job --from=cronjob/prowler-iac-scan prowler-iac-manual -n prowler --context=minikube-indri
```

## Reports

Reports are written to `sifaka:/volume1/reports/prowler/` with timestamped filenames. See [[read-compliance-reports]] for how to access and interpret them.

## Running an ad-hoc scan

```fish
kubectl create job --from=cronjob/prowler prowler-manual -n prowler --context=minikube-indri
```

Watch progress:

```fish
kubectl logs -f job/prowler-manual -n prowler --context=minikube-indri
```

## Container

Custom slim build at `containers/prowler/Dockerfile` — strips PowerShell, Trivy, and non-Kubernetes providers from upstream. See [[build-container-image]] for the build/release process.

Source is mirrored at `forge.ops.eblu.me/mirrors/prowler`.
## See also

- [[security]] — security & compliance posture overview
- [[read-compliance-reports]] — how to access and interpret scan reports
- [[deploy-k8s-service]] — general K8s deployment how-to
- [[build-container-image]] — container build pipeline