V-268321

CAT II (Medium)

Rancher RKE2 must be built from verified packages.

Rule ID

SV-268321r1017019_rule

STIG

Rancher Government Solutions RKE2 Security Technical Implementation Guide

Version

V2R6

CCIs

CCI-001749

Discussion

Only RKE2 images that have been properly signed by Rancher Government's authorized key will be deployed. This ensures the cluster's security and compliance with organizational policies.

Check Content

Using Hauler (https://hauler.dev), confirm that every RKE2 Kubernetes container image running in the RKE2 cluster was obtained with its signature validated, and that the signature was made with the Rancher Government Solutions private key.
For reference, the public key is available at:
https://raw.githubusercontent.com/rancherfederal/carbide-releases/main/carbide-key.pub

For more information about verifying the signatures of Carbide images, including RKE2, see: 
https://rancherfederal.github.io/carbide-docs/docs/registry-docs/validating-images

If any RKE2 images are identified as not being signed by the Rancher Government Solutions' private key, this is a finding.

Fix Text

Immediate action must be taken to remove non-verifiable images from the cluster and replace them with verifiable images. 

Use Hauler (https://hauler.dev) to pull and verify RKE2 images from the Rancher Government Solutions Carbide Repository.

For more information about pulling Carbide images and their signatures, including RKE2, see: 
https://rancherfederal.github.io/carbide-docs/docs/registry-docs/downloading-images