STIGhub

V-254571

CAT II (Medium)

Rancher RKE2 must prevent nonprivileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.

Rule ID

SV-254571r1156616_rule

STIG

Rancher Government Solutions RKE2 Security Technical Implementation Guide

Version

V2R6

CCIs

CCI-002233, CCI-002235

Discussion

Admission controllers intercept requests to the Kubernetes API server after authentication and authorization but before the object is persisted. Enabling the Pod Security admission plugin allows Kubernetes to apply policies to pod objects that are created, read, updated, or deleted. Admission controllers can be used to:

  • Prevent a pod from running privileged containers
  • Prevent a pod from using privilege escalation
  • Control a pod's access to volume types
  • Control a pod's access to the host file system
  • Control a pod's use of host networking objects and configuration

Satisfies: SRG-APP-000340-CTR-000770, SRG-APP-000342-CTR-000775

Check Content

On each control plane node, retrieve the "pod-security-admission-config-file" value from the RKE2 config file (/etc/rancher/rke2/config.yaml). For example:

pod-security-admission-config-file: /etc/rancher/rke2/rke2-pss-custom.yaml

Validate that the file referenced by "pod-security-admission-config-file" exists and that its "defaults" block matches the following (key order and quoting of the values are immaterial in YAML; the values themselves must match):

    defaults:
      audit: restricted
      audit-version: latest
      enforce: restricted
      enforce-version: latest
      warn: restricted
      warn-version: latest

If "pod-security-admission-config-file" is not set, the referenced file does not exist, or its "defaults" block differs from the above, this is a finding.
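The check above is a manual read of two files on every control plane node. The following script automates it: it resolves "pod-security-admission-config-file" from config.yaml, confirms the referenced file exists, verifies all six "defaults" values, and prints the exempted namespaces for the manual review the Fix Text asks for. This is an added example, not code from the STIG, DISA, or Rancher Government Solutions. It assumes the default config path /etc/rancher/rke2/config.yaml (overridable as the first argument) and uses constructed sample files in a temporary directory so it runs offline; the function and file names are illustrative.

```sh
#!/bin/sh
# Added example for checking V-254571 (not part of the STIG or RKE2).
# Usage on a node:   sh check_v254571.sh                 (reads /etc/rancher/rke2/config.yaml)
#                    sh check_v254571.sh /path/config.yaml

# Return 0 if the six "defaults" keys in PSS file $1 are restricted/latest, 1 otherwise.
# Accepts bare and quoted values, so both `enforce: restricted` and `enforce: "restricted"` pass.
pss_defaults_ok() {
  f="$1"
  for pair in \
    'enforce:restricted' 'enforce-version:latest' \
    'audit:restricted'   'audit-version:latest' \
    'warn:restricted'    'warn-version:latest'
  do
    key="${pair%%:*}"; want="${pair#*:}"
    # The colon right after the key keeps `enforce:` from matching `enforce-version:`.
    got=$(sed -n "s/^[[:space:]]*${key}:[[:space:]]*[\"']\{0,1\}\([A-Za-z0-9.]*\)[\"']\{0,1\}[[:space:]]*$/\1/p" "$f" | head -n 1)
    [ "$got" = "$want" ] || { echo "FINDING: ${key}=${got:-<missing>} in $f (want ${want})"; return 1; }
  done
  return 0
}

# Full V-254571 check for one node. Returns 0 = compliant, 1 = finding.
check_v254571() {
  cfg="${1:-/etc/rancher/rke2/config.yaml}"
  [ -r "$cfg" ] || { echo "FINDING: cannot read $cfg"; return 1; }
  pss=$(sed -n 's/^pod-security-admission-config-file:[[:space:]]*//p' "$cfg" | tr -d "\"'" | head -n 1)
  [ -n "$pss" ] || { echo "FINDING: pod-security-admission-config-file not set in $cfg"; return 1; }
  [ -r "$pss" ] || { echo "FINDING: $pss does not exist or is unreadable"; return 1; }
  pss_defaults_ok "$pss" || return 1
  echo "OK: $pss sets enforce, audit and warn to restricted/latest"
  # Exemptions bypass all three modes; they are not judged here, only surfaced for review.
  sed -n 's/^[[:space:]]*namespaces:[[:space:]]*//p' "$pss" | sed 's/^/  exempt namespaces (review manually): /'
  return 0
}

# --- Constructed sample inputs so the example runs offline (not real node files) ---
DEMO=$(mktemp -d)
cat > "$DEMO/config.yaml" <<EOF
write-kubeconfig-mode: "0600"
pod-security-admission-config-file: $DEMO/rke2-pss-custom.yaml
EOF
cat > "$DEMO/rke2-pss-custom.yaml" <<'EOF'
apiVersion: apiserver.config.k8s.io/v1
kind: AdmissionConfiguration
plugins:
- name: PodSecurity
  configuration:
    apiVersion: pod-security.admission.config.k8s.io/v1beta1
    kind: PodSecurityConfiguration
    defaults:
      enforce: "restricted"
      enforce-version: "latest"
      audit: "restricted"
      audit-version: "latest"
      warn: "restricted"
      warn-version: "latest"
    exemptions:
      usernames: []
      runtimeClasses: []
      namespaces: [kube-system, cis-operator-system, tigera-operator]
EOF
# Non-compliant variant: enforce relaxed to "privileged" (audit/warn still restricted).
sed 's/enforce: "restricted"/enforce: "privileged"/' "$DEMO/rke2-pss-custom.yaml" > "$DEMO/weak.yaml"
printf 'pod-security-admission-config-file: %s\n' "$DEMO/weak.yaml" > "$DEMO/config-weak.yaml"
# Non-compliant variant: option not set at all.
printf 'write-kubeconfig-mode: "0600"\n' > "$DEMO/config-unset.yaml"

# Demonstration run against the three constructed configs.
check_v254571 "$DEMO/config.yaml"       || echo "  -> finding"
check_v254571 "$DEMO/config-weak.yaml"  || echo "  -> finding"
check_v254571 "$DEMO/config-unset.yaml" || echo "  -> finding"
```

Run it on each control plane node, since the STIG scopes the check per node and a single node with a stale or missing file is a finding. The file check only proves what the API server will load at its next start; to confirm the policy is live, apply a pod manifest with `securityContext.privileged: true` into a non-exempt namespace using `kubectl apply --dry-run=server`, which runs admission without persisting anything and must be rejected by the PodSecurity plugin.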

Fix Text

On each Control Plane node, create the file "/etc/rancher/rke2/rke2-pss-custom.yaml" and add the following content:

apiVersion: apiserver.config.k8s.io/v1
kind: AdmissionConfiguration
plugins:
- name: PodSecurity
  configuration:
    apiVersion: pod-security.admission.config.k8s.io/v1beta1
    kind: PodSecurityConfiguration
    defaults:
      enforce: "restricted"
      enforce-version: "latest"
      audit: "restricted"
      audit-version: "latest"
      warn: "restricted"
      warn-version: "latest"
    exemptions:
      usernames: []
      runtimeClasses: []
      namespaces: [kube-system, cis-operator-system, tigera-operator]

Verify that the namespace exemptions contain only namespaces that require capabilities outside the restricted profile above. An exempted namespace bypasses the enforce, audit, and warn modes entirely, so every entry in that list is an exception to this control and should be justified.

Once the file is created, add the following to the RKE2 config file (/etc/rancher/rke2/config.yaml):

pod-security-admission-config-file: /etc/rancher/rke2/rke2-pss-custom.yaml

Once "pod-security-admission-config-file" has been added, restart the rke2-server service on each control plane node (the API server reads the admission configuration only at startup):

systemctl restart rke2-server