Erich Blume
3e2c481034
Strips the "CC: <id>." prefix from every Description field in the Prowler mutelist YAML files (and the statement field in trivyignore). Each entry's free-form description now stands on its own. Deletes compensating-controls.yaml (the CC registry) and the review-compensating-controls mise task. Updates review-compliance-reports to drop CC references from docstrings, panel text, and table titles. Node verification logic is unchanged.
53 lines
2.5 KiB
YAML
53 lines
2.5 KiB
YAML
# Minikube apiserver — flags managed by static pod manifests.
|
|
Mutelist:
|
|
Accounts:
|
|
"*":
|
|
Checks:
|
|
"apiserver_always_pull_images_plugin":
|
|
Regions: ["*"]
|
|
Resources: ["^kube-apiserver-minikube$"]
|
|
Description: "Only the operator has cluster access; all images pulled from private zot registry."
|
|
"apiserver_audit_log_maxage_set":
|
|
Regions: ["*"]
|
|
Resources: ["^kube-apiserver-minikube$"]
|
|
Description: "Alloy/Loki provides pod-level audit trail."
|
|
"apiserver_audit_log_maxbackup_set":
|
|
Regions: ["*"]
|
|
Resources: ["^kube-apiserver-minikube$"]
|
|
Description: "Alloy/Loki provides pod-level audit trail."
|
|
"apiserver_audit_log_maxsize_set":
|
|
Regions: ["*"]
|
|
Resources: ["^kube-apiserver-minikube$"]
|
|
Description: "Alloy/Loki provides pod-level audit trail."
|
|
"apiserver_audit_log_path_set":
|
|
Regions: ["*"]
|
|
Resources: ["^kube-apiserver-minikube$"]
|
|
Description: "Alloy/Loki provides pod-level audit trail."
|
|
"apiserver_deny_service_external_ips":
|
|
Regions: ["*"]
|
|
Resources: ["^kube-apiserver-minikube$"]
|
|
Description: "No external IPs routable; cluster only reachable via tailnet."
|
|
"apiserver_disable_profiling":
|
|
Regions: ["*"]
|
|
Resources: ["^kube-apiserver-minikube$"]
|
|
Description: "Profiling endpoint unreachable from public internet."
|
|
"apiserver_encryption_provider_config_set":
|
|
Regions: ["*"]
|
|
Resources: ["^kube-apiserver-minikube$"]
|
|
Description: "Etcd not network-exposed; only operator has node access."
|
|
"apiserver_kubelet_cert_auth":
|
|
Regions: ["*"]
|
|
Resources: ["^kube-apiserver-minikube$"]
|
|
Description: "Kubelet API not exposed outside the node; minikube auto-generates certificates."
|
|
"apiserver_request_timeout_set":
|
|
Regions: ["*"]
|
|
Resources: ["^kube-apiserver-minikube$"]
|
|
Description: "API server only reachable via tailnet; DoS risk limited to trusted clients."
|
|
"apiserver_service_account_lookup_true":
|
|
Regions: ["*"]
|
|
Resources: ["^kube-apiserver-minikube$"]
|
|
Description: "Only operator manages service accounts; no revoked tokens in circulation."
|
|
"apiserver_strong_ciphers_only":
|
|
Regions: ["*"]
|
|
Resources: ["^kube-apiserver-minikube$"]
|
|
Description: "API server traffic encrypted by WireGuard at the network layer."
|