{"stig":{"title":"Rancher Government Solutions RKE2 Security Technical Implementation Guide","version":"2","release":"6"},"checks":[{"vulnId":"V-254553","ruleId":"SV-254553r1188297_rule","severity":"high","ruleTitle":"Rancher RKE2 must protect authenticity of communications sessions with the use of FIPS-validated 140-2 or 140-3 security requirements for cryptographic modules.","description":"Use strong TLS settings.\n\nRKE2 uses FIPS validated BoringCrypto modules. RKE2 Server can prohibit the use of SSL and unauthorized versions of TLS protocols to properly secure communication. There is a lot of traffic between RKE2 nodes to deploy, update, and delete resources so it is important to set strong TLS settings on top of this default feature. It is also important to use approved cypher suites. This ensures the protection of the transmitted information, confidentiality, and integrity so that the attacker cannot read or alter this communication.\n\nThe use of unsupported protocol exposes vulnerabilities to the Kubernetes by rogue traffic interceptions, man-in-the-middle attacks, and impersonation of users or services from the container platform runtime, registry, and key store.\n\nTo enable the enforcement of minimum version of TLS and cipher suites to be used by the various components of RKE2, the settings \"tls-min-version\" and \"tls-cipher-suites\" must be set.\n\nFurther documentation of the FIPS modules can be found here: https://docs.rke2.io/security/fips_support.\n\nSatisfies: SRG-APP-000014-CTR-000035, SRG-APP-000014-CTR-000040, SRG-APP-000219-CTR-000550, SRG-APP-000441-CTR-001090, SRG-APP-000442-CTR-001095, SRG-APP-000514-CTR-001315, SRG-APP-000560-CTR-001340, SRG-APP-000605-CTR-001380, SRG-APP-000610-CTR-001385, SRG-APP-000635-CTR-001405, SRG-APP-000645-CTR-001410","checkContent":"Use strong TLS settings.\n\nOn the RKE2 server, run each command:\n\n/bin/ps -ef | grep kube-apiserver | grep -v grep\n\n/bin/ps -ef | grep kube-controller-manager | grep -v grep\n\n/bin/ps -ef | grep kube-scheduler | grep -v grep\n\nFor each, look for the existence of tls-min-version (use this command for an aid \"| grep tls-min-version\"). \n\nIf the setting \"tls-min-version\" is not configured or it is set to \"VersionTLS10\" or \"VersionTLS11\", this is a finding.\n\nFor each, look for the existence of the tls-cipher-suites. \n\nIf \"tls-cipher-suites\" is not set for all servers, or does not contain the following, this is a finding.\n\n--tls-cipher-suites=suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384","fixText":"Configure the use of strong TLS settings.\n\nEdit the RKE2 server configuration file on all RKE2 server hosts, located at \"/etc/rancher/rke2/config.yaml\", to contain the following:\n\nkube-controller-manager-arg:\n\n\"tls-min-version=VersionTLS12\" [or higher]\n\"tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384\" kube-scheduler-arg:\n\"tls-min-version=VersionTLS12\"\n\"tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384\" kube-apiserver-arg:\n\"tls-min-version=VersionTLS12\"\n\"tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384\"\n\nOnce the configuration file is updated, restart the RKE2 server using the command: \n\nsystemctl restart rke2-server","ccis":["CCI-000068","CCI-000185","CCI-000382","CCI-000803","CCI-001184","CCI-001453","CCI-002420","CCI-002422","CCI-002450"]},{"vulnId":"V-254554","ruleId":"SV-254554r1043176_rule","severity":"medium","ruleTitle":"RKE2 must use a centralized user management solution to support account management functions.","description":"The Kubernetes Controller Manager is a background process that embeds core control loops regulating cluster system state through the API Server. Every process executed in a pod has an associated service account. By default, service accounts use the same credentials for authentication. Implementing the default settings poses a high risk to the Kubernetes Controller Manager. Setting the use-service-account-credential value lowers the attack surface by generating unique service accounts settings for each controller instance.","checkContent":"Ensure use-service-account-credentials argument is set correctly.\n\nRun this command on the RKE2 Control Plane:\n/bin/ps -ef | grep kube-controller-manager | grep -v grep\n\nIf --use-service-account-credentials argument is not set to \"true\" or is not configured, this is a finding.","fixText":"Edit the RKE2 Configuration File /etc/rancher/rke2/config.yaml on the RKE2 Control Plane and set the following \"kube-controller-manager-arg\" argument:\n- use-service-account-credentials=true\n\nOnce the configuration file is updated, restart the RKE2 Server. Run the command:\nsystemctl restart rke2-server","ccis":["CCI-000015"]},{"vulnId":"V-254555","ruleId":"SV-254555r1188300_rule","severity":"medium","ruleTitle":"Rancher RKE2 components must be configured in accordance with the security configuration settings based on DOD security configuration or implementation guidance, including SRGs, STIGs, NSA configuration guides, CTOs, and DTMs.","description":"Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of re-establishing access. One way to accomplish this is for the attacker to modify an existing account. Auditing of account creation is one method for mitigating this risk. A comprehensive account management process will ensure an audit trail documents the creation of application user accounts and, as required, notifies administrators and/or application when accounts are created. Such a process greatly reduces the risk that accounts will be surreptitiously created and provides logging that can be used for forensic purposes.\n\nWithin Rancher RKE2, audit data can be generated from any of the deployed container platform components. This audit data is important when there are issues, such as security incidents, that must be investigated. To make the audit data worthwhile for the investigation of events, it is necessary to know where within the container platform the event occurred.