eblume/blumeops
1
1
Fork 0
Code Issues Pull requests Projects Releases 83 Packages Wiki Activity Actions
blumeops/docs/how-to/operations/deploy-prowler.md
Erich Blume 9053ce5955 Add security reference card and compliance report how-to 
Split report-reading guidance out of deploy-prowler into its own
how-to (read-compliance-reports). Add security & compliance
reference card (reference/operations/security) following the
pattern of the observability card.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-24 16:05:17 -07:00

2.4 KiB
Raw Permalink Blame History

title modified last-reviewed tags
Deploy Prowler CIS Scanner 2026-03-24 2026-03-24
how-to
kubernetes
security
compliance

Deploy Prowler CIS Scanner

Prowler runs weekly CIS Kubernetes Benchmark scans against minikube-indri and writes HTML/CSV/JSON reports to the NFS share on sifaka.

What it checks

Prowler's Kubernetes provider runs ~70 checks from the CIS Kubernetes Benchmark v1.11, grouped into:

Category Checks How it works
Core (pod security) 13 Queries K8s API for privileged containers, hostPID/hostNetwork, capabilities, secrets in env vars, seccomp
RBAC 9 Queries RBAC API for overprivileged roles, wildcard access, cluster-admin bindings
Apiserver 29 Inspects kube-apiserver pod args in kube-system (TLS, auth, audit, admission plugins)
Etcd 7 Inspects etcd pod args (TLS, cert auth)
Controller Manager 7 Inspects kube-controller-manager pod args
Kubelet 16 Reads kubelet-config ConfigMap + node file permissions (file checks need hostPID)
Scheduler 2 Inspects kube-scheduler pod args

Minikube relevance: Most checks work because minikube runs control plane as static pods. Kubelet file permission checks return MANUAL unless Prowler runs on the node (we mount host paths to enable this).

k3s note: k3s embeds the control plane in a single binary — no static pods exist. Only core + RBAC checks (~22 of 70) produce results. Consider kube-bench for k3s control plane checks.

Reports

Reports are written to sifaka:/volume1/reports/prowler/ with timestamped filenames. See read-compliance-reports for how to access and interpret them.

Running an ad-hoc scan

kubectl create job --from=cronjob/prowler prowler-manual -n prowler --context=minikube-indri

Watch progress:

kubectl logs -f job/prowler-manual -n prowler --context=minikube-indri

Container

Custom slim build at containers/prowler/Dockerfile — strips PowerShell, Trivy, and non-Kubernetes providers from upstream. See build-container-image for the build/release process.

Source is mirrored at forge.ops.eblu.me/mirrors/prowler.

See also