2 changes: 2 additions & 0 deletions prowler/CHANGELOG.md
Expand Up @@ -18,6 +18,8 @@ All notable changes to the **Prowler SDK** are documented in this file.
- Update AWS Shield service metadata to new format [(#9427)](https://github.com/prowler-cloud/prowler/pull/9427)
- Update AWS Secrets Manager service metadata to new format [(#9408)](https://github.com/prowler-cloud/prowler/pull/9408)
- Improve SageMaker service tag retrieval with parallel execution [(#9609)](https://github.com/prowler-cloud/prowler/pull/9609)
- Update Kubernetes Kubelet service metadata to new format [(#9677)](https://github.com/prowler-cloud/prowler/pull/9677)


---

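Review bot: the new "Update Kubernetes Kubelet service metadata to new format" entry undersells this PR, because the kubelet hunks below do more than reformat: `ResourceType` moves from `KubernetesKubelet`/`KubernetesWorkerNode` to `ConfigMap`/`Node`, and the `Categories` values are replaced (for example `trustboundaries` becomes `cluster-security` and `identity-access`), both of which change what users filtering or grouping findings will see. Suggest extending the line to something like "Update Kubernetes Kubelet service metadata to new format (resource types and categories renamed)". Minor: the hunk also adds a second empty line before the `---` separator where the file previously had one.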
@@ -1,30 +1,38 @@
{
"Provider": "kubernetes",
"CheckID": "kubelet_authorization_mode",
"CheckTitle": "Ensure that the kubelet --authorization-mode argument is not set to AlwaysAllow",
"CheckTitle": "Kubelet --authorization-mode is not set to AlwaysAllow",
"CheckType": [],
"ServiceName": "kubelet",
"SubServiceName": "",
"ResourceIdTemplate": "",
"Severity": "high",
"ResourceType": "KubernetesKubelet",
"Description": "This check ensures that kubelets are not set to use the 'AlwaysAllow' authorization mode, which would allow all authenticated requests without explicit authorization.",
"Risk": "Setting --authorization-mode to AlwaysAllow can lead to unauthorized access to kubelet services.",
"RelatedUrl": "https://kubernetes.io/docs/reference/access-authn-authz/kubelet-authn-authz/",
"ResourceType": "ConfigMap",
"Description": "**Kubelet** authorization configuration is inspected to confirm the mode is not `AlwaysAllow`.\n\n*If authorization settings are absent, the effective mode requires manual verification.*",
"Risk": "With `AlwaysAllow`, any authenticated user (or anonymous if enabled) can call **kubelet APIs**. This enables reading logs and stats, running `exec`, or disrupting pods, leading to takeover, data exfiltration, and node abuse, degrading **confidentiality**, **integrity**, and **availability**.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://kubernetes.io/zh/docs/reference/command-line-tools-reference/kubelet/",
"https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/",
"https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/",
"https://kubernetes.io/docs/reference/access-authn-authz/kubelet-authn-authz/#kubelet-authorization",
"https://kubernetes.io/docs/reference/access-authn-authz/kubelet-authn-authz/"
],
"Remediation": {
"Code": {
"CLI": "--authorization-mode=Webhook",
"CLI": "",
"NativeIaC": "",
"Other": "",
"Other": "1. In your cluster admin shell, run: kubectl -n kube-system edit configmap kubelet-config-<version>\n2. In the opened YAML, set the authorization mode to Webhook (add if missing):\n authorization:\n mode: Webhook\n3. Save and exit. Re-run the scan to confirm the finding is now PASS.",
"Terraform": ""
},
"Recommendation": {
"Text": "Ensure kubelet is configured with an authorization mode other than AlwaysAllow.",
"Url": "https://kubernetes.io/docs/reference/access-authn-authz/kubelet-authn-authz/#kubelet-authorization"
"Text": "Use kubelet authorization mode `Webhook` so decisions defer to **RBAC**. Apply **least privilege** on node subresources, disable anonymous access, and restrict network exposure of the kubelet endpoint. Employ **defense in depth** with TLS and audit to monitor and control access.",
"Url": "https://hub.prowler.com/check/kubelet_authorization_mode"
}
},
"Categories": [
"trustboundaries"
"cluster-security",
"identity-access"
],
"DependsOn": [],
"RelatedTo": [],
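Review bot: clearing `CLI` (from `--authorization-mode=Webhook` to `""`) leaves the kubeadm ConfigMap procedure in `Other` as the only remediation, and that procedure never says how the edited `kubelet-config-<version>` ConfigMap gets onto the nodes or that each kubelet must reload it before step 3 re-runs the scan; either keep a flag or config-file variant (`authorization:` / `mode: Webhook` in the file behind `--config`) for clusters whose kubelet settings are not managed through kubeadm, or add the node-side step so the "now PASS" claim in step 3 actually holds. Also `RelatedUrl` is emptied while `AdditionalURLs` lists the same kubelet-authn-authz page twice (with and without the `#kubelet-authorization` fragment) and adds the `/zh/` localized copy of the kubelet reference next to the English one; one canonical link per target would be cleaner.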
@@ -1,30 +1,37 @@
{
"Provider": "kubernetes",
"CheckID": "kubelet_client_ca_file_set",
"CheckTitle": "Ensure that the kubelet --client-ca-file argument is set as appropriate",
"CheckTitle": "Kubelet has a client CA file configured for authentication",
"CheckType": [],
"ServiceName": "kubelet",
"SubServiceName": "",
"ResourceIdTemplate": "",
"Severity": "high",
"ResourceType": "KubernetesKubelet",
"Description": "This check verifies that the kubelet is configured with the --client-ca-file argument to enable authentication using certificates. This configuration is essential to secure the connections from the apiserver to the kubelet.",
"Risk": "If --client-ca-file is not set, the apiserver cannot authenticate the kubelet, potentially leading to man-in-the-middle attacks.",
"RelatedUrl": "https://kubernetes.io/docs/reference/access-authn-authz/kubelet-authn-authz/",
"ResourceType": "ConfigMap",
"Description": "**Kubelet** is evaluated for X.509 client certificate authentication by checking if its config sets `authentication.x509.clientCAFile` to validate clients on the HTTPS endpoint.",
"Risk": "Without a **client CA**, the kubelet cannot verify client certificates, weakening authentication. With network access, attackers could impersonate trusted clients to read pod logs/stats or perform node/pod actions, impacting confidentiality, integrity, and availability.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://kubernetes.io/docs/reference/access-authn-authz/kubelet-authn-authz/#kubelet-authorization",
"https://hatchjs.com/kubelet-failed-to-load-kubelet-config-file/",
"https://discuss.kubernetes.io/t/kubelet-service-fail-to-start/26728",
"https://kubernetes.io/docs/reference/access-authn-authz/kubelet-authn-authz/"
],
"Remediation": {
"Code": {
"CLI": "--client-ca-file=/path/to/ca-file",
"CLI": "",
"NativeIaC": "",
"Other": "",
"Other": "1. On each node, open the kubelet config file used by the --config flag (commonly /var/lib/kubelet/config.yaml).\n2. Add or update this setting to provide a client CA bundle path:\n ```yaml\n authentication:\n x509:\n clientCAFile: <path_to_ca_file>\n ```\n3. Save and restart kubelet: `sudo systemctl restart kubelet`",
"Terraform": ""
},
"Recommendation": {
"Text": "Configure Kubelet with a client CA file for secure authentication.",
"Url": "https://kubernetes.io/docs/reference/access-authn-authz/kubelet-authn-authz/#kubelet-authorization"
"Text": "Enforce **mutual TLS** to the kubelet by providing a trusted `clientCAFile`.\n- Disable anonymous access\n- Delegate authorization to the API server with least-privilege RBAC\n- Restrict network exposure to the kubelet\n- Rotate certificates and monitor access\n\n*Use defense-in-depth across authn and authz.*",
"Url": "https://hub.prowler.com/check/kubelet_client_ca_file_set"
}
},
"Categories": [
"trustboundaries"
"cluster-security",
"identity-access"
],
"DependsOn": [],
"RelatedTo": [],
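Review bot: `ResourceType` is changed to `ConfigMap`, yet the `Other` remediation edits the node-local file behind `--config` (`/var/lib/kubelet/config.yaml`) and restarts kubelet with `systemctl`, so the object the finding is attached to and the thing the user is told to fix are different; the `kubelet_authorization_mode` entry in this PR keeps those aligned by pointing at the kubeadm ConfigMap, and this one should do the same in one direction or the other. The YAML in step 2 also renders `x509:` and `clientCAFile:` at what reads as the same indentation; if the spaces really were collapsed in the JSON string, `clientCAFile` becomes a sibling of `x509` instead of its child and the setting is silently ignored, so please check the literal whitespace. Lastly, two `AdditionalURLs` (the hatchjs.com and discuss.kubernetes.io links) are generic "kubelet failed to start" troubleshooting threads rather than references on client certificate authentication, and the `--client-ca-file=/path/to/ca-file` CLI hint was removed instead of being kept beside the config-file form.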
@@ -1,26 +1,34 @@
{
"Provider": "kubernetes",
"CheckID": "kubelet_conf_file_ownership",
"CheckTitle": "Ensure kubelet.conf file ownership is set to root:root",
"CheckTitle": "Node kubelet.conf file ownership is set to root:root",
"CheckType": [],
"ServiceName": "kubelet",
"SubServiceName": "",
"ResourceIdTemplate": "",
"Severity": "high",
"ResourceType": "KubernetesWorkerNode",
"Description": "Ensure that the kubelet.conf file, which is the kubeconfig file for the node, has its file ownership set to root:root. This check verifies the proper ownership settings to maintain the security and integrity of the node's configuration.",
"Risk": "Incorrect file ownership settings on kubelet.conf can lead to unauthorized access and potential security vulnerabilities.",
"RelatedUrl": "https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/kubelet-integration/",
"ResourceType": "Node",
"Description": "**Node kubeconfig** at `/etc/kubernetes/kubelet.conf` is evaluated for file ownership `root:root`. The check focuses on who owns the file that defines the kubelet's API client settings and certificates.",
"Risk": "Non-root ownership lets local users alter kubelet API credentials and endpoints, enabling **node impersonation**, unauthorized control of Pods, and **data exfiltration** via the kubelet. This threatens **integrity** (config tampering), **confidentiality** (secrets access), and **availability** (pod eviction or node disruption).",
"RelatedUrl": "",
"AdditionalURLs": [
"https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/kubelet-integration/",
"https://stackarmor.com/securing-kubernetes-for-compliance-with-fedramp-fisma-or-cmmc-requirements/",
"https://blog.palark.com/kubernetes-security-with-kube-bench-and-kube-hunter/",
"https://learn.microsoft.com/en-us/azure/aks/cis-kubernetes",
"https://www.bordergate.co.uk/kubernetes-penetration-testing/",
"https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/"
],
"Remediation": {
"Code": {
"CLI": "chown root:root /etc/kubernetes/kubelet.conf",
"NativeIaC": "",
"Other": "",
"Other": "1. SSH into the affected node\n2. Run: sudo chown root:root /etc/kubernetes/kubelet.conf",
"Terraform": ""
},
"Recommendation": {
"Text": "Ensure kubelet.conf file ownership is correctly set to protect the node's configuration.",
"Url": "https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/"
"Text": "Set `/etc/kubernetes/kubelet.conf` ownership to `root:root` and use restrictive perms (e.g., `600`). Apply **least privilege** on node access, protect kubelet dirs, and enable **file integrity monitoring**. Use **defense in depth**: configuration management to enforce state and periodic audits to detect drift.",
"Url": "https://hub.prowler.com/check/kubelet_conf_file_ownership"
}
},
"Categories": [
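Review bot: the `Risk` text says non-root ownership "lets local users alter kubelet API credentials", but ownership only grants that to the specific owning user or group; exposure to other local users comes from the mode bits, which is what the sibling `kubelet_conf_file_permissions` check covers. Suggest "lets the owning user or group alter ..." so the two entries do not describe the same failure, and likewise drop the "use restrictive perms (e.g., `600`)" clause from `Recommendation`, which belongs to the permissions check. `AdditionalURLs` now carries three vendor blog posts (stackarmor, palark, bordergate) next to the Kubernetes docs; the CIS benchmark this control is lifted from would be the stronger reference. Minor: `CLI` here is `chown root:root /etc/kubernetes/kubelet.conf` without `sudo`, while the `kubelet_conf_file_permissions` hunk adds `sudo` to its CLI; pick one convention across the kubelet entries.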
@@ -1,26 +1,30 @@
{
"Provider": "kubernetes",
"CheckID": "kubelet_conf_file_permissions",
"CheckTitle": "Ensure kubelet.conf file permissions are set to 600 or more restrictive",
"CheckTitle": "Node kubelet.conf file permissions are set to 600 or more restrictive",
"CheckType": [],
"ServiceName": "kubelet",
"SubServiceName": "",
"ResourceIdTemplate": "",
"Severity": "high",
"ResourceType": "KubernetesWorkerNode",
"Description": "Ensure that the kubelet.conf file, which is the kubeconfig file for the node, has permissions set to 600 or more restrictive. This ensures the integrity and security of the node's configuration.",
"Risk": "Improper permissions on kubelet.conf can expose sensitive configuration data, potentially leading to cluster security compromises.",
"RelatedUrl": "https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/kubelet-integration/",
"ResourceType": "Node",
"Description": "**Kubelet kubeconfig** at `/etc/kubernetes/kubelet.conf` must have **owner-only** permissions (`0600` or stricter). The check evaluates the file mode to ensure it is not more permissive than `0600`.",
"Risk": "**Overly permissive `kubelet.conf`** exposes kubelet credentials, allowing local users or malware to act as the node.\n- Integrity: modify workloads or node state\n- Confidentiality: access secrets/metadata\n- Availability: disrupt scheduling or drain nodes",
"RelatedUrl": "",
"AdditionalURLs": [
"https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/kubelet-integration/",
"https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/"
],
"Remediation": {
"Code": {
"CLI": "chmod 600 /etc/kubernetes/kubelet.conf",
"CLI": "sudo chmod 600 /etc/kubernetes/kubelet.conf",
"NativeIaC": "",
"Other": "",
"Other": "1. SSH into the node running kubelet\n2. Set restrictive permissions:\n ```\n sudo chmod 600 /etc/kubernetes/kubelet.conf\n ```\n3. Verify it reads 600:\n ```\n stat -c \"%a %n\" /etc/kubernetes/kubelet.conf\n ```",
"Terraform": ""
},
"Recommendation": {
"Text": "Ensure kubelet.conf file permissions are correctly set to protect the node's configuration.",
"Url": "https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/"
"Text": "Apply **least privilege** to `/etc/kubernetes/kubelet.conf`:\n- Set permissions to `0600` or stricter\n- Restrict ownership to the kubelet user; no group/world access\n- Limit shell access and monitor file changes\n- Layer controls with **RBAC** and certificate/key rotation",
"Url": "https://hub.prowler.com/check/kubelet_conf_file_permissions"
}
},
"Categories": [
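Review bot: the `Recommendation` bullet "Restrict ownership to the kubelet user" contradicts the companion `kubelet_conf_file_ownership` check in this same PR, which requires `root:root`; change it to `root:root` so the pair agrees. Step 3 of `Other` says "Verify it reads 600" while the title accepts "600 or more restrictive", so a file at `400` would look like a failed verification; word it as "600 or stricter". Also this is the only entry whose `CLI` gains a `sudo` prefix; the other five keep bare `chown`/`chmod`, so align them one way or the other.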
@@ -1,30 +1,37 @@
{
"Provider": "kubernetes",
"CheckID": "kubelet_config_yaml_ownership",
"CheckTitle": "Validate kubelet config.yaml File Ownership",
"CheckTitle": "Node kubelet config.yaml file ownership is root:root",
"CheckType": [],
"ServiceName": "kubelet",
"SubServiceName": "",
"ResourceIdTemplate": "",
"Severity": "high",
"ResourceType": "KubernetesWorkerNode",
"Description": "Ensure that if the kubelet refers to a configuration file with the --config argument, that file is owned by root:root. The kubelet config file contains various critical parameters for the kubelet service on worker nodes, and its ownership should be strictly controlled.",
"Risk": "Improper file ownership on kubelet config.yaml can expose sensitive data or allow unauthorized modifications.",
"RelatedUrl": "https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/",
"ResourceType": "Node",
"Description": "**Kubelet** configuration file `config.yaml` (e.g., `/var/lib/kubelet/config.yaml`) is evaluated to confirm ownership by `root:root` when the kubelet uses a config file via `--config`.",
"Risk": "**Non-root ownership** of kubelet `config.yaml` enables local users or daemons to alter node-agent settings, affecting confidentiality, integrity, and availability. They could weaken authN/Z, enable insecure ports, or redirect certificate paths, leading to node takeover, lateral movement, data exfiltration, and workload disruption.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://support.icompaas.com/support/solutions/articles/62000234742-if-the-kubelet-config-yaml-configuration-file-is-being-used-validate-file-ownership-is-set-to-root-r",
"https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/",
"https://www.tenable.com/audits/items/CIS_Kubernetes_v1.10.0_Level_1_Worker.audit:64df71090138c3971f7c99863f3528c5",
"https://paper.bobylive.com/Security/CIS/CIS_Kubernetes_Benchmark_v1_6_0.pdf"
],
"Remediation": {
"Code": {
"CLI": "chown root:root /var/lib/kubelet/config.yaml",
"NativeIaC": "",
"Other": "",
"Other": "1. SSH into the Kubernetes node running the kubelet\n2. Set ownership to root:root:\n ```bash\n sudo chown root:root /var/lib/kubelet/config.yaml\n ```",
"Terraform": ""
},
"Recommendation": {
"Text": "Secure the kubelet configuration by enforcing strict file ownership.",
"Url": "https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/"
"Text": "Enforce `root:root` ownership with restrictive permissions on the kubelet config. Apply **least privilege** and **separation of duties** so only trusted admins/processes can write. Use centralized, immutable configuration, monitor with integrity/audit logs, and limit interactive access to nodes for **defense in depth**.",
"Url": "https://hub.prowler.com/check/kubelet_config_yaml_ownership"
}
},
"Categories": [
"node-security"
"node-security",
"cluster-security"
],
"DependsOn": [],
"RelatedTo": [],
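Review bot: `AdditionalURLs` adds `paper.bobylive.com/.../CIS_Kubernetes_Benchmark_v1_6_0.pdf`, an unofficial mirror of a CIS PDF, plus a vendor support article and a Tenable audit item; for a control taken from the CIS benchmark, link the CIS source directly and drop the mirror. The `Other` step stops at `sudo chown root:root /var/lib/kubelet/config.yaml` with no verification, whereas the `kubelet_config_yaml_permissions` and `kubelet_conf_file_permissions` entries include a `stat` check; adding `stat -c "%U:%G" /var/lib/kubelet/config.yaml` would match them and confirm the fix took.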
@@ -1,26 +1,29 @@
{
"Provider": "kubernetes",
"CheckID": "kubelet_config_yaml_permissions",
"CheckTitle": "Validate kubelet config.yaml File Permissions",
"CheckTitle": "Kubelet config.yaml file permissions on the node are set to 600 or more restrictive",
"CheckType": [],
"ServiceName": "kubelet",
"SubServiceName": "",
"ResourceIdTemplate": "",
"Severity": "high",
"ResourceType": "KubernetesWorkerNode",
"Description": "Ensure that if the kubelet refers to a configuration file with the --config argument, that file has permissions of 600 or more restrictive. The kubelet config file contains various critical parameters for the kubelet service on worker nodes, and its permissions should be strictly controlled.",
"Risk": "Improper file permissions on kubelet config.yaml can expose sensitive data or allow unauthorized modifications.",
"RelatedUrl": "https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/",
"ResourceType": "Node",
"Description": "**Kubelet configuration file** (`/var/lib/kubelet/config.yaml`) is evaluated for **restrictive file permissions**. When kubelet uses `--config`, the file is expected to be owner-only readable/writable (`600`) or more restrictive.",
"Risk": "Overly permissive kubelet config permissions allow unauthorized reads or edits. Attackers could extract credentials, adjust auth settings, or change node behavior, leading to data exposure (C), configuration tampering (I), and potential service disruption (A).",
"RelatedUrl": "",
"AdditionalURLs": [
"https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/"
],
"Remediation": {
"Code": {
"CLI": "chmod 600 /var/lib/kubelet/config.yaml",
"NativeIaC": "",
"Other": "",
"Other": "1. SSH into the affected node with sufficient privileges\n2. Set the file permission:\n ```bash\n sudo chmod 600 /var/lib/kubelet/config.yaml\n ```\n3. Verify:\n ```bash\n stat -c \"%a\" /var/lib/kubelet/config.yaml\n # should output: 600\n ```",
"Terraform": ""
},
"Recommendation": {
"Text": "Secure the kubelet configuration by enforcing strict file permissions.",
"Url": "https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/"
"Text": "Apply **least privilege** to the kubelet config:\n- Set mode `600` or stricter\n- Ensure trusted ownership; deny group/world access\n- Harden the parent directory\n- Enforce via config management and file integrity monitoring\n- Limit interactive access to worker nodes",
"Url": "https://hub.prowler.com/check/kubelet_config_yaml_permissions"
}
},
"Categories": [
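Review bot: step 3 of `Other` asserts `stat -c "%a"` "should output: 600", but the title and description accept "600 or more restrictive", so a `400` file would appear to fail the manual check; reword to "600 or stricter". The `Recommendation` bullet "Ensure trusted ownership" is vaguer than the sibling `kubelet_config_yaml_ownership` entry's explicit `root:root`; naming it here keeps the pair consistent. Minor: `CLI` is `chmod 600 ...` without the `sudo` that `kubelet_conf_file_permissions` uses.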