\n\nTo address access requirements, many application developers choose to integrate their applications with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements. Such integration allows the application developer to offload those access control functions and focus on core application features and functionality.\n\nSatisfies: SRG-APP-000026-CTR-000070, SRG-APP-000027-CTR-000075, SRG-APP-000028-CTR-000080, SRG-APP-000092-CTR-000165, SRG-APP-000095-CTR-000170, SRG-APP-000096-CTR-000175, SRG-APP-000097-CTR-000180, SRG-APP-000098-CTR-000185, SRG-APP-000099-CTR-000190, SRG-APP-000100-CTR-000195, SRG-APP-000101-CTR-000205, SRG-APP-000319-CTR-000745, SRG-APP-000320-CTR-000750, SRG-APP-000343-CTR-000780, SRG-APP-000358-CTR-000805, SRG-APP-000374-CTR-000865, SRG-APP-000375-CTR-000870, SRG-APP-000381-CTR-000905, SRG-APP-000409-CTR-000990, SRG-APP-000492-CTR-001220, SRG-APP-000493-CTR-001225, SRG-APP-000494-CTR-001230, SRG-APP-000495-CTR-001235, SRG-APP-000496-CTR-001240, SRG-APP-000497-CTR-001245, SRG-APP-000498-CTR-001250, SRG-APP-000499-CTR-001255, SRG-APP-000500-CTR-001260, SRG-APP-000501-CTR-001265, SRG-APP-000502-CTR-001270, SRG-APP-000503-CTR-001275, SRG-APP-000504-CTR-001280, SRG-APP-000505-CTR-001285, SRG-APP-000506-CTR-001290, SRG-APP-000507-CTR-001295, SRG-APP-000508-CTR-001300, SRG-APP-000509-CTR-001305, SRG-APP-000510-CTR-001310, SRG-APP-000516-CTR-000790, SRG-APP-00516-CTR-001325","checkContent":"Audit logging and policies:\n\nOn all hosts running RKE2, run the command: \n\n/bin/ps -ef | grep kube-apiserver | grep -v grep\n\nIf --audit-policy-file is not set, this is a finding. If --audit-log-mode is not = \"blocking-strict\", this is a finding.\n\nEnsure the RKE2 configuration file on all RKE2 hosts, located at /etc/rancher/rke2/config.yaml, contains CIS profile setting. Run the following command: cat /etc/rancher/rke2/config.yaml\nRKE2 can be started with the profile flag set to cis, cis-1.23, or cis-1.6 depending on the RKE2 version. Available with October 2023 releases (v1.25.15+rke2r1, v1.26.10+rke2r1, v1.27.7+rke2r1, v1.28.3+rke2r1), use the generic profile: \"cis\".\n\nIf a value for profile is not found or is not set correctly, this is a finding. (Example: \"profile: cis\")\n\nCheck the contents of the audit-policy file. By default, RKE2 expects the audit-policy file to be located at /etc/rancher/rke2/audit-policy.yaml; however, this location can be overridden in the /etc/rancher/rke2/config.yaml file with argument 'kube-apiserver-arg: \"audit-policy-file=/etc/rancher/rke2/audit-policy.yaml\"'.\nIf the audit policy file does not exist or does not look like the following, this is a finding.\n\napiVersion: audit.k8s.io/v1 kind: Policy metadata: name: rke2-audit-policy rules:\n\nlevel: Metadata resources:\ngroup: \"\" resources: [\"secrets\"]\nlevel: RequestResponse resources:\ngroup: \"\" resources: [\"*\"]","fixText":"Edit the \"/etc/rancher/rke2/config.yaml\" file and enable the audit-policy-file: /etc/rancher/rke2/audit-policy.yaml\n\nEdit the RKE2 configuration file on all RKE2 hosts, located at /etc/rancher/rke2/config.yaml, so it contains the required configuration.\n\n--audit-policy-file= Path to the file that defines the audit policy configuration. (Example: /etc/rancher/rke2/audit-policy.yaml) --audit-log-mode=blocking-strict\n\nIf configuration file is updated, restart the RKE2 using the command \"systemctl restart rke2-server\" for server hosts or \"systemctl restart rke2-agent\" for agent hosts.\n\nEdit the RKE2 configuration file on all RKE2 hosts, located at /etc/rancher/rke2/config.yaml, so that it contains required configuration.\n\nIf using RKE2 v1.24 or older, set: profile: cis-1.6\n\nIf using RKE2 v1.25 or newer, set: profile: cis-1.23\n\nFor October 2023 releases (v1.25.15+rke2r1, v1.26.10+rke2r1, v1.27.7+rke2r1, v1.28.3+rke2r1), use the generic profile \"cis\".\n\nIf configuration file is updated, restart RKE2 using the command \"systemctl restart rke2-server\" for server hosts or \"systemctl restart rke2-agent\" for agent hosts.\n\nEdit the audit policy file, by default, located at /etc/rancher/rke2/audit-policy.yaml to look like the following:\n\napiVersion: audit.k8s.io/v1 kind: Policy metadata: name: rke2-audit-policy rules:\n\nlevel: Metadata resources:\ngroup: \"\" resources: [\"secrets\"]\nlevel: RequestResponse resources:\ngroup: \"\" resources: [\"*\"]\n\nIf configuration files are updated on a host, restart the RKE2 service using the command \"systemctl restart rke2-server\" for server hosts and \"systemctl restart rke2-agent\" for agent hosts.","ccis":["CCI-000018","CCI-000130","CCI-000131","CCI-000132","CCI-000133","CCI-000134","CCI-000135","CCI-000172","CCI-000366","CCI-001403","CCI-001404","CCI-001464","CCI-001487","CCI-003938","CCI-001851","CCI-001889","CCI-001890","CCI-002130","CCI-002234","CCI-002884"]},{"vulnId":"V-254556","ruleId":"SV-254556r1137638_rule","severity":"medium","ruleTitle":"The Kubernetes Controller Manager must have secure binding.","description":"Limiting the number of attack vectors and implementing authentication and encryption on the endpoints available to external sources is paramount when securing the overall Kubernetes cluster. The Controller Manager API service exposes port 10252/TCP by default for health and metrics information use. This port does not encrypt or authenticate connections. If this port is exposed externally, an attacker can use this port to attack the entire Kubernetes cluster. By setting the bind address to only localhost (i.e., 127.0.0.1), only those internal services that require health and metrics information can access the Control Manager API.","checkContent":"Ensure bind-address is set correctly. \n\nRun this command on the RKE2 Control Plane:\n/bin/ps -ef | grep kube-controller-manager | grep -v grep\n\nIf --bind-address is not set to \"127.0.0.1\" or is not configured, this is a finding.","fixText":"Edit the RKE2 Configuration File /etc/rancher/rke2/config.yaml on the RKE2 Control Plane and set the following \"kube-controller-manager-arg\" argument:\n- bind-address=127.0.0.1\n\nOnce the configuration file is updated, restart the RKE2 Server. Run the command:\nsystemctl restart rke2-server","ccis":["CCI-000213"]},{"vulnId":"V-254557","ruleId":"SV-254557r1137638_rule","severity":"medium","ruleTitle":"The Kubernetes Kubelet must have anonymous authentication disabled.","description":"RKE2 registry is used to store images and is the keeper of truth for trusted images within the platform. To guarantee the images' integrity, access to the registry must be limited to those individuals who need to perform tasks to the images such as the update, creation, or deletion. Without this control access, images can be deleted that are in use by RKE2 causing a denial of service (DoS), and images can be modified or introduced without going through the testing and validation process allowing for the intentional or unintentional introduction of containers with flaws and vulnerabilities.\n\nBy allowing anonymous connections, the controls put in place to secure the Kubelet can be bypassed. Setting anonymous authentication to \"false\" also disables unauthenticated requests from kubelets.\n\nWhile there are instances where anonymous connections may be needed (e.g., health checks) and Role-Based Access Controls (RBAC) are in place to limit the anonymous access, this access must be disabled and only enabled when necessary.","checkContent":"Ensure anonymous-auth is set correctly so anonymous requests will be rejected.\n\nRun this command on each node:\n/bin/ps -ef | grep kubelet | grep -v grep\n\nIf --anonymous-auth is set to \"true\" or is not configured, this is a finding.","fixText":"Edit the Kubernetes Kubelet file etc/rancher/rke2/config.yaml on the RKE2 Control Plane and set the following:\n--anonymous-auth=false\n\nOnce configuration file is updated, restart the RKE2 Agent. Run the command:\nsystemctl restart rke2-server","ccis":["CCI-000213"]},{"vulnId":"V-254559","ruleId":"SV-254559r1188303_rule","severity":"high","ruleTitle":"The Kubernetes Kubelet must have the read-only port flag disabled.","description":"Kubelet serves a small REST API with read access to port 10255. The read-only port for Kubernetes provides no authentication or authorization security control. Providing unrestricted access on port 10255 exposes Kubernetes pods and containers to malicious attacks or compromise. Port 10255 is deprecated and should be disabled. \n\nClose the read-only-port by setting the API server's read-only port flag to \"0\".","checkContent":"Ensure read-only-port is set so anonymous requests will be rejected.\n\nRun the following command on each node:\n\n/bin/ps -ef | grep kubelet | grep -v grep\n\nIf --read-only-port is not set to \"0\" or is not configured, this is a finding.","fixText":"Edit the RKE2 configuration file on all RKE2 hosts, located at /etc/rancher/rke2/config.yaml, to contain the following: kubelet-arg: --read-only-port=0\n\nIf configuration files are updated on a host, restart the RKE2 service using the command \"systemctl restart rke2-server\" for server hosts and \"systemctl restart rke2-agent\" for agent hosts.","ccis":["CCI-000213"]},{"vulnId":"V-254561","ruleId":"SV-254561r1137639_rule","severity":"high","ruleTitle":"The Kubernetes kubelet must enable explicit authorization.","description":"Kubelet is the primary agent on each node. The API server communicates with each kubelet to perform tasks such as starting/stopping pods. By default, kubelets allow all authenticated requests, even anonymous ones, without requiring any authorization checks from the API server. This default behavior bypasses any authorization controls put in place to limit what users may perform within the Kubernetes cluster. To change this behavior, the default setting of AlwaysAllow for the authorization mode must be set to \"Webhook\".","checkContent":"Ensure authorization-mode is set correctly in the kubelet on each rke2 node.\n\nRun this command on each node:\n/bin/ps -ef | grep kubelet | grep -v grep\n\nIf --authorization-mode is not set to \"Webhook\" or is not configured, this is a finding.","fixText":"Edit the RKE2 Configuration File /etc/rancher/rke2/config.yaml on every RKE2 node and set the following \"kubelet-arg\" argument:\n\n- authorization-mode=Webhook\n\nOnce the configuration file is updated, restart the RKE2 Server or Agent. Run the command:\nsystemctl restart rke2-server or systemctl restart rke2-agent","ccis":["CCI-000213"]},{"vulnId":"V-254562","ruleId":"SV-254562r1137640_rule","severity":"high","ruleTitle":"The Kubernetes API server must have anonymous authentication disabled.","description":"The Kubernetes API Server controls Kubernetes via an API interface. A user who has access to the API essentially has root access to the entire Kubernetes cluster. To control access, users must be authenticated and authorized. By allowing anonymous connections, the controls put in place to secure the API can be bypassed.\n\nSetting anonymous authentication to \"false\" also disables unauthenticated requests from kubelets.\n\nWhile there are instances where anonymous connections may be needed (e.g., health checks) and Role-Based Access Controls (RBAC) are in place to limit the anonymous access, this access should be disabled, and only enabled when necessary.","checkContent":"Ensure anonymous-auth argument is set correctly.\n\nRun this command on the RKE2 Control Plane:\n/bin/ps -ef | grep kube-apiserver | grep -v grep\n\nIf --anonymous-auth is set to \"true\" or is not configured, this is a finding.","fixText":"Edit the RKE2 Configuration File /etc/rancher/rke2/config.yaml on the RKE2 Control Plane and set the following \"kube-apiserver-arg\" argument:\n\n- anonymous-auth=false\n\nOnce the configuration file is updated, restart the RKE2 Server. Run the command:\nsystemctl restart rke2-server","ccis":["CCI-000213"]},{"vulnId":"V-254563","ruleId":"SV-254563r960906_rule","severity":"medium","ruleTitle":"All audit records must identify any containers associated with the event within Rancher RKE2.","description":"Ensure that the --audit-log-maxage argument is set to 30 or as appropriate.