Six critical IaC findings against argocd/manifests/ broke into two
patterns: legitimate-by-design RBAC (mute) and over-broad RBAC (fix).
Plumbing:
- cronjob-iac-scan.yaml now passes --mutelist-file (previously
unused, which is why all IaC findings reported as unmuted)
- new mutelist/iac.yaml is bundled into the prowler-mutelist
ConfigMap and mounted into the IaC cronjob via items: selector
Compensating controls (in compensating-controls.yaml):
- operator-purpose-bound-rbac — external-secrets-operator's whole
function is to manage Secret objects; ClusterRole over secrets
matches its purpose. cert-controller mutates its own validating
webhooks to inject a rotating CA bundle.
- kube-state-metrics-metadata-only — KSM exposes only Secret
metadata via kube_secret_info / kube_secret_labels; the data
field is never read into exposed metrics.
Mutes (mutelist/iac.yaml):
- KSV-0041 for external-secrets/rbac.yaml,
kube-state-metrics/rbac.yaml,
kube-state-metrics-ringtail/rbac.yaml
- KSV-0114 for external-secrets/rbac.yaml
Real fix:
- grafana-clusterrole no longer reads secrets. The dashboard sidecar
(RESOURCE=both → configmap, both init and watch instances) only
needs ConfigMap-labeled dashboards; no Secrets are labeled
grafana_dashboard.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
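The plumbing fix above only matters if the mutelist actually matches the findings it is meant to cover. The following is an added example (not Prowler's or this repo's code) modelling how a Prowler-style mutelist decides whether an IaC finding is muted; the matching semantics (Regions: exact or "*"; Resources: unanchored regex search) and the grafana file path are assumptions, so verify them against the Prowler version in use.

```python
"""Model of how a Prowler-style mutelist decides whether an IaC finding is
muted. Added example, not Prowler's or this repo's code: the matching
semantics are an assumption (Regions: exact or "*"; Resources: unanchored
regex search), so verify them against the Prowler version you run."""
import re

# Constructed mutelist mirroring mutelist/iac.yaml from this commit.
MUTELIST = {"Mutelist": {"Accounts": {"*": {"Checks": {
    "KSV-0041": {
        "Regions": ["*"],
        "Resources": [
            "argocd/manifests/external-secrets/rbac.yaml",
            "argocd/manifests/kube-state-metrics/rbac.yaml",
            "argocd/manifests/kube-state-metrics-ringtail/rbac.yaml",
        ],
    },
    "KSV-0114": {
        "Regions": ["*"],
        "Resources": ["argocd/manifests/external-secrets/rbac.yaml"],
    },
}}}}}


def is_muted(mutelist, check_id, region, resource, account="*"):
    """True when (check_id, region, resource) matches a mutelist entry.
    No mutelist (the pre-fix cronjob never passed --mutelist-file)
    means nothing is muted, so every finding reports as unmuted."""
    if not mutelist:
        return False
    accounts = mutelist.get("Mutelist", {}).get("Accounts", {})
    for acct in {account, "*"}:
        entry = accounts.get(acct, {}).get("Checks", {}).get(check_id)
        if not entry:
            continue
        regions = entry.get("Regions", [])
        if "*" not in regions and region not in regions:
            continue
        for pattern in entry.get("Resources", []):
            if pattern == "*" or re.search(pattern, resource):
                return True
    return False


def triage(mutelist, findings):
    """Split (check_id, region, resource) findings into muted / unmuted
    resource lists, the way the scan report groups them."""
    muted = [r for c, g, r in findings if is_muted(mutelist, c, g, r)]
    unmuted = [r for c, g, r in findings if not is_muted(mutelist, c, g, r)]
    return muted, unmuted
```

Under the assumed unanchored search, a copy of a muted manifest at another path (for example under a `legacy/` prefix) is muted too; anchor the pattern with `^...$` if the mute must stay file-specific.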
40 lines
2 KiB
YAML
# IaC scan mutes — Trivy KSV checks against argocd/manifests/.
#
# Check ID format: "KSV-XXXX" (Trivy Kubernetes Security check IDs).
# Region / Resource semantics for Prowler IaC: Region == repo path,
# Resource == manifest file path (relative to repo root).
Mutelist:
  Accounts:
    "*":
      Checks:
        "KSV-0041":
          # Mutelist entries under one CHECK_ID share a Resources list.
          # Each resource here justifies muting under a distinct CC; see
          # the per-resource notes below.
          Regions: ["*"]
          Resources:
            # CC: operator-purpose-bound-rbac. external-secrets-operator's
            # entire function is to read and synthesize Secret objects;
            # ClusterRole over secrets is its purpose. Both the controller
            # and cert-controller are upstream-defined.
            - "argocd/manifests/external-secrets/rbac.yaml"
            # CC: kube-state-metrics-metadata-only. KSM exposes only
            # Secret metadata (name, namespace, type, labels), never the
            # data field. list/watch on secrets is required to expose
            # kube_secret_info and kube_secret_labels.
            - "argocd/manifests/kube-state-metrics/rbac.yaml"
            - "argocd/manifests/kube-state-metrics-ringtail/rbac.yaml"
          Description: >-
            CC: operator-purpose-bound-rbac (external-secrets);
            kube-state-metrics-metadata-only (kube-state-metrics).
        "KSV-0114":
          Regions: ["*"]
          Resources:
            - "argocd/manifests/external-secrets/rbac.yaml"
          Description: >-
            CC: operator-purpose-bound-rbac. cert-controller manages the
            external-secrets validating webhook configurations to inject
            its own rotating CA bundle. RBAC is scoped to two named
            webhooks (secretstore-validate, externalsecret-validate) via
            resourceNames; KSV-0114 doesn't see the resourceNames
            restriction so reports the full ClusterRole.
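Review bot: the mute granularity is the whole manifest file (Resource == manifest file path, per the header comment), so any Role or ClusterRole added later to external-secrets/rbac.yaml or either kube-state-metrics rbac.yaml inherits the KSV-0041 mute (and external-secrets/rbac.yaml the KSV-0114 mute) without a new finding. Suggest a comment next to each muted path stating which named ClusterRole the compensating control covers, for example "# covers ClusterRole(s): <name>", so a reviewer of future edits to those files knows the mute must be re-justified rather than assumed.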