
V-254570

CAT II (Medium)

Rancher RKE2 runtime must maintain separate execution domains for each container by assigning each container a separate address space to prevent unauthorized and unintended information transfer via shared system resources.

Rule ID

SV-254570r1137645_rule

STIG

Rancher Government Solutions RKE2 Security Technical Implementation Guide

Version

V2R6

CCIs

CCI-001082, CCI-001090, CCI-002530

Discussion

Separating user functionality from management functionality is a requirement for all the components within the Kubernetes Control Plane. Without this separation, users may gain access to management functions that can degrade the Kubernetes architecture and the services being offered, and that separation's absence offers a way to bypass testing and validation of functions before they are introduced into a production environment.

Satisfies: SRG-APP-000243-CTR-000600, SRG-APP-000431-CTR-001065, SRG-APP-000211-CTR-000530, SRG-APP-000243-CTR-000595

Check Content

System namespaces are reserved and isolated.

To view the available namespaces, run the command:
kubectl get namespaces

The namespaces to be validated include:
default
kube-public
kube-system
kube-node-lease

For the default namespace, execute the commands:
kubectl config set-context --current --namespace=default
kubectl get all

For the kube-public namespace, execute the commands:
kubectl config set-context --current --namespace=kube-public
kubectl get all

For the kube-node-lease namespace, execute the commands:
kubectl config set-context --current --namespace=kube-node-lease
kubectl get all

For the default namespace, the only object returned should be the cluster's own API service (service/kubernetes). The kube-public and kube-node-lease namespaces should return no resources at all (kubectl reports "No resources found").

For the kube-system namespace, execute the commands:
kubectl config set-context --current --namespace=kube-system
kubectl get all

The values returned include the following resources:
- ETCD
- Helm
- Kubernetes API Server
- Kubernetes Controller Manager
- Kubernetes Proxy
- Kubernetes Scheduler
- Kubernetes Networking Components
- Ingress Controller Components
- Metrics Server

If a return value from the "kubectl get all" command is not the Kubernetes service, one from the above lists, or a service otherwise approved by your Information Systems Security Officer (ISSO), this is a finding.

Note that "kubectl config set-context --current --namespace=..." rewrites the namespace stored in the kubeconfig's current context; restore it when the check is finished, or run "kubectl get all -n <namespace>" instead so the kubeconfig is left untouched.
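The check above is a manual review of four namespaces against a list of approved resources. The script below, an added example that is not part of the STIG or of STIGhub, turns that into an allowlist audit: each namespace's "kubectl get all -o name" output is compared line by line against a regular expression of approved kind/name prefixes, and every unmatched line is reported as a finding. It assumes kubectl is on PATH with a kubeconfig that can list resources in all four namespaces; the rke2-* and helm-install-* prefixes are the defaults of a stock RKE2 install and stand in for whatever list your ISSO has approved. The kube-system sample output is constructed for the offline demonstration.

```shell
#!/bin/sh
# Added example (not from the STIG or STIGhub): audit the four reserved
# namespaces against an allowlist instead of eyeballing "kubectl get all".
# Assumptions: kubectl is on PATH with a kubeconfig that can list resources
# in every namespace; the rke2-* / helm-install-* prefixes below are the
# defaults of a stock RKE2 install and must be replaced with the resource
# names your ISSO has approved.

# default: only the API server's own ClusterIP service may be present.
ALLOW_DEFAULT='^service/kubernetes$'
# kube-public and kube-node-lease: "kubectl get all" should list nothing, so a
# pattern that matches no non-empty line turns every returned line into a finding.
ALLOW_EMPTY='^$'
# kube-system: control-plane static pods (<component>-<node>), RKE2's
# helm-install jobs and its packaged charts (Canal, CoreDNS, ingress-nginx,
# metrics-server). Illustrative prefixes only; tune to the approved list.
ALLOW_KUBE_SYSTEM='/(etcd-|kube-apiserver-|kube-controller-manager-|kube-scheduler-|kube-proxy-|cloud-controller-manager-|helm-install-|rke2-canal|rke2-coredns|rke2-ingress-nginx|rke2-metrics-server)'

# audit_namespace NAMESPACE ALLOW_REGEX
# Reads "kubectl get all -o name" output (one <kind>/<name> per line) on
# stdin, prints one FINDING line per unapproved resource and returns 1 when
# anything was flagged, 0 when the namespace is clean.
audit_namespace() {
    ns=$1
    allow=$2
    findings=0
    while IFS= read -r res || [ -n "$res" ]; do
        case "$res" in
            ''|'No resources found'*) continue ;;   # blank line or empty namespace
        esac
        if printf '%s\n' "$res" | grep -Eq -- "$allow"; then
            continue                                # approved resource
        fi
        printf 'FINDING: %s contains unapproved resource %s\n' "$ns" "$res"
        findings=$((findings + 1))
    done
    [ "$findings" -eq 0 ]
}

# run_live_audit: query the cluster with -n rather than rewriting the
# kubeconfig's current context as the STIG check text does.
run_live_audit() {
    rc=0
    kubectl get all -n default         -o name | audit_namespace default         "$ALLOW_DEFAULT"     || rc=1
    kubectl get all -n kube-public     -o name | audit_namespace kube-public     "$ALLOW_EMPTY"       || rc=1
    kubectl get all -n kube-node-lease -o name | audit_namespace kube-node-lease "$ALLOW_EMPTY"       || rc=1
    kubectl get all -n kube-system     -o name | audit_namespace kube-system     "$ALLOW_KUBE_SYSTEM" || rc=1
    return $rc
}

# Constructed sample of "kubectl get all -n kube-system -o name" from a stock
# RKE2 node, plus one workload deployment (payroll-web) that does not belong.
SAMPLE_KUBE_SYSTEM='pod/etcd-node1
pod/kube-apiserver-node1
pod/helm-install-rke2-canal-x7k2q
daemonset.apps/rke2-canal
deployment.apps/rke2-coredns-rke2-coredns
service/rke2-coredns-rke2-coredns
deployment.apps/rke2-metrics-server
job.batch/helm-install-rke2-canal
deployment.apps/payroll-web'

# audit_sample: offline run on the constructed sample; returns 1 because
# payroll-web is flagged.
audit_sample() {
    printf '%s\n' "$SAMPLE_KUBE_SYSTEM" | audit_namespace kube-system "$ALLOW_KUBE_SYSTEM"
}

if [ "${1:-}" = "--live" ]; then
    if run_live_audit; then echo "all four system namespaces are clean"; else echo "findings present"; fi
else
    if audit_sample; then echo "sample is clean"; else echo "sample has findings"; fi
fi
```

Run it with "--live" against a real cluster, or without arguments to see the constructed sample produce one finding. Two caveats the STIG check inherits: "kubectl get all" only covers the core workload kinds (pods, services, deployments, daemonsets, replicasets, statefulsets, jobs, cronjobs), so ConfigMaps, Secrets, Leases and CRD-backed objects in these namespaces are not inspected; and the allowlist is intentionally a prefix match, so review any entry before adding it.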

Fix Text

System namespaces are reserved and isolated.

A resource cannot be moved to a new namespace; it must be deleted and recreated in the new namespace.

kubectl delete <resource_type> <resource_name>
kubectl create -f <resource.yaml> --namespace=<user_created_namespace>

If the manifest sets metadata.namespace, change it there to the user-created namespace before recreating the object; kubectl refuses to create an object whose manifest namespace differs from the one given with --namespace.