eblume/blumeops
1
1
Fork 0
Code Issues Pull requests Projects Releases 83 Packages Wiki Activity Actions
blumeops/docs/reference/services/prowler.md
Erich Blume d021b3534f
All checks were successful
Build Container / detect (push) Successful in 4s
Details
Build Container / build-dockerfile (prowler) (push) Successful in 10s
Details
Deploy Prowler CIS scanner (#310) 
## Summary
- Deploy Prowler 5 as a weekly CronJob on minikube-indri for CIS Kubernetes Benchmark v1.11 scanning
- Custom slim container build (strips PowerShell, Trivy, and non-K8s providers from upstream)
- Reports (HTML, CSV, JSON-OCSF) written to NFS share on sifaka at `/volume1/reports/prowler/`
- Read-only ClusterRole for pod, RBAC, and control plane inspection
- Host path mounts + hostPID for kubelet file permission checks

## Follow-ups
- Mirror prowler-cloud/prowler on forge for supply chain control
- Build and push container image, update kustomization.yaml newTag
- Consider adding k3s-ringtail scanning (core + RBAC checks only)

## Test plan
- [ ] Build container: `mise run container-release prowler v5.22.0`
- [ ] Update `argocd/manifests/prowler/kustomization.yaml` newTag to built image tag
- [ ] Sync ArgoCD: `argocd app sync apps && argocd app set prowler --revision deploy-prowler && argocd app sync prowler`
- [ ] Trigger manual job: `kubectl create job --from=cronjob/prowler prowler-manual -n prowler --context=minikube-indri`
- [ ] Verify reports appear on sifaka NFS share
- [ ] `mise run services-check`

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Reviewed-on: #310
2026-03-24 16:08:09 -07:00

1 KiB
Raw Blame History

title modified last-reviewed tags
Prowler 2026-03-24 2026-03-24
service
security

Prowler

CIS Kubernetes Benchmark scanner for compliance posture reporting.

Quick Reference

Property Value
Namespace prowler
Image registry.ops.eblu.me/blumeops/prowler (see argocd/manifests/prowler/kustomization.yaml for current tag)
Schedule Weekly (Sunday 3am)
Reports sifaka:/volume1/reports/prowler/ (NFS)
Manifests argocd/manifests/prowler/

What it does

Runs Prowler 5 as a CronJob against minikube-indri, executing CIS Kubernetes Benchmark v1.11 checks across pod security, RBAC, apiserver, etcd, kubelet, controller-manager, and scheduler. Reports are written in HTML, CSV, and JSON-OCSF to the NFS share on sifaka.

See also