Erich Blume
fe201a495c
Clone repo in init container, scan Dockerfiles and K8s manifests with Prowler's IaC provider (Trivy). Reports written to sifaka:/volume1/reports/prowler-iac/. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
3.7 KiB
| title | modified | last-reviewed | tags | ||||
|---|---|---|---|---|---|---|---|
| Deploy Prowler CIS Scanner | 2026-03-24 | 2026-03-24 |
|
Deploy Prowler CIS Scanner
Prowler runs weekly CIS Kubernetes Benchmark scans against minikube-indri and writes HTML/CSV/JSON reports to the NFS share on sifaka.
What it checks
Kubernetes CIS benchmarks (Sunday 3am)
Prowler's Kubernetes provider runs ~70 checks from the CIS Kubernetes Benchmark v1.11, grouped into:
| Category | Checks | How it works |
|---|---|---|
| Core (pod security) | 13 | Queries K8s API for privileged containers, hostPID/hostNetwork, capabilities, secrets in env vars, seccomp |
| RBAC | 9 | Queries RBAC API for overprivileged roles, wildcard access, cluster-admin bindings |
| Apiserver | 29 | Inspects kube-apiserver pod args in kube-system (TLS, auth, audit, admission plugins) |
| Etcd | 7 | Inspects etcd pod args (TLS, cert auth) |
| Controller Manager | 7 | Inspects kube-controller-manager pod args |
| Kubelet | 16 | Reads kubelet-config ConfigMap + node file permissions (file checks need hostPID) |
| Scheduler | 2 | Inspects kube-scheduler pod args |
Minikube relevance: Most checks work because minikube runs control plane as static pods. Kubelet file permission checks return MANUAL unless Prowler runs on the node (we mount host paths to enable this).
k3s note: k3s embeds the control plane in a single binary — no static pods exist. Only core + RBAC checks (~22 of 70) produce results. Consider kube-bench for k3s control plane checks.
Image vulnerability scanning (Saturday 3am)
Prowler's image provider scans all blumeops/* container images in registry.ops.eblu.me for:
- CVEs — known vulnerabilities from NVD, Alpine SecDB, Debian Security Tracker, and other sources
- Embedded secrets — credentials or API keys baked into image layers
- Misconfigurations — Dockerfile best practices (running as root, missing HEALTHCHECK, etc.)
Uses Trivy under the hood. Reports are written to sifaka:/volume1/reports/prowler-images/.
To run an ad-hoc image scan:
kubectl create job --from=cronjob/prowler-image-scan prowler-image-manual -n prowler --context=minikube-indri
IaC scanning (Saturday 2am)
Prowler's IaC provider scans the blumeops repository (cloned at scan time) for misconfigurations in:
- Dockerfiles — running as root, using
latesttags, missingHEALTHCHECK - Kubernetes manifests — missing resource limits, privileged containers, insecure settings
- Other IaC files — Terraform, CloudFormation, etc. if present
Uses Trivy under the hood. Reports are written to sifaka:/volume1/reports/prowler-iac/.
To run an ad-hoc IaC scan:
kubectl create job --from=cronjob/prowler-iac-scan prowler-iac-manual -n prowler --context=minikube-indri
Reports
Reports are written to sifaka:/volume1/reports/prowler/ with timestamped filenames. See read-compliance-reports for how to access and interpret them.
Running an ad-hoc scan
kubectl create job --from=cronjob/prowler prowler-manual -n prowler --context=minikube-indri
Watch progress:
kubectl logs -f job/prowler-manual -n prowler --context=minikube-indri
Container
Custom slim build at containers/prowler/Dockerfile — strips PowerShell, Trivy, and non-Kubernetes providers from upstream. See build-container-image for the build/release process.
Source is mirrored at forge.ops.eblu.me/mirrors/prowler.
See also
- security — security & compliance posture overview
- read-compliance-reports — how to access and interpret scan reports
- deploy-k8s-service — general K8s deployment how-to
- build-container-image — container build pipeline