Erich Blume
1c41cca903
## Why Weekly compliance review (2026-06-07) surfaced the toil problem head-on: | Report | Unmuted findings | Muted | Acted on | |--------|------------------|-------|----------| | **K8s CIS (In-Cluster)** | 0 | 65 | clean ✅ | | **Container Images** | 20,005 (+713 WoW) | 0 | never | | **IaC (manifests)** | 654 (+31/−30 WoW) | 0 | never | The image and IaC scans generate tens of thousands of un-actioned, un-muted findings every week: - **Image scan** — overwhelmingly unpatchable *upstream* base-image CVEs, and it re-scans every historical tag still in the registry (2× paperless, 3× mealie, 4× prowler tags in the latest report), multiplying the count. - **IaC scan** — systemic Trivy KSV pod-security warnings against our own manifests; real but homelab-acceptable, never muted, so re-surfaced indefinitely. The K8s CIS scan is the only one with realized value (fully mutelisted, 0 unmuted WoW) and is retained. Matches the broader scaling-back of the reporting system as minikube heads toward retirement. ## Changes - Delete `cronjob-image-scan.yaml` and `cronjob-iac-scan.yaml` + remove from kustomization - Drop the now-unused `mutelist/trivyignore.yaml` (only the IaC scan consumed it) - `review-compliance-reports`: drop the two retired scans (and the grouped-findings rendering that existed solely for them) - Docs: deploy-prowler (new 'Why only the K8s CIS scan' section), read-compliance-reports, security reference, prowler reference ## Deploy (after review) ```fish argocd app set prowler --revision retire-prowler-image-iac-scans argocd app sync prowler # prune removes the two CronJobs # after merge: argocd app set prowler --revision main && argocd app sync prowler ``` 🤖 Generated with [Claude Code](https://claude.com/claude-code) Reviewed-on: #372
1.2 KiB
1.2 KiB
| title | modified | last-reviewed | tags | ||
|---|---|---|---|---|---|
| Prowler | 2026-06-08 | 2026-03-24 |
|
Prowler
CIS Kubernetes Benchmark scanner for compliance posture reporting.
Quick Reference
| Property | Value |
|---|---|
| Namespace | prowler |
| Image | registry.ops.eblu.me/blumeops/prowler (see argocd/manifests/prowler/kustomization.yaml for current tag) |
| Schedule | K8s CIS: Sunday 3am |
| Reports | sifaka:/volume1/reports/prowler/ (NFS) |
| Manifests | argocd/manifests/prowler/ |
What it does
Runs Prowler 5 as a single CronJob:
- K8s CIS scan (Sunday) — CIS Kubernetes Benchmark v1.11 checks across pod security, RBAC, apiserver, etcd, kubelet, controller-manager, and scheduler
Reports are written in HTML, CSV, and JSON-OCSF to the NFS share on sifaka.
The image and IaC scans (formerly Saturday CronJobs) were retired in 2026-06 — they generated tens of thousands of un-actioned findings weekly. See deploy-prowler#Why only the K8s CIS scan.
See also
- security — security & compliance posture overview
- deploy-prowler — deployment how-to, ad-hoc scan instructions, check relevance notes
- read-compliance-reports — how to access and interpret reports