Erich Blume
d021b3534f
## Summary - Deploy Prowler 5 as a weekly CronJob on minikube-indri for CIS Kubernetes Benchmark v1.11 scanning - Custom slim container build (strips PowerShell, Trivy, and non-K8s providers from upstream) - Reports (HTML, CSV, JSON-OCSF) written to NFS share on sifaka at `/volume1/reports/prowler/` - Read-only ClusterRole for pod, RBAC, and control plane inspection - Host path mounts + hostPID for kubelet file permission checks ## Follow-ups - Mirror prowler-cloud/prowler on forge for supply chain control - Build and push container image, update kustomization.yaml newTag - Consider adding k3s-ringtail scanning (core + RBAC checks only) ## Test plan - [ ] Build container: `mise run container-release prowler v5.22.0` - [ ] Update `argocd/manifests/prowler/kustomization.yaml` newTag to built image tag - [ ] Sync ArgoCD: `argocd app sync apps && argocd app set prowler --revision deploy-prowler && argocd app sync prowler` - [ ] Trigger manual job: `kubectl create job --from=cronjob/prowler prowler-manual -n prowler --context=minikube-indri` - [ ] Verify reports appear on sifaka NFS share - [ ] `mise run services-check` 🤖 Generated with [Claude Code](https://claude.com/claude-code) Reviewed-on: #310
55 lines
1.6 KiB
YAML
55 lines
1.6 KiB
YAML
apiVersion: batch/v1
|
|
kind: CronJob
|
|
metadata:
|
|
name: prowler
|
|
namespace: prowler
|
|
spec:
|
|
schedule: "0 3 * * 0" # Sunday 3am
|
|
concurrencyPolicy: Forbid
|
|
jobTemplate:
|
|
spec:
|
|
ttlSecondsAfterFinished: 604800 # Auto-delete after 7 days
|
|
template:
|
|
spec:
|
|
serviceAccountName: prowler
|
|
containers:
|
|
- name: prowler
|
|
image: registry.ops.eblu.me/blumeops/prowler:kustomized
|
|
args:
|
|
- kubernetes
|
|
- --compliance
|
|
- cis_1.11_kubernetes
|
|
- -z
|
|
- --output-formats
|
|
- html
|
|
- csv
|
|
- json-ocsf
|
|
- --output-directory
|
|
- /reports/prowler
|
|
volumeMounts:
|
|
- name: reports
|
|
mountPath: /reports
|
|
- name: var-lib-kubelet
|
|
mountPath: /var/lib/kubelet
|
|
readOnly: true
|
|
- name: etc-kubernetes
|
|
mountPath: /etc/kubernetes
|
|
readOnly: true
|
|
- name: var-lib-etcd
|
|
mountPath: /var/lib/etcd
|
|
readOnly: true
|
|
hostPID: true
|
|
restartPolicy: OnFailure
|
|
volumes:
|
|
- name: reports
|
|
persistentVolumeClaim:
|
|
claimName: prowler-reports
|
|
- name: var-lib-kubelet
|
|
hostPath:
|
|
path: /var/lib/kubelet
|
|
- name: etc-kubernetes
|
|
hostPath:
|
|
path: /etc/kubernetes
|
|
- name: var-lib-etcd
|
|
hostPath:
|
|
path: /var/lib/etcd
|