2 changes: 2 additions & 0 deletions prowler/CHANGELOG.md
@@ -18,6 +18,8 @@ All notable changes to the **Prowler SDK** are documented in this file.
- Update AWS Shield service metadata to new format [(#9427)](https://github.com/prowler-cloud/prowler/pull/9427)
- Update AWS Secrets Manager service metadata to new format [(#9408)](https://github.com/prowler-cloud/prowler/pull/9408)
- Improve SageMaker service tag retrieval with parallel execution [(#9609)](https://github.com/prowler-cloud/prowler/pull/9609)
- Update Kubernetes Core service metadata to new format [(#9676)](https://github.com/prowler-cloud/prowler/pull/9676)


---

@@ -1,30 +1,40 @@
{
"Provider": "kubernetes",
"CheckID": "core_minimize_admission_hostport_containers",
"CheckTitle": "Minimize the admission of containers which use HostPorts",
"CheckTitle": "Pod does not use HostPorts",
"CheckType": [],
"ServiceName": "core",
"SubServiceName": "",
"ResourceIdTemplate": "",
"Severity": "high",
"ResourceType": "KubernetesPod",
"Description": "This check ensures that Kubernetes clusters are configured to minimize the admission of containers that require the use of HostPorts. This helps maintain network policy controls and reduce security risks.",
"Risk": "Permitting containers with HostPorts can bypass network policy controls, increasing the risk of unauthorized network access.",
"RelatedUrl": "https://kubernetes.io/docs/concepts/security/pod-security-standards/",
"ResourceType": "Pod",
"Description": "**Kubernetes Pods** are inspected for any container declaring `ports[].hostPort`. The finding highlights workloads that bind container ports directly to the node's network stack via **HostPorts**.",
"Risk": "Using **HostPorts** exposes Pods on node IPs outside centralized Service/Ingress controls. Attackers can directly probe and access workloads (**confidentiality/integrity**). Port conflicts or saturation on nodes can disrupt traffic (**availability**). Network segmentation and some policies may be less effective.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://artifacthub.io/packages/kyverno/kyverno-policies/disallow-host-ports",
"https://kyverno.io/policies/pod-security/baseline/disallow-host-ports/disallow-host-ports/",
"https://developer.squareup.com/blog/kubernetes-pod-security-policies/",
"https://github.com/chipzoller/kyverno-pss",
"https://kubernetes.io/docs/concepts/security/pod-security-standards/",
"https://www.armosec.io/glossary/pod-security-standards/",
"https://praneethreddybilakanti.medium.com/kubernetes-security-8af03eb1d11d"
],
"Remediation": {
"Code": {
"CLI": "",
"NativeIaC": "https://docs.prowler.com/checks/kubernetes/kubernetes-policy-index/bc_k8s_25#kubernetes",
"Other": "",
"Terraform": ""
"NativeIaC": "",
"Other": "1. Open your Kubernetes Dashboard and go to Workloads\n2. Select the affected Deployment/DaemonSet/StatefulSet (or Pod) and click Edit\n3. In the YAML, remove every `hostPort` field under `spec.template.spec.containers[].ports[]` (or `spec.containers[]` for a standalone Pod)\n4. Save the changes; allow the workload to restart\n5. Verify the new Pods have no `hostPort` defined",
"Terraform": "```hcl\nresource \"kubernetes_pod\" \"<example_resource_name>\" {\n metadata { name = \"<example_resource_name>\" }\n spec {\n container {\n name = \"<example_resource_name>\"\n image = \"nginx\"\n # Critical: do NOT set host_port; omitting it ensures no host port is used\n port { container_port = 80 }\n }\n }\n}\n```"
},
"Recommendation": {
"Text": "Limit the use of HostPorts in Kubernetes containers to maintain network security.",
"Url": "https://kubernetes.io/docs/concepts/security/pod-security-standards/"
"Text": "Avoid `hostPort`; publish services via **ClusterIP** with **Ingress/LoadBalancer**. Enforce admission policies to deny `hostPort` by default, permitting only a narrowly justified allowlist. Apply **least privilege** network rules, segment nodes, and monitor for unexpected host port bindings as **defense in depth**.",
"Url": "https://hub.prowler.com/check/core_minimize_admission_hostport_containers"
}
},
"Categories": [
"internet-exposed"
"internet-exposed",
"trust-boundaries"
],
"DependsOn": [],
"RelatedTo": [],
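Review bot: step 3 of `Other` and the `Description` only cover `spec.containers[].ports[].hostPort`, but init containers declare `ports[].hostPort` in exactly the same way, so if the check walks `initContainers` the remediation should say so, and if it does not, that gap should be stated. Two smaller points: Kubernetes treats `hostPort: 0` as unset, so "any container declaring `ports[].hostPort`" should be read (and implemented) as a non-zero value; and the `NativeIaC` link into the Prowler policy index was replaced with an empty string with no substitute, so either note that the doc is obsolete or keep the link.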
@@ -1,26 +1,33 @@
{
"Provider": "kubernetes",
"CheckID": "core_minimize_admission_windows_hostprocess_containers",
"CheckTitle": "Minimize the admission of Windows HostProcess Containers",
"CheckTitle": "Pod does not allow Windows HostProcess containers",
"CheckType": [],
"ServiceName": "core",
"SubServiceName": "",
"ResourceIdTemplate": "",
"Severity": "high",
"ResourceType": "KubernetesPod",
"Description": "This check ensures that Kubernetes clusters are configured to minimize the admission of Windows containers with the hostProcess flag set to true, thus reducing the risk of privilege escalation and security breaches.",
"Risk": "Allowing Windows containers with hostProcess can lead to increased security risks due to privileged access to Windows nodes.",
"RelatedUrl": "https://kubernetes.io/docs/tasks/configure-pod-container/create-hostprocess-pod/",
"ResourceType": "Pod",
"Description": "Pods are evaluated for Windows settings where `securityContext.windowsOptions.hostProcess` is set to `true`, indicating they can run **Windows HostProcess containers**.",
"Risk": "Enabling **HostProcess** grants containers direct access to the Windows node, eroding isolation. Attackers can read node data, tamper with services, capture credentials, and pivot across the cluster, impacting **confidentiality**, **integrity**, and **availability**.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://kyverno.io/policies/pod-security/baseline/disallow-host-process/disallow-host-process/",
"https://github.com/kubernetes/enhancements/issues/2579",
"https://kubernetes.io/docs/tasks/configure-pod-container/create-hostprocess-pod/",
"https://hub.armosec.io/docs/c-0202",
"https://learn.microsoft.com/en-us/azure/aks/cis-kubernetes"
],
"Remediation": {
"Code": {
"CLI": "",
"NativeIaC": "https://docs.prowler.com/checks/kubernetes/kubernetes-policy-index/bc_k8s_1#kubernetes",
"Other": "",
"Terraform": ""
"NativeIaC": "",
"Other": "1. Open your Kubernetes GUI (for example, Kubernetes Dashboard)\n2. Go to Workloads > Deployments/DaemonSets/StatefulSets (edit the owner of the Pod, not the Pod itself)\n3. Select the workload that creates the failing Pod and click Edit\n4. For each affected container, set: securityContext.windowsOptions.hostProcess to false (or remove the hostProcess field)\n5. Save the change to trigger a rollout; new Pods will be created without HostProcess\n6. Verify new Pods no longer contain securityContext.windowsOptions.hostProcess: true",
"Terraform": "```hcl\nresource \"kubernetes_pod\" \"<example_resource_name>\" {\n metadata { name = \"<example_resource_name>\" }\n spec {\n container {\n name = \"<example_container_name>\"\n image = \"busybox\"\n security_context {\n windows_options {\n host_process = false # critical: disables Windows HostProcess for this container\n }\n }\n }\n }\n}\n```"
},
"Recommendation": {
"Text": "Restrict the use of Windows HostProcess containers unless essential for their operation.",
"Url": "https://kubernetes.io/docs/tasks/configure-pod-container/create-hostprocess-pod/"
"Text": "Disallow `hostProcess:true` by default using policy-based admission aligned with **Pod Security Standards**. Permit only in tightly controlled contexts; apply **least privilege**, dedicated namespaces, and restricted service accounts; enforce **separation of duties** and monitor usage.",
"Url": "https://hub.prowler.com/check/core_minimize_admission_windows_hostprocess_containers"
}
},
"Categories": [
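Review bot: step 4 of `Other` and the Terraform snippet only set `hostProcess` at the container level, while the `Description` names `securityContext.windowsOptions.hostProcess` without saying whether the pod-level `spec.securityContext.windowsOptions.hostProcess` is also evaluated. Kubernetes requires the HostProcess setting to be consistent across the pod and all of its containers (a pod-level `true` with a container set to `false` fails API validation), so the remediation should tell the reader to remove or set `false` at both levels and the description should name both fields. Minor: `windows_options` only has effect on Windows nodes, so pairing it with a `busybox` image in the Terraform example reads oddly; a `<example_windows_image>` placeholder would be clearer.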
@@ -1,26 +1,34 @@
{
"Provider": "kubernetes",
"CheckID": "core_minimize_allowPrivilegeEscalation_containers",
"CheckTitle": "Minimize the admission of containers with allowPrivilegeEscalation",
"CheckTitle": "Pod does not allow privilege escalation in any container",
"CheckType": [],
"ServiceName": "core",
"SubServiceName": "",
"ResourceIdTemplate": "",
"Severity": "high",
"ResourceType": "KubernetesPod",
"Description": "This check ensures that Kubernetes clusters are configured to minimize the admission of containers that have the allowPrivilegeEscalation flag set to true, preventing processes within containers from gaining additional privileges.",
"Risk": "Allowing containers with allowPrivilegeEscalation can lead to elevated privileges within the container's context, posing a security risk.",
"RelatedUrl": "https://kubernetes.io/docs/concepts/security/pod-security-standards/",
"ResourceType": "Pod",
"Description": "**Kubernetes pods** are evaluated for containers that enable `allowPrivilegeEscalation`. The finding highlights pods where any container permits processes to gain extra privileges; pods whose containers set `allowPrivilegeEscalation: false` are noted as not allowing escalation.",
"Risk": "Allowing privilege escalation lets processes acquire elevated rights, undermining container isolation. Attackers can abuse setuid paths and capabilities to tamper with workloads (**integrity**), read sensitive data (**confidentiality**), pivot within the cluster, or disrupt services (**availability**).",
"RelatedUrl": "",
"AdditionalURLs": [
"https://kubernetes.io/docs/tasks/configure-pod-container/security-context/",
"https://docs.starlingx.io/r/stx.7.0/security/kubernetes/pod-security-admission-controller-8e9e6994100f.html",
"https://www.apptio.com/topics/kubernetes/best-practices/pod-security-admission/",
"https://support.icompaas.com/support/solutions/articles/62000234205-minimize-the-admission-of-containers-with-allowprivilegeescalation",
"https://kubernetes.io/docs/concepts/security/pod-security-standards/",
"https://www.wiz.io/academy/kubernetes-security-context-best-practices"
],
"Remediation": {
"Code": {
"CLI": "",
"NativeIaC": "https://docs.prowler.com/checks/kubernetes/kubernetes-policy-index/bc_k8s_19#kubernetes",
"Other": "",
"Terraform": ""
"NativeIaC": "",
"Other": "1. Open your Kubernetes Dashboard (or your cloud provider's Kubernetes console) and locate the workload managing the failing Pod (Deployment/StatefulSet/DaemonSet)\n2. Click Edit to modify the manifest (YAML)\n3. For each container with securityContext.allowPrivilegeEscalation: true, set it to false (or add allowPrivilegeEscalation: false under securityContext)\n4. Save/Apply the changes to trigger a rollout\n5. Verify new Pods have securityContext.allowPrivilegeEscalation set to false",
"Terraform": "```hcl\nresource \"kubernetes_pod\" \"main\" {\n metadata {\n name = \"<example_resource_name>\"\n }\n spec {\n container {\n name = \"app\"\n image = \"nginx\"\n security_context {\n allow_privilege_escalation = false # Critical: explicitly disable privilege escalation for the container\n }\n }\n }\n}\n```"
},
"Recommendation": {
"Text": "Restrict the use of allowPrivilegeEscalation in containers through admission control policies.",
"Url": "https://kubernetes.io/docs/tasks/configure-pod-container/security-context/"
"Text": "Set `allowPrivilegeEscalation: false` by default and apply **least privilege**:\n- run as non-root; drop caps (`drop: [\"ALL\"]`)\n- avoid `privileged`; use `readOnlyRootFilesystem`\n- enforce via namespace admission policies (e.g., PSA/OPA) and monitor exceptions",
"Url": "https://hub.prowler.com/check/core_minimize_allowPrivilegeEscalation_containers"
}
},
"Categories": [
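Review bot: step 3 of `Other` only targets containers with `securityContext.allowPrivilegeEscalation: true`, but a container that omits the field also allows escalation because Kubernetes defaults it to true, so the step should cover containers where the field is absent, and the `Description` should state how an unset field is scored instead of only describing explicit `true` and `false`. Also worth one sentence in the remediation: the API rejects `allowPrivilegeEscalation: false` on a container that is `privileged: true` or adds `CAP_SYS_ADMIN`, so those settings must be removed first or the rollout in step 4 will fail.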
@@ -1,26 +1,29 @@
{
"Provider": "kubernetes",
"CheckID": "core_minimize_containers_added_capabilities",
"CheckTitle": "Minimize the admission of containers with added capabilities",
"CheckTitle": "Pod has no containers with added capabilities",
"CheckType": [],
"ServiceName": "core",
"SubServiceName": "",
"ResourceIdTemplate": "",
"Severity": "high",
"ResourceType": "KubernetesPod",
"Description": "This check ensures that Kubernetes clusters are configured to minimize the admission of containers with capabilities assigned beyond the default set, mitigating the risks of container breakout attacks.",
"Risk": "Allowing containers with additional capabilities increases the risk of security breaches and container breakout attacks.",
"RelatedUrl": "https://kubernetes.io/docs/concepts/security/pod-security-standards/",
"ResourceType": "Pod",
"Description": "Kubernetes Pods and containers are evaluated for **added Linux capabilities** via `capabilities.add` in their security context; presence of added entries indicates elevated privileges beyond defaults.",
"Risk": "Extra capabilities expand the container's kernel-level permissions, enabling actions like raw socket use, file ownership changes, and mount operations. Compromise could enable node access, lateral movement, or tampering with workloads, impacting **confidentiality**, **integrity**, and **availability**.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://kubernetes.io/docs/concepts/security/pod-security-standards/"
],
"Remediation": {
"Code": {
"CLI": "",
"CLI": "kubectl patch deployment <example_resource_name> -p '{\"spec\":{\"template\":{\"spec\":{\"containers\":[{\"name\":\"<example_resource_name>\",\"securityContext\":{\"capabilities\":{\"add\":[]}}}]}}}}'",
"NativeIaC": "",
"Other": "",
"Terraform": ""
"Other": "1. Open the manifest for the workload creating the Pod (e.g., Deployment/StatefulSet/DaemonSet)\n2. In spec.template.spec.containers[*].securityContext.capabilities, delete all 'add' entries (remove the entire 'add' list)\n3. Save and apply the change (kubectl apply or use your GitOps pipeline); the controller will roll out updated Pods\n4. If it is a standalone Pod, delete and recreate it without the capabilities.add field",
"Terraform": "```hcl\nresource \"kubernetes_pod\" \"<example_resource_name>\" {\n metadata {\n name = \"<example_resource_name>\"\n }\n spec {\n container {\n name = \"<example_resource_name>\"\n image = \"nginx\"\n # Critical: do not set security_context.capabilities.add\n # This ensures no added Linux capabilities, making the check PASS.\n }\n }\n}\n```"
},
"Recommendation": {
"Text": "Restrict the addition of extra capabilities to containers through admission control policies.",
"Url": "https://kubernetes.io/docs/concepts/security/pod-security-standards/"
"Text": "Apply **least privilege**: require containers to `drop: ALL` and avoid `capabilities.add` except when strictly justified (e.g., `NET_BIND_SERVICE`). Enforce with **admission policies** and separation of duties. Combine with **seccomp/AppArmor** and non-root execution for **defense in depth**.",
"Url": "https://hub.prowler.com/check/core_minimize_containers_added_capabilities"
}
},
"Categories": [
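Review bot: the `CLI` patch has no namespace flag, so it runs against whatever namespace the current kubeconfig context selects rather than the one in the finding; add `-n <NAMESPACE>`. It also reuses `<example_resource_name>` for both the Deployment and the container `name`, and since the default strategic merge patch matches containers by `name`, a wrong container name silently appends a new (invalid) container instead of patching the existing one; use a distinct `<CONTAINER_NAME>` placeholder. The `Other` step 2 says to delete the `add` list while the CLI sets `"add":[]`; both clear it, but saying so in step 2 avoids the reader thinking they differ.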
@@ -1,26 +1,29 @@
{
"Provider": "kubernetes",
"CheckID": "core_minimize_containers_capabilities_assigned",
"CheckTitle": "Minimize the admission of containers with capabilities assigned",
"CheckTitle": "Pod containers have no added Linux capabilities and include capability drops when capabilities are defined",
"CheckType": [],
"ServiceName": "core",
"SubServiceName": "",
"ResourceIdTemplate": "",
"Severity": "high",
"ResourceType": "KubernetesPod",
"Description": "This check ensures that Kubernetes clusters are configured to minimize the admission of containers with Linux capabilities assigned, adhering to the principle of least privilege and reducing the risk of privilege escalation.",
"Risk": "Assigning unnecessary Linux capabilities to containers increases the risk of privilege escalation and security breaches.",
"RelatedUrl": "https://kubernetes.io/docs/concepts/security/pod-security-standards/",
"ResourceType": "Pod",
"Description": "Pods are inspected for container **Linux capabilities**. A finding occurs when any container sets capabilities in `add` or does not fully `drop` them (e.g., missing `ALL`), indicating capabilities are assigned instead of removed.",
"Risk": "Retained or added **Linux capabilities** enable privilege escalation and container escape.\n- Confidentiality: packet capture and secret access\n- Integrity: filesystem mounts or process tampering\n- Availability: killing services or altering networking",
"RelatedUrl": "",
"AdditionalURLs": [
"https://kubernetes.io/docs/concepts/security/pod-security-standards/"
],
"Remediation": {
"Code": {
"CLI": "",
"NativeIaC": "https://docs.prowler.com/checks/kubernetes/kubernetes-policy-index/bc_k8s_34#kubernetes",
"Other": "",
"Terraform": ""
"CLI": "kubectl patch deployment <DEPLOYMENT_NAME> -n <NAMESPACE> --type=merge -p '{\"spec\":{\"template\":{\"spec\":{\"containers\":[{\"name\":\"<CONTAINER_NAME>\",\"securityContext\":{\"capabilities\":{\"drop\":[\"ALL\"],\"add\":[]}}}]}}}}'",
"NativeIaC": "",
"Other": "1. Open your Kubernetes UI (e.g., Kubernetes Dashboard or your cloud provider's console)\n2. Navigate to the workload (Deployment/StatefulSet/DaemonSet) that runs the failing Pod\n3. Click Edit YAML (or equivalent)\n4. For each affected container, set:\n - spec.template.spec.containers[].securityContext.capabilities.drop: [\"ALL\"]\n - Ensure spec.template.spec.containers[].securityContext.capabilities.add is removed or set to an empty list\n5. Save to apply and trigger a rollout",
"Terraform": "```hcl\nresource \"kubernetes_pod\" \"<example_resource_name>\" {\n metadata { name = \"<example_resource_name>\" }\n spec {\n container {\n name = \"<example_resource_name>\"\n image = \"nginx:stable-alpine\"\n security_context {\n capabilities {\n drop = [\"ALL\"] # Critical: drop all Linux capabilities to satisfy the check\n # No 'add' specified to ensure no capabilities are added\n }\n }\n }\n }\n}\n```"
},
"Recommendation": {
"Text": "Restrict the assignment of Linux capabilities to containers unless essential for their operation.",
"Url": "https://kubernetes.io/docs/concepts/security/pod-security-standards/"
"Text": "Apply **least privilege**: drop `ALL` capabilities and avoid using `add`.\n\nOnly reintroduce a minimal capability when absolutely required, and isolate such pods via defense-in-depth: strict RBAC, `seccomp` RuntimeDefault, AppArmor, network policies, dedicated namespaces/nodes, and admission controls to enforce policy.",
"Url": "https://hub.prowler.com/check/core_minimize_containers_capabilities_assigned"
}
},
"Categories": [
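Review bot: the `CLI` command uses `--type=merge`, which is a JSON merge patch and replaces arrays wholesale instead of merging them, so `containers` becomes a single element carrying only `name` and `securityContext`; the API rejects that because `image` is required, and on a multi-container Deployment the other containers would be dropped. Remove `--type=merge` so kubectl's default strategic merge patch matches the container by `name` and updates only `securityContext.capabilities`. Separately, the `CheckTitle` says containers "include capability drops when capabilities are defined" while the `Description` fails any container whose `drop` is missing `ALL`; pick one semantics and make the title, description and step 4 of `Other` agree.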