blumeops/docs/how-to/operations/deploy-prowler.md
Erich Blume fe201a495c Add Prowler IaC scanning of blumeops repo (Saturday 2am)
Clone repo in init container, scan Dockerfiles and K8s manifests
with Prowler's IaC provider (Trivy). Reports written to
sifaka:/volume1/reports/prowler-iac/.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-24 16:49:38 -07:00


---
title: Deploy Prowler CIS Scanner
modified: 2026-03-24
last-reviewed: 2026-03-24
tags:
- how-to
- kubernetes
- security
- compliance
---
# Deploy Prowler CIS Scanner
Prowler runs three scheduled scans against minikube-indri and writes HTML/CSV/JSON reports to the NFS share on sifaka: a weekly CIS Kubernetes Benchmark scan of the cluster (Sunday 3am), a vulnerability scan of the `blumeops/*` container images (Saturday 3am), and an IaC scan of the blumeops repository (Saturday 2am).
## What it checks
### Kubernetes CIS benchmarks (Sunday 3am)
Prowler's Kubernetes provider runs ~70 checks from the CIS Kubernetes Benchmark v1.11, grouped into:
| Category | Checks | How it works |
|----------|--------|-------------|
| **Core (pod security)** | 13 | Queries K8s API for privileged containers, hostPID/hostNetwork, capabilities, secrets in env vars, seccomp |
| **RBAC** | 9 | Queries RBAC API for overprivileged roles, wildcard access, cluster-admin bindings |
| **Apiserver** | 29 | Inspects `kube-apiserver` pod args in kube-system (TLS, auth, audit, admission plugins) |
| **Etcd** | 7 | Inspects `etcd` pod args (TLS, cert auth) |
| **Controller Manager** | 7 | Inspects `kube-controller-manager` pod args |
| **Kubelet** | 16 | Reads kubelet-config ConfigMap + node file permissions (file checks need hostPID) |
| **Scheduler** | 2 | Inspects `kube-scheduler` pod args |
**Minikube relevance:** Most checks work because minikube runs the control plane as static pods, so their arguments are visible through the API. Kubelet file permission checks return MANUAL unless Prowler runs on the node itself (we mount host paths into the scan pod to enable this).
**k3s note:** k3s embeds the control plane in a single binary — no static pods exist. Only core + RBAC checks (~22 of 70) produce results. Consider `kube-bench` for k3s control plane checks.
### Image vulnerability scanning (Saturday 3am)
Prowler's image provider scans all `blumeops/*` container images in `registry.ops.eblu.me` for:
- **CVEs** — known vulnerabilities from NVD, Alpine SecDB, Debian Security Tracker, and other sources
- **Embedded secrets** — credentials or API keys baked into image layers
- **Misconfigurations** — Dockerfile best practices (running as root, missing HEALTHCHECK, etc.)
Uses Trivy under the hood. Reports are written to `sifaka:/volume1/reports/prowler-images/`.
To run an ad-hoc image scan:
```fish
kubectl create job --from=cronjob/prowler-image-scan prowler-image-manual -n prowler --context=minikube-indri
```
### IaC scanning (Saturday 2am)
Prowler's IaC provider scans the blumeops repository (cloned at scan time) for misconfigurations in:
- **Dockerfiles** — running as root, using `latest` tags, missing `HEALTHCHECK`
- **Kubernetes manifests** — missing resource limits, privileged containers, insecure settings
- **Other IaC files** — Terraform, CloudFormation, etc. if present
Uses Trivy under the hood. Reports are written to `sifaka:/volume1/reports/prowler-iac/`.
To run an ad-hoc IaC scan:
```fish
kubectl create job --from=cronjob/prowler-iac-scan prowler-iac-manual -n prowler --context=minikube-indri
```
## Reports
CIS reports are written to `sifaka:/volume1/reports/prowler/`, image scan reports to `sifaka:/volume1/reports/prowler-images/`, and IaC scan reports to `sifaka:/volume1/reports/prowler-iac/`, all with timestamped filenames. See [[read-compliance-reports]] for how to access and interpret them.
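The per-category counts in the "What it checks" table are what you want back out of a report: how many checks passed, failed, or were left MANUAL in each CIS group, and which kubelet checks stayed MANUAL because the host paths were not mounted. The script below is an added example for this page, not part of Prowler or the blumeops repo. It assumes the CSV report is `;`-delimited with the columns `CHECK_ID`, `CHECK_TITLE`, `STATUS`, `SEVERITY`, `SERVICE_NAME` and `RESOURCE_NAME` (my understanding of Prowler's CSV layout, not confirmed by this page), and that `SERVICE_NAME` carries the lowercase CIS group name. The embedded sample report, including its check IDs, is constructed for the demo.

```python
"""Summarise a Prowler Kubernetes CSV report by CIS category and status.

Added example for the deploy-prowler how-to; not Prowler's or blumeops' code.
Assumed (not from the page): ';'-delimited CSV with the columns used below,
and SERVICE_NAME holding the CIS group name (core, rbac, apiserver, ...).
"""
import csv
import io
import sys
from collections import Counter, defaultdict

# Assumed SERVICE_NAME values mapped to the category names in the table above.
CATEGORY_BY_SERVICE = {
    "core": "Core (pod security)",
    "rbac": "RBAC",
    "apiserver": "Apiserver",
    "etcd": "Etcd",
    "controllermanager": "Controller Manager",
    "kubelet": "Kubelet",
    "scheduler": "Scheduler",
}

# Triage order for failures; unknown severities sort last.
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3, "informational": 4}

# Constructed sample report: check IDs, titles and resources are made up.
SAMPLE_REPORT = """CHECK_ID;CHECK_TITLE;STATUS;SEVERITY;SERVICE_NAME;RESOURCE_NAME
core_no_privileged_containers;Minimize the admission of privileged containers;FAIL;high;core;default/debug-shell
core_minimize_hostpid_containers;Minimize containers sharing the host PID namespace;PASS;high;core;kube-system/kube-proxy
rbac_cluster_admin_usage;Ensure cluster-admin is only used where required;FAIL;high;rbac;cluster-admin
apiserver_anonymous_requests;Ensure --anonymous-auth is set to false;PASS;high;apiserver;kube-system/kube-apiserver-minikube-indri
kubelet_conf_file_permissions;Ensure kubelet.conf permissions are 600 or more restrictive;MANUAL;high;kubelet;minikube-indri
kubelet_service_file_permissions;Ensure the kubelet service file permissions are 600 or more restrictive;MANUAL;high;kubelet;minikube-indri
etcd_tls_encryption;Ensure --cert-file and --key-file are set;PASS;high;etcd;kube-system/etcd-minikube-indri
"""


def parse_report(text):
    """Parse the CSV text into a list of row dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text), delimiter=";"))


def summarise(rows):
    """Count PASS/FAIL/MANUAL per category: {category: {status: count}}."""
    summary = defaultdict(Counter)
    for row in rows:
        service = row["SERVICE_NAME"].strip().lower()
        category = CATEGORY_BY_SERVICE.get(service, service)
        summary[category][row["STATUS"].strip().upper()] += 1
    return {category: dict(counts) for category, counts in summary.items()}


def failing_checks(rows):
    """FAIL rows ordered most severe first, then by check id, for triage."""
    fails = [row for row in rows if row["STATUS"].strip().upper() == "FAIL"]
    return sorted(
        fails,
        key=lambda r: (SEVERITY_RANK.get(r["SEVERITY"].strip().lower(), 99), r["CHECK_ID"]),
    )


def manual_kubelet_checks(rows):
    """Kubelet checks left MANUAL. On minikube-indri these are the node file
    permission checks, so a non-empty result means the scan pod did not get
    the host paths it needs and the result is not a real pass."""
    return [
        row["CHECK_ID"]
        for row in rows
        if row["SERVICE_NAME"].strip().lower() == "kubelet"
        and row["STATUS"].strip().upper() == "MANUAL"
    ]


def render(summary):
    """Plain-text table of per-category counts, in the table's row order."""
    lines = [f"{'Category':<22}{'PASS':>6}{'FAIL':>6}{'MANUAL':>8}"]
    for category in CATEGORY_BY_SERVICE.values():
        counts = summary.get(category, {})
        lines.append(
            f"{category:<22}{counts.get('PASS', 0):>6}"
            f"{counts.get('FAIL', 0):>6}{counts.get('MANUAL', 0):>8}"
        )
    return "\n".join(lines)


if __name__ == "__main__":
    # Pass a CSV path copied from the reports share, or run with no args for the sample.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_REPORT
    rows = parse_report(text)
    print(render(summarise(rows)))
    for row in failing_checks(rows):
        print("FAIL", row["SEVERITY"], row["CHECK_ID"], row["RESOURCE_NAME"])
    manual = manual_kubelet_checks(rows)
    if manual:
        print(f"{len(manual)} kubelet check(s) MANUAL: host paths may not be mounted")
```

Run it against a CSV copied from `sifaka:/volume1/reports/prowler/`; if the kubelet row shows only MANUAL results, check the CronJob's host path mounts before reading the CIS score as clean. The column names are the one thing to verify against a real report first.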
## Running an ad-hoc CIS scan
This triggers the weekly CIS benchmark scan from its CronJob; the image and IaC scans have their own commands above.
```fish
kubectl create job --from=cronjob/prowler prowler-manual -n prowler --context=minikube-indri
```
Watch progress:
```fish
kubectl logs -f job/prowler-manual -n prowler --context=minikube-indri
```
## Container
Custom slim build at `containers/prowler/Dockerfile` — strips PowerShell, Trivy, and non-Kubernetes providers from upstream. See [[build-container-image]] for the build/release process.
Source is mirrored at `forge.ops.eblu.me/mirrors/prowler`.
## See also
- [[security]] — security & compliance posture overview
- [[read-compliance-reports]] — how to access and interpret scan reports
- [[deploy-k8s-service]] — general K8s deployment how-to
- [[build-container-image]] — container build pipeline