Erich Blume
3166aa88dd
Document the decision to retire the container-image CVE scan and the IaC scan, which generated tens of thousands of un-actioned, un-muted findings weekly with no realized value. The K8s CIS scan (fully mutelisted, runs clean) is retained. Rationale captured in deploy-prowler. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
56 lines
2.5 KiB
Markdown
56 lines
2.5 KiB
Markdown
---
|
|
title: Security & Compliance
|
|
modified: 2026-06-08
|
|
last-reviewed: 2026-03-24
|
|
tags:
|
|
- operations
|
|
- security
|
|
---
|
|
|
|
# Security & Compliance
|
|
|
|
Security posture and compliance scanning for BlumeOps infrastructure.
|
|
|
|
## Compliance frameworks
|
|
|
|
| Framework | Tool | Cluster | Notes |
|
|
|-----------|------|---------|-------|
|
|
| CIS Kubernetes Benchmark v1.11 | [[prowler]] | minikube-indri | Weekly CronJob, ~82 checks |
|
|
| PCI DSS v4.0 (K8s mapping) | [[prowler]] | minikube-indri | Reuses CIS checks mapped to PCI requirements |
|
|
| ISO 27001:2022 (K8s mapping) | [[prowler]] | minikube-indri | Partial — 22 of 92 controls mapped |
|
|
|
|
## Scanning tools
|
|
|
|
- [[prowler]] — CIS Kubernetes Benchmark scanner (weekly CronJob). The container-image CVE scan and IaC scan were retired in 2026-06 (un-actioned noise — see [[deploy-prowler#Why only the K8s CIS scan]]); only the K8s CIS scan remains.
|
|
- [[deploy-prowler]] — deployment and ad-hoc scan how-to
|
|
- [[read-compliance-reports]] — accessing and interpreting reports
|
|
- [[kingfisher]] — Secret detection and live validation for Forgejo repos (weekly CronJob + prek hook)
|
|
|
|
## Identity & access
|
|
|
|
- [[authentik]] — SSO/OIDC provider for all web services
|
|
- RBAC — Kubernetes role-based access control (audited by Prowler RBAC checks)
|
|
|
|
## Network & TLS
|
|
|
|
- [[caddy]] — TLS termination for `*.ops.eblu.me` services
|
|
- [[flyio-proxy]] — public ingress via Fly.io tunnel
|
|
- Tailscale — zero-trust mesh networking across all nodes
|
|
|
|
## Secrets management
|
|
|
|
- [[1password]] — root credential store
|
|
- [[external-secrets]] — Kubernetes secrets synced from 1Password
|
|
|
|
## Reports
|
|
|
|
All compliance scan reports are stored on `sifaka:/volume1/reports/`. See [[read-compliance-reports]] for access and interpretation.
|
|
|
|
Suppressed findings are kept in Prowler mutelist YAML under `argocd/manifests/prowler/mutelist/`. Each entry's `Description` field explains why the finding is muted; entries are reviewed ad-hoc rather than on a scheduled cadence.
|
|
|
|
## Known gaps
|
|
|
|
- No SOC 2 compliance mapping for Kubernetes (Prowler only maps SOC 2 for AWS/Azure/GCP)
|
|
- k3s control plane checks produce no results (embedded binary, no static pods) — consider kube-bench
|
|
- No container-image CVE scanning (the Prowler image scan was retired 2026-06 as un-actioned noise). If reintroduced, scope it to critical-severity, currently-deployed tags, alert-on-new
|
|
- No automated IaC misconfiguration scanning (the Prowler IaC scan was retired 2026-06). Manifest pod-security hardening is now an accept-and-document decision rather than a weekly report
|