
Rancher RKE2 runtime must enforce ports, protocols, and services that adhere to the PPSM CAL.


Overview

Finding ID: V-254566
Version: CNTR-R2-000580
Rule ID: SV-254566r942451_rule
IA Controls: (none listed)
Severity: Medium
Description
Ports, protocols, and services within the RKE2 runtime must be controlled and conform to the PPSM CAL. Those ports, protocols, and services that fall outside the PPSM CAL must be blocked by the runtime. Instructions on the PPSM can be found in DOD Instruction 8551.01 Policy. RKE2 sets most ports and services configuration upon initiation; however, these ports can be changed after the fact to noncompliant configurations. It is important to verify core component configurations for compliance. API Server, Scheduler, Controller, ETCD, and User Pods should all be checked to ensure proper PPS configuration.

Satisfies: SRG-APP-000142-CTR-000325, SRG-APP-000142-CTR-000330, SRG-APP-000383-CTR-000910

STIG: Rancher Government Solutions RKE2 Security Technical Implementation Guide
Date: 2023-11-30

Details

Check Text ( C-58050r942451_chk )
Check Ports, Protocols, and Services (PPS).
Change to the /var/lib/rancher/rke2/agent/pod-manifests directory on the Kubernetes RKE2 Control Plane.
Run the commands (each searches the kube-apiserver static pod manifest for the port-related flag, case-insensitively; the "--" keeps grep from reading the flag as one of its own options):
grep -i -- '--insecure-port' kube-apiserver.yaml
grep -i -- '--secure-port' kube-apiserver.yaml
grep -i -- '--etcd-servers' kube-apiserver.yaml
Note that kube-apiserver removed the --insecure-port flag in Kubernetes 1.24, so on current RKE2 releases the first grep returning no match is the expected result; a match would indicate an insecure listener that must be reviewed.

Review findings against the most recent PPSM CAL:
https://cyber.mil/ppsm/cal/

Any manifest and namespace PPS or services configuration that is not in compliance with the PPSM CAL and not otherwise approved by the information system security officer (ISSO) is a finding.

If there are any ports, protocols, and services in the system documentation that are not in compliance with the PPSM CAL and not otherwise approved by the ISSO, this is a finding. Any PPS not recorded in the system documentation is a finding.

Verify the API Server network boundary against the PPS associated with the CAL Assurance Categories. Any PPS that is not in compliance with the CAL Assurance Category requirements and not otherwise approved by the ISSO is a finding.

Running these commands individually will show what ports are currently configured to be used by each of the core components. Inspect this output and ensure only proper ports are being utilized. If any ports not defined as the proper ports are being used, this is a finding.

/var/lib/rancher/rke2/bin/kubectl get po -n kube-system -l component=kube-controller-manager -o=jsonpath="{.items[*].spec.containers[*].args}"

/var/lib/rancher/rke2/bin/kubectl get po -n kube-system -l component=kube-scheduler -o=jsonpath="{.items[*].spec.containers[*].args}"

/var/lib/rancher/rke2/bin/kubectl get po -n kube-system -l component=kube-apiserver -o=jsonpath="{.items[*].spec.containers[*].args}" | grep tls-min-version

Verify user pods:
User pods will also need to be inspected to ensure compliance. This will need to be done on a case-by-case basis.

Verify the etcd listener configuration:
cat /var/lib/rancher/rke2/server/db/etcd/config

If any ports not defined as the proper ports are in use and not otherwise approved by the ISSO, this is a finding.
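The manual review above compares each component's port-bearing flags against the documented PPS list. The following POSIX shell function, an added example and not part of the STIG, automates that comparison: it pulls port numbers out of the jsonpath-style args output of the kubectl commands (both "--*-port=NNNN" flags and "host:NNNN" endpoints such as --etcd-servers) and prints any port missing from an allowlist. The sample args and the allowlist are constructed here; the real allowlist must come from the PPSM CAL and the ISSO-approved system documentation.

```shell
#!/bin/sh
# Added example: compare component port configuration against a documented allowlist.

# Constructed sample, shaped like kubectl -o=jsonpath output for an RKE2 kube-apiserver pod.
SAMPLE_APISERVER_ARGS='["--advertise-address=10.0.0.5","--secure-port=6443","--etcd-servers=https://127.0.0.1:2379","--tls-min-version=VersionTLS12"]'
# Constructed sample with an etcd endpoint on an undocumented port.
SAMPLE_BAD_ARGS='["--secure-port=10259","--bind-address=0.0.0.0","--etcd-servers=https://10.0.0.9:2390"]'

# Hypothetical allowlist of documented ports (replace with the system's approved PPS list).
ALLOWED_PORTS="6443 2379 2380 10250 10257 10259"

# check_ports ARGS ALLOWED: print each port in ARGS not present in ALLOWED, one per line.
# Returns 0 when every port found is allowed, 1 when at least one is not (a finding).
check_ports() {
  args="$1"; allowed="$2"; rc=0
  # One token per line, then extract "--something-port=NNNN" values and ":NNNN" endpoint ports.
  ports=$(printf '%s\n' "$args" | tr ', ' '\n\n' | sed -n \
    -e 's/.*--[a-z-]*port=\([0-9][0-9]*\).*/\1/p' \
    -e 's/.*:\([0-9][0-9]*\)[",/].*/\1/p' | sort -u)
  for p in $ports; do
    case " $allowed " in
      *" $p "*) ;;                 # documented port
      *) echo "$p"; rc=1 ;;        # undocumented port: report it
    esac
  done
  return $rc
}

# Demonstration on the constructed samples.
check_ports "$SAMPLE_APISERVER_ARGS" "$ALLOWED_PORTS" && echo "apiserver sample: all ports documented"
check_ports "$SAMPLE_BAD_ARGS" "$ALLOWED_PORTS" || echo "finding: undocumented port(s) listed above"

# On a live control plane (not run here), feed the check's own kubectl output to the function:
#   check_ports "$(/var/lib/rancher/rke2/bin/kubectl get po -n kube-system \
#     -l component=kube-apiserver -o=jsonpath='{.items[*].spec.containers[*].args}')" "$ALLOWED_PORTS"
```

A non-zero exit from check_ports is the finding condition; the printed ports are what to take to the ISSO for approval or to correct in /etc/rancher/rke2/config.yaml.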
Fix Text (F-57999r940062_fix)
Review the documentation covering how to set these PPSs and update this configuration file:

/etc/rancher/rke2/config.yaml

Once the configuration file is updated, restart the RKE2 Server. Run the command:
systemctl restart rke2-server