blumeops/argocd/manifests/grafana
Erich Blume 495e45d01d Address 6 critical Prowler IaC findings (mute + grafana RBAC tighten) (#340)
## Summary

The weekly Prowler IaC scan reported 6 critical findings against `argocd/manifests/`. They split cleanly into two patterns:

- **Legitimate-by-design RBAC → mute with new compensating controls**
  - `external-secrets-controller`, `external-secrets-cert-controller` manage `secrets` (KSV-0041) and the cert-controller mutates its own webhook configurations (KSV-0114). This is what the operator is *for*. New CC: `operator-purpose-bound-rbac`.
  - `kube-state-metrics` (both `minikube-indri` and `k3s-ringtail`) holds `list/watch` on secrets to expose `kube_secret_info` and `kube_secret_labels` metrics. KSM's metric schema only reads metadata, never the `data:` field. New CC: `kube-state-metrics-metadata-only`.

- **Over-broad RBAC → fix**
  - `grafana-clusterrole` had `get/watch/list` on `secrets` because the dashboard-sidecar config used `RESOURCE=both` (ConfigMaps + Secrets). Nothing in the cluster labels Secrets with `grafana_dashboard=1`, so this was unused power. Switched both sidecar instances to `RESOURCE=configmap` and removed `secrets` from the ClusterRole.

The IaC cronjob also did not previously pass `--mutelist-file`, which is why every IaC finding reported as unmuted regardless of mutelist configuration. The new `mutelist/iac.yaml` is bundled into the existing `prowler-mutelist` ConfigMap and mounted via `items:` selector.

## Test plan

- [ ] `kubectl --context=minikube-indri kustomize argocd/manifests/prowler/` — already passes locally
- [ ] `kubectl --context=minikube-indri kustomize argocd/manifests/grafana/` — already passes locally
- [ ] Deploy from this branch via `argocd app set prowler --revision prowler-iac-mutelist && argocd app sync prowler` and same for `grafana`
- [ ] Manually trigger the IaC cronjob and verify `MUTED=True` on the 6 critical findings (`kubectl --context=minikube-indri -n prowler create job --from=cronjob/prowler-iac-scan prowler-iac-test`)
- [ ] Restart grafana pod and confirm dashboards still render (sidecar still finds them via ConfigMap watch)
- [ ] After verifying, `argocd app set <app> --revision main && argocd app sync <app>` post-merge

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Reviewed-on: #340
2026-04-29 10:43:32 -07:00
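As an added example (not code from the blumeops repository and not Prowler's own check), the Python below reproduces the kind of RBAC audit behind the `grafana-clusterrole` finding and the fix the commit describes. It runs on constructed manifests modelled on the before/after described in the summary, plus a wildcard role that goes beyond the commit's case to show why an auditor has to treat `*` in `apiGroups`, `resources` or `verbs` as covering Secrets. The manifest contents, the `too-broad` role name and the helper functions are assumptions for illustration.

```python
"""Audit Role/ClusterRole rules for read access to Secrets.

Added example, not code from the blumeops repository. Manifests below are
constructed to mirror the change described in #340; they are not copied
from argocd/manifests/grafana/rbac.yaml.
"""
import json

# Verbs that return Secret objects, data: field included. list and watch
# return whole objects, so they are as sensitive as get.
SECRET_READ_VERBS = {"get", "list", "watch"}

# Constructed "before" manifest: sidecar ran with RESOURCE=both, so the
# ClusterRole carried secrets alongside configmaps.
GRAFANA_CLUSTERROLE_BEFORE = json.loads("""
{
  "apiVersion": "rbac.authorization.k8s.io/v1",
  "kind": "ClusterRole",
  "metadata": {"name": "grafana-clusterrole"},
  "rules": [
    {"apiGroups": [""], "resources": ["configmaps", "secrets"],
     "verbs": ["get", "watch", "list"]}
  ]
}
""")

# Constructed "after" manifest: RESOURCE=configmap, secrets removed.
GRAFANA_CLUSTERROLE_AFTER = json.loads("""
{
  "apiVersion": "rbac.authorization.k8s.io/v1",
  "kind": "ClusterRole",
  "metadata": {"name": "grafana-clusterrole"},
  "rules": [
    {"apiGroups": [""], "resources": ["configmaps"],
     "verbs": ["get", "watch", "list"]}
  ]
}
""")

# Constructed wildcard role (hypothetical name): grants Secret reads even
# though the word "secrets" never appears in it.
WILDCARD_CLUSTERROLE = json.loads("""
{
  "apiVersion": "rbac.authorization.k8s.io/v1",
  "kind": "ClusterRole",
  "metadata": {"name": "too-broad"},
  "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]
}
""")


def _matches(wanted, granted):
    """True if granted contains '*' or any of the wanted values."""
    return "*" in granted or bool(wanted & set(granted))


def secret_read_findings(role):
    """Return one finding per rule that can read Secrets.

    Secrets live in the core API group, which rules spell as "" (empty
    string). A rule narrowed with resourceNames still reads Secret contents,
    only fewer of them, so it is reported with scoped=True rather than skipped.
    """
    findings = []
    for idx, rule in enumerate(role.get("rules", [])):
        if not _matches({""}, rule.get("apiGroups", [])):
            continue
        if not _matches({"secrets"}, rule.get("resources", [])):
            continue
        verbs = rule.get("verbs", [])
        if not _matches(SECRET_READ_VERBS, verbs):
            continue
        findings.append({
            "role": role["metadata"]["name"],
            "rule_index": idx,
            "verbs": sorted(set(verbs) & SECRET_READ_VERBS) or ["*"],
            "scoped": bool(rule.get("resourceNames")),
        })
    return findings


def can_read_secrets(role):
    """True if any rule grants unscoped get/list/watch on Secrets."""
    return any(not f["scoped"] for f in secret_read_findings(role))


def tighten(role):
    """Return a copy of role with 'secrets' dropped from core-group rules.

    A rule that listed only secrets is removed outright. Wildcard rules are
    left untouched: rewriting '*' into an explicit list needs a human decision.
    """
    tightened = json.loads(json.dumps(role))  # deep copy
    kept = []
    for rule in tightened.get("rules", []):
        core = _matches({""}, rule.get("apiGroups", []))
        if core and "secrets" in rule.get("resources", []):
            rule["resources"] = [r for r in rule["resources"] if r != "secrets"]
            if not rule["resources"]:
                continue
        kept.append(rule)
    tightened["rules"] = kept
    return tightened


if __name__ == "__main__":
    for role in (GRAFANA_CLUSTERROLE_BEFORE, GRAFANA_CLUSTERROLE_AFTER,
                 WILDCARD_CLUSTERROLE):
        print(role["metadata"]["name"], secret_read_findings(role))
    print("tighten(before) == after:",
          tighten(GRAFANA_CLUSTERROLE_BEFORE) == GRAFANA_CLUSTERROLE_AFTER)
```

The same logic applies unchanged to namespaced `Role` objects; the one thing it does not see is the binding side, so a ClusterRole that is never bound would still be reported, which is the conservative choice for an IaC scan.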
| File | Last commit | Date |
|---|---|---|
| alerting.yaml | Switch Fly proxy to upstream keepalive pools (#337) | 2026-04-17 16:39:52 -07:00 |
| datasources.yaml | Add OpenTelemetry distributed tracing (Tempo + Beyla eBPF) (#286) | 2026-03-05 10:51:07 -08:00 |
| deployment.yaml | Address 6 critical Prowler IaC findings (mute + grafana RBAC tighten) (#340) | 2026-04-29 10:43:32 -07:00 |
| grafana.ini | C2: Deploy infrastructure alerting pipeline (#303) | 2026-03-22 14:52:56 -07:00 |
| kustomization.yaml | Update grafana-sidecar image tag to v2.6.0-61fcd5d (merge build) | 2026-04-13 08:02:39 -07:00 |
| provider.yaml | Add kustomize images: and configMapGenerator: across services (#264) | 2026-02-24 14:25:19 -08:00 |
| pvc.yaml | C2: Upgrade Grafana to 12.x with Nix container and Kustomize (#260) | 2026-02-23 18:07:18 -08:00 |
| rbac.yaml | Address 6 critical Prowler IaC findings (mute + grafana RBAC tighten) (#340) | 2026-04-29 10:43:32 -07:00 |
| service.yaml | C2: Upgrade Grafana to 12.x with Nix container and Kustomize (#260) | 2026-02-23 18:07:18 -08:00 |
| serviceaccount.yaml | C2: Upgrade Grafana to 12.x with Nix container and Kustomize (#260) | 2026-02-23 18:07:18 -08:00 |