blumeops

History

Erich Blume 495e45d01d Address 6 critical Prowler IaC findings (mute + grafana RBAC tighten) (#340 ) ## Summary The weekly Prowler IaC scan reported 6 critical findings against `argocd/manifests/`. They split cleanly into two patterns: - Legitimate-by-design RBAC → mute with new compensating controls - `external-secrets-controller`, `external-secrets-cert-controller` manage `secrets` (KSV-0041) and the cert-controller mutates its own webhook configurations (KSV-0114). This is what the operator is for. New CC: `operator-purpose-bound-rbac`. - `kube-state-metrics` (both `minikube-indri` and `k3s-ringtail`) holds `list/watch` on secrets to expose `kube_secret_info` and `kube_secret_labels` metrics. KSM's metric schema only reads metadata, never the `data:` field. New CC: `kube-state-metrics-metadata-only`. - Over-broad RBAC → fix - `grafana-clusterrole` had `get/watch/list` on `secrets` because the dashboard-sidecar config used `RESOURCE=both` (ConfigMaps + Secrets). Nothing in the cluster labels Secrets with `grafana_dashboard=1`, so this was unused power. Switched both sidecar instances to `RESOURCE=configmap` and removed `secrets` from the ClusterRole. The IaC cronjob also did not previously pass `--mutelist-file`, which is why every IaC finding reported as unmuted regardless of mutelist configuration. The new `mutelist/iac.yaml` is bundled into the existing `prowler-mutelist` ConfigMap and mounted via `items:` selector. ## Test plan - [ ] `kubectl --context=minikube-indri kustomize argocd/manifests/prowler/` — already passes locally - [ ] `kubectl --context=minikube-indri kustomize argocd/manifests/grafana/` — already passes locally - [ ] Deploy from this branch via `argocd app set prowler --revision prowler-iac-mutelist && argocd app sync prowler` and same for `grafana` - [ ] Manually trigger the IaC cronjob and verify `MUTED=True` on the 6 critical findings (`kubectl --context=minikube-indri -n prowler create job --from=cronjob/prowler-iac-scan prowler-iac-test`) - [ ] Restart grafana pod and confirm dashboards still render (sidecar still finds them via ConfigMap watch) - [ ] After verify, `argocd app set <app> --revision main && argocd app sync <app>` post-merge 🤖 Generated with [Claude Code](https://claude.com/claude-code) Reviewed-on: #340		2026-04-29 10:43:32 -07:00
..
alloy
authentik	Upgrade authentik 2026.2.0 → 2026.2.2 (patch release)	2026-04-08 10:53:03 -07:00
authentik-redis
cv
devpi	Migrate devpi to Dagger build and bump to 6.19.3	2026-04-18 07:57:05 -07:00
forgejo-runner	Upgrade forgejo-runner to v12.8, adopt server.connections, and clean up docs (#338 )	2026-04-20 09:03:54 -07:00
frigate-notify	fix(frigate-notify): set WorkingDir=/app and create writable /app	2026-04-21 09:43:00 -07:00
grafana	Upgrade Grafana 12.3.3 → 12.4.2 (#322 )	2026-04-02 11:33:19 -07:00
grafana-sidecar	Upgrade grafana-sidecar 1.28.0 → 2.6.0 + container.py port (#332 )	2026-04-13 07:57:13 -07:00
homepage
kingfisher
kiwix-serve	Migrate kiwix-serve container from Dockerfile to native Dagger build	2026-04-17 13:56:32 -07:00
kube-state-metrics	Localize kube-state-metrics container (Dockerfile + nix) (#327 )	2026-04-07 16:09:25 -07:00
kubectl
loki
mealie
miniflux	Refactor Dagger go_build() helper and standardize Alpine 3.23	2026-04-16 10:10:46 -07:00
navidrome	Native Dagger container builds + Navidrome v0.61.1 (#330 )	2026-04-11 17:11:56 -07:00
ntfy
paperless	Deploy Paperless-ngx document management (#328 )	2026-04-08 17:54:12 -07:00
prometheus
prowler	Address 6 critical Prowler IaC findings (mute + grafana RBAC tighten) (#340 )	2026-04-29 10:43:32 -07:00
quartz
runner-job-image	Bump Dagger to 0.20.6 and migrate runner-job-image to Alpine container.py	2026-04-21 08:28:18 -07:00
tempo	Build Tempo container from source (2.10.3) (#323 )	2026-04-02 13:45:02 -07:00
teslamate	Migrate teslamate to native Dagger container.py (#333 )	2026-04-14 07:20:52 -07:00
transmission	Migrate transmission containers from Dockerfile to Dagger builds	2026-04-15 11:26:00 -07:00
transmission-exporter	Migrate transmission containers from Dockerfile to Dagger builds	2026-04-15 11:26:00 -07:00
unpoller