blumeops/docs/reference/operations/security.md
Erich Blume 9053ce5955 Add security reference card and compliance report how-to
Split report-reading guidance out of deploy-prowler into its own
how-to (read-compliance-reports). Add security & compliance
reference card (reference/operations/security) following the
pattern of the observability card.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-24 16:05:17 -07:00


---
title: Security & Compliance
modified: 2026-03-24
last-reviewed: 2026-03-24
tags:
  - operations
  - security
---

Security & Compliance

Security posture and compliance scanning for BlumeOps infrastructure.

Compliance frameworks

| Framework | Tool | Cluster | Notes |
| --- | --- | --- | --- |
| CIS Kubernetes Benchmark v1.11 | prowler | minikube-indri | Weekly CronJob, ~82 checks |
| PCI DSS v4.0 (K8s mapping) | prowler | minikube-indri | Reuses CIS checks mapped to PCI requirements |
| ISO 27001:2022 (K8s mapping) | prowler | minikube-indri | Partial — 22 of 92 controls mapped |

Scanning tools

Identity & access

  • authentik — SSO/OIDC provider for all web services
  • RBAC — Kubernetes role-based access control (audited by Prowler RBAC checks)

Network & TLS

  • caddy — TLS termination for *.ops.eblu.me services
  • flyio-proxy — public ingress via Fly.io tunnel
  • Tailscale — zero-trust mesh networking across all nodes

Secrets management

Reports

All compliance scan reports are stored on sifaka:/volume1/reports/. See read-compliance-reports for access and interpretation.

Known gaps

  • No SOC 2 compliance mapping for Kubernetes (Prowler only maps SOC 2 for AWS/Azure/GCP)
  • k3s control plane checks produce no results (embedded binary, no static pods) — consider kube-bench
  • No container image vulnerability scanning yet (Prowler has an image provider)
  • No IaC scanning of manifests/Dockerfiles yet (Prowler has an iac provider using Trivy)