Commit 6069d6e

chore(kubernetes): enhance metadata for apiserver service (#9674)
Co-authored-by: Daniel Barranquero <danielbo2001@gmail.com>
1 parent 9a4167d commit 6069d6e

30 files changed: +466 -328 lines changed


prowler/CHANGELOG.md

Lines changed: 8 additions & 0 deletions
Original file line number | Diff line number | Diff line change
@@ -2,6 +2,14 @@
22

33
All notable changes to the **Prowler SDK** are documented in this file.
44

5+
## [5.20.0] (Prowler UNRELEASED)
6+
7+
### 🔄 Changed
8+
9+
- Update Kubernetes API server checks metadata to new format [(#9674)](https://github.com/prowler-cloud/prowler/pull/9674)
10+
11+
---
12+
513
## [5.19.0] (Prowler v5.19.0)
614

715
### 🚀 Added
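Review bot: the new 5.20.0 entry ("Update Kubernetes API server checks metadata to new format") should also call out the category changes in this commit, because the apiserver_anonymous_requests metadata drops `trustboundaries` in favour of `cluster-security` and `identity-access`, and the audit-log checks gain `forensics-ready`; anyone filtering findings by category will see their selection change, which is more than a format update. Consider a second bullet, or an extension of this one, naming the old and new categories.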

prowler/providers/kubernetes/services/apiserver/apiserver_always_pull_images_plugin/apiserver_always_pull_images_plugin.metadata.json

Lines changed: 16 additions & 10 deletions
@@ -1,27 +1,33 @@
11
{
22
"Provider": "kubernetes",
33
"CheckID": "apiserver_always_pull_images_plugin",
4-
"CheckTitle": "Ensure that the admission control plugin AlwaysPullImages is set",
4+
"CheckTitle": "API server pod has AlwaysPullImages admission control plugin enabled",
55
"CheckType": [],
66
"ServiceName": "apiserver",
77
"SubServiceName": "",
88
"ResourceIdTemplate": "",
99
"Severity": "medium",
10-
"ResourceType": "KubernetesAPIServer",
10+
"ResourceType": "Pod",
1111
"ResourceGroup": "container",
12-
"Description": "This check verifies that the AlwaysPullImages admission control plugin is enabled in the Kubernetes API server. This plugin ensures that every new pod always pulls the required images, enforcing image access control and preventing the use of possibly outdated or altered images.",
13-
"Risk": "Without AlwaysPullImages, once an image is pulled to a node, any pod can use it without any authorization check, potentially leading to security risks.",
14-
"RelatedUrl": "https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#alwayspullimages",
12+
"Description": "**Kubernetes API server** admission configuration includes **AlwaysPullImages**, which mutates new Pods to set `imagePullPolicy=Always` so container images are fetched from the registry at startup using the pod's credentials.",
13+
"Risk": "Without **AlwaysPullImages**, nodes can run cached images without a fresh registry pull, bypassing credential checks.\n- Unauthorized use of private images (confidentiality)\n- Stale or tampered images deployed (integrity)\n- Vulnerable images persist, widening attack surface (availability)",
14+
"RelatedUrl": "",
15+
"AdditionalURLs": [
16+
"https://cjyabraham.gitlab.io/docs/reference/command-line-tools-reference/kube-apiserver/",
17+
"https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers",
18+
"https://blog.codefarm.me/2021/12/15/kubernetes-admission-controllers/",
19+
"https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#alwayspullimages"
20+
],
1521
"Remediation": {
1622
"Code": {
17-
"CLI": "--enable-admission-plugins=...,AlwaysPullImages,...",
18-
"NativeIaC": "https://docs.prowler.com/checks/kubernetes/kubernetes-policy-index/ensure-that-the-admission-control-plugin-alwayspullimages-is-set#kubernetes",
19-
"Other": "",
23+
"CLI": "",
24+
"NativeIaC": "",
25+
"Other": "1. SSH to a control-plane node\n2. Edit /etc/kubernetes/manifests/kube-apiserver.yaml\n3. In spec.containers[0].command or args, ensure the flag includes AlwaysPullImages, e.g.: --enable-admission-plugins=<existing>,AlwaysPullImages\n4. Save the file; the kubelet will automatically restart the API server with the updated flag",
2026
"Terraform": ""
2127
},
2228
"Recommendation": {
23-
"Text": "Configure the API server to use the AlwaysPullImages admission control plugin to ensure image security and integrity.",
24-
"Url": "https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers"
29+
"Text": "Enable `AlwaysPullImages` on the API server.\n\nApply defense in depth: restrict pulls to trusted registries, enforce least-privilege image pull secrets, sign and scan images, and prefer immutable digests to prevent drift and ensure verified content.",
30+
"Url": "https://hub.prowler.com/check/apiserver_always_pull_images_plugin"
2531
}
2632
},
2733
"Categories": [
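Review bot: in AdditionalURLs, the first and third entries point to non-canonical sources (a personal GitLab mirror of the kube-apiserver reference at cjyabraham.gitlab.io, and a third-party blog post), while the canonical https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/ page that the sibling checks in this commit already cite is missing here; replace the mirror with the kubernetes.io URL and consider dropping the blog link so remediation guidance does not depend on an unofficial site. Also, emptying the `CLI` field loses the one machine-readable remediation the old metadata had (`--enable-admission-plugins=...,AlwaysPullImages,...`); if the new format deliberately moves flags into `Other` that is fine, otherwise keep the flag in `CLI` as well.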

prowler/providers/kubernetes/services/apiserver/apiserver_anonymous_requests/apiserver_anonymous_requests.metadata.json

Lines changed: 17 additions & 11 deletions
@@ -1,31 +1,37 @@
11
{
22
"Provider": "kubernetes",
33
"CheckID": "apiserver_anonymous_requests",
4-
"CheckTitle": "Ensure that the --anonymous-auth argument is set to false",
4+
"CheckTitle": "API server pod has anonymous-auth disabled",
55
"CheckType": [],
66
"ServiceName": "apiserver",
77
"SubServiceName": "",
88
"ResourceIdTemplate": "",
99
"Severity": "high",
10-
"ResourceType": "KubernetesAPIServer",
10+
"ResourceType": "Pod",
1111
"ResourceGroup": "container",
12-
"Description": "Disable anonymous requests to the API server. When enabled, requests that are not rejected by other configured authentication methods are treated as anonymous requests, which are then served by the API server. Disallowing anonymous requests strengthens security by ensuring all access is authenticated.",
13-
"Risk": "Enabling anonymous access to the API server can expose the cluster to unauthorized access and potential security vulnerabilities.",
14-
"RelatedUrl": "https://kubernetes.io/docs/admin/authentication/#anonymous-requests",
12+
"Description": "**Kubernetes API server** anonymous authentication configuration, identified by `--anonymous-auth=true`. With this setting, unauthenticated requests are mapped to `system:anonymous` and processed by the server.",
13+
"Risk": "**Anonymous API access** exposes cluster details for **reconnaissance** and enumeration, eroding confidentiality.\n\nIf **RBAC** is misconfigured, unauthenticated users may read sensitive data or trigger actions, impacting integrity. Floods of anonymous requests can also reduce **availability**.",
14+
"RelatedUrl": "",
15+
"AdditionalURLs": [
16+
"https://cloud.hacktricks.wiki/en/pentesting-cloud/kubernetes-security/pentesting-kubernetes-services/index.html",
17+
"https://docs.kics.io/develop/queries/kubernetes-queries/1de5cc51-f376-4638-a940-20f2e85ae238/",
18+
"https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/"
19+
],
1520
"Remediation": {
1621
"Code": {
17-
"CLI": "--anonymous-auth=false",
18-
"NativeIaC": "https://docs.prowler.com/checks/kubernetes/kubernetes-policy-index/ensure-that-the-anonymous-auth-argument-is-set-to-false-1#kubernetes",
19-
"Other": "",
22+
"CLI": "",
23+
"NativeIaC": "",
24+
"Other": "1. SSH to the control plane node\n2. Edit the API server static Pod manifest:\n sudo vi /etc/kubernetes/manifests/kube-apiserver.yaml\n3. In spec.containers[].command or args, remove \"--anonymous-auth=true\" or replace it with:\n ```\n - --anonymous-auth=false\n ```\n4. Save the file; the kubelet will automatically restart the API server with the updated flag",
2025
"Terraform": ""
2126
},
2227
"Recommendation": {
23-
"Text": "Ensure the --anonymous-auth argument in the API server is set to false. This will reject all anonymous requests, enforcing authenticated access to the server.",
24-
"Url": "https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/"
28+
"Text": "Require **authenticated access** for all API requests and avoid reliance on anonymous users. Enforce **least privilege RBAC** for explicit principals only. *If health checks must be public*, restrict to minimal paths and methods. Add **network segmentation**, mutual TLS, and **audit logging** for defense in depth.",
29+
"Url": "https://hub.prowler.com/check/apiserver_anonymous_requests"
2530
}
2631
},
2732
"Categories": [
28-
"trustboundaries"
33+
"cluster-security",
34+
"identity-access"
2935
],
3036
"DependsOn": [],
3137
"RelatedTo": [],
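Review bot: step 3 of the `Other` remediation ("remove \"--anonymous-auth=true\" or replace it with --anonymous-auth=false") is wrong in its first alternative: kube-apiserver defaults `--anonymous-auth` to true, so removing the flag leaves anonymous requests enabled; the step should require setting `--anonymous-auth=false` explicitly. The Description has the same gap: "identified by `--anonymous-auth=true`" should also say that an absent flag means the same thing, since true is the default. Separately, the first AdditionalURLs entry is a pentesting wiki; for a remediation-oriented field, the Kubernetes authentication reference that was removed from RelatedUrl in this hunk (the anonymous-requests section) is the more appropriate citation.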

prowler/providers/kubernetes/services/apiserver/apiserver_audit_log_maxage_set/apiserver_audit_log_maxage_set.metadata.json

Lines changed: 18 additions & 11 deletions
@@ -1,31 +1,38 @@
11
{
22
"Provider": "kubernetes",
33
"CheckID": "apiserver_audit_log_maxage_set",
4-
"CheckTitle": "Ensure that the --audit-log-maxage argument is set to 30 or as appropriate",
4+
"CheckTitle": "API server pod has --audit-log-maxage set to 30 (or the cluster-configured value)",
55
"CheckType": [],
66
"ServiceName": "apiserver",
77
"SubServiceName": "",
88
"ResourceIdTemplate": "",
99
"Severity": "medium",
10-
"ResourceType": "KubernetesAPIServer",
10+
"ResourceType": "Pod",
1111
"ResourceGroup": "container",
12-
"Description": "This check ensures that the Kubernetes API server is configured with an appropriate audit log retention period. Setting --audit-log-maxage to 30 or as per business requirements helps in maintaining logs for sufficient time to investigate past events.",
13-
"Risk": "Without an adequate log retention period, there may be insufficient audit history to investigate and analyze past events or security incidents.",
14-
"RelatedUrl": "https://kubernetes.io/docs/concepts/cluster-administration/audit/",
12+
"Description": "**Kubernetes API server** audit logging retention is governed by `--audit-log-maxage`. This evaluates whether the configured value (e.g., `30` days) is set consistently across API server containers to retain audit events for a sufficient period.",
13+
"Risk": "**Short audit retention** limits visibility into historical API actions. Credential abuse, privilege escalation, or cluster tampering may evade detection, and investigations lack evidence for timeline reconstruction-degrading data **integrity** and confidentiality through undetected unauthorized changes and exfiltration.",
14+
"RelatedUrl": "",
15+
"AdditionalURLs": [
16+
"https://rke.docs.rancher.com/config-options/audit-log",
17+
"https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/",
18+
"https://kubernetes.io/docs/concepts/cluster-administration/audit/",
19+
"https://kubernetes.io/docs/tasks/debug/debug-cluster/audit/"
20+
],
1521
"Remediation": {
1622
"Code": {
17-
"CLI": "--audit-log-maxage=30",
18-
"NativeIaC": "https://docs.prowler.com/checks/kubernetes/kubernetes-policy-index/ensure-that-the-audit-log-maxage-argument-is-set-to-30-or-as-appropriate#kubernetes",
19-
"Other": "",
23+
"CLI": "",
24+
"NativeIaC": "",
25+
"Other": "1. SSH to a control plane node\n2. Edit the API server static pod manifest: /etc/kubernetes/manifests/kube-apiserver.yaml\n3. Under spec.containers[0].command add:\n - --audit-log-maxage=30\n (Use your cluster-required value instead of 30 if different.)\n4. Save the file; the kubelet will restart the API server automatically",
2026
"Terraform": ""
2127
},
2228
"Recommendation": {
23-
"Text": "Configure the API server audit log retention period to retain logs for at least 30 days or as per your organization's requirements.",
24-
"Url": "https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/"
29+
"Text": "Set `--audit-log-maxage` to at least `30` days (or your policy) to support **forensics**. Align rotation with `--audit-log-maxbackup` and `--audit-log-maxsize`. Forward logs to a tamper-resistant central store, enforce **least privilege** on access, and periodically validate retention coverage.",
30+
"Url": "https://hub.prowler.com/check/apiserver_audit_log_maxage_set"
2531
}
2632
},
2733
"Categories": [
28-
"logging"
34+
"logging",
35+
"forensics-ready"
2936
],
3037
"DependsOn": [],
3138
"RelatedTo": [],
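Review bot: the Risk text has a run-together phrase, "timeline reconstruction-degrading data **integrity**", where a comma is needed: "timeline reconstruction, degrading data **integrity** and confidentiality ...". Also, `--audit-log-maxage` is only honoured when the log backend is active, i.e. when `--audit-log-path` is set; since the `Other` remediation adds the retention flag in isolation, a one-line pointer to the apiserver_audit_log_path_set check would help operators who would otherwise configure retention on a server that is not writing audit logs at all.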

prowler/providers/kubernetes/services/apiserver/apiserver_audit_log_maxbackup_set/apiserver_audit_log_maxbackup_set.metadata.json

Lines changed: 15 additions & 10 deletions
@@ -1,27 +1,32 @@
11
{
22
"Provider": "kubernetes",
33
"CheckID": "apiserver_audit_log_maxbackup_set",
4-
"CheckTitle": "Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate",
4+
"CheckTitle": "API server pod has --audit-log-maxbackup set to 10 or the configured value",
55
"CheckType": [],
66
"ServiceName": "apiserver",
77
"SubServiceName": "",
88
"ResourceIdTemplate": "",
99
"Severity": "medium",
10-
"ResourceType": "KubernetesAPIServer",
10+
"ResourceType": "Pod",
1111
"ResourceGroup": "container",
12-
"Description": "This check ensures that the Kubernetes API server is configured with an appropriate number of audit log backups. Setting --audit-log-maxbackup to 10 or as per business requirements helps maintain a sufficient log backup for investigations or analysis.",
13-
"Risk": "Without an adequate number of audit log backups, there may be insufficient log history to investigate past events or security incidents.",
14-
"RelatedUrl": "https://kubernetes.io/docs/concepts/cluster-administration/audit/",
12+
"Description": "**Kubernetes API server audit logging** uses `--audit-log-maxbackup` to set how many rotated audit log files are kept. This evaluates whether that value is explicitly configured as `10` or an approved organizational setting across API server containers.",
13+
"Risk": "Insufficient **audit log retention** reduces **accountability** and hampers **forensics**. Limited backups cause older events to be overwritten, letting attackers hide activity until rotation. This undermines the **confidentiality**, **integrity**, and **availability** of evidence needed for incident response.",
14+
"RelatedUrl": "",
15+
"AdditionalURLs": [
16+
"https://kubernetes.io/docs/concepts/cluster-administration/audit/",
17+
"https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/",
18+
"https://docs.kics.io/2.0.0/queries/kubernetes-queries/768aab52-2504-4a2f-a3e3-329d5a679848/"
19+
],
1520
"Remediation": {
1621
"Code": {
17-
"CLI": "--audit-log-maxbackup=10",
18-
"NativeIaC": "https://docs.prowler.com/checks/kubernetes/kubernetes-policy-index/ensure-that-the-audit-log-maxbackup-argument-is-set-to-10-or-as-appropriate#kubernetes",
19-
"Other": "",
22+
"CLI": "",
23+
"NativeIaC": "",
24+
"Other": "1. SSH to each control plane node\n2. Edit the static Pod manifest: /etc/kubernetes/manifests/kube-apiserver.yaml\n3. Under spec.containers[0].command, add or update this flag:\n - --audit-log-maxbackup=10\n4. Save the file; the kubelet will restart the API server automatically",
2025
"Terraform": ""
2126
},
2227
"Recommendation": {
23-
"Text": "Configure the API server audit log backup retention to 10 or as per your organization's requirements.",
24-
"Url": "https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/"
28+
"Text": "Establish explicit **audit log retention**. Set `--audit-log-maxbackup` to `10` or higher based on data sensitivity, and align with `--audit-log-maxsize` and `--audit-log-maxage`. Forward logs to centralized, immutable storage, restrict access, and monitor rotation. Apply **defense in depth** and **least privilege** to audit systems.",
29+
"Url": "https://hub.prowler.com/check/apiserver_audit_log_maxbackup_set"
2530
}
2631
},
2732
"Categories": [
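Review bot: the `Other` remediation hardcodes `--audit-log-maxbackup=10` without the "Use your cluster-required value instead ... if different" note that the sibling apiserver_audit_log_maxage_set remediation carries, even though the CheckTitle ("10 or the configured value") and Description ("`10` or an approved organizational setting") in this same hunk allow a different value; add the same parenthetical so the three fields agree. Minor: the Recommendation says "`10` or higher" while the title says "10 or the configured value"; pick one phrasing.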

prowler/providers/kubernetes/services/apiserver/apiserver_audit_log_maxsize_set/apiserver_audit_log_maxsize_set.metadata.json

Lines changed: 16 additions & 10 deletions
@@ -1,27 +1,33 @@
11
{
22
"Provider": "kubernetes",
33
"CheckID": "apiserver_audit_log_maxsize_set",
4-
"CheckTitle": "Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate",
4+
"CheckTitle": "API server pod has --audit-log-maxsize set to 100 MB or the configured value",
55
"CheckType": [],
66
"ServiceName": "apiserver",
77
"SubServiceName": "",
88
"ResourceIdTemplate": "",
99
"Severity": "medium",
10-
"ResourceType": "KubernetesAPIServer",
10+
"ResourceType": "Pod",
1111
"ResourceGroup": "container",
12-
"Description": "This check ensures that the Kubernetes API server is configured with an appropriate audit log file size limit. Setting --audit-log-maxsize to 100 MB or as per business requirements helps manage the size of log files and prevents them from growing excessively large.",
13-
"Risk": "Without an appropriate audit log file size limit, log files can grow excessively large, potentially leading to storage issues and difficulty in log analysis.",
14-
"RelatedUrl": "https://kubernetes.io/docs/concepts/cluster-administration/audit/",
12+
"Description": "**Kubernetes API server** uses `--audit-log-maxsize` to cap audit log files. The check expects `100 MB` or a policy-approved value, indicating rotation occurs when a log reaches that size.",
13+
"Risk": "Absent a proper cap, audit logs can grow unchecked, exhausting disk and degrading API server **availability**. Oversized or unbounded logs impede **forensics** and may overwrite recent events during rotation, undermining **integrity** and accountability of audit evidence.",
14+
"RelatedUrl": "",
15+
"AdditionalURLs": [
16+
"https://kubernetes.io/docs/concepts/cluster-administration/audit/",
17+
"https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/",
18+
"https://docs.rke2.io/security/cis_self_assessment124",
19+
"https://kubernetes.io/docs/tasks/debug/debug-cluster/audit/"
20+
],
1521
"Remediation": {
1622
"Code": {
17-
"CLI": "--audit-log-maxsize=100",
18-
"NativeIaC": "https://docs.prowler.com/checks/kubernetes/kubernetes-policy-index/ensure-that-the-audit-log-maxsize-argument-is-set-to-100-or-as-appropriate#kubernetes",
19-
"Other": "",
23+
"CLI": "",
24+
"NativeIaC": "",
25+
"Other": "1. SSH to the control plane node\n2. Edit the API server static pod manifest: sudo vi /etc/kubernetes/manifests/kube-apiserver.yaml\n3. In spec.containers[0].command add (or set) this flag:\n - --audit-log-maxsize=100\n4. Save and exit; the kubelet will restart the API server automatically\n5. Verify: ps aux | grep kube-apiserver | grep -- \"--audit-log-maxsize=100\"",
2026
"Terraform": ""
2127
},
2228
"Recommendation": {
23-
"Text": "Configure the API server audit log file size limit to 100 MB or as per your organization's requirements.",
24-
"Url": "https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/"
29+
"Text": "Set `--audit-log-maxsize` to `100 MB` or your approved baseline to ensure predictable rotation.\n\nPair with sensible retention (`--audit-log-maxage`, `--audit-log-maxbackup`), forward to a central store, and monitor capacity. This enforces **defense in depth** and preserves reliable auditability.",
30+
"Url": "https://hub.prowler.com/check/apiserver_audit_log_maxsize_set"
2531
}
2632
},
2733
"Categories": [
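Review bot: the Description and Recommendation quote the value as `100 MB` in code formatting, but `--audit-log-maxsize` takes a bare integer in megabytes (the remediation itself writes `--audit-log-maxsize=100`); write the literal as `--audit-log-maxsize=100` and keep the unit in prose so nobody copies `100 MB` into the manifest. On step 5, `grep -- "--audit-log-maxsize=100"` is a substring match and also accepts `=1000`; anchoring the pattern (for example `grep -E -- '--audit-log-maxsize=100( |$)'`) or checking the manifest file directly would make the verification exact.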

prowler/providers/kubernetes/services/apiserver/apiserver_audit_log_path_set/apiserver_audit_log_path_set.metadata.json

Lines changed: 16 additions & 11 deletions
@@ -1,31 +1,36 @@
11
{
22
"Provider": "kubernetes",
33
"CheckID": "apiserver_audit_log_path_set",
4-
"CheckTitle": "Ensure that the --audit-log-path argument is set",
4+
"CheckTitle": "API server pod has --audit-log-path set",
55
"CheckType": [],
66
"ServiceName": "apiserver",
77
"SubServiceName": "",
88
"ResourceIdTemplate": "",
99
"Severity": "high",
10-
"ResourceType": "KubernetesAPIServer",
10+
"ResourceType": "Pod",
1111
"ResourceGroup": "container",
12-
"Description": "This check verifies that the Kubernetes API server is configured with an audit log path. Enabling audit logs helps in maintaining a chronological record of all activities and operations which can be critical for security analysis and troubleshooting.",
13-
"Risk": "Without audit logs, it becomes difficult to track changes and activities within the cluster, potentially obscuring the detection of malicious activities or operational issues.",
14-
"RelatedUrl": "https://kubernetes.io/docs/concepts/cluster-administration/audit/",
12+
"Description": "**Kubernetes API server** uses an **audit log path** configured via `--audit-log-path` on its containers to persist API request events",
13+
"Risk": "Without a configured audit log path, API requests may not be recorded, weakening **accountability**. Gaps in logs hinder detection of unauthorized changes (**integrity**) and data access (**confidentiality**), and impede **forensics** and incident response.",
14+
"RelatedUrl": "",
15+
"AdditionalURLs": [
16+
"https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/",
17+
"https://kubernetes.io/docs/concepts/cluster-administration/audit/"
18+
],
1519
"Remediation": {
1620
"Code": {
17-
"CLI": "--audit-log-path=/var/log/apiserver/audit.log",
18-
"NativeIaC": "https://docs.prowler.com/checks/kubernetes/kubernetes-policy-index/ensure-that-the-audit-log-path-argument-is-set#kubernetes",
19-
"Other": "",
21+
"CLI": "",
22+
"NativeIaC": "",
23+
"Other": "1. SSH to the control plane node\n2. Edit /etc/kubernetes/manifests/kube-apiserver.yaml\n3. Under the kube-apiserver container command args, add this line:\n ```\n - --audit-log-path=/var/log/apiserver/audit.log\n ```\n4. Save the file; the kubelet will automatically restart the API server",
2024
"Terraform": ""
2125
},
2226
"Recommendation": {
23-
"Text": "Enable audit logging in the API server by specifying a valid path for --audit-log-path to ensure comprehensive activity logging within the cluster.",
24-
"Url": "https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/"
27+
"Text": "Enable and harden **audit logging** by setting `--audit-log-path`. *If centralizing*, use a webhook backend. Define a focused audit policy, enforce **least privilege** to logs, rotate/retain them, forward to centralized monitoring, and regularly review events for **defense in depth**.",
28+
"Url": "https://hub.prowler.com/check/apiserver_audit_log_path_set"
2529
}
2630
},
2731
"Categories": [
28-
"logging"
32+
"logging",
33+
"forensics-ready"
2934
],
3035
"DependsOn": [],
3136
"RelatedTo": [],
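Review bot: the `Other` remediation adds only the `--audit-log-path=/var/log/apiserver/audit.log` flag; on a static-pod control plane that path is inside the kube-apiserver container, so without a hostPath volume and matching volumeMount for /var/log/apiserver the audit file lives in the container filesystem and is lost every time the kubelet restarts the pod. Add a step that mounts the log directory from the host, and consider pointing at the `--audit-log-maxage` / `--audit-log-maxbackup` / `--audit-log-maxsize` flags covered by the sibling checks in this commit so rotation is configured alongside the path. Also, the Description line ends without a period.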
