Erich Blume d021b3534f

Build Container / detect (push) Successful in 4s

Details

Build Container / build-dockerfile (prowler) (push) Successful in 10s

Details

## Summary
- Deploy Prowler 5 as a weekly CronJob on minikube-indri for CIS Kubernetes Benchmark v1.11 scanning
- Custom slim container build (strips PowerShell, Trivy, and non-K8s providers from upstream)
- Reports (HTML, CSV, JSON-OCSF) written to NFS share on sifaka at `/volume1/reports/prowler/`
- Read-only ClusterRole for pod, RBAC, and control plane inspection
- Host path mounts + hostPID for kubelet file permission checks

## Follow-ups
- Mirror prowler-cloud/prowler on forge for supply chain control
- Build and push container image, update kustomization.yaml newTag
- Consider adding k3s-ringtail scanning (core + RBAC checks only)

## Test plan
- [ ] Build container: `mise run container-release prowler v5.22.0`
- [ ] Update `argocd/manifests/prowler/kustomization.yaml` newTag to built image tag
- [ ] Sync ArgoCD: `argocd app sync apps && argocd app set prowler --revision deploy-prowler && argocd app sync prowler`
- [ ] Trigger manual job: `kubectl create job --from=cronjob/prowler prowler-manual -n prowler --context=minikube-indri`
- [ ] Verify reports appear on sifaka NFS share
- [ ] `mise run services-check`

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Reviewed-on: #310

2026-03-24 16:08:09 -07:00

1.8 KiB

Raw Blame History

title

modified

last-reviewed

Security & Compliance

Security posture and compliance scanning for BlumeOps infrastructure.

Compliance frameworks

Framework	Tool	Cluster	Notes
CIS Kubernetes Benchmark v1.11	prowler	minikube-indri	Weekly CronJob, ~82 checks
PCI DSS v4.0 (K8s mapping)	prowler	minikube-indri	Reuses CIS checks mapped to PCI requirements
ISO 27001:2022 (K8s mapping)	prowler	minikube-indri	Partial — 22 of 92 controls mapped

Scanning tools

prowler — CIS Kubernetes Benchmark scanner (weekly CronJob)
- deploy-prowler — deployment and ad-hoc scan how-to
- read-compliance-reports — accessing and interpreting reports

Identity & access

authentik — SSO/OIDC provider for all web services
RBAC — Kubernetes role-based access control (audited by Prowler RBAC checks)

Network & TLS

caddy — TLS termination for *.ops.eblu.me services
flyio-proxy — public ingress via Fly.io tunnel
Tailscale — zero-trust mesh networking across all nodes

Secrets management

1password — root credential store
external-secrets — Kubernetes secrets synced from 1Password

Reports

All compliance scan reports are stored on sifaka:/volume1/reports/. See read-compliance-reports for access and interpretation.

Known gaps

No SOC 2 compliance mapping for Kubernetes (Prowler only maps SOC 2 for AWS/Azure/GCP)
k3s control plane checks produce no results (embedded binary, no static pods) — consider kube-bench
No container image vulnerability scanning yet (Prowler has an image provider)
No IaC scanning of manifests/Dockerfiles yet (Prowler has an iac provider using Trivy)

1.8 KiB Raw Blame History