Rancher RKE2 must be configured with only essential configurations.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-254565	CNTR-R2-000550	SV-254565r879587_rule		Medium

Description
It is important to disable any unnecessary components to reduce any potential attack surfaces. RKE2 allows disabling the following components: - rke2-canal - rke2-coredns - rke2-ingress-nginx - rke2-kube-proxy - rke2-metrics-server If utilizing any of these components presents a security risk, or if any of the components are not required then they can be disabled by using the "disable" flag. If any of the components are not required, they can be disabled by using the "disable" flag. Satisfies: SRG-APP-000141-CTR-000315, SRG-APP-000384-CTR-000915

Description

It is important to disable any unnecessary components to reduce any potential attack surfaces. RKE2 allows disabling the following components: - rke2-canal - rke2-coredns - rke2-ingress-nginx - rke2-kube-proxy - rke2-metrics-server If utilizing any of these components presents a security risk, or if any of the components are not required then they can be disabled by using the "disable" flag. If any of the components are not required, they can be disabled by using the "disable" flag. Satisfies: SRG-APP-000141-CTR-000315, SRG-APP-000384-CTR-000915

STIG	Date
Rancher Government Solutions RKE2 Security Technical Implementation Guide	2023-02-27

Details

Check Text ( C-58049r859263_chk )
Ensure the RKE2 Server configuration file on all RKE2 Server hosts contain a "disable" flag for all unnecessary components. Run this command on the RKE2 Control Plane: cat /etc/rancher/rke2/config.yaml RKE2 allows disabling the following components. If any of the components are not required, they can be disabled: - rke2-canal - rke2-coredns - rke2-ingress-nginx - rke2-kube-proxy - rke2-metrics-server If services not in use are enabled, this is a finding.

Check Text ( C-58049r859263_chk )

Ensure the RKE2 Server configuration file on all RKE2 Server hosts contain a "disable" flag for all unnecessary components.

Run this command on the RKE2 Control Plane:
cat /etc/rancher/rke2/config.yaml

RKE2 allows disabling the following components. If any of the components are not required, they can be disabled:
- rke2-canal
- rke2-coredns
- rke2-ingress-nginx
- rke2-kube-proxy
- rke2-metrics-server

If services not in use are enabled, this is a finding.

Fix Text (F-57998r859264_fix)
Disable unnecessary RKE2 components. Edit the RKE2 Server configuration file on all RKE2 Server hosts, located at /etc/rancher/rke2/config.yaml, so that it contains a "disable" flag for all unnecessary components. Example: disable: rke2-canal disable: rke2-coredns disable: rke2-ingress-nginx disable: rke2-kube-proxy disable: rke2-metrics-server Once configuration file is updated, restart the RKE2 Server. Run the command: systemctl restart rke2-server

Fix Text (F-57998r859264_fix)

Disable unnecessary RKE2 components.
Edit the RKE2 Server configuration file on all RKE2 Server hosts, located at /etc/rancher/rke2/config.yaml, so that it contains a "disable" flag for all unnecessary components.

Example:
disable: rke2-canal
disable: rke2-coredns
disable: rke2-ingress-nginx
disable: rke2-kube-proxy
disable: rke2-metrics-server

Once configuration file is updated, restart the RKE2 Server. Run the command:
systemctl restart rke2-server