UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Rancher RKE2 runtime must maintain separate execution domains for each container by assigning each container a separate address space to prevent unauthorized and unintended information transfer via shared system resources.


Overview

Finding ID Version Rule ID IA Controls Severity
V-254570 CNTR-R2-000970 SV-254570r942452_rule Medium
Description
Separating user functionality from management functionality is a requirement for all the components within the Kubernetes Control Plane. Without the separation, users may have access to management functions that can degrade the Kubernetes architecture and the services being offered, and can offer a method to bypass testing and validation of functions before introduced into a production environment. Satisfies: SRG-APP-000243-CTR-000600, SRG-APP-000431-CTR-001065, SRG-APP-000211-CTR-000530, SRG-APP-000243-CTR-000595
STIG Date
Rancher Government Solutions RKE2 Security Technical Implementation Guide 2023-11-30

Details

Check Text ( C-58054r942452_chk )
Audit logging and policies:

Edit the /etc/rancher/rke2/config.yaml file and enable the audit policy:
audit-policy-file: /etc/rancher/rke2/audit-policy.yaml

1. Edit the RKE2 Server configuration file on all RKE2 Server hosts, located at /etc/rancher/rke2/config.yaml, so that it contains required configuration.

--audit-policy-file= Path to the file that defines the audit policy configuration. (Example: /etc/rancher/rke2/audit-policy.yaml)
--audit-log-mode=blocking-strict

If the configuration file is updated, restart the RKE2 Server. Run the command:
systemctl restart rke2-server

2. Edit the RKE2 Server configuration file on all RKE2 Server hosts, located at /etc/rancher/rke2/config.yaml, so that it contains required configuration.

If using RKE2 v1.24 or older, set:

profile: cis-1.6

If using RKE2 v1.25 or newer, set:

profile: cis-1.23

If the configuration file is updated, restart the RKE2 Server. Run the command:
systemctl restart rke2-server

3. Edit the audit policy file, by default located at /etc/rancher/rke2/audit-policy.yaml to look like below:

apiVersion: audit.k8s.io/v1
kind: Policy
metadata:
name: rke2-audit-policy
rules:
- level: Metadata
resources:
- group: ""
resources: ["secrets"]
- level: RequestResponse
resources:
- group: ""
resources: ["*"]

If configuration files are updated on a host, restart the RKE2 Service. Run the command "systemctl restart rke2-server" for server hosts and "systemctl restart rke2-agent" for agent hosts.
Fix Text (F-58003r940065_fix)
System namespaces are reserved and isolated.

A resource cannot move to a new namespace; the resource must be deleted and recreated in the new namespace.

kubectl delete
kubectl create -f --namespace=