\n\nRetaining logs for at least 30 days ensures that you can go back in time and investigate or correlate any events. Set your audit log retention period to 30 days or as per your business requirements.\nResult: Pass","checkContent":"Ensure audit-log-maxage is set correctly.\n\nRun the below command on the RKE2 Control Plane:\n/bin/ps -ef | grep kube-apiserver | grep -v grep\n\nIf --audit-log-maxage argument is not set to at least 30 or is not configured, this is a finding. \n(By default, RKE2 sets the --audit-log-maxage argument parameter to 30.)","fixText":"Edit the RKE2 Configuration File /etc/rancher/rke2/config.yaml on the RKE2 Control Plane and set the following \"kube-apiserver-arg\" argument:\n\n- audit-log-maxage=30\n\nOnce the configuration file is updated, restart the RKE2 Server. Run the command:\nsystemctl restart rke2-server","ccis":["CCI-001487"]},{"vulnId":"V-254564","ruleId":"SV-254564r1156618_rule","severity":"medium","ruleTitle":"Configuration and authentication files for Rancher RKE2 must be protected.","description":"There are various configuration files, logs, access credentials, and other files stored on the host filesystem that contain sensitive information. \n\nThese files could potentially be put at risk, along with other specific workloads and components:\n- API server.\n- proxy.\n- scheduler.\n- controller.\n- etcd.\n- Kubernetes administrator account information.\n- audit log access, modification, and deletion.\n- application access, modification, and deletion.\n- container runtime files.\n\nIf an attacker can gain access to these files, changes can be made to open vulnerabilities and bypass user authorizations inherent within Kubernetes with RBAC implemented. It is crucial to ensure user permissions are enforced down through to the operating system. Protecting file permissions will ensure that if a nonprivileged user gains access to the system they will still not be able to access protected information from the cluster API, cluster configuration, and sensitive cluster information. This control relies on the underlying operating system also having been properly configured to allow only least privileged access to perform required operations.\n\nSatisfies: SRG-APP-000133-CTR-000300, SRG-APP-000133-CTR-000295, SRG-APP-000133-CTR-000305, SRG-APP-000133-CTR-000310","checkContent":"File system permissions:\n1. Verify correct permissions of the files in /etc/rancher/rke2.\ncd /etc/rancher/rke2\nls -l\n\nall owners are root:root\nall permissions are 0600\n\n2. Verify correct permissions of the files in /var/lib/rancher/rke2.\ncd /var/lib/rancher/rke2\nls -l \n\nall owners are root:root\n\n3. Verify correct permissions of the files and directories in /var/lib/rancher/rke2/agent.\ncd /var/lib/rancher/rke2/agent\nls -l\n\nowners and group are root:root\n\nFile permissions set to at least 0640 for the following:\nrke2controller.kubeconfig\nkubelet.kubeconfig\nkubeproxy.kubeconfig\n\nCertificate file permissions set to 0600:\nclient-ca.crt\nclient-kubelet.crt\nclient-kube-proxy.crt\nclient-rke2-controller.crt\nserver-ca.crt\nserving-kubelet.crt\n\nKey file permissions set to 0600:\nclient-kubelet.key\nserving-kubelet.key\nclient-rke2-controller.key\nclient-kube-proxy.key\n\nThe directory permissions to 0700:\npod-manifests\netc \n\n4. Verify correct permissions of the files in /var/lib/rancher/rke2/bin.\ncd /var/lib/rancher/rke2/bin\nls -l\n\nall owners are root:root\nall files are 0750\n\n5. Verify correct permissions of the directory /var/lib/rancher/rke2/data.\ncd /var/lib/rancher/rke2\nls -l\n\nowners are root:root\npermissions are 0750\n\n6. Verify correct permissions of each file in /var/lib/rancher/rke2/data.\ncd /var/lib/rancher/rke2/data\nls -l\n\nall owners are root:root\nall files are 0750\n\n7. Verify correct permissions of /var/lib/rancher/rke2/server.\ncd /var/lib/rancher/rke2/server\nls -l \n\nall owners are root:root\n\nThe following directories are set to 0700:\ncred\ndb\ntls \n\nThe following directories are set to 0750:\nmanifests \nlogs \n\nThe following file is set to 0600:\ntoken \n\n8. Verify the RKE2 Server configuration file on all RKE2 Server hosts contain the following:\n(cat /etc/rancher/rke2/config.yaml)\nwrite-kubeconfig-mode: \"0600\"\n\nIf any of the permissions specified above do not match the required level, this is a finding.","fixText":"File system permissions:\n1. Fix permissions of the files in /etc/rancher/rke2:\ncd /etc/rancher/rke2\nchmod 0600 ./*\nchown root:root ./*\nls -l\n\n2. Fix permissions of the files in /var/lib/rancher/rke2:\ncd /var/lib/rancher/rke2\nchown root:root ./*\nls -l\n\n3. Fix permissions of the files and directories in /var/lib/rancher/rke2/agent:\ncd /var/lib/rancher/rke2/agent\nchown root:root ./*\nchmod 0700 pod-manifests\nchmod 0700 etc\nfind . -maxdepth 1 -type f -name \"*.kubeconfig\" -exec chmod 0640 {} \\;\nfind . -maxdepth 1 -type f -name \"*.crt\" -exec chmod 0600 {} \\;\nfind . -maxdepth 1 -type f -name \"*.key\" -exec chmod 0600 {} \\;\nls -l\n\n4. Fix permissions of the files in /var/lib/rancher/rke2/bin:\ncd /var/lib/rancher/rke2/bin\nchown root:root ./*\nchmod 0750 ./*\nls -l\n\n5. Fix permissions directory of /var/lib/rancher/rke2/data:\ncd /var/lib/rancher/rke2\nchown root:root data\nchmod 0750 data\nls -l\n\n6. Fix permissions of files in /var/lib/rancher/rke2/data:\ncd /var/lib/rancher/rke2/data\nchown root:root ./*\nchmod 0750 ./*\nls -l\n\n7. Fix permissions in /var/lib/rancher/rke2/server:\ncd /var/lib/rancher/rke2/server\nchown root:root ./*\nchmod 0700 cred\nchmod 0700 db\nchmod 0700 tls\nchmod 0750 manifests\nchmod 0750 logs\nchmod 0600 token\nls -l\n\nEdit the RKE2 Server configuration file on all RKE2 Server hosts, located at /etc/rancher/rke2/config.yaml, to contain the following:\n\nwrite-kubeconfig-mode: \"0600\"\n\nOnce the configuration file is updated, restart the RKE2 Server. Run the command:\nsystemctl restart rke2-server","ccis":["CCI-001499"]},{"vulnId":"V-254565","ruleId":"SV-254565r960963_rule","severity":"medium","ruleTitle":"Rancher RKE2 must be configured with only essential configurations.","description":"It is important to disable any unnecessary components to reduce any potential attack surfaces. \n\nRKE2 allows disabling the following components:\n- rke2-canal\n- rke2-coredns\n- rke2-ingress-nginx\n- rke2-kube-proxy\n- rke2-metrics-server\n\nIf utilizing any of these components presents a security risk, or if any of the components are not required then they can be disabled by using the \"disable\" flag.