diff --git a/checks/kubernetes/cisbenchmarks/apiserver/authorization_mode.rego b/checks/kubernetes/cisbenchmarks/apiserver/authorization_mode.rego index f1c776ba..28674387 100644 --- a/checks/kubernetes/cisbenchmarks/apiserver/authorization_mode.rego +++ b/checks/kubernetes/cisbenchmarks/apiserver/authorization_mode.rego @@ -19,16 +19,16 @@ package builtin.kubernetes.KCV0007 import data.lib.kubernetes -check_flag[container] { - container := kubernetes.containers[_] - kubernetes.is_apiserver(container) +check_flag(container) { some i output := regex.find_all_string_submatch_n(`--authorization-mode=([^\s]+)`, container.command[i], -1) regex.match("AlwaysAllow", output[0][1]) } deny[res] { - output := check_flag[_] + container := kubernetes.containers[_] + kubernetes.is_apiserver(container) + check_flag(container) msg := "Ensure that the --authorization-mode argument is not set to AlwaysAllow" - res := result.new(msg, output) + res := result.new(msg, container) } diff --git a/checks/kubernetes/cisbenchmarks/apiserver/authorization_mode_includes_node.rego b/checks/kubernetes/cisbenchmarks/apiserver/authorization_mode_includes_node.rego index 200902e4..64a5ccc3 100644 --- a/checks/kubernetes/cisbenchmarks/apiserver/authorization_mode_includes_node.rego +++ b/checks/kubernetes/cisbenchmarks/apiserver/authorization_mode_includes_node.rego 
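Review bot: check_flag in KCV0007 still inspects only container.command[i], so an API server that receives `--authorization-mode=AlwaysAllow` through `args` is not reported, while every other check in this commit gained an `args` body. The args test added for this check further down (test_authorization_mode_is_set_rbac_args) uses a compliant value and therefore passes without exercising any args path; a fixture with `--authorization-mode=AlwaysAllow` in args and `count(r) == 1` would currently fail. A second check_flag body over container.args, mirroring the command one, closes the gap.
```rego
# … unchanged: command-based check_flag body …

check_flag(container) {
	some i
	output := regex.find_all_string_submatch_n(`--authorization-mode=([^\s]+)`, container.args[i], -1)
	regex.match("AlwaysAllow", output[0][1])
}

# … unchanged: deny rule …
```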
@@ -19,21 +19,24 @@ package builtin.kubernetes.KCV0008 import data.lib.kubernetes -check_flag[container] { - container := kubernetes.containers[_] - kubernetes.is_apiserver(container) - not kubernetes.command_has_flag(container.command, "--authorization-mode") +check_flag(container) { + kubernetes.command_has_flag(container.command, "--authorization-mode") + some i + output := regex.find_all_string_submatch_n(`--authorization-mode=([^\s]+)`, container.command[i], -1) + regex.match("Node", output[0][1]) } -check_flag[container] { - container := kubernetes.containers[_] +check_flag(container) { + kubernetes.command_has_flag(container.args, "--authorization-mode") some i - output := regex.find_all_string_submatch_n(`--authorization-mode=([^\s]+)`, container.command[i], -1) - not regex.match("Node", output[0][1]) + output := regex.find_all_string_submatch_n(`--authorization-mode=([^\s]+)`, container.args[i], -1) + regex.match("Node", output[0][1]) } deny[res] { - output := check_flag[_] + container := kubernetes.containers[_] + kubernetes.is_apiserver(container) + not check_flag(container) msg := "Ensure that the --authorization-mode argument includes Node" - res := result.new(msg, output) + res := result.new(msg, container) } diff --git a/checks/kubernetes/cisbenchmarks/apiserver/authorization_mode_includes_node_test.rego b/checks/kubernetes/cisbenchmarks/apiserver/authorization_mode_includes_node_test.rego index 3b560472..ec3c53c1 100644 --- a/checks/kubernetes/cisbenchmarks/apiserver/authorization_mode_includes_node_test.rego +++ b/checks/kubernetes/cisbenchmarks/apiserver/authorization_mode_includes_node_test.rego 
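Review bot: The two check_flag bodies in KCV0008 differ only in the list they scan (container.command vs container.args), and KCV0009 in this same commit repeats the same pair with "RBAC"; a small helper taking the list and the mode keeps the regex and the flag guard in one place. The `kubernetes.command_has_flag` guard is kept inside the helper so behaviour is unchanged. Note that `regex.match(mode, …)` treats the mode as a pattern, which is fine for the literal values used here but worth a comment.
```rego
# mode_includes is true when one element of cmd carries --authorization-mode=<value> and <value> contains mode.
mode_includes(cmd, mode) {
	kubernetes.command_has_flag(cmd, "--authorization-mode")
	some i
	output := regex.find_all_string_submatch_n(`--authorization-mode=([^\s]+)`, cmd[i], -1)
	regex.match(mode, output[0][1])
}

check_flag(container) {
	mode_includes(container.command, "Node")
}

check_flag(container) {
	mode_includes(container.args, "Node")
}

# … unchanged: deny rule …
```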
@@ -42,6 +42,28 @@ test_authorization_mode_includes_node { count(r) == 0 } +test_authorization_mode_includes_node_args { + r := deny with input as { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "name": "apiserver", + "labels": { + "component": "kube-apiserver", + "tier": "control-plane", + }, + }, + "spec": {"containers": [{ + "command": ["kube-apiserver"], + "args": ["--authorization-mode=RBAC,Node", "--anonymous-auth=false"], + "image": "busybox", + "name": "hello", + }]}, + } + + count(r) == 0 +} + test_authorization_mode_default_value { r := deny with input as { "apiVersion": "v1", diff --git a/checks/kubernetes/cisbenchmarks/apiserver/authorization_mode_includes_rbac.rego b/checks/kubernetes/cisbenchmarks/apiserver/authorization_mode_includes_rbac.rego index 00540238..31390062 100644 --- a/checks/kubernetes/cisbenchmarks/apiserver/authorization_mode_includes_rbac.rego +++ b/checks/kubernetes/cisbenchmarks/apiserver/authorization_mode_includes_rbac.rego 
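Review bot: test_authorization_mode_includes_node_args only pins the compliant path; there is no args fixture whose mode lacks Node and is expected to produce a finding, so a regression that made the args body of check_flag succeed for any value would still pass the suite. The same gap exists in the new args tests of authorization_mode_includes_rbac_test.rego and authorization_mode_test.rego in this commit. A sibling test with the same fixture but `"args": ["--authorization-mode=RBAC", "--anonymous-auth=false"]` and `count(r) == 1` would cover the negative path.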
@@ -19,21 +19,24 @@ package builtin.kubernetes.KCV0009 import data.lib.kubernetes -check_flag[container] { - container := kubernetes.containers[_] - kubernetes.is_apiserver(container) - not kubernetes.command_has_flag(container.command, "--authorization-mode") +check_flag(container) { + kubernetes.command_has_flag(container.command, "--authorization-mode") + some i + output := regex.find_all_string_submatch_n(`--authorization-mode=([^\s]+)`, container.command[i], -1) + regex.match("RBAC", output[0][1]) } -check_flag[container] { - container := kubernetes.containers[_] +check_flag(container) { + kubernetes.command_has_flag(container.args, "--authorization-mode") some i - output := regex.find_all_string_submatch_n(`--authorization-mode=([^\s]+)`, container.command[i], -1) - not regex.match("RBAC", output[0][1]) + output := regex.find_all_string_submatch_n(`--authorization-mode=([^\s]+)`, container.args[i], -1) + regex.match("RBAC", output[0][1]) } deny[res] { - output := check_flag[_] + container := kubernetes.containers[_] + kubernetes.is_apiserver(container) + not check_flag(container) msg := "Ensure that the --authorization-mode argument includes RBAC" - res := result.new(msg, output) + res := result.new(msg, container) } diff --git a/checks/kubernetes/cisbenchmarks/apiserver/authorization_mode_includes_rbac_test.rego b/checks/kubernetes/cisbenchmarks/apiserver/authorization_mode_includes_rbac_test.rego index ae6173a3..36873102 100644 --- a/checks/kubernetes/cisbenchmarks/apiserver/authorization_mode_includes_rbac_test.rego +++ b/checks/kubernetes/cisbenchmarks/apiserver/authorization_mode_includes_rbac_test.rego 
@@ -42,6 +42,28 @@ test_authorization_mode_includes_rbac { count(r) == 0 } +test_authorization_mode_includes_rbac_args { + r := deny with input as { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "name": "apiserver", + "labels": { + "component": "kube-apiserver", + "tier": "control-plane", + }, + }, + "spec": {"containers": [{ + "command": ["kube-apiserver"], + "args": ["--authorization-mode=Node,RBAC", "--anonymous-auth=false"], + "image": "busybox", + "name": "hello", + }]}, + } + + count(r) == 0 +} + test_authorization_mode_default_value { r := deny with input as { "apiVersion": "v1", diff --git a/checks/kubernetes/cisbenchmarks/apiserver/authorization_mode_test.rego b/checks/kubernetes/cisbenchmarks/apiserver/authorization_mode_test.rego index 8f5249e3..6a8fc541 100644 --- a/checks/kubernetes/cisbenchmarks/apiserver/authorization_mode_test.rego +++ b/checks/kubernetes/cisbenchmarks/apiserver/authorization_mode_test.rego @@ -43,6 +43,28 @@ test_authorization_mode_is_set_rbac { count(r) == 0 } +test_authorization_mode_is_set_rbac_args { + r := deny with input as { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "name": "apiserver", + "labels": { + "component": "kube-apiserver", + "tier": "control-plane", + }, + }, + "spec": {"containers": [{ + "command": ["kube-apiserver"], + "args": ["--authorization-mode=RBAC", "--anonymous-auth=false"], + "image": "busybox", + "name": "hello", + }]}, + } + + count(r) == 0 +} + test_authorization_mode_with_multiple_values { r := deny with input as { "apiVersion": "v1", diff --git a/checks/kubernetes/cisbenchmarks/apiserver/client_ca_file.rego b/checks/kubernetes/cisbenchmarks/apiserver/client_ca_file.rego index cb0b158a..91aa1411 100644 --- a/checks/kubernetes/cisbenchmarks/apiserver/client_ca_file.rego +++ b/checks/kubernetes/cisbenchmarks/apiserver/client_ca_file.rego 
@@ -19,14 +19,18 @@ package builtin.kubernetes.KCV0028 import data.lib.kubernetes -check_flag[container] { - container := kubernetes.containers[_] - kubernetes.is_apiserver(container) - not kubernetes.command_has_flag(container.command, "--client-ca-file") +check_flag(container) { + kubernetes.command_has_flag(container.command, "--client-ca-file") +} + +check_flag(container) { + kubernetes.command_has_flag(container.args, "--client-ca-file") } deny[res] { - output := check_flag[_] + container := kubernetes.containers[_] + kubernetes.is_apiserver(container) + not check_flag(container) msg := "Ensure that the --client-ca-file argument is set as appropriate" - res := result.new(msg, output) + res := result.new(msg, container) } diff --git a/checks/kubernetes/cisbenchmarks/apiserver/client_ca_file_test.rego b/checks/kubernetes/cisbenchmarks/apiserver/client_ca_file_test.rego index 1299f3d0..b753a79d 100644 --- a/checks/kubernetes/cisbenchmarks/apiserver/client_ca_file_test.rego +++ b/checks/kubernetes/cisbenchmarks/apiserver/client_ca_file_test.rego @@ -21,6 +21,28 @@ test_client_ca_file_is_set { count(r) == 0 } +test_client_ca_file_is_set_args { + r := deny with input as { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "name": "apiserver", + "labels": { + "component": "kube-apiserver", + "tier": "control-plane", + }, + }, + "spec": {"containers": [{ + "command": ["kube-apiserver"], + "args": ["--advertise-address=192.168.49.2", "--client-ca-file="], + "image": "busybox", + "name": "hello", + }]}, + } + + count(r) == 0 +} + test_client_ca_file_is_not_set { r := deny with input as { "apiVersion": "v1", diff --git a/checks/kubernetes/cisbenchmarks/apiserver/deny_service_external_ips_plugin.rego b/checks/kubernetes/cisbenchmarks/apiserver/deny_service_external_ips_plugin.rego index acf7e8c4..0c3fda3d 100644 --- a/checks/kubernetes/cisbenchmarks/apiserver/deny_service_external_ips_plugin.rego 
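Review bot: check_flag in KCV0028 treats `--client-ca-file=` with an empty value as compliant, and the new test test_client_ca_file_is_set_args asserts exactly that with `"--client-ca-file="` and `count(r) == 0`; kubernetes.command_has_flag is defined outside this diff, but from that fixture it appears to test presence only. The same pattern is repeated in etcd_cafile.rego and etcd_certfile_and_keyfile.rego and their tests in this commit. If "set as appropriate" is meant to require an actual path, the body could match the value instead, for example `regex.match("^--client-ca-file=.+", container.args[i])` under `some i`, and the fixtures should carry a non-empty path rather than an empty value.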
+++ b/checks/kubernetes/cisbenchmarks/apiserver/deny_service_external_ips_plugin.rego @@ -19,15 +19,21 @@ package builtin.kubernetes.KCV0003 import data.lib.kubernetes -check_flag[container] { - container := kubernetes.containers[_] +check_flag(container) { some i output := regex.find_all_string_submatch_n(`--enable-admission-plugins=([^\s]+)`, container.command[i], -1) regex.match("DenyServiceExternalIPs", output[0][1]) } +check_flag(container) { + some i + output := regex.find_all_string_submatch_n(`--enable-admission-plugins=([^\s]+)`, container.args[i], -1) + regex.match("DenyServiceExternalIPs", output[0][1]) +} + deny[res] { - output := check_flag[_] + container := kubernetes.containers[_] + check_flag(container) msg := "Ensure that the --DenyServiceExternalIPs is not set" - res := result.new(msg, output) + res := result.new(msg, container) } diff --git a/checks/kubernetes/cisbenchmarks/apiserver/deny_service_external_ips_plugin_test.rego b/checks/kubernetes/cisbenchmarks/apiserver/deny_service_external_ips_plugin_test.rego index fffd2a40..57034549 100644 --- a/checks/kubernetes/cisbenchmarks/apiserver/deny_service_external_ips_plugin_test.rego +++ b/checks/kubernetes/cisbenchmarks/apiserver/deny_service_external_ips_plugin_test.rego @@ -43,6 +43,28 @@ test_enable_admission_plugins_is_not_configured { count(r) == 0 } +test_enable_admission_plugins_is_not_configured_args { + r := deny with input as { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "name": "apiserver", + "labels": { + "component": "kube-apiserver", + "tier": "control-plane", + }, + }, + "spec": {"containers": [{ + "command": ["kube-apiserver"], + "args": ["--authorization-mode=Node,RBAC", "--anonymous-auth=false"], + "image": "busybox", + "name": "hello", + }]}, + } + + count(r) == 0 +} + test_deny_service_external_ips_is_not_enabled { r := deny with input as { "apiVersion": "v1", 
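Review bot: The rebuilt deny rule in KCV0003 iterates every container but, unlike the other deny rules in this commit, never calls `kubernetes.is_apiserver(container)`, so any pod whose command or args carry `--enable-admission-plugins=…DenyServiceExternalIPs` is reported. The old rule had the same omission, so this may be intentional, but since the rule is being rewritten here it is the place to add `kubernetes.is_apiserver(container)` after the `container :=` line if the check is meant to be API-server-scoped.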
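Review bot: test_enable_admission_plugins_is_not_configured_args does not put `--enable-admission-plugins` in args at all, so it passes whether or not the new args body of check_flag exists and does not exercise the code this commit adds. A fixture with, for example, `"args": ["--enable-admission-plugins=NodeRestriction,DenyServiceExternalIPs"]` expecting `count(r) == 1`, alongside one with the plugin absent from args expecting 0, would cover the new branch in both directions.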
diff --git a/checks/kubernetes/cisbenchmarks/apiserver/encryption_provider_config.rego b/checks/kubernetes/cisbenchmarks/apiserver/encryption_provider_config.rego index d46136b6..ee4470c7 100644 --- a/checks/kubernetes/cisbenchmarks/apiserver/encryption_provider_config.rego +++ b/checks/kubernetes/cisbenchmarks/apiserver/encryption_provider_config.rego @@ -19,14 +19,18 @@ package builtin.kubernetes.KCV0030 import data.lib.kubernetes -check_flag[container] { - container := kubernetes.containers[_] - kubernetes.is_apiserver(container) +check_flag(container) { kubernetes.command_has_flag(container.command, "--encryption-provider-config") } +check_flag(container) { + kubernetes.command_has_flag(container.args, "--encryption-provider-config") +} + deny[res] { - output := check_flag[_] + container := kubernetes.containers[_] + kubernetes.is_apiserver(container) + check_flag(container) msg := "Ensure that the --encryption-provider-config argument is set as appropriate" - res := result.new(msg, output) + res := result.new(msg, container) } diff --git a/checks/kubernetes/cisbenchmarks/apiserver/encryption_provider_config_test.rego b/checks/kubernetes/cisbenchmarks/apiserver/encryption_provider_config_test.rego index 8e1a742e..cf822939 100644 --- a/checks/kubernetes/cisbenchmarks/apiserver/encryption_provider_config_test.rego +++ b/checks/kubernetes/cisbenchmarks/apiserver/encryption_provider_config_test.rego @@ -42,3 +42,25 @@ test_encryption_provider_config_is_not_set { count(r) == 0 } + +test_encryption_provider_config_is_not_set_args { + r := deny with input as { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "name": "apiserver", + "labels": { + "component": "kube-apiserver", + "tier": "control-plane", + }, + }, + "spec": {"containers": [{ + "command": ["kube-apiserver"], + "args": ["--advertise-address=192.168.49.2", "--anonymous-auth=false"], + "image": "busybox", + "name": "hello", + }]}, + } + + count(r) == 0 +} 
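Review bot: deny in KCV0030 fires when check_flag(container) succeeds, i.e. when `--encryption-provider-config` is present, which is the opposite of the message "Ensure that the --encryption-provider-config argument is set as appropriate" and of the sibling rules in this commit (client_ca_file.rego and etcd_cafile.rego use `not check_flag(container)`). The old rule had the same polarity, so this is pre-existing, but the new test test_encryption_provider_config_is_not_set_args now also pins an API server without encryption at rest as producing no finding. Unless KCV0030 is intentionally a presence detector, the deny body should read `not check_flag(container)` and the two `_is_not_set` tests should expect `count(r) == 1`.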
diff --git a/checks/kubernetes/cisbenchmarks/apiserver/etcd_cafile.rego b/checks/kubernetes/cisbenchmarks/apiserver/etcd_cafile.rego index bea415f7..34374fb0 100644 --- a/checks/kubernetes/cisbenchmarks/apiserver/etcd_cafile.rego +++ b/checks/kubernetes/cisbenchmarks/apiserver/etcd_cafile.rego @@ -19,14 +19,18 @@ package builtin.kubernetes.KCV0029 import data.lib.kubernetes -check_flag[container] { - container := kubernetes.containers[_] - kubernetes.is_apiserver(container) - not kubernetes.command_has_flag(container.command, "--etcd-cafile") +check_flag(container) { + kubernetes.command_has_flag(container.command, "--etcd-cafile") +} + +check_flag(container) { + kubernetes.command_has_flag(container.args, "--etcd-cafile") } deny[res] { - output := check_flag[_] + container := kubernetes.containers[_] + kubernetes.is_apiserver(container) + not check_flag(container) msg := "Ensure that the --etcd-cafile argument is set as appropriate" - res := result.new(msg, output) + res := result.new(msg, container) } diff --git a/checks/kubernetes/cisbenchmarks/apiserver/etcd_cafile_test.rego b/checks/kubernetes/cisbenchmarks/apiserver/etcd_cafile_test.rego index 8e9df561..1dafca35 100644 --- a/checks/kubernetes/cisbenchmarks/apiserver/etcd_cafile_test.rego +++ b/checks/kubernetes/cisbenchmarks/apiserver/etcd_cafile_test.rego @@ -21,6 +21,28 @@ test_etcd_cafile_is_set { count(r) == 0 } +test_etcd_cafile_is_set_args { + r := deny with input as { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "name": "apiserver", + "labels": { + "component": "kube-apiserver", + "tier": "control-plane", + }, + }, + "spec": {"containers": [{ + "command": ["kube-apiserver"], + "args": ["--advertise-address=192.168.49.2", "--etcd-cafile="], + "image": "busybox", + "name": "hello", + }]}, + } + + count(r) == 0 +} + test_etcd_cafile_is_not_set { r := deny with input as { "apiVersion": "v1", 
diff --git a/checks/kubernetes/cisbenchmarks/apiserver/etcd_certfile_and_keyfile.rego b/checks/kubernetes/cisbenchmarks/apiserver/etcd_certfile_and_keyfile.rego index 5ab092fd..791da4e5 100644 --- a/checks/kubernetes/cisbenchmarks/apiserver/etcd_certfile_and_keyfile.rego +++ b/checks/kubernetes/cisbenchmarks/apiserver/etcd_certfile_and_keyfile.rego @@ -19,20 +19,20 @@ package builtin.kubernetes.KCV0026 import data.lib.kubernetes -check_flag[container] { - container := kubernetes.containers[_] - kubernetes.is_apiserver(container) - not kubernetes.command_has_flag(container.command, "--etcd-certfile") +check_flag(container) { + kubernetes.command_has_flag(container.command, "--etcd-certfile") + kubernetes.command_has_flag(container.command, "--etcd-keyfile") } -check_flag[container] { - container := kubernetes.containers[_] - kubernetes.is_apiserver(container) - not kubernetes.command_has_flag(container.command, "--etcd-keyfile") +check_flag(container) { + kubernetes.command_has_flag(container.args, "--etcd-certfile") + kubernetes.command_has_flag(container.args, "--etcd-certfile") } deny[res] { - output := check_flag[_] + container := kubernetes.containers[_] + kubernetes.is_apiserver(container) + not check_flag(container) msg := "Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate" - res := result.new(msg, output) + res := result.new(msg, container) } diff --git a/checks/kubernetes/cisbenchmarks/apiserver/etcd_certfile_and_keyfile_test.rego b/checks/kubernetes/cisbenchmarks/apiserver/etcd_certfile_and_keyfile_test.rego index e4c25fea..1f7ff6bf 100644 --- a/checks/kubernetes/cisbenchmarks/apiserver/etcd_certfile_and_keyfile_test.rego +++ b/checks/kubernetes/cisbenchmarks/apiserver/etcd_certfile_and_keyfile_test.rego 
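Review bot: The args body of check_flag in KCV0026 checks `--etcd-certfile` twice and never `--etcd-keyfile`, so an API server configured via args with only a cert file is reported as compliant; the second line should be `kubernetes.command_has_flag(container.args, "--etcd-keyfile")`. The new test test_etcd_certfile_and_keyfile_are_set_args supplies both flags and so does not catch this; a fixture with only `--etcd-certfile=` in args expecting `count(r) == 1` would. Separately, the rewrite now requires both flags in the same list — a cert file in command and a key file in args would be flagged — which differs from the old per-flag rules and is worth confirming as acceptable.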
@@ -86,3 +86,25 @@ test_etcd_certfile_and_keyfile_are_not_set { count(r) == 1 r[_].msg == "Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate" } + +test_etcd_certfile_and_keyfile_are_set_args { + r := deny with input as { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "name": "apiserver", + "labels": { + "component": "kube-apiserver", + "tier": "control-plane", + }, + }, + "spec": {"containers": [{ + "command": ["kube-apiserver"], + "args": ["--advertise-address=192.168.49.2", "--etcd-certfile=", "--etcd-keyfile="], + "image": "busybox", + "name": "hello", + }]}, + } + + count(r) == 0 +}