Erich Blume
495e45d01d
## Summary The weekly Prowler IaC scan reported 6 critical findings against `argocd/manifests/`. They split cleanly into two patterns: - **Legitimate-by-design RBAC → mute with new compensating controls** - `external-secrets-controller`, `external-secrets-cert-controller` manage `secrets` (KSV-0041) and the cert-controller mutates its own webhook configurations (KSV-0114). This is what the operator is *for*. New CC: `operator-purpose-bound-rbac`. - `kube-state-metrics` (both `minikube-indri` and `k3s-ringtail`) holds `list/watch` on secrets to expose `kube_secret_info` and `kube_secret_labels` metrics. KSM's metric schema only reads metadata, never the `data:` field. New CC: `kube-state-metrics-metadata-only`. - **Over-broad RBAC → fix** - `grafana-clusterrole` had `get/watch/list` on `secrets` because the dashboard-sidecar config used `RESOURCE=both` (ConfigMaps + Secrets). Nothing in the cluster labels Secrets with `grafana_dashboard=1`, so this was unused power. Switched both sidecar instances to `RESOURCE=configmap` and removed `secrets` from the ClusterRole. The IaC cronjob also did not previously pass `--mutelist-file`, which is why every IaC finding reported as unmuted regardless of mutelist configuration. The new `mutelist/iac.yaml` is bundled into the existing `prowler-mutelist` ConfigMap and mounted via `items:` selector. ## Test plan - [ ] `kubectl --context=minikube-indri kustomize argocd/manifests/prowler/` — already passes locally - [ ] `kubectl --context=minikube-indri kustomize argocd/manifests/grafana/` — already passes locally - [ ] Deploy from this branch via `argocd app set prowler --revision prowler-iac-mutelist && argocd app sync prowler` and same for `grafana` - [ ] Manually trigger the IaC cronjob and verify `MUTED=True` on the 6 critical findings (`kubectl --context=minikube-indri -n prowler create job --from=cronjob/prowler-iac-scan prowler-iac-test`) - [ ] Restart grafana pod and confirm dashboards still render (sidecar still finds them via ConfigMap watch) - [ ] After verify, `argocd app set <app> --revision main && argocd app sync <app>` post-merge 🤖 Generated with [Claude Code](https://claude.com/claude-code) Reviewed-on: #340
39 lines
1.8 KiB
YAML
39 lines
1.8 KiB
YAML
# Trivy ignorefile for Prowler IaC scan.
|
|
#
|
|
# Prowler's `--mutelist-file` flag is a no-op for the IaC provider
|
|
# (iac_provider.py sets self._mutelist = None and delegates to Trivy).
|
|
# Trivy in turn does not auto-discover this YAML form from cwd, so the
|
|
# Prowler image ships a shim wrapper around `trivy` that injects
|
|
# --ignorefile $TRIVY_IGNOREFILE when the env var is set. The cronjob
|
|
# mounts this file and sets TRIVY_IGNOREFILE accordingly.
|
|
#
|
|
# Schema: https://trivy.dev/latest/docs/configuration/filtering/
|
|
# IDs use the hyphenated form Trivy displays (KSV-0041, not KSV0041).
|
|
misconfigurations:
|
|
- id: KSV-0041
|
|
paths:
|
|
- "argocd/manifests/external-secrets/rbac.yaml"
|
|
statement: >-
|
|
CC: operator-purpose-bound-rbac. external-secrets-operator's entire
|
|
function is to read and synthesize Secret objects; ClusterRole over
|
|
secrets is its purpose. Both the controller and cert-controller are
|
|
upstream-defined.
|
|
- id: KSV-0041
|
|
paths:
|
|
- "argocd/manifests/kube-state-metrics/rbac.yaml"
|
|
- "argocd/manifests/kube-state-metrics-ringtail/rbac.yaml"
|
|
statement: >-
|
|
CC: kube-state-metrics-metadata-only. KSM exposes only Secret
|
|
metadata (name, namespace, type, labels), never the data field.
|
|
list/watch on secrets is required for kube_secret_info /
|
|
kube_secret_labels metrics.
|
|
- id: KSV-0114
|
|
paths:
|
|
- "argocd/manifests/external-secrets/rbac.yaml"
|
|
statement: >-
|
|
CC: operator-purpose-bound-rbac. cert-controller manages the
|
|
external-secrets validating webhook configurations to inject its
|
|
own rotating CA bundle. RBAC is scoped to two named webhooks
|
|
(secretstore-validate, externalsecret-validate) via resourceNames;
|
|
KSV-0114 doesn't see the resourceNames restriction so reports the
|
|
full ClusterRole.
|