\n\nIf any of the components are not required, they can be disabled by using the \"disable\" flag.\n\nSatisfies: SRG-APP-000141-CTR-000315, SRG-APP-000384-CTR-000915","checkContent":"Ensure the RKE2 Server configuration file on all RKE2 Server hosts contains a \"disable\" flag only if there are default RKE2 components that need to be disabled. \n\nIf there are no default components that need to be disabled, this is not a finding.\n\nRun this command on the RKE2 Control Plane:\ncat /etc/rancher/rke2/config.yaml\n\nRKE2 allows disabling the following components. If any of the components are not required, they can be disabled:\n- rke2-canal\n- rke2-coredns\n- rke2-ingress-nginx\n- rke2-kube-proxy\n- rke2-metrics-server\n\nIf services not in use are enabled, this is a finding.","fixText":"Disable unnecessary RKE2 components.\n\nEdit the RKE2 Server configuration file on all RKE2 Server hosts, located at /etc/rancher/rke2/config.yaml, so that it contains a \"disable\" flag if any default RKE2 components are unnecessary. \n\nExample:\ndisable: rke2-canal\ndisable: rke2-coredns\ndisable: rke2-ingress-nginx\ndisable: rke2-kube-proxy\ndisable: rke2-metrics-server\n\nOnce the configuration file is updated, restart the RKE2 Server. Run the command:\nsystemctl restart rke2-server","ccis":["CCI-000381","CCI-001764"]},{"vulnId":"V-254566","ruleId":"SV-254566r1173952_rule","severity":"medium","ruleTitle":"Rancher RKE2 runtime must enforce ports, protocols, and services that adhere to the PPSM CAL.","description":"Ports, protocols, and services within the RKE2 runtime must be controlled and conform to the PPSM CAL. Those ports, protocols, and services that fall outside the PPSM CAL must be blocked by the runtime. Instructions on the PPSM can be found in DOD Instruction 8551.01 Policy.\n\nRKE2 sets most ports and services configuration upon initiation; however, these ports can be changed after the fact to noncompliant configurations. It is important to verify core component configurations for compliance.\n\nAPI Server, Scheduler, Controller, ETCD, and User Pods should all be checked to verify proper PPS configuration.\n\nSatisfies: SRG-APP-000142-CTR-000325, SRG-APP-000142-CTR-000330, SRG-APP-000383-CTR-000910","checkContent":"Check Ports, Protocols, and Services (PPS).\nChange to the /var/lib/rancher/rke2/agent/pod-manifests directory on the Kubernetes RKE2 Control Plane. \nRun the command:\ngrep kube-apiserver.yaml -I -insecure-port\ngrep kube-apiserver.yaml -I -secure-port\ngrep kube-apiserver.yaml -I -etcd-servers *\n\nReview findings against the most recent PPSM CAL:\nhttps://cyber.mil/ppsm/cal/\n\nAny manifest and namespace PPS or services configuration not in compliance with PPSM CAL or otherwise approved by the information system security officer (ISSO) is a finding.\n\nIf there are any ports, protocols, and services in the system documentation not in compliance with the CAL PPSM or otherwise been approved by the ISSO, this is a finding. \n\nAny PPS not set in the system documentation or the RKE2 documentation (https://docs.rke2.io/install/requirements?_highlight=ports#networking) is a finding.\n\nVerify API Server network boundary with the PPS associated with the CAL Assurance Categories. Any PPS not in compliance with the CAL Assurance Category requirements or otherwise approved by the ISSO is a finding.\n\nReview findings against the most recent PPSM CAL:\nhttps://cyber.mil/ppsm/cal/\n\nRunning these commands individually will show what ports are currently configured to be used by each of the core components. Inspect this output and verify only proper ports are being utilized. If any ports not defined as the proper ports are being used, this is a finding.\n\n/var/lib/rancher/rke2/bin/kubectl get po -n kube-system -l component=kube-controller-manager -o=jsonpath=\"{.items[*].spec.containers[*].args}\"\n\n/var/lib/rancher/rke2/bin/kubectl get po -n kube-system -l component=kube-scheduler -o=jsonpath=\"{.items[*].spec.containers[*].args}\"\n\n/var/lib/rancher/rke2/bin/kubectl get po -n kube-system -l component=kube-apiserver -o=jsonpath=\"{.items[*].spec.containers[*].args}\" | grep tls-min-version\n\nVerify user pods:\nUser pods must be inspected to verify compliance on a case-by-case basis.\ncat /var/lib/rancher/rke2/server/db/etcd/config\n\nIf any ports not defined as the proper ports are being used or otherwise approved by the ISSO, this is a finding.","fixText":"Review the documentation covering how to set these PPSs and update this configuration file:\n\n/etc/rancher/rke2/config.yaml\n\nOnce the configuration file is updated, restart the RKE2 Server. Run the command:\nsystemctl restart rke2-server","ccis":["CCI-000382","CCI-001762"]},{"vulnId":"V-254567","ruleId":"SV-254567r1016559_rule","severity":"medium","ruleTitle":"Rancher RKE2 must store only cryptographic representations of passwords.","description":"Secrets, such as passwords, keys, tokens, and certificates should not be stored as environment variables. These environment variables are accessible inside RKE2 by the \"Get Pod\" API call, and by any system, such as CI/CD pipeline, which has access to the definition file of the container. Secrets must be mounted from files or stored within password vaults.","checkContent":"On the RKE2 Control Plane, run the following commands:\n\nkubectl get pods -A\nkubectl get jobs -A\nkubectl get cronjobs -A\n\nThis will output all running pods, jobs, and cronjobs. \n\nEvaluate each of the above commands using the respective commands below:\n\nkubectl get pod -n <namespace> <pod> -o yaml\nkubectl get job -n <namespace> <job> -o yaml\nkubectl get cronjob -n <namespace> <cronjob> -o yaml\n\nIf any contain sensitive values as environment variables, this is a finding.","fixText":"Any secrets stored as environment variables must be moved to the secret files with the proper protections and enforcements or placed within a password vault.","ccis":["CCI-004062","CCI-000196"]},{"vulnId":"V-254568","ruleId":"SV-254568r1188305_rule","severity":"medium","ruleTitle":"Rancher RKE2 must terminate all network connections associated with a communications session at the end of the session, or as follows: for in-band management sessions (privileged sessions), the session must be terminated after five minutes of inactivity.","description":"Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session will also free up resources committed by the managed network element. \n\nTerminating network connections associated with communications sessions includes, for example, de-allocating associated TCP/IP address/port pairs at the operating system level, or de-allocating networking assignments at the application level if multiple application sessions are using a single, operating-system-level network connection. This does not mean that the application terminates all sessions or network access; it only ends the inactive session and releases the resources associated with that session.","checkContent":"Ensure streaming-connection-idle-timeout argument is set correctly.\n\nRun this command on each node:\n/bin/ps -ef | grep kubelet | grep -v grep\n\nIf --streaming-connection-idle-timeout is set to < \"5m\", missing or the parameter is not configured, this is a finding.","fixText":"Edit the RKE2 configuration file on all RKE2 hosts, located at /etc/rancher/rke2/config.yaml, to contain the following:\n\nkubelet-arg: --streaming-connection-idle-timeout=5m\n\nIf configuration files are updated on a host, restart the RKE2 service using the command \"systemctl restart rke2-server\" for server hosts and \"systemctl restart rke2-agent\" for agent hosts.","ccis":["CCI-001133"]},{"vulnId":"V-254569","ruleId":"SV-254569r1188307_rule","severity":"medium","ruleTitle":"Rancher RKE2 runtime must isolate security functions from nonsecurity functions.","description":"RKE2 runs as isolated as possible.\n\nRKE2 is a container-based Kubernetes distribution. A container image is essentially a complete and executable version of an application, which relies only on the host's OS kernel. Running containers use resource isolation features in the OS kernel, such as cgroups in Linux, to run multiple independent containers on the same OS. Unless part of the core RKE2 system or configured explicitly, containers managed by RKE2 should not have access to host resources.\n\nProper hardening of the surrounding environment is independent of RKE2 but ensures overall security stature.\n\nWhen Kubernetes launches a container, there are several mechanisms available to ensure complete deployments:\n- When a primary container process fails it is destroyed rebooted.\n- When Liveness checks fail for the container deployment it is destroyed rebooted.\n- If a readiness check fails at any point after the deployment the container is destroyed rebooted.\n- Kubernetes has the ability to rollback a deployment configuration to a previous state if a deployment fails.\n- Failover traffic to a working replica if any of the previous problems are encountered.\n\nSystem kernel is responsible for memory, disk, and task management. The kernel provides a gateway between the system hardware and software. Kubernetes requires kernel access to allocate resources to the Control Plane. Threat actors that penetrate the system kernel can inject malicious code or hijack the Kubernetes architecture. It is vital to implement protections through Kubernetes components to reduce the attack surface.","checkContent":"Ensure protect-kernel-defaults argument is set correctly.\n\nRun this command on each node:\n/bin/ps -ef | grep kubelet | grep -v grep\n\nIf --protect-kernel-defaults is not set to \"true\", missing or is not configured, this is a finding.","fixText":"Edit the RKE2 configuration file on all RKE2 hosts, located at /etc/rancher/rke2/config.yaml, to contain the following:\n\nkubelet-arg: --protect-kernel-defaults=true\n\nIf configuration files are updated on a host, restart the RKE2 service using the command \"systemctl restart rke2-server\" for server hosts and \"systemctl restart rke2-agent\" for agent hosts.","ccis":["CCI-001084"]},{"vulnId":"V-254570","ruleId":"SV-254570r1137645_rule","severity":"medium","ruleTitle":"Rancher RKE2 runtime must maintain separate execution domains for each container by assigning each container a separate address space to prevent unauthorized and unintended information transfer via shared system resources.","description":"Separating user functionality from management functionality is a requirement for all the components within the Kubernetes Control Plane. Without the separation, users may have access to management functions that can degrade the Kubernetes architecture and the services being offered, and can offer a method to bypass testing and validation of functions before introduced into a production environment.\n\nSatisfies: SRG-APP-000243-CTR-000600, SRG-APP-000431-CTR-001065, SRG-APP-000211-CTR-000530, SRG-APP-000243-CTR-000595","checkContent":"System namespaces are reserved and isolated.\n\nTo view the available namespaces, run the command:\nkubectl get namespaces\n\nThe namespaces to be validated include:\ndefault\nkube-public\nkube-system\nkube-node-lease\n\nFor the default namespace, execute the commands:\nkubectl config set-context --current --namespace=default\nkubectl get all\n\nFor the kube-public namespace, execute the commands:\nkubectl config set-context --current --namespace=kube-public\nkubectl get all\n\nFor the kube-node-lease namespace, execute the commands:\nkubectl config set-context --current --namespace=kube-node-lease\nkubectl get all\n\nThe only return values are the Kubernetes service objects (e.g., service/kubernetes).