| Author | SHA1 | Date | |
|---|---|---|---|
|
|
daa6884fd8 | ||
|
|
8fa7756e6e |
@@ -18,6 +18,8 @@ All notable changes to the **Prowler SDK** are documented in this file.
|
||||
- Update AWS Shield service metadata to new format [(#9427)](https://github.com/prowler-cloud/prowler/pull/9427)
|
||||
- Update AWS Secrets Manager service metadata to new format [(#9408)](https://github.com/prowler-cloud/prowler/pull/9408)
|
||||
- Improve SageMaker service tag retrieval with parallel execution [(#9609)](https://github.com/prowler-cloud/prowler/pull/9609)
|
||||
- Update Kubernetes API Server service metadata to new format [(#9674)](https://github.com/prowler-cloud/prowler/pull/9674)
|
||||
|
||||
|
||||
---
|
||||
|
||||
|
||||
@@ -1,26 +1,36 @@
|
||||
{
|
||||
"Provider": "kubernetes",
|
||||
"CheckID": "apiserver_always_pull_images_plugin",
|
||||
"CheckTitle": "Ensure that the admission control plugin AlwaysPullImages is set",
|
||||
"CheckTitle": "Kubernetes API server pod has AlwaysPullImages admission control plugin enabled",
|
||||
"CheckType": [],
|
||||
"ServiceName": "apiserver",
|
||||
"SubServiceName": "",
|
||||
"ResourceIdTemplate": "",
|
||||
"Severity": "medium",
|
||||
"ResourceType": "KubernetesAPIServer",
|
||||
"Description": "This check verifies that the AlwaysPullImages admission control plugin is enabled in the Kubernetes API server. This plugin ensures that every new pod always pulls the required images, enforcing image access control and preventing the use of possibly outdated or altered images.",
|
||||
"Risk": "Without AlwaysPullImages, once an image is pulled to a node, any pod can use it without any authorization check, potentially leading to security risks.",
|
||||
"RelatedUrl": "https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#alwayspullimages",
|
||||
"ResourceType": "Pod",
|
||||
"Description": "**Kubernetes API server** admission configuration includes **AlwaysPullImages**, which mutates new Pods to set `imagePullPolicy=Always` so container images are fetched from the registry at startup using the pod's credentials.",
|
||||
"Risk": "Without **AlwaysPullImages**, nodes can run cached images without a fresh registry pull, bypassing credential checks.\n- Unauthorized use of private images (confidentiality)\n- Stale or tampered images deployed (integrity)\n- Vulnerable images persist, widening attack surface (availability)",
|
||||
"RelatedUrl": "",
|
||||
"AdditionalURLs": [
|
||||
"https://cjyabraham.gitlab.io/docs/reference/command-line-tools-reference/kube-apiserver/",
|
||||
"https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers",
|
||||
"https://stackoverflow.com/questions/56542351/how-to-access-kube-apiserver-on-command-line",
|
||||
"https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/",
|
||||
"https://docs.kics.io/latest/queries/kubernetes-queries/a77f4d07-c6e0-4a48-8b35-0eeb51576f4f/",
|
||||
"https://blog.codefarm.me/2021/12/15/kubernetes-admission-controllers/",
|
||||
"https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#alwayspullimages",
|
||||
"https://pradeepl.com/blog/kubernetes/introduction-to-kubernetes-admission-controllers/"
|
||||
],
|
||||
"Remediation": {
|
||||
"Code": {
|
||||
"CLI": "--enable-admission-plugins=...,AlwaysPullImages,...",
|
||||
"NativeIaC": "https://docs.prowler.com/checks/kubernetes/kubernetes-policy-index/ensure-that-the-admission-control-plugin-alwayspullimages-is-set#kubernetes",
|
||||
"Other": "",
|
||||
"CLI": "",
|
||||
"NativeIaC": "",
|
||||
"Other": "1. SSH to a control-plane node\n2. Edit /etc/kubernetes/manifests/kube-apiserver.yaml\n3. In spec.containers[0].command or args, ensure the flag includes AlwaysPullImages, e.g.: --enable-admission-plugins=<existing>,AlwaysPullImages\n4. Save the file; the kubelet will automatically restart the API server with the updated flag",
|
||||
"Terraform": ""
|
||||
},
|
||||
"Recommendation": {
|
||||
"Text": "Configure the API server to use the AlwaysPullImages admission control plugin to ensure image security and integrity.",
|
||||
"Url": "https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers"
|
||||
"Text": "Enable `AlwaysPullImages` on the API server.\n\nApply defense in depth: restrict pulls to trusted registries, enforce least-privilege image pull secrets, sign and scan images, and prefer immutable digests to prevent drift and ensure verified content.",
|
||||
"Url": "https://hub.prowler.com/check/apiserver_always_pull_images_plugin"
|
||||
}
|
||||
},
|
||||
"Categories": [
|
||||
|
||||
@@ -1,30 +1,39 @@
|
||||
{
|
||||
"Provider": "kubernetes",
|
||||
"CheckID": "apiserver_anonymous_requests",
|
||||
"CheckTitle": "Ensure that the --anonymous-auth argument is set to false",
|
||||
"CheckTitle": "API server pod has anonymous-auth disabled",
|
||||
"CheckType": [],
|
||||
"ServiceName": "apiserver",
|
||||
"SubServiceName": "",
|
||||
"ResourceIdTemplate": "",
|
||||
"Severity": "high",
|
||||
"ResourceType": "KubernetesAPIServer",
|
||||
"Description": "Disable anonymous requests to the API server. When enabled, requests that are not rejected by other configured authentication methods are treated as anonymous requests, which are then served by the API server. Disallowing anonymous requests strengthens security by ensuring all access is authenticated.",
|
||||
"Risk": "Enabling anonymous access to the API server can expose the cluster to unauthorized access and potential security vulnerabilities.",
|
||||
"RelatedUrl": "https://kubernetes.io/docs/admin/authentication/#anonymous-requests",
|
||||
"ResourceType": "Pod",
|
||||
"Description": "**Kubernetes API server** anonymous authentication configuration, identified by `--anonymous-auth=true`. With this setting, unauthenticated requests are mapped to `system:anonymous` and processed by the server.",
|
||||
"Risk": "**Anonymous API access** exposes cluster details for **reconnaissance** and enumeration, eroding confidentiality.\n\nIf **RBAC** is misconfigured, unauthenticated users may read sensitive data or trigger actions, impacting integrity. Floods of anonymous requests can also reduce **availability**.",
|
||||
"RelatedUrl": "",
|
||||
"AdditionalURLs": [
|
||||
"https://cloud.hacktricks.wiki/en/pentesting-cloud/kubernetes-security/pentesting-kubernetes-services/index.html",
|
||||
"https://github.com/clastix/kamaji/discussions/862",
|
||||
"https://kubernetes.io/docs/admin/authentication/#anonymous-requests",
|
||||
"https://docs.kics.io/develop/queries/kubernetes-queries/1de5cc51-f376-4638-a940-20f2e85ae238/",
|
||||
"https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/",
|
||||
"https://errorism.dev/issues/kubernetes-kubeadm-node-fails-to-join-if-masters-kube-apiserver-has---anonymous-authfalse-and-basic-auth"
|
||||
],
|
||||
"Remediation": {
|
||||
"Code": {
|
||||
"CLI": "--anonymous-auth=false",
|
||||
"NativeIaC": "https://docs.prowler.com/checks/kubernetes/kubernetes-policy-index/ensure-that-the-anonymous-auth-argument-is-set-to-false-1#kubernetes",
|
||||
"Other": "",
|
||||
"CLI": "",
|
||||
"NativeIaC": "",
|
||||
"Other": "1. SSH to the control plane node\n2. Edit the API server static Pod manifest:\n sudo vi /etc/kubernetes/manifests/kube-apiserver.yaml\n3. In spec.containers[].command or args, remove \"--anonymous-auth=true\" or replace it with:\n ```\n - --anonymous-auth=false\n ```\n4. Save the file; the kubelet will automatically restart the API server with the updated flag",
|
||||
"Terraform": ""
|
||||
},
|
||||
"Recommendation": {
|
||||
"Text": "Ensure the --anonymous-auth argument in the API server is set to false. This will reject all anonymous requests, enforcing authenticated access to the server.",
|
||||
"Url": "https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/"
|
||||
"Text": "Require **authenticated access** for all API requests and avoid reliance on anonymous users. Enforce **least privilege RBAC** for explicit principals only. *If health checks must be public*, restrict to minimal paths and methods. Add **network segmentation**, mutual TLS, and **audit logging** for defense in depth.",
|
||||
"Url": "https://hub.prowler.com/check/apiserver_anonymous_requests"
|
||||
}
|
||||
},
|
||||
"Categories": [
|
||||
"trustboundaries"
|
||||
"cluster-security",
|
||||
"identity-access"
|
||||
],
|
||||
"DependsOn": [],
|
||||
"RelatedTo": [],
|
||||
|
||||
@@ -1,30 +1,40 @@
|
||||
{
|
||||
"Provider": "kubernetes",
|
||||
"CheckID": "apiserver_audit_log_maxage_set",
|
||||
"CheckTitle": "Ensure that the --audit-log-maxage argument is set to 30 or as appropriate",
|
||||
"CheckTitle": "API server pod has --audit-log-maxage set to 30 (or the cluster-configured value)",
|
||||
"CheckType": [],
|
||||
"ServiceName": "apiserver",
|
||||
"SubServiceName": "",
|
||||
"ResourceIdTemplate": "",
|
||||
"Severity": "medium",
|
||||
"ResourceType": "KubernetesAPIServer",
|
||||
"Description": "This check ensures that the Kubernetes API server is configured with an appropriate audit log retention period. Setting --audit-log-maxage to 30 or as per business requirements helps in maintaining logs for sufficient time to investigate past events.",
|
||||
"Risk": "Without an adequate log retention period, there may be insufficient audit history to investigate and analyze past events or security incidents.",
|
||||
"RelatedUrl": "https://kubernetes.io/docs/concepts/cluster-administration/audit/",
|
||||
"ResourceType": "Pod",
|
||||
"Description": "**Kubernetes API server** audit logging retention is governed by `--audit-log-maxage`. This evaluates whether the configured value (e.g., `30` days) is set consistently across API server containers to retain audit events for a sufficient period.",
|
||||
"Risk": "**Short audit retention** limits visibility into historical API actions. Credential abuse, privilege escalation, or cluster tampering may evade detection, and investigations lack evidence for timeline reconstruction-degrading data **integrity** and confidentiality through undetected unauthorized changes and exfiltration.",
|
||||
"RelatedUrl": "",
|
||||
"AdditionalURLs": [
|
||||
"https://rke.docs.rancher.com/config-options/audit-log",
|
||||
"https://paper.bobylive.com/Security/CIS/CIS_Kubernetes_Benchmark_v1_1_0.pdf",
|
||||
"https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/",
|
||||
"https://kubernetes.io/docs/concepts/cluster-administration/audit/",
|
||||
"https://kubernetes.io/docs/tasks/debug/debug-cluster/audit/",
|
||||
"https://docs.k3s.io/security/hardening-guide",
|
||||
"https://docs.rke2.io/security/cis_self_assessment124"
|
||||
],
|
||||
"Remediation": {
|
||||
"Code": {
|
||||
"CLI": "--audit-log-maxage=30",
|
||||
"NativeIaC": "https://docs.prowler.com/checks/kubernetes/kubernetes-policy-index/ensure-that-the-audit-log-maxage-argument-is-set-to-30-or-as-appropriate#kubernetes",
|
||||
"Other": "",
|
||||
"CLI": "",
|
||||
"NativeIaC": "",
|
||||
"Other": "1. SSH to a control plane node\n2. Edit the API server static pod manifest: /etc/kubernetes/manifests/kube-apiserver.yaml\n3. Under spec.containers[0].command add:\n - --audit-log-maxage=30\n (Use your cluster-required value instead of 30 if different.)\n4. Save the file; the kubelet will restart the API server automatically",
|
||||
"Terraform": ""
|
||||
},
|
||||
"Recommendation": {
|
||||
"Text": "Configure the API server audit log retention period to retain logs for at least 30 days or as per your organization's requirements.",
|
||||
"Url": "https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/"
|
||||
"Text": "Set `--audit-log-maxage` to at least `30` days (or your policy) to support **forensics**. Align rotation with `--audit-log-maxbackup` and `--audit-log-maxsize`. Forward logs to a tamper-resistant central store, enforce **least privilege** on access, and periodically validate retention coverage.",
|
||||
"Url": "https://hub.prowler.com/check/apiserver_audit_log_maxage_set"
|
||||
}
|
||||
},
|
||||
"Categories": [
|
||||
"logging"
|
||||
"logging",
|
||||
"forensics-ready"
|
||||
],
|
||||
"DependsOn": [],
|
||||
"RelatedTo": [],
|
||||
|
||||
@@ -1,26 +1,33 @@
|
||||
{
|
||||
"Provider": "kubernetes",
|
||||
"CheckID": "apiserver_audit_log_maxbackup_set",
|
||||
"CheckTitle": "Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate",
|
||||
"CheckTitle": "API server pod has --audit-log-maxbackup set to 10 or the configured value",
|
||||
"CheckType": [],
|
||||
"ServiceName": "apiserver",
|
||||
"SubServiceName": "",
|
||||
"ResourceIdTemplate": "",
|
||||
"Severity": "medium",
|
||||
"ResourceType": "KubernetesAPIServer",
|
||||
"Description": "This check ensures that the Kubernetes API server is configured with an appropriate number of audit log backups. Setting --audit-log-maxbackup to 10 or as per business requirements helps maintain a sufficient log backup for investigations or analysis.",
|
||||
"Risk": "Without an adequate number of audit log backups, there may be insufficient log history to investigate past events or security incidents.",
|
||||
"RelatedUrl": "https://kubernetes.io/docs/concepts/cluster-administration/audit/",
|
||||
"ResourceType": "Pod",
|
||||
"Description": "**Kubernetes API server audit logging** uses `--audit-log-maxbackup` to set how many rotated audit log files are kept. This evaluates whether that value is explicitly configured as `10` or an approved organizational setting across API server containers.",
|
||||
"Risk": "Insufficient **audit log retention** reduces **accountability** and hampers **forensics**. Limited backups cause older events to be overwritten, letting attackers hide activity until rotation. This undermines the **confidentiality**, **integrity**, and **availability** of evidence needed for incident response.",
|
||||
"RelatedUrl": "",
|
||||
"AdditionalURLs": [
|
||||
"https://kubernetes.io/docs/concepts/cluster-administration/audit/",
|
||||
"https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/",
|
||||
"https://stackoverflow.com/questions/60371587/unable-to-start-kube-apiserver-service",
|
||||
"https://docs.kics.io/2.0.0/queries/kubernetes-queries/768aab52-2504-4a2f-a3e3-329d5a679848/",
|
||||
"https://openai.com/index/scaling-kubernetes-to-2500-nodes/"
|
||||
],
|
||||
"Remediation": {
|
||||
"Code": {
|
||||
"CLI": "--audit-log-maxbackup=10",
|
||||
"NativeIaC": "https://docs.prowler.com/checks/kubernetes/kubernetes-policy-index/ensure-that-the-audit-log-maxbackup-argument-is-set-to-10-or-as-appropriate#kubernetes",
|
||||
"Other": "",
|
||||
"CLI": "",
|
||||
"NativeIaC": "",
|
||||
"Other": "1. SSH to each control plane node\n2. Edit the static Pod manifest: /etc/kubernetes/manifests/kube-apiserver.yaml\n3. Under spec.containers[0].command, add or update this flag:\n - --audit-log-maxbackup=10\n4. Save the file; the kubelet will restart the API server automatically",
|
||||
"Terraform": ""
|
||||
},
|
||||
"Recommendation": {
|
||||
"Text": "Configure the API server audit log backup retention to 10 or as per your organization's requirements.",
|
||||
"Url": "https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/"
|
||||
"Text": "Establish explicit **audit log retention**. Set `--audit-log-maxbackup` to `10` or higher based on data sensitivity, and align with `--audit-log-maxsize` and `--audit-log-maxage`. Forward logs to centralized, immutable storage, restrict access, and monitor rotation. Apply **defense in depth** and **least privilege** to audit systems.",
|
||||
"Url": "https://hub.prowler.com/check/apiserver_audit_log_maxbackup_set"
|
||||
}
|
||||
},
|
||||
"Categories": [
|
||||
|
||||
@@ -1,26 +1,34 @@
|
||||
{
|
||||
"Provider": "kubernetes",
|
||||
"CheckID": "apiserver_audit_log_maxsize_set",
|
||||
"CheckTitle": "Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate",
|
||||
"CheckTitle": "API server pod has --audit-log-maxsize set to 100 MB or the configured value",
|
||||
"CheckType": [],
|
||||
"ServiceName": "apiserver",
|
||||
"SubServiceName": "",
|
||||
"ResourceIdTemplate": "",
|
||||
"Severity": "medium",
|
||||
"ResourceType": "KubernetesAPIServer",
|
||||
"Description": "This check ensures that the Kubernetes API server is configured with an appropriate audit log file size limit. Setting --audit-log-maxsize to 100 MB or as per business requirements helps manage the size of log files and prevents them from growing excessively large.",
|
||||
"Risk": "Without an appropriate audit log file size limit, log files can grow excessively large, potentially leading to storage issues and difficulty in log analysis.",
|
||||
"RelatedUrl": "https://kubernetes.io/docs/concepts/cluster-administration/audit/",
|
||||
"ResourceType": "Pod",
|
||||
"Description": "**Kubernetes API server** uses `--audit-log-maxsize` to cap audit log files. The check expects `100 MB` or a policy-approved value, indicating rotation occurs when a log reaches that size.",
|
||||
"Risk": "Absent a proper cap, audit logs can grow unchecked, exhausting disk and degrading API server **availability**. Oversized or unbounded logs impede **forensics** and may overwrite recent events during rotation, undermining **integrity** and accountability of audit evidence.",
|
||||
"RelatedUrl": "",
|
||||
"AdditionalURLs": [
|
||||
"https://github.com/sherwinwangs/kubernetes-cis-audit",
|
||||
"https://kubernetes.io/docs/concepts/cluster-administration/audit/",
|
||||
"https://habr.com/ru/companies/slurm/articles/711868/",
|
||||
"https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/",
|
||||
"https://docs.rke2.io/security/cis_self_assessment124",
|
||||
"https://kubernetes.io/docs/tasks/debug/debug-cluster/audit/"
|
||||
],
|
||||
"Remediation": {
|
||||
"Code": {
|
||||
"CLI": "--audit-log-maxsize=100",
|
||||
"NativeIaC": "https://docs.prowler.com/checks/kubernetes/kubernetes-policy-index/ensure-that-the-audit-log-maxsize-argument-is-set-to-100-or-as-appropriate#kubernetes",
|
||||
"Other": "",
|
||||
"CLI": "",
|
||||
"NativeIaC": "",
|
||||
"Other": "1. SSH to the control plane node\n2. Edit the API server static pod manifest: sudo vi /etc/kubernetes/manifests/kube-apiserver.yaml\n3. In spec.containers[0].command add (or set) this flag:\n - --audit-log-maxsize=100\n4. Save and exit; the kubelet will restart the API server automatically\n5. Verify: ps aux | grep kube-apiserver | grep -- \"--audit-log-maxsize=100\"",
|
||||
"Terraform": ""
|
||||
},
|
||||
"Recommendation": {
|
||||
"Text": "Configure the API server audit log file size limit to 100 MB or as per your organization's requirements.",
|
||||
"Url": "https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/"
|
||||
"Text": "Set `--audit-log-maxsize` to `100 MB` or your approved baseline to ensure predictable rotation.\n\nPair with sensible retention (`--audit-log-maxage`, `--audit-log-maxbackup`), forward to a central store, and monitor capacity. This enforces **defense in depth** and preserves reliable auditability.",
|
||||
"Url": "https://hub.prowler.com/check/apiserver_audit_log_maxsize_set"
|
||||
}
|
||||
},
|
||||
"Categories": [
|
||||
|
||||
@@ -1,30 +1,35 @@
|
||||
{
|
||||
"Provider": "kubernetes",
|
||||
"CheckID": "apiserver_audit_log_path_set",
|
||||
"CheckTitle": "Ensure that the --audit-log-path argument is set",
|
||||
"CheckTitle": "Kubernetes API server pod has --audit-log-path set",
|
||||
"CheckType": [],
|
||||
"ServiceName": "apiserver",
|
||||
"SubServiceName": "",
|
||||
"ResourceIdTemplate": "",
|
||||
"Severity": "high",
|
||||
"ResourceType": "KubernetesAPIServer",
|
||||
"Description": "This check verifies that the Kubernetes API server is configured with an audit log path. Enabling audit logs helps in maintaining a chronological record of all activities and operations which can be critical for security analysis and troubleshooting.",
|
||||
"Risk": "Without audit logs, it becomes difficult to track changes and activities within the cluster, potentially obscuring the detection of malicious activities or operational issues.",
|
||||
"RelatedUrl": "https://kubernetes.io/docs/concepts/cluster-administration/audit/",
|
||||
"ResourceType": "Pod",
|
||||
"Description": "**Kubernetes API server** uses an **audit log path** configured via `--audit-log-path` on its containers to persist API request events",
|
||||
"Risk": "Without a configured audit log path, API requests may not be recorded, weakening **accountability**. Gaps in logs hinder detection of unauthorized changes (**integrity**) and data access (**confidentiality**), and impede **forensics** and incident response.",
|
||||
"RelatedUrl": "",
|
||||
"AdditionalURLs": [
|
||||
"https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/",
|
||||
"https://kubernetes.io/docs/concepts/cluster-administration/audit/"
|
||||
],
|
||||
"Remediation": {
|
||||
"Code": {
|
||||
"CLI": "--audit-log-path=/var/log/apiserver/audit.log",
|
||||
"NativeIaC": "https://docs.prowler.com/checks/kubernetes/kubernetes-policy-index/ensure-that-the-audit-log-path-argument-is-set#kubernetes",
|
||||
"Other": "",
|
||||
"CLI": "",
|
||||
"NativeIaC": "",
|
||||
"Other": "1. SSH to the control plane node\n2. Edit /etc/kubernetes/manifests/kube-apiserver.yaml\n3. Under the kube-apiserver container command args, add this line:\n ```\n - --audit-log-path=/var/log/apiserver/audit.log\n ```\n4. Save the file; the kubelet will automatically restart the API server",
|
||||
"Terraform": ""
|
||||
},
|
||||
"Recommendation": {
|
||||
"Text": "Enable audit logging in the API server by specifying a valid path for --audit-log-path to ensure comprehensive activity logging within the cluster.",
|
||||
"Url": "https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/"
|
||||
"Text": "Enable and harden **audit logging** by setting `--audit-log-path`. *If centralizing*, use a webhook backend. Define a focused audit policy, enforce **least privilege** to logs, rotate/retain them, forward to centralized monitoring, and regularly review events for **defense in depth**.",
|
||||
"Url": "https://hub.prowler.com/check/apiserver_audit_log_path_set"
|
||||
}
|
||||
},
|
||||
"Categories": [
|
||||
"logging"
|
||||
"logging",
|
||||
"forensics-ready"
|
||||
],
|
||||
"DependsOn": [],
|
||||
"RelatedTo": [],
|
||||
|
||||
@@ -1,30 +1,36 @@
|
||||
{
|
||||
"Provider": "kubernetes",
|
||||
"CheckID": "apiserver_auth_mode_include_node",
|
||||
"CheckTitle": "Ensure that the --authorization-mode argument includes Node",
|
||||
"CheckTitle": "API server pod has Node in --authorization-mode",
|
||||
"CheckType": [],
|
||||
"ServiceName": "apiserver",
|
||||
"SubServiceName": "",
|
||||
"ResourceIdTemplate": "",
|
||||
"Severity": "medium",
|
||||
"ResourceType": "KubernetesAPIServer",
|
||||
"Description": "This check ensures that the Kubernetes API server is configured to include 'Node' in its --authorization-mode argument. This mode restricts kubelets to only read objects associated with their nodes, enhancing security.",
|
||||
"Risk": "If the Node authorization mode is not included, kubelets may have broader access than necessary, which can pose a security risk.",
|
||||
"RelatedUrl": "https://kubernetes.io/docs/reference/access-authn-authz/node/",
|
||||
"Severity": "high",
|
||||
"ResourceType": "Pod",
|
||||
"Description": "**Kubernetes API server** authorization settings include the **Node authorizer** in `--authorization-mode`. The evaluation looks for `Node` among the configured modes.",
|
||||
"Risk": "Without **Node authorization**, kubelet identities may gain overly broad permissions via other modes. A compromised node could read unrelated **Secrets**, enumerate cluster workloads, or alter node/pod status, degrading **confidentiality** and **integrity** and enabling lateral movement.",
|
||||
"RelatedUrl": "",
|
||||
"AdditionalURLs": [
|
||||
"https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/",
|
||||
"https://kubernetes.io/docs/reference/access-authn-authz/node/",
|
||||
"https://docs.kics.io/2.0.0/queries/kubernetes-queries/4d7ee40f-fc5d-427d-8cac-dffbe22d42d1/"
|
||||
],
|
||||
"Remediation": {
|
||||
"Code": {
|
||||
"CLI": "--authorization-mode=Node,RBAC",
|
||||
"NativeIaC": "https://docs.prowler.com/checks/kubernetes/kubernetes-policy-index/ensure-that-the-authorization-mode-argument-includes-node",
|
||||
"Other": "",
|
||||
"CLI": "",
|
||||
"NativeIaC": "",
|
||||
"Other": "1. SSH to the control plane node\n2. Open /etc/kubernetes/manifests/kube-apiserver.yaml\n3. Under spec.containers[0].command, ensure the flag includes Node:\n - If --authorization-mode=... exists, add Node to the comma-separated list\n - If missing, add a new entry: - --authorization-mode=Node\n4. Save the file; the kubelet will restart the API server automatically",
|
||||
"Terraform": ""
|
||||
},
|
||||
"Recommendation": {
|
||||
"Text": "Configure the API server to use Node authorization mode along with other modes like RBAC to restrict kubelet access to the necessary resources.",
|
||||
"Url": "https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/"
|
||||
"Text": "Include **Node** alongside **RBAC** by adding `Node` to `--authorization-mode`. Apply **least privilege** so kubelets are limited to their node and bound pods, and use `NodeRestriction` for **defense in depth**. Periodically review kubelet permissions and audit access.",
|
||||
"Url": "https://hub.prowler.com/check/apiserver_auth_mode_include_node"
|
||||
}
|
||||
},
|
||||
"Categories": [
|
||||
"trustboundaries"
|
||||
"cluster-security",
|
||||
"identity-access"
|
||||
],
|
||||
"DependsOn": [],
|
||||
"RelatedTo": [],
|
||||
|
||||
@@ -1,30 +1,35 @@
|
||||
{
|
||||
"Provider": "kubernetes",
|
||||
"CheckID": "apiserver_auth_mode_include_rbac",
|
||||
"CheckTitle": "Ensure that the --authorization-mode argument includes RBAC",
|
||||
"CheckTitle": "API server pod authorization mode includes RBAC",
|
||||
"CheckType": [],
|
||||
"ServiceName": "apiserver",
|
||||
"SubServiceName": "",
|
||||
"ResourceIdTemplate": "",
|
||||
"Severity": "high",
|
||||
"ResourceType": "KubernetesAPIServer",
|
||||
"Description": "This check verifies that Role Based Access Control (RBAC) is enabled in the Kubernetes API server's authorization mode. RBAC allows for fine-grained control over cluster operations and is recommended for secure and manageable access control.",
|
||||
"Risk": "If RBAC is not included in the API server's authorization mode, the cluster may not be leveraging fine-grained access controls, leading to potential security risks.",
|
||||
"RelatedUrl": "https://kubernetes.io/docs/reference/access-authn-authz/rbac/",
|
||||
"ResourceType": "Pod",
|
||||
"Description": "**Kubernetes API server** authorization configuration includes the **RBAC authorizer** in the enabled modes, i.e., `RBAC` appears in the authorizer chain.",
|
||||
"Risk": "Absence of **RBAC** removes fine-grained, role-scoped control. Identities may gain broad or unintended access, enabling:\n- Secret disclosure (confidentiality)\n- Unauthorized changes to workloads/policies (integrity)\n- Destructive API calls causing outages (availability)",
|
||||
"RelatedUrl": "",
|
||||
"AdditionalURLs": [
|
||||
"https://kubernetes.io/docs/reference/access-authn-authz/rbac/",
|
||||
"https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/"
|
||||
],
|
||||
"Remediation": {
|
||||
"Code": {
|
||||
"CLI": "--authorization-mode=Node,RBAC",
|
||||
"NativeIaC": "https://docs.prowler.com/checks/kubernetes/kubernetes-policy-index/ensure-that-the-authorization-mode-argument-includes-rbac",
|
||||
"Other": "",
|
||||
"CLI": "",
|
||||
"NativeIaC": "",
|
||||
"Other": "1. SSH to each control-plane node\n2. Edit /etc/kubernetes/manifests/kube-apiserver.yaml\n3. In spec.containers[].command, add or update the flag to include RBAC, for example:\n - --authorization-mode=Node,RBAC\n (If --authorization-mode already exists, append ,RBAC to its value)\n4. Save the file; the kubelet will restart the API server automatically",
|
||||
"Terraform": ""
|
||||
},
|
||||
"Recommendation": {
|
||||
"Text": "Ensure that the API server is configured with RBAC authorization mode for enhanced security and access control.",
|
||||
"Url": "https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/"
|
||||
"Text": "Adopt **RBAC** as the primary authorizer and avoid permissive modes like `AlwaysAllow` or legacy `ABAC`.\n\nEnforce **least privilege** with narrowly scoped roles and bindings, apply **separation of duties**, and monitor authorization activity for **defense in depth**.",
|
||||
"Url": "https://hub.prowler.com/check/apiserver_auth_mode_include_rbac"
|
||||
}
|
||||
},
|
||||
"Categories": [
|
||||
"trustboundaries"
|
||||
"cluster-security",
|
||||
"identity-access"
|
||||
],
|
||||
"DependsOn": [],
|
||||
"RelatedTo": [],
|
||||
|
||||
@@ -1,30 +1,40 @@
|
||||
{
|
||||
"Provider": "kubernetes",
|
||||
"CheckID": "apiserver_auth_mode_not_always_allow",
|
||||
"CheckTitle": "Ensure that the --authorization-mode argument is not set to AlwaysAllow",
|
||||
"CheckTitle": "API server pod does not use the AlwaysAllow authorization mode",
|
||||
"CheckType": [],
|
||||
"ServiceName": "apiserver",
|
||||
"SubServiceName": "",
|
||||
"ResourceIdTemplate": "",
|
||||
"Severity": "high",
|
||||
"ResourceType": "KubernetesAPIServer",
|
||||
"Description": "This check ensures that the Kubernetes API server is not configured to always authorize all requests. The 'AlwaysAllow' mode bypasses all authorization checks, which should not be used on production clusters.",
|
||||
"Risk": "If set to AlwaysAllow, the API server would authorize all requests, potentially leading to unauthorized access and security vulnerabilities.",
|
||||
"RelatedUrl": "https://kubernetes.io/docs/reference/access-authn-authz/authorization/#using-flags-for-your-authorization-module",
|
||||
"Severity": "critical",
|
||||
"ResourceType": "Pod",
|
||||
"Description": "**Kubernetes API server** authorization is evaluated via the `--authorization-mode` setting to detect any use of `AlwaysAllow`. The focus is whether policy-driven authorizers are configured instead of an allow-all mode.",
|
||||
"Risk": "`AlwaysAllow` permits all API requests, eroding **confidentiality** (secrets readable), **integrity** (privilege escalation, role changes, config edits), and **availability** (object deletion, cluster disruption). Enables rapid cluster takeover and data exfiltration.",
|
||||
"RelatedUrl": "",
|
||||
"AdditionalURLs": [
|
||||
"https://goteleport.com/blog/kubernetes-api-access-security/",
|
||||
"https://notes.kodekloud.com/docs/Certified-Kubernetes-Security-Specialist-CKS/Cluster-Setup-and-Hardening/Authorization",
|
||||
"https://habr.com/ru/companies/slurm/articles/712736/",
|
||||
"https://github.com/kubernetes/kubernetes/issues/124021",
|
||||
"https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/",
|
||||
"https://kubernetes.io/docs/reference/access-authn-authz/authorization/#using-flags-for-your-authorization-module",
|
||||
"https://yuminlee2.medium.com/kubernetes-authorization-part1-authorization-modes-overview-18538759e2d5"
|
||||
],
|
||||
"Remediation": {
|
||||
"Code": {
|
||||
"CLI": "--authorization-mode=RBAC",
|
||||
"NativeIaC": "https://docs.prowler.com/checks/kubernetes/kubernetes-policy-index/ensure-that-the-authorization-mode-argument-is-not-set-to-alwaysallow",
|
||||
"Other": "",
|
||||
"CLI": "",
|
||||
"NativeIaC": "",
|
||||
"Other": "1. SSH to the control plane node\n2. Edit the API server static pod manifest: /etc/kubernetes/manifests/kube-apiserver.yaml\n3. In the kube-apiserver container args, set the authorization mode (add or replace if present):\n ```yaml\n - --authorization-mode=RBAC\n ```\n4. Save the file; the kubelet will automatically restart the API server with the updated setting",
|
||||
"Terraform": ""
|
||||
},
|
||||
"Recommendation": {
|
||||
"Text": "Ensure the API server is using a secure authorization mode, such as RBAC, and not set to AlwaysAllow.",
|
||||
"Url": "https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/"
|
||||
"Text": "Use policy-based authorization and avoid `AlwaysAllow`. Prefer `RBAC` with `Node` (and Webhook if needed) to enforce **least privilege** and **separation of duties**. Define granular roles, avoid broad bindings like `cluster-admin`, and audit access for **defense in depth**.",
|
||||
"Url": "https://hub.prowler.com/check/apiserver_auth_mode_not_always_allow"
|
||||
}
|
||||
},
|
||||
"Categories": [
|
||||
"trustboundaries"
|
||||
"cluster-security",
|
||||
"identity-access"
|
||||
],
|
||||
"DependsOn": [],
|
||||
"RelatedTo": [],
|
||||
|
||||
@@ -1,30 +1,39 @@
|
||||
{
|
||||
"Provider": "kubernetes",
|
||||
"CheckID": "apiserver_client_ca_file_set",
|
||||
"CheckTitle": "Ensure that the --client-ca-file argument is set as appropriate",
|
||||
"CheckTitle": "API server pod has the --client-ca-file argument set",
|
||||
"CheckType": [],
|
||||
"ServiceName": "apiserver",
|
||||
"SubServiceName": "",
|
||||
"ResourceIdTemplate": "",
|
||||
"Severity": "high",
|
||||
"ResourceType": "KubernetesAPIServer",
|
||||
"Description": "This check ensures that the Kubernetes API server is configured with the --client-ca-file argument, specifying the CA file for client authentication. This setting enables the API server to authenticate clients using certificates signed by the CA and is crucial for secure communication.",
|
||||
"Risk": "If the client CA file is not set, the API server may not properly authenticate clients, potentially leading to unauthorized access.",
|
||||
"RelatedUrl": "https://kubernetes.io/docs/setup/best-practices/certificates/",
|
||||
"ResourceType": "Pod",
|
||||
"Description": "**Kubernetes API server** uses a configured **client CA** (`--client-ca-file`) to validate x509 client certificates presented for API authentication",
|
||||
"Risk": "**Absent a client CA**, the API server cannot validate x509 client identities, disabling mutual TLS.\n\nThis weakens authentication and can enable unauthorized reads or writes to cluster resources, impacting **confidentiality** and **integrity**, especially if other methods (e.g., anonymous or weak tokens) are misconfigured.",
|
||||
"RelatedUrl": "",
|
||||
"AdditionalURLs": [
|
||||
"https://kubernetes.io/docs/setup/best-practices/certificates/",
|
||||
"https://stackoverflow.com/questions/59940927/k3s-create-user-with-client-certificate",
|
||||
"https://cjyabraham.gitlab.io/docs/reference/command-line-tools-reference/kube-apiserver/",
|
||||
"https://blog.codefarm.me/2019/02/01/access-kubernetes-api-with-client-certificates/",
|
||||
"https://medium.com/@mrJTY/kubernetes-tls-4de567964cd5",
|
||||
"https://kubernetes.io/docs/setup/best-practices/certificates/#certificate-paths"
|
||||
],
|
||||
"Remediation": {
|
||||
"Code": {
|
||||
"CLI": "--client-ca-file=<path/to/client-ca-file>",
|
||||
"NativeIaC": "https://docs.prowler.com/checks/kubernetes/kubernetes-policy-index/ensure-that-the-client-ca-file-argument-is-set-as-appropriate-scored",
|
||||
"Other": "",
|
||||
"CLI": "",
|
||||
"NativeIaC": "",
|
||||
"Other": "1. SSH to each control-plane node\n2. Edit /etc/kubernetes/manifests/kube-apiserver.yaml\n3. In the kube-apiserver container command, add this flag (use your CA path if different):\n ```\n - --client-ca-file=/etc/kubernetes/pki/ca.crt\n ```\n4. Save the file; the kubelet will restart the API server automatically",
|
||||
"Terraform": ""
|
||||
},
|
||||
"Recommendation": {
|
||||
"Text": "Ensure the API server is configured with a client CA file for secure client authentication.",
|
||||
"Url": "https://kubernetes.io/docs/setup/best-practices/certificates/#certificate-paths"
|
||||
"Text": "Establish a trusted **client CA** for the API server and require **certificate-based client authentication**. Combine with **RBAC** and **least privilege**, disable anonymous access, and enforce **key rotation** and auditing to provide **defense in depth**.",
|
||||
"Url": "https://hub.prowler.com/check/apiserver_client_ca_file_set"
|
||||
}
|
||||
},
|
||||
"Categories": [
|
||||
"encryption"
|
||||
"identity-access",
|
||||
"cluster-security"
|
||||
],
|
||||
"DependsOn": [],
|
||||
"RelatedTo": [],
|
||||
|
||||
@@ -1,31 +1,41 @@
|
||||
{
|
||||
"Provider": "kubernetes",
|
||||
"CheckID": "apiserver_deny_service_external_ips",
|
||||
"CheckTitle": "Ensure that the DenyServiceExternalIPs is set",
|
||||
"CheckTitle": "Kubernetes API server pod has DenyServiceExternalIPs admission controller enabled",
|
||||
"CheckType": [],
|
||||
"ServiceName": "apiserver",
|
||||
"SubServiceName": "",
|
||||
"ResourceIdTemplate": "",
|
||||
"Severity": "medium",
|
||||
"ResourceType": "KubernetesAPIServer",
|
||||
"Description": "This check ensures the DenyServiceExternalIPs admission controller is enabled, which rejects all new usage of the Service field externalIPs. Enabling this controller enhances security by preventing the misuse of the externalIPs field.",
|
||||
"Risk": "Not setting the DenyServiceExternalIPs admission controller could allow users to create Services with external IPs, potentially exposing services to security risks.",
|
||||
"RelatedUrl": "https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#denyserviceexternalips",
|
||||
"Severity": "high",
|
||||
"ResourceType": "Pod",
|
||||
"Description": "**Kubernetes API server** with **DenyServiceExternalIPs** rejects net-new use of `Service.spec.externalIPs` and additions to that field on existing Services; existing values can only be removed.",
|
||||
"Risk": "Without **DenyServiceExternalIPs**, users with Service create/patch rights can reroute traffic via arbitrary external IPs, enabling **man-in-the-middle**, traffic hijacking, and data exfiltration, degrading **confidentiality** and **integrity**. Attackers may also abuse `status.loadBalancer.ingress.ip` to similar effect.",
|
||||
"RelatedUrl": "",
|
||||
"AdditionalURLs": [
|
||||
"https://github.com/aquasecurity/kube-bench/issues/1606",
|
||||
"https://hub.armosec.io/docs/c-0283",
|
||||
"https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#denyserviceexternalips",
|
||||
"https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/",
|
||||
"https://docs.w3cub.com/kubernetes/reference/access-authn-authz/admission-controllers.html",
|
||||
"https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#how-do-i-turn-off-an-admission-controller",
|
||||
"https://kodekloud.com/community/t/admission-plugins-how-to-view-enabled-plugins/418410"
|
||||
],
|
||||
"Remediation": {
|
||||
"Code": {
|
||||
"CLI": "--disable-admission-plugins=DenyServiceExternalIPs",
|
||||
"CLI": "",
|
||||
"NativeIaC": "",
|
||||
"Other": "",
|
||||
"Other": "1. SSH to the control plane node\n2. Edit /etc/kubernetes/manifests/kube-apiserver.yaml\n3. In the kube-apiserver command/args list, add: --disable-admission-plugins=DenyServiceExternalIPs\n4. Save the file; the kubelet will restart the API server automatically",
|
||||
"Terraform": ""
|
||||
},
|
||||
"Recommendation": {
|
||||
"Text": "Enable the DenyServiceExternalIPs admission controller by setting the '--disable-admission-plugins' argument in the kube-apiserver configuration.",
|
||||
"Url": "https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#how-do-i-turn-off-an-admission-controller"
|
||||
"Text": "Enable **DenyServiceExternalIPs** to block net-new `externalIPs` usage.\n\nApply **least privilege** RBAC on Services (including status updates), require change control for exposure, and favor controlled **Ingress/LoadBalancer** patterns. Use admission policies to tightly allow approved exceptions as **defense in depth**.",
|
||||
"Url": "https://hub.prowler.com/check/apiserver_deny_service_external_ips"
|
||||
}
|
||||
},
|
||||
"Categories": [
|
||||
"internet-exposed",
|
||||
"trustboundaries"
|
||||
"cluster-security",
|
||||
"trust-boundaries",
|
||||
"internet-exposed"
|
||||
],
|
||||
"DependsOn": [],
|
||||
"RelatedTo": [],
|
||||
|
||||
@@ -1,30 +1,33 @@
|
||||
{
|
||||
"Provider": "kubernetes",
|
||||
"CheckID": "apiserver_disable_profiling",
|
||||
"CheckTitle": "Ensure that the --profiling argument is set to false",
|
||||
"CheckTitle": "API server pod has profiling disabled (--profiling=false)",
|
||||
"CheckType": [],
|
||||
"ServiceName": "apiserver",
|
||||
"SubServiceName": "",
|
||||
"ResourceIdTemplate": "",
|
||||
"Severity": "medium",
|
||||
"ResourceType": "KubernetesAPIServer",
|
||||
"Description": "This check ensures that profiling is disabled in the Kubernetes API server. Profiling generates extensive data about the system's performance and operations, which, if not needed, should be disabled to reduce the attack surface.",
|
||||
"Risk": "Enabled profiling can potentially expose detailed system and program data, which might be exploited for malicious purposes.",
|
||||
"RelatedUrl": "https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/",
|
||||
"ResourceType": "Pod",
|
||||
"Description": "**Kubernetes API server** runtime profiling is controlled by the `--profiling` flag. The evaluation inspects API server container arguments to confirm `--profiling=false` and that profiling endpoints (such as `/debug/pprof`) are not enabled.",
|
||||
"Risk": "With profiling enabled, `/debug/pprof` exposes stack traces, heap data, and request details that can leak secrets and topology, degrading **confidentiality**. Heavy profiling queries can exhaust CPU and memory, threatening **availability**. Insight into code paths and timings can aid exploitation, affecting **integrity** of the control plane.",
|
||||
"RelatedUrl": "",
|
||||
"AdditionalURLs": [
|
||||
"https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/"
|
||||
],
|
||||
"Remediation": {
|
||||
"Code": {
|
||||
"CLI": "--profiling=false",
|
||||
"NativeIaC": "https://docs.prowler.com/checks/kubernetes/kubernetes-policy-index/ensure-that-the-profiling-argument-is-set-to-false-2",
|
||||
"Other": "",
|
||||
"CLI": "",
|
||||
"NativeIaC": "",
|
||||
"Other": "1. SSH to the control plane node\n2. Edit /etc/kubernetes/manifests/kube-apiserver.yaml\n3. In spec.containers[0].command, add: `--profiling=false`\n4. Save the file; the kubelet will restart the API server automatically\n5. Verify the flag is active: `ps aux | grep kube-apiserver | grep -- '--profiling=false'`",
|
||||
"Terraform": ""
|
||||
},
|
||||
"Recommendation": {
|
||||
"Text": "Disable profiling in the API server unless it is necessary for troubleshooting performance bottlenecks.",
|
||||
"Url": "https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/"
|
||||
"Text": "Keep API server profiling disabled by default. *If diagnostics are required*, enable it briefly in a controlled, isolated environment.\n\nApply **least privilege** to debug access, restrict exposure via network controls, and audit usage. Use **defense in depth** and separation of duties for any profiling enablement.",
|
||||
"Url": "https://hub.prowler.com/check/apiserver_disable_profiling"
|
||||
}
|
||||
},
|
||||
"Categories": [
|
||||
"trustboundaries"
|
||||
"cluster-security"
|
||||
],
|
||||
"DependsOn": [],
|
||||
"RelatedTo": [],
|
||||
|
||||
@@ -1,30 +1,35 @@
|
||||
{
|
||||
"Provider": "kubernetes",
|
||||
"CheckID": "apiserver_encryption_provider_config_set",
|
||||
"CheckTitle": "Ensure that the --encryption-provider-config argument is set as appropriate",
|
||||
"CheckTitle": "API server pod has the --encryption-provider-config argument set",
|
||||
"CheckType": [],
|
||||
"ServiceName": "apiserver",
|
||||
"SubServiceName": "",
|
||||
"ResourceIdTemplate": "",
|
||||
"Severity": "high",
|
||||
"ResourceType": "KubernetesAPIServer",
|
||||
"Description": "This check ensures that the Kubernetes API server is configured with the --encryption-provider-config argument to encrypt sensitive data at rest in the etcd key-value store. Encrypting data at rest prevents potential unauthorized disclosures and ensures that the sensitive data is secure.",
|
||||
"Risk": "Without proper configuration of the encryption provider, sensitive data stored in etcd might not be encrypted, posing a risk of data breaches.",
|
||||
"RelatedUrl": "https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/",
|
||||
"ResourceType": "Pod",
|
||||
"Description": "**Kubernetes API server** pods include `--encryption-provider-config`, supplying an EncryptionConfiguration to apply **encryption at rest** to selected API resources stored in etcd.",
|
||||
"Risk": "Absent an encryption provider, **Secrets and credentials** are stored in plaintext in etcd and backups. Access to etcd, control plane disks, or snapshots can expose keys and tokens, enabling unauthorized API calls and lateral movement, compromising **confidentiality** and **integrity**.",
|
||||
"RelatedUrl": "",
|
||||
"AdditionalURLs": [
|
||||
"https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/",
|
||||
"https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/#determining-whether-encryption-at-rest-is-already-enabled"
|
||||
],
|
||||
"Remediation": {
|
||||
"Code": {
|
||||
"CLI": "--encryption-provider-config=/path/to/EncryptionConfig/File",
|
||||
"CLI": "",
|
||||
"NativeIaC": "",
|
||||
"Other": "",
|
||||
"Other": "1. SSH to each control-plane node\n2. Create the encryption config file at /etc/kubernetes/enc/enc.yaml:\n ```yaml\n apiVersion: apiserver.config.k8s.io/v1\n kind: EncryptionConfiguration\n resources:\n - resources: [\"secrets\"]\n providers:\n - aescbc:\n keys:\n - name: key1\n secret: <BASE64_32_BYTE_KEY>\n - identity: {}\n ```\n3. Edit /etc/kubernetes/manifests/kube-apiserver.yaml and:\n - Add the flag under the kube-apiserver container command:\n ```\n - --encryption-provider-config=/etc/kubernetes/enc/enc.yaml\n ```\n - Mount the config path:\n ```yaml\n volumeMounts:\n - name: enc\n mountPath: /etc/kubernetes/enc\n readOnly: true\n ...\n volumes:\n - name: enc\n hostPath:\n path: /etc/kubernetes/enc\n type: DirectoryOrCreate\n ```\n Save the file; the kubelet will restart the API server.\n4. Repeat on all control-plane nodes.",
|
||||
"Terraform": ""
|
||||
},
|
||||
"Recommendation": {
|
||||
"Text": "Configure and enable encryption for data at rest in etcd using a suitable EncryptionConfig file.",
|
||||
"Url": "https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/#determining-whether-encryption-at-rest-is-already-enabled"
|
||||
"Text": "Enable **encryption at rest** with an `EncryptionConfiguration` and run with `--encryption-provider-config` using a non-`identity` provider (prefer `kms v2`). Apply **least privilege** to key/KMS access, rotate keys, restrict config file access, keep settings consistent across API servers, and re-encrypt existing objects.",
|
||||
"Url": "https://hub.prowler.com/check/apiserver_encryption_provider_config_set"
|
||||
}
|
||||
},
|
||||
"Categories": [
|
||||
"encryption"
|
||||
"encryption",
|
||||
"cluster-security"
|
||||
],
|
||||
"DependsOn": [],
|
||||
"RelatedTo": [],
|
||||
|
||||
@@ -1,31 +1,35 @@
|
||||
{
|
||||
"Provider": "kubernetes",
|
||||
"CheckID": "apiserver_etcd_cafile_set",
|
||||
"CheckTitle": "Ensure that the --etcd-cafile argument is set as appropriate",
|
||||
"CheckTitle": "Kubernetes API server pod has the --etcd-cafile argument set",
|
||||
"CheckType": [],
|
||||
"ServiceName": "apiserver",
|
||||
"SubServiceName": "",
|
||||
"ResourceIdTemplate": "",
|
||||
"Severity": "high",
|
||||
"ResourceType": "KubernetesAPIServer",
|
||||
"Description": "This check ensures that the Kubernetes API server is configured with the --etcd-cafile argument, specifying the Certificate Authority file for etcd client connections. This setting is important for secure communication with etcd and ensures that the API server connects to etcd with an SSL Certificate Authority file.",
|
||||
"Risk": "Without proper TLS configuration, communication between the API server and etcd can be unencrypted, leading to potential security vulnerabilities.",
|
||||
"RelatedUrl": "https://kubernetes.io/docs/tasks/administer-cluster/configure-upgrade-etcd/",
|
||||
"Severity": "critical",
|
||||
"ResourceType": "Pod",
|
||||
"Description": "**Kubernetes API server** uses an **etcd CA file** via `--etcd-cafile` to verify etcd's TLS certificate.\n\nThis evaluates whether API server containers specify that CA file, anchoring TLS trust for etcd connections.",
|
||||
"Risk": "Without a validated **etcd CA**, the API server may accept rogue or intercepted endpoints, undermining:\n- **Confidentiality**: exposure of cluster data in transit\n- **Integrity**: tampering with Kubernetes state in etcd\n- **Availability**: control plane disruption via malicious etcd responses",
|
||||
"RelatedUrl": "",
|
||||
"AdditionalURLs": [
|
||||
"https://kubernetes.io/docs/tasks/administer-cluster/configure-upgrade-etcd/#limiting-access-of-etcd-clusters",
|
||||
"https://kubernetes.io/docs/tasks/administer-cluster/configure-upgrade-etcd/"
|
||||
],
|
||||
"Remediation": {
|
||||
"Code": {
|
||||
"CLI": "--etcd-cafile=<path/to/ca-file>",
|
||||
"NativeIaC": "https://docs.prowler.com/checks/kubernetes/kubernetes-policy-index/ensure-that-the-etcd-cafile-argument-is-set-as-appropriate-1",
|
||||
"Other": "",
|
||||
"CLI": "",
|
||||
"NativeIaC": "",
|
||||
"Other": "1. SSH to the control plane node running kube-apiserver\n2. Edit /etc/kubernetes/manifests/kube-apiserver.yaml\n3. In spec.containers[0].command, add the flag line:\n ```\n - --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt\n ```\n4. Save the file; the kubelet will restart the API server automatically",
|
||||
"Terraform": ""
|
||||
},
|
||||
"Recommendation": {
|
||||
"Text": "Ensure etcd connections from the API server are secured using the appropriate CA file.",
|
||||
"Url": "https://kubernetes.io/docs/tasks/administer-cluster/configure-upgrade-etcd/#limiting-access-of-etcd-clusters"
|
||||
"Text": "Anchor etcd connections in **mutual TLS**: provide a trusted CA (`--etcd-cafile`) and unique client credentials, rotate keys, and prefer strong ciphers.\n\nApply **least privilege** and **network segmentation** so only API servers can reach etcd; disable plaintext or unauthenticated access.",
|
||||
"Url": "https://hub.prowler.com/check/apiserver_etcd_cafile_set"
|
||||
}
|
||||
},
|
||||
"Categories": [
|
||||
"encryption",
|
||||
"encryption"
|
||||
"cluster-security"
|
||||
],
|
||||
"DependsOn": [],
|
||||
"RelatedTo": [],
|
||||
|
||||
@@ -1,30 +1,35 @@
|
||||
{
|
||||
"Provider": "kubernetes",
|
||||
"CheckID": "apiserver_etcd_tls_config",
|
||||
"CheckTitle": "Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate",
|
||||
"CheckTitle": "API server pod has --etcd-certfile and --etcd-keyfile configured for etcd TLS",
|
||||
"CheckType": [],
|
||||
"ServiceName": "apiserver",
|
||||
"SubServiceName": "",
|
||||
"ResourceIdTemplate": "",
|
||||
"Severity": "high",
|
||||
"ResourceType": "KubernetesAPIServer",
|
||||
"Description": "This check ensures that the Kubernetes API server is configured with TLS encryption for etcd client connections, using --etcd-certfile and --etcd-keyfile arguments. Setting up TLS for etcd is crucial for securing the sensitive data stored in etcd as it's the primary datastore for Kubernetes.",
|
||||
"Risk": "Without TLS encryption, data stored in etcd is susceptible to eavesdropping and man-in-the-middle attacks, potentially leading to data breaches.",
|
||||
"RelatedUrl": "https://kubernetes.io/docs/tasks/administer-cluster/configure-upgrade-etcd/",
|
||||
"Severity": "critical",
|
||||
"ResourceType": "Pod",
|
||||
"Description": "**Kubernetes API server** uses **TLS** for its etcd client connection, signaled by `--etcd-certfile` and `--etcd-keyfile` in the API server pod arguments.\n\nThis evaluates whether client-certificate authentication is configured between the API server and etcd.",
|
||||
"Risk": "Without **TLS and client certs**, API server-etcd traffic can be **intercepted or altered**, compromising **confidentiality** (Secrets, tokens), **integrity** (state tampering), and **availability** (control-plane instability). Attackers could perform MITM, exfiltrate data, or inject state to seize cluster control.",
|
||||
"RelatedUrl": "",
|
||||
"AdditionalURLs": [
|
||||
"https://kubernetes.io/docs/tasks/administer-cluster/configure-upgrade-etcd/#limiting-access-of-etcd-clusters",
|
||||
"https://kubernetes.io/docs/tasks/administer-cluster/configure-upgrade-etcd/"
|
||||
],
|
||||
"Remediation": {
|
||||
"Code": {
|
||||
"CLI": "--etcd-certfile=<path/to/client-certificate-file> --etcd-keyfile=<path/to/client-key-file>",
|
||||
"NativeIaC": "https://docs.prowler.com/checks/kubernetes/kubernetes-policy-index/ensure-that-the-etcd-certfile-and-etcd-keyfile-arguments-are-set-as-appropriate",
|
||||
"Other": "",
|
||||
"CLI": "",
|
||||
"NativeIaC": "",
|
||||
"Other": "1. SSH to each control plane node\n2. Edit /etc/kubernetes/manifests/kube-apiserver.yaml\n3. In spec.containers[0].command add:\n - --etcd-certfile=<path/to/client-certificate-file>\n - --etcd-keyfile=<path/to/client-key-file>\n4. Save the file; the kubelet will restart the API server with the new flags",
|
||||
"Terraform": ""
|
||||
},
|
||||
"Recommendation": {
|
||||
"Text": "Enable TLS encryption for etcd client connections to secure sensitive data.",
|
||||
"Url": "https://kubernetes.io/docs/tasks/administer-cluster/configure-upgrade-etcd/#limiting-access-of-etcd-clusters"
|
||||
"Text": "Enforce **mutual TLS** between API server and etcd with trusted CAs and unique client certificates. Restrict etcd network access to control-plane nodes, rotate keys, and monitor certificate expiry. Apply **least privilege** and **defense in depth** using private networking and firewall policies.",
|
||||
"Url": "https://hub.prowler.com/check/apiserver_etcd_tls_config"
|
||||
}
|
||||
},
|
||||
"Categories": [
|
||||
"encryption"
|
||||
"encryption",
|
||||
"cluster-security"
|
||||
],
|
||||
"DependsOn": [],
|
||||
"RelatedTo": [],
|
||||
|
||||
@@ -1,30 +1,40 @@
|
||||
{
|
||||
"Provider": "kubernetes",
|
||||
"CheckID": "apiserver_event_rate_limit",
|
||||
"CheckTitle": "Ensure that the admission control plugin EventRateLimit is set",
|
||||
"CheckTitle": "Kubernetes API server pod has the EventRateLimit admission control plugin enabled",
|
||||
"CheckType": [],
|
||||
"ServiceName": "apiserver",
|
||||
"SubServiceName": "",
|
||||
"ResourceIdTemplate": "",
|
||||
"Severity": "medium",
|
||||
"ResourceType": "KubernetesAPIServer",
|
||||
"Description": "This check verifies if the Kubernetes API server is configured with the EventRateLimit admission control plugin. This plugin limits the rate of events accepted by the API Server, preventing potential DoS attacks by misbehaving workloads.",
|
||||
"Risk": "Without EventRateLimit, the API server could be overwhelmed by a high number of events, leading to DoS and performance issues.",
|
||||
"RelatedUrl": "https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/",
|
||||
"ResourceType": "Pod",
|
||||
"Description": "**Kubernetes API server** includes `EventRateLimit` among its enabled admission plugins, applying rate controls to Kubernetes `Event` objects during admission",
|
||||
"Risk": "Without **event rate limiting**, bursts of Event writes from noisy or hostile workloads can overwhelm the API server, degrading **availability**. This leads to API timeouts, slow or stalled controller reconciliations, and amplifies **DoS** against control-plane endpoints.",
|
||||
"RelatedUrl": "",
|
||||
"AdditionalURLs": [
|
||||
"https://stackoverflow.com/questions/62856246/where-are-the-logs-for-kubernetes-static-pods",
|
||||
"https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#eventratelimit",
|
||||
"https://static.opendev.org/project/starlingx.io/www/system_configuration/kubernetes/kubernetes-custom-configuration-31c1fd41857d.html",
|
||||
"https://qinlj.github.io/docs/reference/access-authn-authz/admission-controllers/",
|
||||
"https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/",
|
||||
"https://kodekloud.com/community/t/kubernetes-admission-plugins/479194/4",
|
||||
"https://ro.site24x7.com/learn/kubernetes/kubernetes-security-monitoring.html"
|
||||
],
|
||||
"Remediation": {
|
||||
"Code": {
|
||||
"CLI": "--enable-admission-plugins=...,EventRateLimit,... --admission-control-config-file=/path/to/configuration/file",
|
||||
"NativeIaC": "https://docs.prowler.com/checks/kubernetes/kubernetes-policy-index/ensure-that-the-admission-control-plugin-eventratelimit-is-set",
|
||||
"Other": "",
|
||||
"CLI": "",
|
||||
"NativeIaC": "",
|
||||
"Other": "1. SSH to the control-plane node and edit the API server static pod manifest:\n - File: /etc/kubernetes/manifests/kube-apiserver.yaml\n2. In the kube-apiserver container args/command list, ensure EventRateLimit is enabled:\n - If the flag exists, append EventRateLimit to the list:\n --enable-admission-plugins=... ,EventRateLimit\n - If missing, add it:\n --enable-admission-plugins=EventRateLimit\n3. Save the file. The kubelet will restart the API server automatically and the check will pass.",
|
||||
"Terraform": ""
|
||||
},
|
||||
"Recommendation": {
|
||||
"Text": "Configure EventRateLimit as an admission control plugin for the API server to manage the rate of incoming events effectively.",
|
||||
"Url": "https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#eventratelimit"
|
||||
"Text": "Use the `EventRateLimit` admission plugin with conservative, workload-aware thresholds (global, per-namespace, per-user) to cap Event throughput.\n\nApply **defense in depth**: monitor Event volume, alert on spikes, tame noisy emitters, and uphold **least privilege** to preserve API capacity.",
|
||||
"Url": "https://hub.prowler.com/check/apiserver_event_rate_limit"
|
||||
}
|
||||
},
|
||||
"Categories": [
|
||||
"trustboundaries"
|
||||
"cluster-security",
|
||||
"resilience"
|
||||
],
|
||||
"DependsOn": [],
|
||||
"RelatedTo": [],
|
||||
|
||||
@@ -1,31 +1,39 @@
|
||||
{
|
||||
"Provider": "kubernetes",
|
||||
"CheckID": "apiserver_kubelet_cert_auth",
|
||||
"CheckTitle": "Ensure that the --kubelet-certificate-authority argument is set as appropriate",
|
||||
"CheckTitle": "API server pod has --kubelet-certificate-authority configured",
|
||||
"CheckType": [],
|
||||
"ServiceName": "apiserver",
|
||||
"SubServiceName": "",
|
||||
"ResourceIdTemplate": "",
|
||||
"Severity": "high",
|
||||
"ResourceType": "KubernetesAPIServer",
|
||||
"Description": "This check ensures that the Kubernetes API server is set up with a specified certificate authority for kubelet connections, using the --kubelet-certificate-authority argument. This setup is crucial for verifying the kubelet's certificate to prevent man-in-the-middle attacks during connections from the apiserver to the kubelet.",
|
||||
"Risk": "Without the --kubelet-certificate-authority argument, connections to kubelets are not verified, increasing the risk of man-in-the-middle attacks, especially over untrusted networks.",
|
||||
"RelatedUrl": "https://kubernetes.io/docs/setup/best-practices/certificates/",
|
||||
"Severity": "critical",
|
||||
"ResourceType": "Pod",
|
||||
"Description": "**Kubernetes API server** is configured with a **kubelet certificate authority** via `--kubelet-certificate-authority` so it can validate kubelet serving certificates during APIkubelet TLS connections.",
|
||||
"Risk": "Without a trusted kubelet CA, the API server can't verify kubelet identities, weakening TLS and enabling **man-in-the-middle** on control planenode traffic. Attackers could read logs/exec streams (**Confidentiality**), tamper with responses or commands (**Integrity**), and disrupt node management (**Availability**).",
|
||||
"RelatedUrl": "",
|
||||
"AdditionalURLs": [
|
||||
"https://jamesdefabia.github.io/docs/admin/kube-apiserver/",
|
||||
"https://kubernetes.io/docs/setup/best-practices/certificates/",
|
||||
"https://stackoverflow.com/questions/63994701/how-do-i-properly-set-kubelet-certificate-authority-apiserver-parameter",
|
||||
"https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/",
|
||||
"https://kubernetes.io/docs/setup/best-practices/certificates/#configure-certificates-manually",
|
||||
"https://docs.kics.io/latest/queries/kubernetes-queries/ec18a0d3-0069-4a58-a7fb-fbfe0b4bbbe0/"
|
||||
],
|
||||
"Remediation": {
|
||||
"Code": {
|
||||
"CLI": "--kubelet-certificate-authority=/path/to/ca-file",
|
||||
"NativeIaC": "https://docs.prowler.com/checks/kubernetes/kubernetes-policy-index/ensure-that-the-kubelet-certificate-authority-argument-is-set-as-appropriate",
|
||||
"Other": "",
|
||||
"CLI": "",
|
||||
"NativeIaC": "```yaml\n# kube-apiserver Pod with kubelet CA configured\napiVersion: v1\nkind: Pod\nmetadata:\n name: <example_resource_name>\n namespace: kube-system\nspec:\n containers:\n - name: kube-apiserver\n image: registry.k8s.io/kube-apiserver:v1.27.0\n command:\n - kube-apiserver\n - --kubelet-certificate-authority=/etc/kubernetes/pki/ca.crt # Critical: verifies kubelet certs using this CA to secure apiserver<->kubelet\n```",
|
||||
"Other": "1. SSH to the control-plane node\n2. Edit /etc/kubernetes/manifests/kube-apiserver.yaml\n3. In containers[].command, add: --kubelet-certificate-authority=/etc/kubernetes/pki/ca.crt\n4. Save the file; the kubelet will restart the API server automatically\n5. Verify the flag is present in the manifest and the apiserver pod is Running in kube-system",
|
||||
"Terraform": ""
|
||||
},
|
||||
"Recommendation": {
|
||||
"Text": "Enable TLS verification between the apiserver and kubelets by specifying the certificate authority in the kube-apiserver configuration.",
|
||||
"Url": "https://kubernetes.io/docs/setup/best-practices/certificates/#configure-certificates-manually"
|
||||
"Text": "Enforce **mutual TLS** for API server-kubelet communication. Provide a trusted CA using `--kubelet-certificate-authority`, issue certs from controlled PKI, rotate keys, and limit client credentials per *least privilege*. Prefer private networking and layered controls for **defense in depth**.",
|
||||
"Url": "https://hub.prowler.com/check/apiserver_kubelet_cert_auth"
|
||||
}
|
||||
},
|
||||
"Categories": [
|
||||
"cluster-security",
|
||||
"internet-exposed"
|
||||
"encryption"
|
||||
],
|
||||
"DependsOn": [],
|
||||
"RelatedTo": [],
|
||||
|
||||
@@ -1,31 +1,35 @@
{
"Provider": "kubernetes",
"CheckID": "apiserver_kubelet_tls_auth",
"CheckTitle": "Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate",
"CheckTitle": "API server pod has --kubelet-client-certificate and --kubelet-client-key arguments configured",
"CheckType": [],
"ServiceName": "apiserver",
"SubServiceName": "",
"ResourceIdTemplate": "",
"Severity": "high",
"ResourceType": "KubernetesAPIServer",
"Description": "This check ensures that the Kubernetes API server is set up with certificate-based authentication to the kubelet. This setup requires the --kubelet-client-certificate and --kubelet-client-key arguments in the kube-apiserver configuration to be set, ensuring secure communication between the API server and kubelets.",
"Risk": "Without certificate-based authentication to kubelets, requests from the apiserver are treated as anonymous, which could lead to unauthorized access and manipulation of node resources.",
"RelatedUrl": "https://kubernetes.io/docs/setup/best-practices/certificates/",
"Severity": "critical",
"ResourceType": "Pod",
"Description": "**Kubernetes API server** is configured to use **TLS client certificates** when communicating with kubelets via `--kubelet-client-certificate` and `--kubelet-client-key`.",
"Risk": "Without **mTLS to kubelets**, apiserver requests may be **anonymous or weakly authenticated**. Adversaries can abuse kubelet endpoints to:\n- Read logs and files (C)\n- Exec into pods (I)\n- Evict or disrupt pods (A)\nEnables lateral movement and workload tampering.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://kubernetes.io/docs/setup/best-practices/certificates/",
"https://kubernetes.io/docs/setup/best-practices/certificates/#configure-certificates-manually"
],
"Remediation": {
"Code": {
"CLI": "--kubelet-client-certificate=/path/to/client-certificate-file --kubelet-client-key=/path/to/client-key-file",
"NativeIaC": "https://docs.prowler.com/checks/kubernetes/kubernetes-policy-index/ensure-that-the-kubelet-client-certificate-and-kubelet-client-key-arguments-are-set-as-appropriate",
"Other": "",
"CLI": "",
"NativeIaC": "",
"Other": "1. SSH to the control plane node.\n2. Edit the API server static pod manifest: /etc/kubernetes/manifests/kube-apiserver.yaml\n3. Under spec.containers[0].command add both flags (use existing certs in /etc/kubernetes/pki):\n \n --kubelet-client-certificate=/etc/kubernetes/pki/apiserver-kubelet-client.crt\n --kubelet-client-key=/etc/kubernetes/pki/apiserver-kubelet-client.key\n\n4. Save the file; the kubelet will automatically restart the API server with the new flags.",
"Terraform": ""
},
"Recommendation": {
"Text": "Enable TLS authentication between the apiserver and kubelets by specifying the client certificate and key in the kube-apiserver configuration.",
"Url": "https://kubernetes.io/docs/setup/best-practices/certificates/#configure-certificates-manually"
"Text": "Enforce **mutual TLS** between apiserver and kubelets using a dedicated client certificate/key (`--kubelet-client-certificate`, `--kubelet-client-key`) signed by a trusted CA. Apply **least privilege** to kubelet authorization and disable **anonymous access** to strengthen defense-in-depth.",
"Url": "https://hub.prowler.com/check/apiserver_kubelet_tls_auth"
}
},
"Categories": [
"cluster-security",
"internet-exposed"
"encryption"
],
"DependsOn": [],
"RelatedTo": [],
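Review bot: The `Other` remediation configures only the API-server side, yet the new `Risk` text warns about anonymous requests to the kubelet; presenting a client certificate changes nothing unless each kubelet is configured to verify it. A closing step would make the advice complete: `5. Confirm every kubelet verifies the presented certificate (authentication.x509.clientCAFile in the kubelet configuration) and has anonymous authentication disabled; otherwise these flags do not change what the kubelet accepts.` The certificate paths in step 3 are kubeadm defaults, which the text should say so readers on other distributions look up their own.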
@@ -1,26 +1,36 @@
{
"Provider": "kubernetes",
"CheckID": "apiserver_namespace_lifecycle_plugin",
"CheckTitle": "Ensure that the admission control plugin NamespaceLifecycle is set",
"CheckTitle": "Kubernetes API server pod has NamespaceLifecycle admission control plugin enabled",
"CheckType": [],
"ServiceName": "apiserver",
"SubServiceName": "",
"ResourceIdTemplate": "",
"Severity": "medium",
"ResourceType": "KubernetesAPIServer",
"Description": "This check verifies that the NamespaceLifecycle admission control plugin is enabled in the Kubernetes API server. This plugin prevents the creation of objects in non-existent or terminating namespaces, enforcing the integrity of the namespace lifecycle and availability of new objects.",
"Risk": "Without NamespaceLifecycle, objects may be created in namespaces that are being terminated, potentially leading to inconsistencies and resource conflicts.",
"RelatedUrl": "https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/",
"Severity": "high",
"ResourceType": "Pod",
"Description": "**Kubernetes API server** has the `NamespaceLifecycle` admission controller active and not disabled, enforcing namespace lifecycle rules by rejecting objects targeting **non-existent** or **terminating** namespaces and protecting system namespaces from deletion.",
"Risk": "Without `NamespaceLifecycle`, resources can be created in namespaces being removed or that never existed, causing inconsistent state and controller errors.\n\nThis degrades **integrity** and **availability**, leaving orphaned objects, delaying cleanup, and potentially preserving access via leftover service accounts or policies.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://www.sysdig.com/learn-cloud-native/kubernetes-admission-controllers",
"https://stackoverflow.com/questions/67362350/how-do-i-find-and-call-the-kube-apiserver-in-k3s-k3d-with-calico-and-without",
"https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/",
"https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#namespacelifecycle",
"https://be-reliable-engineer.medium.com/k8s-admission-controller-4796b66435ad",
"https://blog.codegrape.com/advantages-of-governance-within-kubernetes/",
"https://notes.kodekloud.com/docs/Certified-Kubernetes-Application-Developer-CKAD/Security/Solution-Admission-Controllers",
"https://blog.nashtechglobal.com/admission-controller-in-kubernetes/"
],
"Remediation": {
"Code": {
"CLI": "--enable-admission-plugins=...,NamespaceLifecycle,...",
"NativeIaC": "https://docs.prowler.com/checks/kubernetes/kubernetes-policy-index/ensure-that-the-admission-control-plugin-namespacelifecycle-is-set",
"Other": "",
"CLI": "",
"NativeIaC": "",
"Other": "1. SSH to the control plane node.\n2. Edit the API server manifest: /etc/kubernetes/manifests/kube-apiserver.yaml\n3. In spec.containers[0].command, ensure NamespaceLifecycle is enabled and not disabled:\n ```yaml\n # Critical: enable NamespaceLifecycle plugin\n - --enable-admission-plugins=NamespaceLifecycle\n # If this flag exists with a list, append ,NamespaceLifecycle to it\n # Ensure NamespaceLifecycle is NOT present in:\n # - --disable-admission-plugins=...\n ```\n4. Save the file; the kubelet will restart the API server automatically.\n5. Verify the setting is present in the running pod spec:\n ```\n kubectl -n kube-system get pod -l component=kube-apiserver -o jsonpath='{.items[0].spec.containers[0].command}' | grep NamespaceLifecycle\n ```",
"Terraform": ""
},
"Recommendation": {
"Text": "Enable the NamespaceLifecycle admission control plugin in the API server to enforce proper namespace management.",
"Url": "https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#namespacelifecycle"
"Text": "Ensure `NamespaceLifecycle` remains enabled to enforce namespace governance. Apply **least privilege** for namespace creation/deletion, and use **separation of duties** for approvals. Monitor deletions and remediate stuck finalizers so cleanup completes. Combine with RBAC and audit logs for **defense in depth**.",
"Url": "https://hub.prowler.com/check/apiserver_namespace_lifecycle_plugin"
}
},
"Categories": [
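Review bot: `AdditionalURLs` now mixes Stack Overflow, Medium and vendor-blog posts with the Kubernetes reference, and the same pattern appears in the AlwaysAdmit, token-auth-file and NodeRestriction hunks below; for a field users treat as the check's authoritative references, links whose content can change or disappear should be trimmed to the maintained sources. Keeping `https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#namespacelifecycle` first and dropping the rest would do. Separately, step 3 of `Other` can mislead: `NamespaceLifecycle` is enabled by default, so the failing case in practice is its presence in `--disable-admission-plugins`, and the step should open with `Remove NamespaceLifecycle from --disable-admission-plugins if present; it is enabled by default.` before telling readers to add it.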
@@ -1,30 +1,39 @@
{
"Provider": "kubernetes",
"CheckID": "apiserver_no_always_admit_plugin",
"CheckTitle": "Ensure that the admission control plugin AlwaysAdmit is not set",
"CheckTitle": "API server pod does not have the AlwaysAdmit admission control plugin enabled",
"CheckType": [],
"ServiceName": "apiserver",
"SubServiceName": "",
"ResourceIdTemplate": "",
"Severity": "high",
"ResourceType": "KubernetesAPIServer",
"Description": "This check verifies that the Kubernetes API server is not configured with the AlwaysAdmit admission control plugin. The AlwaysAdmit plugin allows all requests without any filtering, which is a security risk and is deprecated.",
"Risk": "Enabling AlwaysAdmit permits all requests by default, bypassing other admission control checks, which can lead to unauthorized access.",
"RelatedUrl": "https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/",
"Severity": "critical",
"ResourceType": "Pod",
"Description": "**Kubernetes API server** configuration is inspected for the `AlwaysAdmit` admission plugin in `--enable-admission-plugins`.\n\nIf `AlwaysAdmit` is configured, the server accepts all admission requests without running other admission controllers.",
"Risk": "With **AlwaysAdmit**, admission policies don't run after authN/Z, weakening CIA:\n- Bypass of controls enables privileged or unsafe workloads (confidentiality, integrity)\n- Quotas/limits can be ignored, causing resource exhaustion (availability)\n- Misconfigurations persist, enabling escalation and lateral movement",
"RelatedUrl": "",
"AdditionalURLs": [
"https://kodekloud.com/community/t/kubernetes-admission-plugins/479194",
"https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#alwaysadmit",
"https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/",
"https://faun.pub/kubernetes-admission-controller-2913a5b3d0c1",
"https://docs.prowler.com/checks/kubernetes/kubernetes-policy-index/ensure-that-the-admission-control-plugin-alwaysadmit-is-not-set/",
"https://github.com/kubernetes/kubernetes/issues/66979",
"https://stackoverflow.com/questions/51489955/how-to-obtain-the-enable-admission-controller-list-in-kubernetes"
],
"Remediation": {
"Code": {
"CLI": "--disable-admission-plugins=...,AlwaysAdmit,...",
"NativeIaC": "https://docs.prowler.com/checks/kubernetes/kubernetes-policy-index/ensure-that-the-admission-control-plugin-alwaysadmit-is-not-set",
"Other": "",
"CLI": "",
"NativeIaC": "",
"Other": "1. SSH to a control plane node\n2. Edit the static pod manifest: sudo vi /etc/kubernetes/manifests/kube-apiserver.yaml\n3. In spec.containers[].command, locate the flag --enable-admission-plugins=...\n4. Remove \"AlwaysAdmit\" from the comma-separated list (if it is the only value, remove the entire flag)\n5. Save the file; the kubelet will restart the API server automatically\n6. Verify it's gone: kubectl -n kube-system describe pod <example_apiserver_pod> | grep -- --enable-admission-plugins (ensure AlwaysAdmit is not present)",
"Terraform": ""
},
"Recommendation": {
"Text": "Ensure the API server does not use the AlwaysAdmit admission control plugin to maintain proper security checks for all requests.",
"Url": "https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#alwaysadmit"
"Text": "Exclude `AlwaysAdmit` from API server settings. Use a **deny-by-default** admission posture and enable only necessary controllers to enforce policy and limits (e.g., PodSecurity, ResourceQuota, LimitRanger).\n\nApply **least privilege**, regularly review admission configuration, and audit API activity to detect drift.",
"Url": "https://hub.prowler.com/check/apiserver_no_always_admit_plugin"
}
},
"Categories": [
"trustboundaries"
"cluster-security"
],
"DependsOn": [],
"RelatedTo": [],
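Review bot: The rewritten `Description` drops the point made on the removed line that `AlwaysAdmit` is deprecated, which is the strongest reason for the remediation; appending `The plugin is deprecated upstream because it behaves as if no admission controller were configured.` would restore it. The `Risk` bullets otherwise match the recommendation's pairing of `PodSecurity`, `ResourceQuota` and `LimitRanger`, so no further change seems needed there.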
@@ -1,30 +1,40 @@
{
"Provider": "kubernetes",
"CheckID": "apiserver_no_token_auth_file",
"CheckTitle": "Ensure that the --token-auth-file parameter is not set",
"CheckTitle": "API server pod does not have --token-auth-file enabled",
"CheckType": [],
"ServiceName": "apiserver",
"SubServiceName": "",
"ResourceIdTemplate": "",
"Severity": "high",
"ResourceType": "KubernetesAPIServer",
"Description": "This check ensures that the Kubernetes API server is not using static token-based authentication, which is less secure. Static tokens are stored in clear-text and lack features like revocation or rotation without restarting the API server.",
"Risk": "Using static token-based authentication exposes the cluster to security risks due to the static nature of the tokens, their clear-text storage, and the inability to revoke or rotate them easily.",
"RelatedUrl": "https://kubernetes.io/docs/reference/access-authn-authz/authentication/",
"ResourceType": "Pod",
"Description": "**Kubernetes API server** configuration is reviewed for use of **static token file authentication** by inspecting API server containers for the `--token-auth-file` argument",
"Risk": "Using **static bearer tokens** undermines CIA:\n- Confidentiality: leaked tokens grant API access\n- Integrity: long-lived tokens enable unauthorized changes\n- Availability: access can't be revoked quickly\nTokens are clear-text and lack **revocation/rotation**, enabling persistent access if exposed.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://notes.kodekloud.com/docs/CKA-Certification-Course-Certified-Kubernetes-Administrator/Security/Authentication",
"https://goteleport.com/blog/kubernetes-api-access-security/",
"https://kubernetes.io/docs/reference/access-authn-authz/authentication/#static-token-file",
"https://stackoverflow.com/questions/43072514/kubernetes-how-to-enable-api-server-bearer-token-auth",
"https://kubernetes.io/docs/reference/access-authn-authz/authentication/",
"https://www.golinuxcloud.com/kubernetes-authentication-authorization/",
"https://k8s-security.geek-kb.com/docs/fundamentals/authentication/authentication_methods/"
],
"Remediation": {
"Code": {
"CLI": "",
"NativeIaC": "https://docs.prowler.com/checks/kubernetes/kubernetes-policy-index/ensure-that-the-token-auth-file-parameter-is-not-set",
"Other": "",
"NativeIaC": "",
"Other": "1. SSH to each control plane node\n2. Open /etc/kubernetes/manifests/kube-apiserver.yaml\n3. In spec.containers[0].command, remove the line containing: --token-auth-file=</path/to/file> \n4. Save the file; the kubelet will automatically restart the API server\n5. Repeat on all control plane nodes\n6. Verify the flag is absent: kubectl -n kube-system get pods -l component=kube-apiserver -o yaml | grep -- --token-auth-file || echo \"not present\"",
"Terraform": ""
},
"Recommendation": {
"Text": "Replace token-based authentication with more secure mechanisms like client certificate authentication. Ensure the --token-auth-file argument is not used in the API server configuration.",
"Url": "https://kubernetes.io/docs/reference/access-authn-authz/authentication/#static-token-file"
"Text": "Avoid **static token files**. Prefer **client certificates**, **OIDC/webhook authenticators**, or **service accounts** with short-lived tokens. Apply **least privilege** with RBAC, enforce **rotation** and short expirations, and disable `--token-auth-file` to support **defense in depth** and rapid credential revocation.",
"Url": "https://hub.prowler.com/check/apiserver_no_token_auth_file"
}
},
"Categories": [
"trustboundaries"
"cluster-security",
"identity-access"
],
"DependsOn": [],
"RelatedTo": [],
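Review bot: Step 3 of `Other` removes the `--token-auth-file` flag but leaves the token file itself on the node, even though the new `Risk` text stresses that those tokens are stored in clear text; add `Delete the referenced token file from every control plane node and treat any tokens it held as exposed.` after step 3. The verification in step 6 reads the pod spec with `-o yaml`, which is the right place to look since the flag lives in the static pod manifest. The `Description` sentence also lacks a terminal period.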
@@ -1,30 +1,41 @@
{
"Provider": "kubernetes",
"CheckID": "apiserver_node_restriction_plugin",
"CheckTitle": "Ensure that the admission control plugin NodeRestriction is set",
"CheckTitle": "API server pod has NodeRestriction admission control plugin enabled",
"CheckType": [],
"ServiceName": "apiserver",
"SubServiceName": "",
"ResourceIdTemplate": "",
"Severity": "medium",
"ResourceType": "KubernetesAPIServer",
"Description": "This check ensures that the NodeRestriction admission control plugin is enabled in the Kubernetes API server. NodeRestriction limits the Node and Pod objects that a kubelet can modify, enhancing security by ensuring kubelets are restricted to manage their own node and pods.",
"Risk": "Without NodeRestriction, kubelets may have broader access to Node and Pod objects, potentially leading to unauthorized modifications and security risks.",
"RelatedUrl": "https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers",
"Severity": "high",
"ResourceType": "Pod",
"Description": "**Kubernetes API server** has the **NodeRestriction** admission controller enabled via `--enable-admission-plugins`.\n\nThis setting confines kubelets to modify only their own `Node` object and bound `Pod` objects.",
"Risk": "Without **NodeRestriction**, a compromised or misconfigured kubelet could alter other nodes or pods, change critical labels/taints, or delete node objects.\n\nThis enables lateral movement and workload hijacking, impacting **integrity** and **availability** of the cluster.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://stackoverflow.com/questions/67172030/how-do-i-configure-noderestriction-plug-in-on-kubelet",
"https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers",
"https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/",
"https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#noderestriction",
"https://blog.codefarm.me/2021/12/15/kubernetes-admission-controllers/",
"https://notes.kodekloud.com/docs/Certified-Kubernetes-Application-Developer-CKAD/Security/Solution-Admission-Controllers",
"https://cjyabraham.gitlab.io/docs/reference/access-authn-authz/admission-controllers/"
],
"Remediation": {
"Code": {
"CLI": "--enable-admission-plugins=...,NodeRestriction,...",
"NativeIaC": "https://docs.prowler.com/checks/kubernetes/kubernetes-policy-index/ensure-that-the-admission-control-plugin-noderestriction-is-set",
"Other": "",
"CLI": "",
"NativeIaC": "",
"Other": "1. SSH to the control plane node running the API server\n2. Edit the static pod manifest: /etc/kubernetes/manifests/kube-apiserver.yaml\n3. Under spec > containers[0] > command, ensure this flag is present and includes NodeRestriction (add it if missing):\n - --enable-admission-plugins=NodeRestriction\n If the flag already exists with other plugins, append ,NodeRestriction to the comma-separated list\n4. Save the file; the kubelet will automatically restart the API server",
"Terraform": ""
},
"Recommendation": {
"Text": "Enable the NodeRestriction admission control plugin in the API server for enhanced node and pod security.",
"Url": "https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#noderestriction"
"Text": "Enable the **NodeRestriction** admission controller to enforce **least privilege** for kubelets.\n\nPair it with **Node** and **RBAC** authorization, strong kubelet identity, and audit monitoring for defense-in-depth. Regularly rotate credentials and limit kubelet access to only its node.",
"Url": "https://hub.prowler.com/check/apiserver_node_restriction_plugin"
}
},
"Categories": [
"trustboundaries"
"cluster-security",
"identity-access",
"trust-boundaries"
],
"DependsOn": [],
"RelatedTo": [],
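Review bot: The new `Categories` entry `trust-boundaries` differs only by a hyphen from the `trustboundaries` removed on the line above, and every other hunk in this commit drops `trustboundaries` without adding a hyphenated form, so this check ends up in a category of one that filters on either spelling will miss; either keep `trustboundaries` or rename it consistently across the checks. `AdditionalURLs` lists the admission-controllers page twice, with and without a trailing slash, plus a personal GitLab mirror of it; one canonical entry is enough. The `Recommendation` says to pair the plugin with the Node authorizer, but `Other` never mentions it; a line such as `Also confirm --authorization-mode includes Node, as the recommendation assumes.` would keep the steps and the recommendation aligned.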
@@ -1,30 +1,35 @@
{
"Provider": "kubernetes",
"CheckID": "apiserver_request_timeout_set",
"CheckTitle": "Ensure that the --request-timeout argument is set as appropriate",
"CheckTitle": "Kubernetes API server pod has --request-timeout configured",
"CheckType": [],
"ServiceName": "apiserver",
"SubServiceName": "",
"ResourceIdTemplate": "",
"Severity": "medium",
"ResourceType": "KubernetesAPIServer",
"Description": "This check verifies that the Kubernetes API server is configured with an appropriate global request timeout. Setting a suitable --request-timeout value ensures the API server can handle requests efficiently without exhausting resources, especially in cases of slower connections or high-volume data requests.",
"Risk": "An inadequately set request timeout may lead to inefficient handling of API requests, either by timing out too quickly on slow connections or by allowing requests to consume excessive resources, leading to potential Denial-of-Service attacks.",
"RelatedUrl": "https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/",
"ResourceType": "Pod",
"Description": "**Kubernetes API server** has a global request timeout configured via `--request-timeout`.\n\nThe presence of that flag on API server containers is assessed.",
"Risk": "Without a defined, appropriate timeout, requests can linger and tie up handlers, reducing **availability**. Attackers can perform slowloris-style holds or heavy reads to cause **resource exhaustion** and backlog growth. Overly short timeouts can cut valid calls, disrupting controllers and clients.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/",
"https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/#options"
],
"Remediation": {
"Code": {
"CLI": "--request-timeout=300s",
"NativeIaC": "https://docs.prowler.com/checks/kubernetes/kubernetes-policy-index/ensure-that-the-request-timeout-argument-is-set-as-appropriate",
"Other": "",
"CLI": "",
"NativeIaC": "",
"Other": "1. SSH to each control-plane node\n2. Edit /etc/kubernetes/manifests/kube-apiserver.yaml\n3. In the kube-apiserver container's command list, add:\n ```yaml\n - --request-timeout=300s\n ```\n4. Save the file; the kubelet will automatically restart the API server\n5. Repeat on all control-plane nodes",
"Terraform": ""
},
"Recommendation": {
"Text": "Set the API server request timeout to a value that balances resource usage efficiency and the needs of your environment, considering connection speeds and data volumes.",
"Url": "https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/#options"
"Text": "Set `--request-timeout` to a bounded value aligned to typical non-watch calls; *when needed*, tune `--min-request-timeout` for watches. Combine with **priority and fairness**, rate limiting, and load testing to prevent starvation. Monitor latency and errors to adjust. Apply **defense in depth**.",
"Url": "https://hub.prowler.com/check/apiserver_request_timeout_set"
}
},
"Categories": [
"cluster-security"
"cluster-security",
"resilience"
],
"DependsOn": [],
"RelatedTo": [],
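Review bot: The new `Risk` text says that without the flag "requests can linger", but as far as I can tell from the kube-apiserver reference the flag has a non-zero default (1m0s), so an absent flag means the default bound applies rather than none; the sentence should say the check only confirms the value was set deliberately, which is what the `Description` already admits. Step 3 of `Other` presents `--request-timeout=300s` as the value to add without saying it is an example to be tuned, while the `Recommendation` asks for a value aligned to the workload; a qualifier such as `300s is an example; choose a bound suited to your longest non-watch requests.` would reconcile them.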
@@ -1,30 +1,34 @@
{
"Provider": "kubernetes",
"CheckID": "apiserver_security_context_deny_plugin",
"CheckTitle": "Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used",
"CheckTitle": "API server pod uses PodSecurityPolicy or has the SecurityContextDeny admission plugin enabled",
"CheckType": [],
"ServiceName": "apiserver",
"SubServiceName": "",
"ResourceIdTemplate": "",
"Severity": "medium",
"ResourceType": "KubernetesAPIServer",
"Description": "This check verifies that the SecurityContextDeny admission control plugin is enabled in the Kubernetes API server if PodSecurityPolicy is not used. The SecurityContextDeny plugin denies pods that make use of certain SecurityContext fields which could allow privilege escalation.",
"Risk": "Without SecurityContextDeny, pods may be able to escalate privileges if PodSecurityPolicy is not used, potentially leading to security vulnerabilities.",
"RelatedUrl": "https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/",
"Severity": "high",
"ResourceType": "Pod",
"Description": "**Kubernetes API server** admission configuration is reviewed for `PodSecurityPolicy` or `SecurityContextDeny`, indicating whether pods using high-risk `securityContext` fields (privileged, host access, extra capabilities) would be blocked during admission.",
"Risk": "Without these controls, pods can request privileged mode, host namespaces, or excessive capabilities, enabling container escape, node compromise, and data exfiltration. This undermines **integrity** and **confidentiality**, and can impact **availability** via lateral movement or disruptive actions.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/",
"https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#securitycontextdeny"
],
"Remediation": {
"Code": {
"CLI": "--enable-admission-plugins=...,SecurityContextDeny,...",
"NativeIaC": "https://docs.prowler.com/checks/kubernetes/kubernetes-policy-index/ensure-that-the-admission-control-plugin-securitycontextdeny-is-set-if-podsecuritypolicy-is-not-used",
"Other": "",
"CLI": "",
"NativeIaC": "",
"Other": "1. SSH to a control-plane node\n2. Edit /etc/kubernetes/manifests/kube-apiserver.yaml\n3. In spec.containers[0].command:\n - If --enable-admission-plugins=... exists, append \",SecurityContextDeny\" to its list\n - If absent, add a new arg line: - --enable-admission-plugins=SecurityContextDeny\n4. Save; the kubelet will restart the API server",
"Terraform": ""
},
"Recommendation": {
"Text": "Use SecurityContextDeny as an admission control plugin in the API server to enhance security, especially in the absence of PodSecurityPolicy.",
"Url": "https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#securitycontextdeny"
"Text": "Apply defense-in-depth at admission:\n- Prefer **Pod Security Admission** with `restricted` policies\n- *For legacy clusters*, enable `SecurityContextDeny` or an equivalent policy engine\n- Enforce **least privilege**: set `allowPrivilegeEscalation=false`, drop unnecessary capabilities, and avoid host namespaces.",
"Url": "https://hub.prowler.com/check/apiserver_security_context_deny_plugin"
}
},
"Categories": [
"trustboundaries"
"cluster-security"
],
"DependsOn": [],
"RelatedTo": [],
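Review bot: Step 3 of `Other` tells operators to add `SecurityContextDeny` to `--enable-admission-plugins`, but upstream deprecated that plugin (v1.27, if I recall the changelog correctly) and has since removed it, and `PodSecurityPolicy` in the new title was removed in v1.25; on a current cluster the step likely leaves the API server refusing to start on an unknown plugin name. The `Recommendation` already points to Pod Security Admission, so the steps should lead with it: enable the `PodSecurity` plugin and set the desired enforcement level, and present `SecurityContextDeny` only for clusters that still ship it. The `Description` should also state the version range in which this check is meaningful.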
@@ -1,31 +1,35 @@
{
"Provider": "kubernetes",
"CheckID": "apiserver_service_account_key_file_set",
"CheckTitle": "Ensure that the --service-account-key-file argument is set as appropriate",
"CheckTitle": "Kubernetes API server pod has --service-account-key-file configured",
"CheckType": [],
"ServiceName": "apiserver",
"SubServiceName": "",
"ResourceIdTemplate": "",
"Severity": "high",
"ResourceType": "KubernetesAPIServer",
"Description": "This check ensures that the Kubernetes API server is configured with a --service-account-key-file argument, specifying the public key file for service account verification. A separate key pair for service accounts enhances security by enabling key rotation and ensuring service account tokens are verified with a specific public key.",
"Risk": "Without a specified service account public key file, the API server may use the private key from its TLS serving certificate, hindering the ability to rotate keys and increasing security risks.",
"RelatedUrl": "https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/",
"ResourceType": "Pod",
"Description": "**Kubernetes API server** uses `--service-account-key-file` to supply the public key(s) for validating **service account tokens**.\n\nDetection looks for API server containers that lack this flag.",
"Risk": "Without a dedicated key file, token validation can fall back to the API server's TLS key, eroding **separation of duties**. Compromise or rotation of that key can enable **token forgery** (confidentiality/integrity) or invalidate tokens, disrupting workloads (**availability**).",
"RelatedUrl": "",
"AdditionalURLs": [
"https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#serviceaccount-token-volume-projection",
"https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/"
],
"Remediation": {
"Code": {
"CLI": "--service-account-key-file=<path/to/key-file>",
"NativeIaC": "https://docs.prowler.com/checks/kubernetes/kubernetes-policy-index/ensure-that-the-service-account-key-file-argument-is-set-as-appropriate",
"Other": "",
"CLI": "",
"NativeIaC": "",
"Other": "1. SSH to the control plane node.\n2. Edit the API server static pod manifest:\n sudo vi /etc/kubernetes/manifests/kube-apiserver.yaml\n3. In spec.containers[0].command add this line:\n ```\n - --service-account-key-file=/etc/kubernetes/pki/sa.pub\n ```\n4. Save the file; the kubelet will restart the API server automatically.",
"Terraform": ""
},
"Recommendation": {
"Text": "Specify a separate public key file for verifying service account tokens in pod {pod.name}.",
"Url": "https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#serviceaccount-token-volume-projection"
"Text": "Use a dedicated key pair for **service accounts**:\n- Configure `--service-account-key-file` with public keys for validation\n- Keep signing and serving keys separate (*least privilege*)\n- Enforce scheduled key rotation and maintain multiple active keys for **defense in depth**",
"Url": "https://hub.prowler.com/check/apiserver_service_account_key_file_set"
}
},
"Categories": [
"trustboundaries",
"encryption"
"cluster-security",
"identity-access"
],
"DependsOn": [],
"RelatedTo": [],
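Review bot: Step 3 of `Other` configures a single `/etc/kubernetes/pki/sa.pub` (a kubeadm default path, which the text should say), while the new `Recommendation` asks operators to keep multiple active keys for rotation without explaining how. Since `--service-account-key-file` may be repeated, one extra sentence would close the gap: `For rotation, add a second --service-account-key-file line pointing at the new public key before switching --service-account-signing-key-file to the new private key.` The `Description` says "public key(s)", so the remediation should match that plural.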
@@ -1,30 +1,36 @@
|
||||
{
|
||||
"Provider": "kubernetes",
|
||||
"CheckID": "apiserver_service_account_lookup_true",
|
||||
"CheckTitle": "Ensure that the --service-account-lookup argument is set to true",
|
||||
"CheckTitle": "API server pod has --service-account-lookup set to true",
|
||||
"CheckType": [],
|
||||
"ServiceName": "apiserver",
|
||||
"SubServiceName": "",
|
||||
"ResourceIdTemplate": "",
|
||||
"Severity": "high",
|
||||
"ResourceType": "KubernetesAPIServer",
|
||||
"Description": "This check ensures that the Kubernetes API server is configured with --service-account-lookup set to true. This setting validates the service account associated with each request, ensuring that the service account token is not only valid but also currently exists.",
|
||||
"Risk": "If --service-account-lookup is disabled, deleted service accounts might still be used, posing a security risk.",
|
||||
"RelatedUrl": "https://kubernetes.io/docs/reference/access-authn-authz/authentication/",
|
||||
"ResourceType": "Pod",
|
||||
"Description": "Kubernetes API server has **service account lookup** enabled via `--service-account-lookup=true`, validating presented service account tokens against currently existing ServiceAccounts during authentication.",
|
||||
"Risk": "Without **service account lookup**, tokens tied to deleted or renamed ServiceAccounts can still authenticate, enabling persistence with stale credentials, unauthorized API access, and lateral movement, degrading **confidentiality** and **integrity** of cluster resources.",
|
||||
"RelatedUrl": "",
|
||||
"AdditionalURLs": [
|
||||
"https://kubernetes.io/docs/reference/access-authn-authz/authentication/",
|
||||
"https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/",
|
||||
"https://kubernetes.io/docs/reference/access-authn-authz/authentication/#service-account-tokens"
|
||||
],
|
||||
"Remediation": {
|
||||
"Code": {
|
||||
"CLI": "--service-account-lookup=true",
|
||||
"NativeIaC": "https://docs.prowler.com/checks/kubernetes/kubernetes-policy-index/ensure-that-the-service-account-lookup-argument-is-set-to-true",
|
||||
"Other": "",
|
||||
"CLI": "",
|
||||
"NativeIaC": "",
|
||||
"Other": "1. SSH to each control plane node with root privileges\n2. Edit the static Pod manifest: sudo vi /etc/kubernetes/manifests/kube-apiserver.yaml\n3. In the kube-apiserver container command list, add the flag:\n ```\n --service-account-lookup=true\n ```\n4. Save the file; the kubelet will automatically restart the API server\n5. Verify the flag is active: ps aux | grep kube-apiserver | grep -- --service-account-lookup=true",
|
||||
"Terraform": ""
|
||||
},
|
||||
"Recommendation": {
|
||||
"Text": "Enable service account lookup in the API server to ensure that only existing service accounts are used for authentication.",
|
||||
"Url": "https://kubernetes.io/docs/reference/access-authn-authz/authentication/#service-account-tokens"
|
||||
"Text": "Enable `--service-account-lookup=true` so token validity depends on the ServiceAccount's current state. Apply **least privilege** to ServiceAccounts, favor short-lived tokens, and promptly remove unused accounts and secrets. Combine with strict **RBAC** and auditing for **defense in depth**.",
|
||||
"Url": "https://hub.prowler.com/check/apiserver_service_account_lookup_true"
|
||||
}
|
||||
},
|
||||
"Categories": [
|
||||
"trustboundaries"
|
||||
"cluster-security",
|
||||
"identity-access"
|
||||
],
|
||||
"DependsOn": [],
|
||||
"RelatedTo": [],
|
||||
|
||||
@@ -1,31 +1,39 @@
|
||||
{
|
||||
"Provider": "kubernetes",
|
||||
"CheckID": "apiserver_service_account_plugin",
|
||||
"CheckTitle": "Ensure that the admission control plugin ServiceAccount is set",
|
||||
"CheckTitle": "Kubernetes API server pod has ServiceAccount admission control plugin enabled",
|
||||
"CheckType": [],
|
||||
"ServiceName": "apiserver",
|
||||
"SubServiceName": "",
|
||||
"ResourceIdTemplate": "",
|
||||
"Severity": "medium",
|
||||
"ResourceType": "KubernetesAPIServer",
|
||||
"Description": "This check verifies that the ServiceAccount admission control plugin is enabled in the Kubernetes API server. This plugin automates the creation and assignment of service accounts to pods, enhancing security by managing service account tokens.",
|
||||
"Risk": "If the ServiceAccount admission plugin is disabled, pods might be assigned the default service account without proper token management, leading to potential security risks.",
|
||||
"RelatedUrl": "https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/",
|
||||
"Severity": "high",
|
||||
"ResourceType": "Pod",
|
||||
"Description": "**Kubernetes API server** includes the **ServiceAccount admission controller** (`ServiceAccount`)-enabled via `--enable-admission-plugins` and not listed in `--disable-admission-plugins`.\n\nIt applies service account-related defaults and policies to Pods, such as assigning a service account and governing secret references.",
|
||||
"Risk": "Without **ServiceAccount admission**, Pods may reference unintended secrets and run with unpredictable identities. This enables token misuse and unauthorized API access, facilitating lateral movement and privilege abuse, degrading **confidentiality** and **integrity** of cluster resources.",
|
||||
"RelatedUrl": "",
|
||||
"AdditionalURLs": [
|
||||
"https://stackoverflow.com/questions/74206876/getting-crashloopbackoff-error-for-apiserver-etcd-in-newly-joined-control-plan",
|
||||
"https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/",
|
||||
"https://seclists.org/oss-sec/2024/q2/126",
|
||||
"https://stackoverflow.com/questions/53882712/storing-the-configuration-used-in-configmap-kubeadm-config-in-the-kube-system",
|
||||
"https://www.openwall.com/lists/oss-security/2024/04/16/4",
|
||||
"https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#serviceaccount"
|
||||
],
|
||||
"Remediation": {
|
||||
"Code": {
|
||||
"CLI": "--enable-admission-plugins=...,ServiceAccount,...",
|
||||
"NativeIaC": "https://docs.prowler.com/checks/kubernetes/kubernetes-policy-index/ensure-that-the-admission-control-plugin-serviceaccount-is-set",
|
||||
"Other": "",
|
||||
"CLI": "",
|
||||
"NativeIaC": "",
|
||||
"Other": "1. SSH to each control plane node\n2. Edit the API server static pod manifest:\n sudo vi /etc/kubernetes/manifests/kube-apiserver.yaml\n3. In the kube-apiserver container flags, add or update the line:\n - --enable-admission-plugins=ServiceAccount <!-- Critical: ensures ServiceAccount plugin is enabled -->\n4. If a --disable-admission-plugins flag exists, ensure ServiceAccount is NOT listed (remove it if present) <!-- Critical: prevents disabling the plugin -->\n5. Save the file; the kubelet will restart the API server automatically",
|
||||
"Terraform": ""
|
||||
},
|
||||
"Recommendation": {
|
||||
"Text": "Enable the ServiceAccount admission control plugin in the API server to manage service accounts and tokens securely.",
|
||||
"Url": "https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#serviceaccount"
|
||||
"Text": "Enable and keep the `ServiceAccount` admission controller active to enforce identity and secret policies.\n- Apply **least privilege**: restrict secrets on each service account\n- Disable token automount where not needed (`automountServiceAccountToken=false`)\n- Isolate secrets by namespace and rotate tokens\n- Keep the API server patched",
|
||||
"Url": "https://hub.prowler.com/check/apiserver_service_account_plugin"
|
||||
}
|
||||
},
|
||||
"Categories": [
|
||||
"trustboundaries",
|
||||
"encryption"
|
||||
"cluster-security",
|
||||
"identity-access"
|
||||
],
|
||||
"DependsOn": [],
|
||||
"RelatedTo": [],
|
||||
|
||||
@@ -1,31 +1,39 @@
|
||||
{
|
||||
"Provider": "kubernetes",
|
||||
"CheckID": "apiserver_strong_ciphers_only",
|
||||
"CheckTitle": "Ensure that the API Server only makes use of Strong Cryptographic Ciphers",
|
||||
"CheckTitle": "API Server pod uses only strong cryptographic TLS cipher suites",
|
||||
"CheckType": [],
|
||||
"ServiceName": "apiserver",
|
||||
"SubServiceName": "",
|
||||
"ResourceIdTemplate": "",
|
||||
"Severity": "high",
|
||||
"ResourceType": "KubernetesAPIServer",
|
||||
"Description": "This check ensures that the Kubernetes API server is configured to only use strong cryptographic ciphers, minimizing the risk of vulnerabilities associated with weaker ciphers. Strong ciphers enhance the security of TLS connections to the API server.",
|
||||
"Risk": "Using weak ciphers can leave the API server vulnerable to cryptographic attacks, compromising the security of data in transit.",
|
||||
"RelatedUrl": "https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/",
|
||||
"Severity": "medium",
|
||||
"ResourceType": "Pod",
|
||||
"Description": "**Kubernetes API server** restricts TLS to **strong cipher suites** by configuring `--tls-cipher-suites` to only modern values such as `TLS_AES_128_GCM_SHA256`, `TLS_AES_256_GCM_SHA384`, and `TLS_CHACHA20_POLY1305_SHA256`",
|
||||
"Risk": "Permitting weak or mixed cipher suites enables TLS downgrades and cryptanalytic attacks, undermining **confidentiality** and **integrity** of API traffic.\n\nAttackers could intercept or alter requests, steal tokens, and pivot to compromise the control plane.",
|
||||
"RelatedUrl": "",
|
||||
"AdditionalURLs": [
|
||||
"https://shantanudeyanik.medium.com/configure-kubernetes-with-strong-cipher-suites-0053ca0accba",
|
||||
"https://habr.com/ru/companies/slurm/articles/712736/",
|
||||
"https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/",
|
||||
"https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/#options",
|
||||
"https://docs.prowler.com/checks/kubernetes/kubernetes-policy-index/ensure-that-the-api-server-only-makes-use-of-strong-cryptographic-ciphers/",
|
||||
"https://stackoverflow.com/questions/62983207/kubernetes-change-cipher-for-certificates"
|
||||
],
|
||||
"Remediation": {
|
||||
"Code": {
|
||||
"CLI": "--tls-cipher-suites=TLS_AES_128_GCM_SHA256,...",
|
||||
"NativeIaC": "https://docs.prowler.com/checks/kubernetes/kubernetes-policy-index/ensure-that-the-kubelet-only-makes-use-of-strong-cryptographic-ciphers#kubernetes",
|
||||
"Other": "",
|
||||
"CLI": "",
|
||||
"NativeIaC": "```yaml\n# Minimal kube-apiserver manifest snippet enforcing only strong TLS ciphers\napiVersion: v1\nkind: Pod\nmetadata:\n name: kube-apiserver\n namespace: kube-system\nspec:\n containers:\n - name: kube-apiserver\n command:\n - kube-apiserver\n - --tls-cipher-suites=TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256 # FIX: restricts ciphers to strong TLS 1.3 suites only\n```",
|
||||
"Other": "1. SSH to each control plane node\n2. Open /etc/kubernetes/manifests/kube-apiserver.yaml\n3. In spec.containers[].command, add or replace the flag:\n - --tls-cipher-suites=TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256\n4. Save the file; the kubelet will automatically restart the API server\n5. Repeat on all control plane nodes\n6. Verify the flag is present on the running pod's command args",
|
||||
"Terraform": ""
|
||||
},
|
||||
"Recommendation": {
|
||||
"Text": "Restrict the API server to only use strong cryptographic ciphers for enhanced security.",
|
||||
"Url": "https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/#options"
|
||||
"Text": "Limit ciphers to modern AEAD suites and remove legacy entries in `--tls-cipher-suites`.\n- Enforce a high `--tls-min-version` (prefer `VersionTLS13`).\n- Periodically review crypto policy and rotate keys.\n- Apply **defense in depth**: restrict API exposure and require strong client auth.",
|
||||
"Url": "https://hub.prowler.com/check/apiserver_strong_ciphers_only"
|
||||
}
|
||||
},
|
||||
"Categories": [
|
||||
"encryption",
|
||||
"internet-exposed"
|
||||
"cluster-security"
|
||||
],
|
||||
"DependsOn": [],
|
||||
"RelatedTo": [],
|
||||
|
||||
@@ -1,30 +1,35 @@
|
||||
{
|
||||
"Provider": "kubernetes",
|
||||
"CheckID": "apiserver_tls_config",
|
||||
"CheckTitle": "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate",
|
||||
"CheckTitle": "API server pod has --tls-cert-file and --tls-private-key-file configured",
|
||||
"CheckType": [],
|
||||
"ServiceName": "apiserver",
|
||||
"SubServiceName": "",
|
||||
"ResourceIdTemplate": "",
|
||||
"Severity": "high",
|
||||
"ResourceType": "KubernetesAPIServer",
|
||||
"Description": "This check ensures that the Kubernetes API server is configured with TLS for secure communication. The --tls-cert-file and --tls-private-key-file arguments should be set to enable TLS encryption, thereby securing sensitive data transmitted to and from the API server.",
|
||||
"Risk": "If TLS is not properly configured, the API server communication could be unencrypted, leading to potential data breaches.",
|
||||
"RelatedUrl": "https://kubernetes.io/docs/setup/best-practices/certificates/",
|
||||
"ResourceType": "Pod",
|
||||
"Description": "**Kubernetes API server** configuration is checked for explicit TLS settings via `--tls-cert-file` and `--tls-private-key-file`. The presence of both flags indicates HTTPS is configured with a specified certificate and private key for client connections.",
|
||||
"Risk": "Improper or unmanaged TLS on the API endpoint can cause untrusted certs and verification bypass, enabling MITM to capture admin credentials or tokens and modify requests. This compromises **confidentiality** and **integrity**, and unexpected certificate expiry can affect **availability**.",
|
||||
"RelatedUrl": "",
|
||||
"AdditionalURLs": [
|
||||
"https://kubernetes.io/docs/setup/best-practices/certificates/",
|
||||
"https://kubernetes.io/docs/setup/best-practices/certificates/#certificate-paths"
|
||||
],
|
||||
"Remediation": {
|
||||
"Code": {
|
||||
"CLI": "--tls-cert-file=<path/to/tls-certificate-file> --tls-private-key-file=<path/to/tls-key-file>",
|
||||
"NativeIaC": "https://docs.prowler.com/checks/kubernetes/kubernetes-policy-index/ensure-that-the-tls-cert-file-and-tls-private-key-file-arguments-are-set-as-appropriate",
|
||||
"Other": "",
|
||||
"CLI": "",
|
||||
"NativeIaC": "",
|
||||
"Other": "1. SSH to each control-plane node\n2. Edit the API server static pod manifest:\n sudo vi /etc/kubernetes/manifests/kube-apiserver.yaml\n3. In spec.containers[0].command, add both flags:\n ```\n - --tls-cert-file=/etc/kubernetes/pki/apiserver.crt\n - --tls-private-key-file=/etc/kubernetes/pki/apiserver.key\n ```\n4. Save the file; the kubelet will automatically restart the API server",
|
||||
"Terraform": ""
|
||||
},
|
||||
"Recommendation": {
|
||||
"Text": "Ensure TLS is enabled and properly configured for the API server to secure communications.",
|
||||
"Url": "https://kubernetes.io/docs/setup/best-practices/certificates/#certificate-paths"
|
||||
"Text": "Configure the API server to use **TLS** with a valid certificate and key via `--tls-cert-file` and `--tls-private-key-file`.\n\nUse a trusted CA with correct SANs, restrict network access to the endpoint, and automate certificate rotation and expiry monitoring to uphold **defense in depth** and **least privilege**.",
|
||||
"Url": "https://hub.prowler.com/check/apiserver_tls_config"
|
||||
}
|
||||
},
|
||||
"Categories": [
|
||||
"encryption"
|
||||
"encryption",
|
||||
"cluster-security"
|
||||
],
|
||||
"DependsOn": [],
|
||||
"RelatedTo": [],
|
||||
|
||||