
Commit 0f43789

chore(kubernetes): enhance metadata for etcd service (#9096)
Co-authored-by: Daniel Barranquero <[email protected]>
1 parent 4f8e8ed commit 0f43789

8 files changed

+117

-82

lines changed

prowler/CHANGELOG.md

Lines changed: 1 addition & 1 deletion
@@ -33,6 +33,7 @@ All notable changes to the **Prowler SDK** are documented in this file.
3333
- Update AWS EKS service metadata to new format [(#8890)](https://github.com/prowler-cloud/prowler/pull/8890)
3434
- Update AWS Elastic Beanstalk service metadata to new format [(#8934)](https://github.com/prowler-cloud/prowler/pull/8934)
3535
- Update AWS ElastiCache service metadata to new format [(#8933)](https://github.com/prowler-cloud/prowler/pull/8933)
36+
- Update Kubernetes etcd service metadata to new format [(#9096)](https://github.com/prowler-cloud/prowler/pull/9096)
3637
- Update MongoDB Atlas projects service metadata to new format [(#9093)](https://github.com/prowler-cloud/prowler/pull/9093)
3738
- Update GitHub Organization service metadata to new format [(#9094)](https://github.com/prowler-cloud/prowler/pull/9094)
3839
- Update AWS CodeBuild service metadata to new format [(#8851)](https://github.com/prowler-cloud/prowler/pull/8851)
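Review bot: the new Kubernetes entry lands between the AWS ElastiCache and MongoDB Atlas lines, so provider entries in this section stay interleaved; if the section is meant to be grouped by provider, place it next to the other Kubernetes entries. Wording and the [(#9096)] link otherwise match the sibling entries and the commit subject.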
@@ -55,7 +56,6 @@ All notable changes to the **Prowler SDK** are documented in this file.
5556
- Raise ASFF output error for non-AWS providers [(#9225)](https://github.com/prowler-cloud/prowler/pull/9225)
5657
- Update AWS ECR service metadata to new format [(#8872)](https://github.com/prowler-cloud/prowler/pull/8872)
5758

58-
5959
---
6060

6161
## [v5.13.2] (Prowler UNRELEASED)
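Review bot: this hunk only collapses a doubled blank line before the `---` separator (old line 58) and is unrelated to the etcd metadata change; harmless, but worth a mention in the commit message so the changelog whitespace fix is not a surprise in `git blame`.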

prowler/providers/kubernetes/services/etcd/etcd_client_cert_auth/etcd_client_cert_auth.metadata.json

Lines changed: 18 additions & 13 deletions
@@ -1,31 +1,36 @@
11
{
22
"Provider": "kubernetes",
33
"CheckID": "etcd_client_cert_auth",
4-
"CheckTitle": "Ensure that the --client-cert-auth argument is set to true for etcd",
4+
"CheckTitle": "Etcd pod has client certificate authentication enabled (--client-cert-auth=true)",
55
"CheckType": [],
66
"ServiceName": "etcd",
77
"SubServiceName": "",
88
"ResourceIdTemplate": "",
99
"Severity": "high",
10-
"ResourceType": "EtcdService",
11-
"Description": "This check ensures that client authentication is enabled for the etcd service, which is a key-value store used by Kubernetes for persistent storage of all REST API objects. Enabling client authentication helps in securing access to etcd.",
12-
"Risk": "If --client-cert-auth is not set to true, etcd service may be accessible by unauthenticated clients, posing a significant security risk.",
13-
"RelatedUrl": "https://etcd.io/docs/latest/op-guide/security/",
10+
"ResourceType": "Pod",
11+
"Description": "**Etcd** is configured to require **TLS client certificate authentication** when the etcd container includes `--client-cert-auth`, so client access is validated with trusted certificates.",
12+
"Risk": "Without **mTLS client auth**, any reachable client can query or mutate etcd:\n- Confidentiality: exposure of Secrets and cluster metadata\n- Integrity: tampering with RBAC, pods, and configs\n- Availability: destructive writes can disrupt the control plane",
13+
"RelatedUrl": "",
14+
"AdditionalURLs": [
15+
"https://etcd.io/docs/latest/op-guide/security/",
16+
"https://kubernetes.io/docs/tasks/administer-cluster/configure-upgrade-etcd/"
17+
],
1418
"Remediation": {
1519
"Code": {
16-
"CLI": "--client-cert-auth=true",
17-
"NativeIaC": "https://docs.prowler.com/checks/kubernetes/kubernetes-policy-index/ensure-that-the-client-cert-auth-argument-is-set-to-true",
18-
"Other": "",
19-
"Terraform": ""
20+
"CLI": "",
21+
"NativeIaC": "",
22+
"Other": "1. SSH to the control plane node that runs etcd\n2. Edit the static pod manifest: /etc/kubernetes/manifests/etcd.yaml\n3. Under spec.containers[0].command (or args), add:\n ```\n - --client-cert-auth=true # Critical: enables client certificate authentication\n ```\n4. Save the file; kubelet will restart the etcd pod automatically\n5. Repeat on each control-plane node hosting an etcd pod",
23+
"Terraform": "```hcl\n# Enable client certificate authentication on etcd\nresource \"kubernetes_pod\" \"<example_resource_name>\" {\n metadata {\n name = \"<example_resource_name>\"\n namespace = \"kube-system\"\n }\n spec {\n container {\n name = \"etcd\"\n image = \"gcr.io/etcd-development/etcd:v3.5.13\"\n command = [\n \"etcd\",\n \"--client-cert-auth=true\" # Critical: enables client cert auth to pass the check\n ]\n }\n }\n}\n```"
2024
},
2125
"Recommendation": {
22-
"Text": "Enable client certificate authentication for the etcd service for improved security.",
23-
"Url": "https://kubernetes.io/docs/tasks/administer-cluster/configure-upgrade-etcd/#limiting-access-of-etcd-clusters"
26+
"Text": "Enforce **mutual TLS** for etcd clients by requiring validated certificates (`--client-cert-auth=true`) issued by a trusted CA.\n\nRestrict network access to etcd to API servers, rotate keys regularly, and apply **least privilege** and **separation of duties** for certificate management.",
27+
"Url": "https://hub.prowler.com/check/etcd_client_cert_auth"
2428
}
2529
},
2630
"Categories": [
27-
"encryption",
28-
"trustboundaries"
31+
"cluster-security",
32+
"identity-access",
33+
"encryption"
2934
],
3035
"DependsOn": [],
3136
"RelatedTo": [],
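Review bot: the new Description says the check passes when the etcd container merely "includes `--client-cert-auth`", while the CheckTitle requires `--client-cert-auth=true`; the flag is boolean and `--client-cert-auth=false` is a valid spelling, so the Description should state that the value must be true (or that a bare flag counts as true) to match the title. The Terraform snippet also shows `--client-cert-auth=true` as the only etcd argument; client certificate verification only applies to a TLS-enabled client listener, so list `--cert-file`, `--key-file` and `--trusted-ca-file` alongside it (or name them as prerequisites in step 3 of `Other`), otherwise the "passes the check" comment describes a configuration that satisfies the scanner without enforcing mTLS.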

prowler/providers/kubernetes/services/etcd/etcd_no_auto_tls/etcd_no_auto_tls.metadata.json

Lines changed: 16 additions & 11 deletions
@@ -1,31 +1,36 @@
11
{
22
"Provider": "kubernetes",
33
"CheckID": "etcd_no_auto_tls",
4-
"CheckTitle": "Ensure that the --auto-tls argument is not set to true for etcd",
4+
"CheckTitle": "Etcd pod has --auto-tls disabled",
55
"CheckType": [],
66
"ServiceName": "etcd",
77
"SubServiceName": "",
88
"ResourceIdTemplate": "",
99
"Severity": "high",
10-
"ResourceType": "EtcdService",
11-
"Description": "This check ensures that etcd does not use self-signed certificates for TLS, which are less secure than certificates from a trusted authority. Avoiding self-signed certificates enhances the security of etcd.",
12-
"Risk": "Using --auto-tls=true may result in the use of self-signed certificates, reducing the overall security of the etcd service.",
13-
"RelatedUrl": "https://etcd.io/docs/latest/op-guide/security/",
10+
"ResourceType": "Pod",
11+
"Description": "**Etcd** configuration is reviewed for the `--auto-tls` option, which enables automatically generated self-signed certificates for client TLS.\n\nPresence of this flag indicates self-signed TLS is used; absence indicates client TLS relies on externally managed certificates.",
12+
"Risk": "Using **self-signed auto TLS** weakens identity assurance, enabling spoofed endpoints and **man-in-the-middle** on etcd client traffic. Attackers could read or alter Kubernetes state in etcd, impacting **confidentiality** and **integrity**, and facilitating control-plane takeover or data exfiltration.",
13+
"RelatedUrl": "",
14+
"AdditionalURLs": [
15+
"https://kubernetes.io/docs/tasks/tls/managing-tls-in-a-cluster/",
16+
"https://etcd.io/docs/latest/op-guide/security/",
17+
"https://etcd.io/docs/v3.2/op-guide/security/"
18+
],
1419
"Remediation": {
1520
"Code": {
16-
"CLI": "--auto-tls=false",
17-
"NativeIaC": "https://docs.prowler.com/checks/kubernetes/kubernetes-policy-index/ensure-that-the-auto-tls-argument-is-not-set-to-true",
18-
"Other": "",
21+
"CLI": "",
22+
"NativeIaC": "",
23+
"Other": "1. SSH to the control plane node running etcd\n2. Edit the static Pod manifest: sudo vi /etc/kubernetes/manifests/etcd.yaml\n3. In containers -> command or args, remove any occurrence of --auto-tls or --auto-tls=true (do not set it to false)\n4. Save and exit; kubelet will recreate the etcd pod automatically\n5. Verify the flag is absent: kubectl -n kube-system get pod -l component=etcd -o yaml | grep -q \"auto-tls\" || echo \"PASS: --auto-tls not set\"",
1924
"Terraform": ""
2025
},
2126
"Recommendation": {
22-
"Text": "Ensure etcd is not using self-signed certificates for TLS.",
23-
"Url": "https://kubernetes.io/docs/tasks/tls/managing-tls-in-a-cluster/"
27+
"Text": "Disable `--auto-tls` and use **CA-signed certificates** with **mutual TLS** for etcd clients. Apply managed PKI to enforce trusted CAs, rotate and revoke keys, and prefer modern TLS versions and strong cipher suites. Monitor certificate expiry and limit access per **least privilege** for **defense in depth**.",
28+
"Url": "https://hub.prowler.com/check/etcd_no_auto_tls"
2429
}
2530
},
2631
"Categories": [
2732
"encryption",
28-
"internet-exposed"
33+
"cluster-security"
2934
],
3035
"DependsOn": [],
3136
"RelatedTo": [],
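Review bot: step 5 of `Other` verifies with `grep -q "auto-tls"`, which also matches `--peer-auto-tls`, so a pod that has dropped `--auto-tls` but still carries `--peer-auto-tls` never prints PASS; anchor the pattern, e.g. `grep -qE '[[:space:]]--auto-tls(=|$)'`. The same presence-only reading appears in the Description ("Presence of this flag indicates self-signed TLS is used") and in step 3 ("do not set it to false"): `--auto-tls=false` is the documented way to disable the option, so either the Description should say that any occurrence, including `=false`, is treated as a finding, or the check should read the value. Minor: the v3.2 op-guide URL in AdditionalURLs duplicates the latest one and points at an old release.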

prowler/providers/kubernetes/services/etcd/etcd_no_peer_auto_tls/etcd_no_peer_auto_tls.metadata.json

Lines changed: 16 additions & 11 deletions
@@ -1,31 +1,36 @@
11
{
22
"Provider": "kubernetes",
33
"CheckID": "etcd_no_peer_auto_tls",
4-
"CheckTitle": "Ensure that the --peer-auto-tls argument is not set to true for etcd",
4+
"CheckTitle": "Etcd pod does not use automatically generated self-signed certificates for peer TLS connections",
55
"CheckType": [],
66
"ServiceName": "etcd",
77
"SubServiceName": "",
88
"ResourceIdTemplate": "",
99
"Severity": "high",
10-
"ResourceType": "EtcdService",
11-
"Description": "This check ensures that etcd is not configured to use automatically generated self-signed certificates for TLS connections between peers. Using self-signed certificates for peer authentication is discouraged in a production environment.",
12-
"Risk": "Using self-signed certificates can lead to insecure communications between etcd peers, compromising data security.",
13-
"RelatedUrl": "https://etcd.io/docs/latest/op-guide/security/",
10+
"ResourceType": "Pod",
11+
"Description": "**Etcd peer TLS** configuration is evaluated by checking etcd containers for the `--peer-auto-tls` flag. Presence of `--peer-auto-tls` indicates peers use automatically generated self-signed certificates for inter-peer connections.",
12+
"Risk": "With `--peer-auto-tls`, traffic is encrypted but peer identity isn't verified, enabling:\n- MITM on peer links\n- Rogue member joins to read/modify data\n- Quorum disruption\n\nThis degrades **confidentiality**, **integrity**, and **availability** of control-plane state replicated in etcd.",
13+
"RelatedUrl": "",
14+
"AdditionalURLs": [
15+
"https://etcd.io/docs/latest/op-guide/security/",
16+
"https://etcd.io/docs/v3.4/op-guide/security/",
17+
"https://kubernetes.io/docs/tasks/administer-cluster/configure-upgrade-etcd/"
18+
],
1419
"Remediation": {
1520
"Code": {
16-
"CLI": "--peer-auto-tls=false",
17-
"NativeIaC": "https://docs.prowler.com/checks/kubernetes/kubernetes-policy-index/ensure-that-the-peer-auto-tls-argument-is-not-set-to-true",
18-
"Other": "",
21+
"CLI": "",
22+
"NativeIaC": "",
23+
"Other": "1. SSH to the control-plane node running etcd\n2. Open /etc/kubernetes/manifests/etcd.yaml\n3. In the etcd container args/command, remove any entry that starts with --peer-auto-tls\n4. Save the file; the kubelet will restart etcd automatically",
1924
"Terraform": ""
2025
},
2126
"Recommendation": {
22-
"Text": "Ensure etcd is not using automatically generated self-signed certificates for peer TLS connections.",
23-
"Url": "https://kubernetes.io/docs/tasks/administer-cluster/configure-upgrade-etcd/"
27+
"Text": "Disable `--peer-auto-tls` and use **mTLS** with a trusted CA issuing unique per-member peer certificates. Enforce SAN validation and, *where supported*, peer certificate authentication. Apply **least privilege**, separate CAs for peers/clients, rotate keys, and monitor certificate expiry and peer membership.",
28+
"Url": "https://hub.prowler.com/check/etcd_no_peer_auto_tls"
2429
}
2530
},
2631
"Categories": [
2732
"encryption",
28-
"internet-exposed"
33+
"cluster-security"
2934
],
3035
"DependsOn": [],
3136
"RelatedTo": [],
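Review bot: the Recommendation hedges with "*where supported*, peer certificate authentication", but etcd supports this directly via `--peer-client-cert-auth=true`, the subject of the sibling `etcd_peer_client_cert_auth` check updated in this same commit; name the flag instead of hedging. Unlike `etcd_no_auto_tls`, the `Other` steps end without a verification step; a step 5 confirming the flag is absent from the etcd container command would keep the two siblings symmetrical. The Description's presence-based wording ("Presence of `--peer-auto-tls` indicates ...") has the same `--peer-auto-tls=false` ambiguity as the client-side check.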

prowler/providers/kubernetes/services/etcd/etcd_peer_client_cert_auth/etcd_peer_client_cert_auth.metadata.json

Lines changed: 18 additions & 13 deletions
@@ -1,31 +1,36 @@
11
{
22
"Provider": "kubernetes",
33
"CheckID": "etcd_peer_client_cert_auth",
4-
"CheckTitle": "Ensure that the --peer-client-cert-auth argument is set to true for etcd",
4+
"CheckTitle": "Etcd pod has peer client certificate authentication enabled",
55
"CheckType": [],
66
"ServiceName": "etcd",
77
"SubServiceName": "",
88
"ResourceIdTemplate": "",
99
"Severity": "high",
10-
"ResourceType": "EtcdService",
11-
"Description": "This check ensures that etcd is configured for peer authentication by verifying that the --peer-client-cert-auth argument is set to true. This configuration is crucial to ensure that etcd peers in the cluster are authenticated and secure.",
12-
"Risk": "Failing to configure peer client authentication can lead to unauthorized access to the etcd cluster, compromising sensitive data.",
13-
"RelatedUrl": "https://etcd.io/docs/latest/op-guide/security/",
10+
"ResourceType": "Pod",
11+
"Description": "**Etcd** requires **peer client certificate authentication** for inter-member traffic via `--peer-client-cert-auth=true` set in the etcd container command",
12+
"Risk": "Without peer authentication, a rogue host can impersonate a member, eavesdrop on or alter Raft traffic, inject state, and disrupt elections-compromising **confidentiality** (state leakage), **integrity** (malicious writes), and **availability** (cluster instability/outage).",
13+
"RelatedUrl": "",
14+
"AdditionalURLs": [
15+
"https://etcd.io/docs/latest/op-guide/security/",
16+
"https://etcd.io/docs/v3.6/op-guide/configuration/",
17+
"https://kubernetes.io/docs/tasks/administer-cluster/configure-upgrade-etcd/#limiting-access-of-etcd-clusters"
18+
],
1419
"Remediation": {
1520
"Code": {
16-
"CLI": "--peer-client-cert-auth=true",
17-
"NativeIaC": "https://docs.prowler.com/checks/kubernetes/kubernetes-policy-index/ensure-that-the-peer-client-cert-auth-argument-is-set-to-true",
18-
"Other": "",
19-
"Terraform": ""
21+
"CLI": "",
22+
"NativeIaC": "",
23+
"Other": "1. SSH to the control-plane node\n2. Edit the etcd static Pod manifest: /etc/kubernetes/manifests/etcd.yaml\n3. In spec.containers[0].command, add this entry:\n - --peer-client-cert-auth=true\n (Critical: enables peer client certificate authentication)\n4. Save the file; the kubelet will automatically restart the etcd Pod\n5. Verify the Pod's container command includes --peer-client-cert-auth=true",
24+
"Terraform": "```hcl\nresource \"kubernetes_pod\" \"<example_resource_name>\" {\n metadata {\n name = \"<example_resource_name>\"\n namespace = \"kube-system\"\n }\n spec {\n container {\n name = \"etcd\"\n image = \"registry.k8s.io/etcd:3.5.12-0\"\n command = [\n \"etcd\",\n \"--peer-client-cert-auth=true\" # Critical: enables peer client certificate authentication for peer traffic\n ]\n }\n }\n}\n```"
2025
},
2126
"Recommendation": {
22-
"Text": "Ensure etcd is configured for peer client certificate authentication.",
23-
"Url": "https://kubernetes.io/docs/tasks/administer-cluster/configure-upgrade-etcd/#limiting-access-of-etcd-clusters"
27+
"Text": "Enforce **mTLS** for etcd peers with client certificate auth. Use a dedicated CA, validate SANs, and apply **least privilege** to issued certs. Rotate and revoke certificates regularly, restrict network access to peer ports, and avoid auto-generated self-signed peer TLS to maintain strong identity assurance.",
28+
"Url": "https://hub.prowler.com/check/etcd_peer_client_cert_auth"
2429
}
2530
},
2631
"Categories": [
27-
"encryption",
28-
"internet-exposed"
32+
"cluster-security",
33+
"identity-access"
2934
],
3035
"DependsOn": [],
3136
"RelatedTo": [],
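Review bot: the Risk text reads "disrupt elections-compromising **confidentiality**"; the hyphen should be a comma ("disrupt elections, compromising"). The Description in this hunk is missing its terminating period. As with the client-side Terraform snippet, `--peer-client-cert-auth=true` is shown as the sole etcd argument; peer certificate authentication needs `--peer-cert-file`, `--peer-key-file` and `--peer-trusted-ca-file` to have any effect, so include them in the snippet or name them as prerequisites in step 3 of `Other`.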

prowler/providers/kubernetes/services/etcd/etcd_peer_tls_config/etcd_peer_tls_config.metadata.json

Lines changed: 16 additions & 12 deletions
@@ -1,31 +1,35 @@
11
{
22
"Provider": "kubernetes",
33
"CheckID": "etcd_peer_tls_config",
4-
"CheckTitle": "Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate for etcd",
4+
"CheckTitle": "Etcd pod uses TLS for peer connections",
55
"CheckType": [],
66
"ServiceName": "etcd",
77
"SubServiceName": "",
88
"ResourceIdTemplate": "",
99
"Severity": "high",
10-
"ResourceType": "EtcdService",
11-
"Description": "This check ensures that etcd is configured to use TLS encryption for peer connections, which is crucial for securing sensitive data stored in etcd. It verifies the presence of peer certificate and key file arguments in etcd configuration.",
12-
"Risk": "Not configuring TLS for peer connections in etcd can lead to potential data breaches and unauthorized access.",
13-
"RelatedUrl": "https://etcd.io/docs/latest/op-guide/security/",
10+
"ResourceType": "Pod",
11+
"Description": "**Etcd peer communication** is treated as secure when **TLS** is configured with a peer certificate and key (e.g., `--peer-cert-file` and `--peer-key-file`). The assessment inspects etcd containers for these options to determine whether server-to-server traffic is encrypted and authenticated.",
12+
"Risk": "Without **TLS** on peer links, attackers can intercept or alter Raft traffic, enabling node impersonation and **consensus manipulation**. This endangers **confidentiality** (exposed cluster state), **integrity** (tampered writes), and **availability** (quorum disruption), cascading into control-plane instability.",
13+
"RelatedUrl": "",
14+
"AdditionalURLs": [
15+
"https://etcd.io/docs/latest/op-guide/security/",
16+
"https://kubernetes.io/docs/tasks/administer-cluster/configure-upgrade-etcd/#securing-communication"
17+
],
1418
"Remediation": {
1519
"Code": {
16-
"CLI": "--peer-client-file=</path/to/peer-cert-file> --peer-key-file=</path/to/peer-key-file>",
17-
"NativeIaC": "https://docs.prowler.com/checks/kubernetes/kubernetes-policy-index/ensure-that-the-peer-cert-file-and-peer-key-file-arguments-are-set-as-appropriate",
18-
"Other": "",
19-
"Terraform": ""
20+
"CLI": "",
21+
"NativeIaC": "",
22+
"Other": "1. SSH to the control plane node running etcd\n2. Open /etc/kubernetes/manifests/etcd.yaml\n3. Under spec.containers[0].command add:\n - --peer-cert-file=</path/to/peer-cert-file>\n - --peer-key-file=</path/to/peer-key-file>\n4. Save the file; kubelet will restart the etcd Pod automatically\n5. Verify the etcd container command includes both flags",
23+
"Terraform": "```hcl\nresource \"kubernetes_pod\" \"<example_resource_name>\" {\n metadata {\n name = \"<example_resource_name>\"\n }\n spec {\n container {\n name = \"etcd\"\n image = \"quay.io/coreos/etcd:latest\"\n command = [\n \"etcd\",\n \"--peer-cert-file=</path/to/peer-cert-file>\", # Critical: enables TLS for peer connections\n \"--peer-key-file=</path/to/peer-key-file>\" # Critical: key for the peer TLS cert\n ]\n }\n }\n}\n```"
2024
},
2125
"Recommendation": {
22-
"Text": "Secure etcd peer connections with TLS encryption.",
23-
"Url": "https://kubernetes.io/docs/tasks/administer-cluster/configure-upgrade-etcd/#securing-communication"
26+
"Text": "Enforce **TLS** for etcd peer communication with unique certificates per member and mutual authentication. Apply strong cipher suites and modern protocol versions, rotate keys, and separate CAs for peers and clients. Limit network access to peer ports to trusted nodes, following **least privilege** and **defense in depth**.",
27+
"Url": "https://hub.prowler.com/check/etcd_peer_tls_config"
2428
}
2529
},
2630
"Categories": [
2731
"encryption",
28-
"internet-exposed"
32+
"cluster-security"
2933
],
3034
"DependsOn": [],
3135
"RelatedTo": [],
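Review bot: the Terraform snippet uses `image = "quay.io/coreos/etcd:latest"` and omits `namespace = "kube-system"`, while the sibling snippets in this commit pin a tag (`registry.k8s.io/etcd:3.5.12-0`, `gcr.io/etcd-development/etcd:v3.5.13`) and set the namespace; use a pinned tag and the same metadata for consistency. The Description's "e.g., `--peer-cert-file` and `--peer-key-file`" implies other options might satisfy the check; if only these two flags are inspected, drop the "e.g.". The Description also says these options determine whether peer traffic is "encrypted and authenticated", but a peer cert and key alone give encryption and server-side identity; mutual peer authentication needs `--peer-client-cert-auth`, which the sibling `etcd_peer_client_cert_auth` check covers, so "authenticated" overstates what this check establishes.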
