eblume/blumeops
1
1
Fork 0
Code Issues Pull requests Projects Releases 83 Packages Wiki Activity Actions
blumeops/docs/reference/operations/security.md
Erich Blume 1c41cca903 Retire Prowler image + IaC scans (keep K8s CIS only) (#372) 
## Why

Weekly compliance review (2026-06-07) surfaced the toil problem head-on:

| Report | Unmuted findings | Muted | Acted on |
|--------|------------------|-------|----------|
| **K8s CIS (In-Cluster)** | 0 | 65 | clean  |
| **Container Images** | 20,005 (+713 WoW) | 0 | never |
| **IaC (manifests)** | 654 (+31/−30 WoW) | 0 | never |

The image and IaC scans generate tens of thousands of un-actioned, un-muted findings every week:

- **Image scan** — overwhelmingly unpatchable *upstream* base-image CVEs, and it re-scans every historical tag still in the registry (2× paperless, 3× mealie, 4× prowler tags in the latest report), multiplying the count.
- **IaC scan** — systemic Trivy KSV pod-security warnings against our own manifests; real but homelab-acceptable, never muted, so re-surfaced indefinitely.

The K8s CIS scan is the only one with realized value (fully mutelisted, 0 unmuted WoW) and is retained. Matches the broader scaling-back of the reporting system as minikube heads toward retirement.

## Changes

- Delete `cronjob-image-scan.yaml` and `cronjob-iac-scan.yaml` + remove from kustomization
- Drop the now-unused `mutelist/trivyignore.yaml` (only the IaC scan consumed it)
- `review-compliance-reports`: drop the two retired scans (and the grouped-findings rendering that existed solely for them)
- Docs: deploy-prowler (new 'Why only the K8s CIS scan' section), read-compliance-reports, security reference, prowler reference

## Deploy (after review)

```fish
argocd app set prowler --revision retire-prowler-image-iac-scans
argocd app sync prowler   # prune removes the two CronJobs
# after merge: argocd app set prowler --revision main && argocd app sync prowler
```

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Reviewed-on: #372
2026-06-08 09:30:09 -07:00

2.5 KiB
Raw Blame History

title modified last-reviewed tags
Security & Compliance 2026-06-08 2026-03-24
operations
security

Security & Compliance

Security posture and compliance scanning for BlumeOps infrastructure.

Compliance frameworks

Framework Tool Cluster Notes
CIS Kubernetes Benchmark v1.11 prowler minikube-indri Weekly CronJob, ~82 checks
PCI DSS v4.0 (K8s mapping) prowler minikube-indri Reuses CIS checks mapped to PCI requirements
ISO 27001:2022 (K8s mapping) prowler minikube-indri Partial — 22 of 92 controls mapped

Scanning tools

Identity & access

  • authentik — SSO/OIDC provider for all web services
  • RBAC — Kubernetes role-based access control (audited by Prowler RBAC checks)

Network & TLS

  • caddy — TLS termination for *.ops.eblu.me services
  • flyio-proxy — public ingress via Fly.io tunnel
  • Tailscale — zero-trust mesh networking across all nodes

Secrets management

Reports

All compliance scan reports are stored on sifaka:/volume1/reports/. See read-compliance-reports for access and interpretation.

Suppressed findings are kept in Prowler mutelist YAML under argocd/manifests/prowler/mutelist/. Each entry's Description field explains why the finding is muted; entries are reviewed ad-hoc rather than on a scheduled cadence.

Known gaps

  • No SOC 2 compliance mapping for Kubernetes (Prowler only maps SOC 2 for AWS/Azure/GCP)
  • k3s control plane checks produce no results (embedded binary, no static pods) — consider kube-bench
  • No container-image CVE scanning (the Prowler image scan was retired 2026-06 as un-actioned noise). If reintroduced, scope it to critical-severity, currently-deployed tags, alert-on-new
  • No automated IaC misconfiguration scanning (the Prowler IaC scan was retired 2026-06). Manifest pod-security hardening is now an accept-and-document decision rather than a weekly report