blumeops/docs/how-to/operations/deploy-prowler.md
Erich Blume d021b3534f
Deploy Prowler CIS scanner (#310)
## Summary
- Deploy Prowler 5 as a weekly CronJob on minikube-indri for CIS Kubernetes Benchmark v1.11 scanning
- Custom slim container build (strips PowerShell, Trivy, and non-K8s providers from upstream)
- Reports (HTML, CSV, JSON-OCSF) written to NFS share on sifaka at `/volume1/reports/prowler/`
- Read-only ClusterRole for pod, RBAC, and control plane inspection
- Host path mounts + hostPID for kubelet file permission checks

## Follow-ups
- Mirror prowler-cloud/prowler on forge for supply chain control
- Build and push container image, update kustomization.yaml newTag
- Consider adding k3s-ringtail scanning (core + RBAC checks only)

## Test plan
- [ ] Build container: `mise run container-release prowler v5.22.0`
- [ ] Update `argocd/manifests/prowler/kustomization.yaml` newTag to built image tag
- [ ] Sync ArgoCD: `argocd app sync apps && argocd app set prowler --revision deploy-prowler && argocd app sync prowler`
- [ ] Trigger manual job: `kubectl create job --from=cronjob/prowler prowler-manual -n prowler --context=minikube-indri`
- [ ] Verify reports appear on sifaka NFS share
- [ ] `mise run services-check`

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Reviewed-on: #310
2026-03-24 16:08:09 -07:00


---
title: Deploy Prowler CIS Scanner
modified: 2026-03-24
last-reviewed: 2026-03-24
tags:
  - how-to
  - kubernetes
  - security
  - compliance
---

# Deploy Prowler CIS Scanner

Prowler runs weekly CIS Kubernetes Benchmark scans against minikube-indri and writes HTML/CSV/JSON reports to the NFS share on sifaka.

## What it checks

Prowler's Kubernetes provider runs ~70 checks from the CIS Kubernetes Benchmark v1.11, grouped into:

| Category | Checks | How it works |
|---|---|---|
| Core (pod security) | 13 | Queries the K8s API for privileged containers, hostPID/hostNetwork, capabilities, secrets in env vars, seccomp |
| RBAC | 9 | Queries the RBAC API for overprivileged roles, wildcard access, cluster-admin bindings |
| Apiserver | 29 | Inspects kube-apiserver pod args in kube-system (TLS, auth, audit, admission plugins) |
| Etcd | 7 | Inspects etcd pod args (TLS, cert auth) |
| Controller Manager | 7 | Inspects kube-controller-manager pod args |
| Kubelet | 16 | Reads the kubelet-config ConfigMap + node file permissions (file checks need hostPID) |
| Scheduler | 2 | Inspects kube-scheduler pod args |

**Minikube relevance:** Most checks work because minikube runs the control plane as static pods, so their arguments are visible through the API. Kubelet file permission checks return MANUAL unless Prowler runs on the node itself; the CronJob mounts host paths and sets hostPID to make these checks produce real results.

**k3s note:** k3s embeds the control plane in a single binary, so no static pods exist for Prowler to inspect. Only the core + RBAC checks (~22 of 70) produce results there. Consider kube-bench for k3s control plane checks.

## Reports

Reports are written to `sifaka:/volume1/reports/prowler/` with timestamped filenames. See read-compliance-reports for how to access and interpret them.
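A quick way to triage a scan before opening the HTML report is to summarise the JSON-OCSF output by CIS section and status. The following is an added example, not part of this repo or of Prowler; it assumes the OCSF finding layout where `metadata.event_code` carries the check id (prefixed with its section, e.g. `apiserver_`, `kubelet_`) and `status_code` is one of PASS/FAIL/MANUAL, and the embedded findings are constructed sample data.

```python
"""Summarise a Prowler JSON-OCSF report by CIS check group and status."""
import json
import sys
from collections import Counter, defaultdict

# Constructed sample in the assumed Prowler OCSF shape (check ids are illustrative).
SAMPLE_REPORT = json.dumps([
    {"metadata": {"event_code": "apiserver_anonymous_requests"}, "status_code": "PASS",
     "severity": "High", "finding_info": {"title": "Ensure --anonymous-auth is false"}},
    {"metadata": {"event_code": "core_minimize_privileged_containers"}, "status_code": "FAIL",
     "severity": "High", "finding_info": {"title": "Minimize privileged containers"}},
    {"metadata": {"event_code": "kubelet_conf_file_permissions"}, "status_code": "MANUAL",
     "severity": "Medium", "finding_info": {"title": "kubelet.conf permissions are 600"}},
    {"metadata": {"event_code": "rbac_cluster_admin_usage"}, "status_code": "PASS",
     "severity": "High", "finding_info": {"title": "cluster-admin only used where required"}},
])


def check_group(check_id):
    """Prowler k8s check ids start with their CIS section (apiserver_, kubelet_, ...)."""
    return check_id.split("_", 1)[0]


def summarise(report_json):
    """Return {group: Counter(status -> count)} over every finding in the report."""
    summary = defaultdict(Counter)
    for finding in json.loads(report_json):
        summary[check_group(finding["metadata"]["event_code"])][finding["status_code"]] += 1
    return dict(summary)


def failing_titles(report_json, severities=("High", "Critical")):
    """Titles of FAIL findings at the given severities, for the first pass of triage."""
    return [f["finding_info"]["title"] for f in json.loads(report_json)
            if f["status_code"] == "FAIL" and f["severity"] in severities]


def kubelet_manual(report_json):
    """Kubelet checks that came back MANUAL. On minikube-indri this usually means the
    hostPID / host path mounts are missing, since Prowler cannot stat node files."""
    return [f["metadata"]["event_code"] for f in json.loads(report_json)
            if check_group(f["metadata"]["event_code"]) == "kubelet"
            and f["status_code"] == "MANUAL"]


if __name__ == "__main__":
    # Usage: python summarise.py /volume1/reports/prowler/<report>.ocsf.json
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    for group, counts in sorted(summarise(data).items()):
        print(f"{group:18} {dict(counts)}")
    print("high/critical FAIL:", failing_titles(data))
    print("kubelet MANUAL (check hostPID/mounts):", kubelet_manual(data))
```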

## Running an ad-hoc scan

```bash
kubectl create job --from=cronjob/prowler prowler-manual -n prowler --context=minikube-indri
```

Watch progress:

```bash
kubectl logs -f job/prowler-manual -n prowler --context=minikube-indri
```

## Container

Custom slim build at `containers/prowler/Dockerfile`, which strips PowerShell, Trivy, and the non-Kubernetes providers from the upstream image. See build-container-image for the build/release process.

Source is mirrored at `forge.ops.eblu.me/mirrors/prowler`.

## See also