\n\nFor the kube-system namespace, execute the commands:\nkubectl config set-context --current --namespace=kube-system\nkubectl get all\n\nThe values returned include the following resources:\n- ETCD\n- Helm\n- Kubernetes API Server\n- Kubernetes Controller Manager\n- Kubernetes Proxy\n- Kubernetes Scheduler\n- Kubernetes Networking Components\n- Ingress Controller Components\n- Metrics Server\n\nIf a return value from the \"kubectl get all\" command is not the Kubernetes service, one from the above lists, or a service otherwise approved by your Information Systems Security Officer (ISSO), this is a finding.","fixText":"System namespaces are reserved and isolated.\n\nA resource cannot move to a new namespace; the resource must be deleted and recreated in the new namespace.\n\nkubectl delete <resource_type> <resource_name>\nkubectl create -f <resource.yaml> --namespace=<user_created_namespace>","ccis":["CCI-001082","CCI-001090","CCI-002530"]},{"vulnId":"V-254571","ruleId":"SV-254571r1156616_rule","severity":"medium","ruleTitle":"Rancher RKE2 must prevent nonprivileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.","description":"Admission controllers intercept requests to the Kubernetes API before an object is instantiated. Enabling the admissions webhook allows for Kubernetes to apply policies against objects that are to be created, read, updated or deleted.\n\nAdmissions controllers can be used for:\n- Prevent pod’s ability to run privileged containers\n- Prevent pod’s ability to use privileged escalation\n- Controlling pod’s access to volume types\n- Controlling pod’s access to host file system\n- Controlling pod’s usage of host networking objects and configuration\n\nSatisfies: SRG-APP-000340-CTR-000770, SRG-APP-000342-CTR-000775","checkContent":"On each controlplane node, retrieve the \"pod-security-admission-config-file\" value from the RKE2 config file (/etc/rancher/rke2/config.yaml). For example:\n\npod-security-admission-config-file: /etc/rancher/rke2/rke2-pss-custom.yaml\n\nValidate that the file referenced by \"pod-security-admission-config-file\" exists and the default configuration settings match the following:\n\n    defaults:\n      audit: restricted\n      audit-version: latest\n      enforce: restricted\n      enforce-version: latest\n      warn: restricted\n      warn-version: latest\n\nIf \"pod-security-admission-config-file\" is not set, the file does not exist, or the configuration file differs from the above, this is a finding.","fixText":"On each Control Plane node, create the file \"/etc/rancher/rke2/rke2-pss-custom.yaml\" and add the following content:\n\napiVersion: apiserver.config.k8s.io/v1\nkind: AdmissionConfiguration\nplugins:\n- name: PodSecurity\n  configuration:\n    apiVersion: pod-security.admission.config.k8s.io/v1beta1\n    kind: PodSecurityConfiguration\n    defaults:\n      enforce: \"restricted\"\n      enforce-version: \"latest\"\n      audit: \"restricted\"\n      audit-version: \"latest\"\n      warn: \"restricted\"\n      warn-version: \"latest\"\n    exemptions:\n      usernames: []\n      runtimeClasses: []\n      namespaces: [kube-system, cis-operator-system, tigera-operator]\n\nVerify the namespace exemptions contain only namespaces requiring access to capabilities outside of the restricted settings above.\n\nOnce the file is created, add the following to the RKE2 config file (/etc/rancher/rke2/config.yaml):\n\npod-security-admission-config-file: /etc/rancher/rke2/rke2-pss-custom.yaml\n\nOnce the \"pod-security-admission-config-file\" has been added, restart the Control Plane nodes with:\n\nsystemctl restart rke2-server","ccis":["CCI-002233","CCI-002235"]},{"vulnId":"V-254572","ruleId":"SV-254572r1016560_rule","severity":"medium","ruleTitle":"Rancher RKE2 must prohibit the installation of patches, updates, and instantiation of container images without explicit privileged status.","description":"Controlling access to those users and roles responsible for patching and updating RKE2 reduces the risk of untested or potentially malicious software from being installed within the platform. This access may be separate from the access required to install container images into the registry and those access requirements required to instantiate an image into a service. Explicit privileges (escalated or administrative privileges) provide the regular user with explicit capabilities and control that exceeds the rights of a regular user.\n\nKubernetes uses the API Server to control communication to the other services that makeup Kubernetes. The use of authorizations and not the default of \"AlwaysAllow\" enables the Kubernetes functions control to only the groups that need them.\n\nTo control access, the API server must have one of the following options set for the authorization mode:\n    --authorization-mode=ABAC Attribute-Based Access Control (ABAC) mode allows a user to configure policies using local files.\n    --authorization-mode=RBAC Role-based access control (RBAC) mode allows a user to create and store policies using the Kubernetes API.\n    --authorization-mode=Webhook\nWebHook is an HTTP callback mode that allows a user to manage authorization using a remote REST endpoint.\n    --authorization-mode=Node \nNode authorization is a special-purpose authorization mode that specifically authorizes API requests made by kubelets.\n    --authorization-mode=AlwaysDeny \nThis flag blocks all requests. Use this flag only for testing.\n\nSatisfies: SRG-APP-000378-CTR-000880, SRG-APP-000378-CTR-000885","checkContent":"Ensure authorization-mode is set correctly in the apiserver.