
STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

© 2026 Beacon Cloud Solutions, Inc. All rights reserved.

Rancher Government Solutions RKE2 Security Technical Implementation Guide

Version

V2R6

Release Date

Feb 13, 2026

SCAP Benchmark ID

RGS_RKE2_STIG

Total Checks

21

Tags

other

Severity breakdown

CAT I: 4, CAT II: 17, CAT III: 0

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.


Checks (21)

  • V-254553 [HIGH]: Rancher RKE2 must protect authenticity of communications sessions with the use of FIPS-validated 140-2 or 140-3 security requirements for cryptographic modules.
  • V-254554 [MEDIUM]: RKE2 must use a centralized user management solution to support account management functions.
  • V-254555 [MEDIUM]: Rancher RKE2 components must be configured in accordance with the security configuration settings based on DOD security configuration or implementation guidance, including SRGs, STIGs, NSA configuration guides, CTOs, and DTMs.
  • V-254556 [MEDIUM]: The Kubernetes Controller Manager must have secure binding.
  • V-254557 [MEDIUM]: The Kubernetes Kubelet must have anonymous authentication disabled.
  • V-254559 [HIGH]: The Kubernetes Kubelet must have the read-only port flag disabled.
  • V-254561 [HIGH]: The Kubernetes kubelet must enable explicit authorization.
  • V-254562 [HIGH]: The Kubernetes API server must have anonymous authentication disabled.
  • V-254563 [MEDIUM]: All audit records must identify any containers associated with the event within Rancher RKE2.
  • V-254564 [MEDIUM]: Configuration and authentication files for Rancher RKE2 must be protected.
  • V-254565 [MEDIUM]: Rancher RKE2 must be configured with only essential configurations.
  • V-254566 [MEDIUM]: Rancher RKE2 runtime must enforce ports, protocols, and services that adhere to the PPSM CAL.
  • V-254567 [MEDIUM]: Rancher RKE2 must store only cryptographic representations of passwords.
  • V-254568 [MEDIUM]: Rancher RKE2 must terminate all network connections associated with a communications session at the end of the session, or as follows: for in-band management sessions (privileged sessions), the session must be terminated after five minutes of inactivity.
  • V-254569 [MEDIUM]: Rancher RKE2 runtime must isolate security functions from nonsecurity functions.
  • V-254570 [MEDIUM]: Rancher RKE2 runtime must maintain separate execution domains for each container by assigning each container a separate address space to prevent unauthorized and unintended information transfer via shared system resources.
  • V-254571 [MEDIUM]: Rancher RKE2 must prevent nonprivileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.
  • V-254572 [MEDIUM]: Rancher RKE2 must prohibit the installation of patches, updates, and instantiation of container images without explicit privileged status.
  • V-254574 [MEDIUM]: Rancher RKE2 must remove old components after updated versions have been installed.
  • V-254575 [MEDIUM]: Rancher RKE2 registry must contain the latest images with most recent updates and execute within Rancher RKE2 runtime as authorized by IAVM, CTOs, DTMs, and STIGs.
  • V-268321 [MEDIUM]: Rancher RKE2 must be built from verified packages.