blumeops/argocd/manifests
Erich Blume be30668eef Automate Prowler MANUAL finding verification (#335)
## Summary
- Adds automated node-level verification to `review-compliance-reports`: kubelet file perms/ownership, kubelet config args, etcd CA separation, RBAC cluster-admin bindings
- Mutes the 14 MANUAL Prowler findings via new `manual-node-checks.yaml` mutelist file
- New `node-config-automated-verification` compensating control documents the approach
- Script fails loudly (red FAIL + verdict panel) if any check deviates from expected values

## Test plan
- [x] `mise run review-compliance-reports` — all 12 node checks PASS
- [x] Injected bad expected value (perms 400 vs actual 600) — FAIL rendered correctly
- [x] Fixed colon-in-binding-name bug (kubeadm:cluster-admins) with tab-separated jsonpath
- [ ] After merge: sync prowler mutelist ConfigMap and verify next scan shows 0 MANUAL findings

## Note
Prowler coverage is minikube-indri only — ringtail/k3s is a known gap tracked separately.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Reviewed-on: #335
2026-04-14 13:00:44 -07:00
1password-connect Migrate 1Password Connect from Helm to kustomize (1.8.1 → 1.8.2) (#326) 2026-04-06 07:31:40 -07:00
alloy-k8s Add seccomp RuntimeDefault profiles to alloy-k8s and immich pods 2026-04-06 10:21:23 -07:00
alloy-ringtail Deploy Tor Snowflake proxy on ringtail (#311) 2026-03-24 20:51:40 -07:00
alloy-tracing-ringtail Update container tags to fd0bebb (post-merge rebuild) 2026-03-24 13:39:26 -07:00
argocd Upgrade ArgoCD v3.3.2 → v3.3.6, SHA-pin install manifest 2026-04-07 08:21:11 -07:00
authentik Deploy Paperless-ngx document management (#328) 2026-04-08 17:54:12 -07:00
cloudnative-pg Port CloudNative-PG off Helm to direct release manifest (#268) 2026-02-25 17:37:53 -08:00
cv Add RuntimeDefault seccomp profiles to all managed workloads 2026-03-24 16:19:40 -07:00
databases Deploy Paperless-ngx document management (#328) 2026-04-08 17:54:12 -07:00
devpi Add RuntimeDefault seccomp profiles to all managed workloads 2026-03-24 16:19:40 -07:00
docs Update docs release to v1.15.6 2026-04-14 11:46:42 -07:00
external-secrets Upgrade External Secrets Operator v2.2.0 + migrate Helm to kustomize (#312) 2026-03-25 15:56:41 -07:00
forgejo-runner Update forgejo-runner kustomization tag to main-branch image 2026-04-14 11:10:36 -07:00
frigate Fix Frigate preview config and services-check NoData detection 2026-04-08 11:12:42 -07:00
grafana Update grafana-sidecar image tag to v2.6.0-61fcd5d (merge build) 2026-04-13 08:02:39 -07:00
grafana-config Add offsite backup for immich photo library to BorgBase (#315) 2026-03-27 19:43:05 -07:00
homepage Deploy Homepage v1.11.0-e375859 2026-03-26 10:25:07 -07:00
immich Add seccomp RuntimeDefault profiles to alloy-k8s and immich pods 2026-04-06 10:21:23 -07:00
kingfisher Add compensating controls framework and date-based report dirs (#320) 2026-03-30 17:44:11 -07:00
kiwix Add RuntimeDefault seccomp profiles to all managed workloads 2026-03-24 16:19:40 -07:00
kube-state-metrics Pin kube-state-metrics to main-SHA container tags 2026-04-07 16:10:14 -07:00
kube-state-metrics-ringtail Pin kube-state-metrics to main-SHA container tags 2026-04-07 16:10:14 -07:00
loki Add RuntimeDefault seccomp profiles to all managed workloads 2026-03-24 16:19:40 -07:00
mealie Add RuntimeDefault seccomp profiles to all managed workloads 2026-03-24 16:19:40 -07:00
miniflux Update miniflux to main image tag, disable OTEL metrics in Dagger module 2026-04-12 08:59:32 -07:00
navidrome Disable OTLP metrics exporter in CI, update navidrome to main tag 2026-04-11 17:26:25 -07:00
ntfy Add RuntimeDefault seccomp profiles to all managed workloads 2026-03-24 16:19:40 -07:00
nvidia-device-plugin Upgrade nvidia-device-plugin v0.18.2 → v0.19.0 and add reference card 2026-03-27 07:19:24 -07:00
ollama Upgrade ollama from 0.17.5 to 0.20.4 2026-04-09 06:42:05 -07:00
paperless Fix paperless redis: use upstream valkey instead of amd64-only nix image 2026-04-13 17:48:20 -07:00
prometheus Add RuntimeDefault seccomp profiles to all managed workloads 2026-03-24 16:19:40 -07:00
prowler Automate Prowler MANUAL finding verification (#335) 2026-04-14 13:00:44 -07:00
tailscale-operator Expose Forgejo publicly at forge.eblu.me (#278) 2026-03-03 08:40:41 -08:00
tailscale-operator-base Revert Tailscale operator to v1.94.2 — images not yet published 2026-03-22 19:41:40 -07:00
tailscale-operator-ringtail Deploy Tailscale operator on ringtail k3s cluster (#215) 2026-02-19 09:33:05 -08:00
tempo Point Tempo at main-built container v2.10.3-75f9ba4 2026-04-02 13:45:57 -07:00
teslamate Document devpi cold cache failure mode and deploy teslamate v3.0.0-08c698e 2026-04-14 07:38:06 -07:00
torrent Add RuntimeDefault seccomp profiles to all managed workloads 2026-03-24 16:19:40 -07:00
unpoller Add RuntimeDefault seccomp profiles to all managed workloads 2026-03-24 16:19:40 -07:00