Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-252849 | CNTR-RM-001730 | SV-252849r819997_rule | | High |
Description |
---|
The container platform and its components must adhere to NIST SP 800-52 Rev. 2 (the TLS guidelines). To ensure that traffic arriving through the ingress controller is re-encrypted on the internal hop to Rancher, remove the plaintext port 80 entry from the Rancher Service object and direct ingress traffic to port 443 over HTTPS. |
STIG | Date |
---|---|
Rancher Government Solutions Multi-Cluster Manager Security Technical Implementation Guide | 2022-08-31 |
Check Text ( C-56305r819995_chk ) |
---|
Navigate to Triple Bar Symbol (Global) >> From the kubectl shell (>_) execute:

```shell
kubectl get ingress -n cattle-system rancher -o yaml
```

Verify that the Ingress backend points at the rancher Service on port 443:

```yaml
spec:
  rules:
  - host: rancher.example.com
    http:
      paths:
      - backend:
          service:
            name: rancher
            port:
              number: 443
```

Then execute:

```shell
kubectl get svc rancher -n cattle-system -o yaml
```

Verify that the Service exposes only the https-internal port on 443 and has no port 80 entry (the clusterIP values are environment-specific and will differ):

```yaml
spec:
  clusterIP: 10.43.145.4
  clusterIPs:
  - 10.43.145.4
  ipFamilies:
  - IPv4
  ipFamilyPolicy: SingleStack
  ports:
  - name: https-internal
    port: 443
    protocol: TCP
    targetPort: 443
```

If the output does not match the above, this is a finding. |
Fix Text (F-56255r819996_fix) |
---|
From the dropdown select Global >> From the kubectl shell (>_) execute the following. Set RANCHER_HOSTNAME to your own Rancher hostname; the value below is the STIG's example. The annotation key is case-sensitive and must be the lowercase nginx.ingress.kubernetes.io/backend-protocol.

```shell
kubectl patch -n cattle-system service rancher -p '{"spec":{"ports":[{"port":443,"targetPort":443}]}}'

export RANCHER_HOSTNAME=rancher.disa-eval-2-6.tomatodamato.com

kubectl -n cattle-system patch ingress rancher -p "{\"metadata\":{\"annotations\":{\"nginx.ingress.kubernetes.io/backend-protocol\":\"HTTPS\"}},\"spec\":{\"rules\":[{\"host\":\"$RANCHER_HOSTNAME\",\"http\":{\"paths\":[{\"backend\":{\"service\":{\"name\":\"rancher\",\"port\":{\"number\":443}}},\"pathType\":\"ImplementationSpecific\"}]}}]}}"

kubectl patch -n cattle-system service rancher --type=json -p '[{"op":"remove","path":"/spec/ports/0"}]'
```

The first patch is a strategic merge keyed on port, so it creates or updates the 443 entry without touching the others. The last patch is a JSON Patch that removes the Service port at index 0 by position, not by value; confirm with kubectl get svc rancher -n cattle-system -o yaml that index 0 is the port 80 entry before running it, and re-run the Check Text afterwards. |
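The Check Text above is a visual comparison of YAML. The script below is an added example, not part of the STIG or of Rancher, that applies the same check to the JSON that `kubectl get service rancher -n cattle-system -o json` and `kubectl get ingress rancher -n cattle-system -o json` return, so the verification can be run as part of a compliance job. It generalizes slightly: it flags any Service port other than 443->443 (not just port 80), tolerates named targetPorts by reporting them rather than crashing, and checks every Ingress rule rather than one. The function names (`audit_service`, `audit_ingress`, `audit`, `fetch_live`) are this script's own, and the sample objects at the bottom are constructed to mirror the STIG's expected values and the pre-fix state, not captured from a cluster.

```python
"""Scripted check for V-252849 (added example; not STIG or Rancher code)."""
import json
import subprocess
from typing import Any, Optional

# Annotation key is case-sensitive: lowercase "kubernetes.io".
BACKEND_PROTOCOL_ANNOTATION = "nginx.ingress.kubernetes.io/backend-protocol"
EXPECTED_PORT = 443


def _port_number(value: Any) -> Optional[int]:
    """kubectl emits numeric ports as ints; accept digit strings, reject names/bools."""
    if isinstance(value, bool):
        return None
    if isinstance(value, int):
        return value
    if isinstance(value, str) and value.isdigit():
        return int(value)
    return None  # a named targetPort (e.g. "https") cannot be verified as 443


def audit_service(svc: dict) -> list:
    """Every remaining Service port must be 443 -> 443; a port 80 entry is a finding."""
    findings = []
    ports = (svc.get("spec") or {}).get("ports") or []
    if not ports:
        findings.append("service has no ports; Rancher would be unreachable")
    for p in ports:
        port, target = _port_number(p.get("port")), _port_number(p.get("targetPort"))
        if port != EXPECTED_PORT or target != EXPECTED_PORT:
            findings.append(
                f"service port {p.get('name', '<unnamed>')} is "
                f"{p.get('port')}->{p.get('targetPort')}, expected "
                f"{EXPECTED_PORT}->{EXPECTED_PORT}"
            )
    return findings


def audit_ingress(ing: dict, service_name: str = "rancher") -> list:
    """Backend hop must be re-encrypted (HTTPS annotation) and target port 443."""
    findings = []
    annotations = (ing.get("metadata") or {}).get("annotations") or {}
    if annotations.get(BACKEND_PROTOCOL_ANNOTATION) != "HTTPS":
        findings.append(
            f"ingress annotation {BACKEND_PROTOCOL_ANNOTATION} is "
            f"{annotations.get(BACKEND_PROTOCOL_ANNOTATION)!r}, expected 'HTTPS'"
        )
    rules = (ing.get("spec") or {}).get("rules") or []
    if not rules:
        findings.append("ingress has no rules")
    for rule in rules:
        for path in (rule.get("http") or {}).get("paths") or []:
            backend = (path.get("backend") or {}).get("service") or {}
            number = _port_number((backend.get("port") or {}).get("number"))
            if backend.get("name") != service_name or number != EXPECTED_PORT:
                findings.append(
                    f"ingress rule for {rule.get('host')} targets "
                    f"{backend.get('name')}:{number}, expected {service_name}:{EXPECTED_PORT}"
                )
    return findings


def audit(svc: dict, ing: dict) -> list:
    """Empty list means compliant; each string is one finding."""
    return audit_service(svc) + audit_ingress(ing)


def fetch_live(namespace: str = "cattle-system", name: str = "rancher"):
    """Read the live objects with kubectl (needs cluster access; not used offline)."""
    def get(kind: str) -> dict:
        out = subprocess.run(
            ["kubectl", "get", kind, name, "-n", namespace, "-o", "json"],
            check=True, capture_output=True, text=True,
        ).stdout
        return json.loads(out)
    return get("service"), get("ingress")


# Constructed samples (not captured from a real cluster).
COMPLIANT_SERVICE = {"spec": {"clusterIP": "10.43.145.4", "ports": [
    {"name": "https-internal", "port": 443, "protocol": "TCP", "targetPort": 443}]}}
COMPLIANT_INGRESS = {
    "metadata": {"annotations": {BACKEND_PROTOCOL_ANNOTATION: "HTTPS"}},
    "spec": {"rules": [{"host": "rancher.example.com", "http": {"paths": [
        {"backend": {"service": {"name": "rancher", "port": {"number": 443}}},
         "pathType": "ImplementationSpecific"}]}}]}}
# Pre-fix state: a plaintext port 80 on the Service and an Ingress that uses it.
NONCOMPLIANT_SERVICE = {"spec": {"ports": [
    {"name": "http", "port": 80, "protocol": "TCP", "targetPort": 80},
    {"name": "https-internal", "port": 443, "protocol": "TCP", "targetPort": 443}]}}
NONCOMPLIANT_INGRESS = {
    "metadata": {"annotations": {}},
    "spec": {"rules": [{"host": "rancher.example.com", "http": {"paths": [
        {"backend": {"service": {"name": "rancher", "port": {"number": 80}}}}]}}]}}

if __name__ == "__main__":
    import sys
    # Pass --live to audit the real objects; otherwise the pre-fix sample is shown.
    objects = fetch_live() if "--live" in sys.argv else (NONCOMPLIANT_SERVICE, NONCOMPLIANT_INGRESS)
    for line in audit(*objects) or ["compliant"]:
        print(line)
```

Run it with `--live` from a host with kubeconfig access to the Rancher local cluster; a non-empty result is the finding. Because the JSON Patch in the Fix Text removes a port by index, running this check before and after the fix is the cheapest way to confirm the right entry was removed.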