Erich Blume
4059b3d27b
## Summary - Add `compensating-controls.yaml` tracking 9 named controls that justify suppressed security findings - Update all Prowler mutelist descriptions with `CC: <id>` references to named controls - Add `mise run review-compensating-controls` task — surfaces stalest control with all codebase references - Add [[review-compensating-controls]] how-to doc - Organize Prowler and Kingfisher reports into `YYYY-MM-DD` subdirectories ### Compensating controls | ID | Mitigates | |----|-----------| | `single-user-cluster` | Image cache abuse, RBAC breadth, system pod privileges | | `tailscale-network-isolation` | Profiling endpoints, weak TLS, debug ports | | `local-registry` | AlwaysPullImages gap | | `sso-gated-admin-tools` | ArgoCD wildcard RBAC | | `operator-managed-pods` | Tailscale proxy pod security settings | | `ephemeral-privileged-jobs` | Prowler hostPID exposure | | `trusted-ci-only` | Forgejo runner DinD | | `init-container-isolation` | Grafana root init container | | `observability-stack-audit` | Missing apiserver audit logging | ## Test plan - [ ] `mise run review-compensating-controls` shows table and references - [ ] `kubectl kustomize argocd/manifests/prowler/` renders correctly - [ ] Sync prowler and kingfisher, verify next scan writes to dated subdirectory - [ ] Grep for `CC:` in mutelist files — every muted finding should have at least one 🤖 Generated with [Claude Code](https://claude.com/claude-code) Reviewed-on: #320
39 lines
1.4 KiB
YAML
39 lines
1.4 KiB
YAML
# RBAC checks — built-in Kubernetes roles and operator roles that require
|
|
# broad permissions by design.
|
|
Mutelist:
|
|
Accounts:
|
|
"*":
|
|
Checks:
|
|
"rbac_minimize_wildcard_use_roles":
|
|
Regions: ["*"]
|
|
Resources:
|
|
# Built-in Kubernetes roles
|
|
- "^cluster-admin$"
|
|
- "^system:"
|
|
# ArgoCD
|
|
- "^argocd-"
|
|
Description: >-
|
|
CC: single-user-cluster, sso-gated-admin-tools. Built-in
|
|
K8s roles: only operator can bind them. ArgoCD: requires
|
|
broad access but is SSO-gated via Authentik OIDC.
|
|
"rbac_minimize_pod_creation_access":
|
|
Regions: ["*"]
|
|
Resources:
|
|
# Built-in Kubernetes roles
|
|
- "^admin$"
|
|
- "^edit$"
|
|
- "^system:"
|
|
# CloudNativePG operator
|
|
- "^cnpg-manager$"
|
|
Description: >-
|
|
CC: single-user-cluster. Built-in K8s roles and CNPG
|
|
operator. Only the operator can assign these roles; no
|
|
untrusted users have cluster access.
|
|
"rbac_minimize_service_account_token_creation":
|
|
Regions: ["*"]
|
|
Resources:
|
|
- "^system:"
|
|
Description: >-
|
|
CC: single-user-cluster. kube-controller-manager requires
|
|
token creation for SA management. Only operator manages
|
|
service accounts.
|