blumeops/argocd/manifests/prowler/mutelist/manual-node-checks.yaml

# Node-level and RBAC checks that Prowler reports as MANUAL because it
# cannot evaluate them from inside a pod. Compensated by automated
# verification in `mise run review-compliance-reports`, which SSHes into
# the minikube node and checks each condition directly every week.
Mutelist:
  Accounts:
    "*":
      Checks:
        "etcd_unique_ca":
          Regions: ["*"]
          Resources: ["^etcd-minikube$"]
          Description: "CC: node-config-automated-verification. Etcd CA fingerprint verified different from cluster CA by review-compliance-reports."
        "kubelet_conf_file_ownership":
          Regions: ["*"]
          Resources: ["^kubelet-config$"]
          Description: "CC: node-config-automated-verification. File ownership verified root:root by review-compliance-reports."
        "kubelet_conf_file_permissions":
          Regions: ["*"]
          Resources: ["^kubelet-config$"]
          Description: "CC: node-config-automated-verification. File permissions verified 600 by review-compliance-reports."
        "kubelet_config_yaml_ownership":
          Regions: ["*"]
          Resources: ["^kubelet-config$"]
          Description: "CC: node-config-automated-verification. File ownership verified root:root by review-compliance-reports."
        "kubelet_config_yaml_permissions":
          Regions: ["*"]
          Resources: ["^kubelet-config$"]
          Description: "CC: node-config-automated-verification. File permissions verified 644 by review-compliance-reports."
        "kubelet_service_file_ownership_root":
          Regions: ["*"]
          Resources: ["^kubelet-config$"]
          Description: "CC: node-config-automated-verification. File ownership verified root:root by review-compliance-reports."
        "kubelet_service_file_permissions":
          Regions: ["*"]
          Resources: ["^kubelet-config$"]
          Description: "CC: node-config-automated-verification. File permissions verified 644 by review-compliance-reports."
        "kubelet_disable_read_only_port":
          Regions: ["*"]
          Resources: ["^kubelet-config$"]
          Description: "CC: node-config-automated-verification. readOnlyPort absence (defaults to 0) verified by review-compliance-reports."
        "kubelet_event_record_qps":
          Regions: ["*"]
          Resources: ["^kubelet-config$"]
          Description: "CC: node-config-automated-verification. eventRecordQPS absence (defaults to 5) verified by review-compliance-reports."
        "kubelet_manage_iptables":
          Regions: ["*"]
          Resources: ["^kubelet-config$"]
          Description: "CC: node-config-automated-verification. makeIPTablesUtilChains absence (defaults to true) verified by review-compliance-reports."
        "kubelet_strong_ciphers_only":
          Regions: ["*"]
          Resources: ["^kubelet-config$"]
          Description: "CC: node-config-automated-verification, tailscale-network-isolation. Go default ciphers used; all traffic WireGuard-encrypted via tailnet."
        "rbac_cluster_admin_usage":
          Regions: ["*"]
          Resources:
            - "^cluster-admin$"
            - "^kubeadm:cluster-admins$"
            - "^minikube-rbac$"
          Description: "CC: node-config-automated-verification, single-user-cluster. Only built-in/minikube cluster-admin bindings present; verified by review-compliance-reports."