\n\nRun this command on all RKE2 Control Plane hosts:\n/bin/ps -ef | grep kube-apiserver | grep -v grep\n\nIf  --authorization-mode is not set to \"RBAC,Node\" or is not configured, this is a finding.\n(By default, RKE2 sets Node,RBAC as the parameter to the --authorization-mode argument.)","fixText":"Edit the RKE2 Server configuration file on all RKE2 Control Plane hosts, located at /etc/rancher/rke2/config.yaml, to contain the following:\n\n kube-apiserver-arg:\n--authorization-mode=RBAC,Node\n\nOnce configuration file is updated, restart the RKE2 Server. Run the command:\nsystemctl restart rke2-server","ccis":["CCI-003980","CCI-001812"]},{"vulnId":"V-254574","ruleId":"SV-254574r961677_rule","severity":"medium","ruleTitle":"Rancher RKE2 must remove old components after updated versions have been installed.","description":"Previous versions of Rancher RKE2 components that are not removed after updates have been installed may be exploited by adversaries by causing older components to execute which contain vulnerabilities. When these components are deleted, the likelihood of this happening is removed.","checkContent":"To view all pods and the images used to create the pods, from the RKE2 Control Plane, run the following command:\n\nkubectl get pods --all-namespaces -o jsonpath=\"{..image}\" | \\\ntr -s '[[:space:]]' '\\n' | \\\nsort | \\\nuniq -c\n\nReview the images used for pods running within Kubernetes.\nIf there are multiple versions of the same image, this is a finding.","fixText":"Remove any old pods that are using older images. On the RKE2 Control Plane, run the command:\n\nkubectl delete pod podname\n(Note: \"podname\" is the name of the pod to delete.)\n\nRun the command:\nsystemctl restart rke2-server","ccis":["CCI-002617"]},{"vulnId":"V-254575","ruleId":"SV-254575r1137649_rule","severity":"medium","ruleTitle":"Rancher RKE2 registry must contain the latest images with most recent updates and execute within Rancher RKE2 runtime as authorized by IAVM, CTOs, DTMs, and STIGs.","description":"Software supporting RKE2, images in the registry must stay up to date with the latest patches, service packs, and hot fixes. Not updating RKE2 and container images will expose the organization to vulnerabilities.\n\nFlaws discovered during security assessments, continuous monitoring, incident response activities, or information system error handling must also be addressed expeditiously.\n\nOrganization-defined time periods for updating security-relevant container platform components may vary based on a variety of factors including, for example, the security category of the information system or the criticality of the update (i.e., severity of the vulnerability related to the discovered flaw).\n\nThis requirement will apply to software patch management solutions used to install patches across the enclave and to applications themselves that are not part of that patch management solution. For example, many browsers today provide the capability to install their own patch software. Patch criticality, as well as system criticality will vary. Therefore, the tactical situations regarding the patch management process will also vary. This means that the time period utilized must be a configurable parameter. Time frames for application of security-relevant software updates may be dependent upon the Information Assurance Vulnerability Management (IAVM) process.\n\nRKE2 components will be configured to check for and install security-relevant software updates within an identified time period from the availability of the update. RKE2 registry will ensure the images are current. The specific time period will be defined by an authoritative source (e.g., IAVM, CTOs, DTMs, and STIGs).","checkContent":"Authenticate on the RKE2 Control Plane.\n\nVerify all nodes in the cluster are running a supported version of RKE2 Kubernetes. \nRun command:\n\nkubectl get nodes\n\nIf any nodes are running an unsupported version of RKE2 Kubernetes, this is a finding.\n\nVerify all images running in the cluster are patched to the latest version.\nRun command:\n\nkubectl get pods --all-namespaces -o jsonpath=\"{.items[*].spec.containers[*].image}\" | tr -s '[[:space:]]' '\\n' | sort | uniq -c\n\nIf any images running in the cluster are not the latest version, this is a finding.\n\nNote: Kubernetes release support levels can be found at: https://kubernetes.io/releases/","fixText":"Upgrade RKE2 to the supported version. Institute and adhere to the policies and procedures to ensure that patches are consistently applied within the time allowed.","ccis":["CCI-002605"]},{"vulnId":"V-268321","ruleId":"SV-268321r1017019_rule","severity":"medium","ruleTitle":"Rancher RKE2 must be built from verified packages.","description":"Only RKE2 images that have been properly signed by Rancher Government's authorized key will be deployed to ensure the cluster's security and compliance with organizational policies.","checkContent":"Utilizing Hauler (https://hauler.dev), ensure all RKE2 Kubernetes Container images running in the RKE2 cluster have been obtained and their signatures have been validated and signed by Rancher Government Solutions Private Key. \nFor reference, the public key is available at: \nhttps://raw.githubusercontent.com/rancherfederal/carbide-releases/main/carbide-key.pub\n\nFor more information about verifying the signatures of Carbide images, including RKE2, see: \nhttps://rancherfederal.github.io/carbide-docs/docs/registry-docs/validating-images\n\nIf any RKE2 images are identified as not being signed by the Rancher Government Solutions' private key, this is a finding.","fixText":"Immediate action must be taken to remove non-verifiable images from the cluster and replace them with verifiable images. \n\nUtilize Hauler (https://hauler.dev) to pull and verify RKE2 images from Rancher Government Solutions Carbide Repository.\n\nFor more information about pulling Carbide images and their signatures, including RKE2, see: \nhttps://rancherfederal.github.io/carbide-docs/docs/registry-docs/downloading-images","ccis":["CCI-001749"]}]}