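# Minikube apiserver — flags managed by static pod manifests.
#
# Each entry mutes one apiserver check for the resource matching the anchored
# regex ^kube-apiserver-minikube$; its Description records why the finding is
# accepted. The justifications rest on single-operator access and tailnet-only
# reachability, so re-check them if either assumption changes.
# NOTE(review): Accounts "*" and Regions ["*"] are wildcards, so the Resources
# regex is the only thing scoping these mutes — keep it anchored.
Mutelist:
  Accounts:
    "*":
      Checks:
        "apiserver_always_pull_images_plugin":
          Regions: ["*"]
          Resources: ["^kube-apiserver-minikube$"]
          Description: "Only the operator has cluster access; all images pulled from private zot registry."

        # NOTE(review): the four audit-log mutes below share one justification.
        # A pod-level trail does not record API requests (user, verb,
        # resource); confirm that this gap is accepted rather than covered.
        "apiserver_audit_log_maxage_set":
          Regions: ["*"]
          Resources: ["^kube-apiserver-minikube$"]
          Description: "Alloy/Loki provides pod-level audit trail."
        "apiserver_audit_log_maxbackup_set":
          Regions: ["*"]
          Resources: ["^kube-apiserver-minikube$"]
          Description: "Alloy/Loki provides pod-level audit trail."
        "apiserver_audit_log_maxsize_set":
          Regions: ["*"]
          Resources: ["^kube-apiserver-minikube$"]
          Description: "Alloy/Loki provides pod-level audit trail."
        "apiserver_audit_log_path_set":
          Regions: ["*"]
          Resources: ["^kube-apiserver-minikube$"]
          Description: "Alloy/Loki provides pod-level audit trail."

        "apiserver_deny_service_external_ips":
          Regions: ["*"]
          Resources: ["^kube-apiserver-minikube$"]
          Description: "No external IPs routable; cluster only reachable via tailnet."
        "apiserver_disable_profiling":
          Regions: ["*"]
          Resources: ["^kube-apiserver-minikube$"]
          Description: "Profiling endpoint unreachable from public internet."

        # NOTE(review): encryption at rest protects Secrets in etcd data
        # files, snapshots and backups; confirm those are covered by the
        # node-access assumption as well.
        "apiserver_encryption_provider_config_set":
          Regions: ["*"]
          Resources: ["^kube-apiserver-minikube$"]
          Description: "Etcd not network-exposed; only operator has node access."

        # NOTE(review): this check presumably concerns the apiserver verifying
        # the kubelet's serving certificate; auto-generated certificates alone
        # do not imply that verification happens — TODO confirm.
        "apiserver_kubelet_cert_auth":
          Regions: ["*"]
          Resources: ["^kube-apiserver-minikube$"]
          Description: "Kubelet API not exposed outside the node; minikube auto-generates certificates."

        "apiserver_request_timeout_set":
          Regions: ["*"]
          Resources: ["^kube-apiserver-minikube$"]
          Description: "API server only reachable via tailnet; DoS risk limited to trusted clients."
        "apiserver_service_account_lookup_true":
          Regions: ["*"]
          Resources: ["^kube-apiserver-minikube$"]
          Description: "Only operator manages service accounts; no revoked tokens in circulation."

        # NOTE(review): WireGuard covers traffic that crosses the tailnet;
        # connections from in-cluster clients to the apiserver presumably rely
        # on TLS alone — confirm before treating this as fully compensated.
        "apiserver_strong_ciphers_only":
          Regions: ["*"]
          Resources: ["^kube-apiserver-minikube$"]
          Description: "API server traffic encrypted by WireGuard at the network layer."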