Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-254570 | CNTR-R2-000970 | SV-254570r942452_rule | Medium |
Description |
---|
Separating user functionality from management functionality is a requirement for all the components within the Kubernetes Control Plane. Without the separation, users may have access to management functions that can degrade the Kubernetes architecture and the services being offered, and can offer a method to bypass testing and validation of functions before introduced into a production environment. Satisfies: SRG-APP-000243-CTR-000600, SRG-APP-000431-CTR-001065, SRG-APP-000211-CTR-000530, SRG-APP-000243-CTR-000595 |
STIG | Date |
---|---|
Rancher Government Solutions RKE2 Security Technical Implementation Guide | 2023-11-30 |
Check Text ( C-58054r942452_chk ) |
---|
Audit logging and policies: Edit the /etc/rancher/rke2/config.yaml file and enable the audit policy: audit-policy-file: /etc/rancher/rke2/audit-policy.yaml 1. Edit the RKE2 Server configuration file on all RKE2 Server hosts, located at /etc/rancher/rke2/config.yaml, so that it contains required configuration. --audit-policy-file= Path to the file that defines the audit policy configuration. (Example: /etc/rancher/rke2/audit-policy.yaml) --audit-log-mode=blocking-strict If the configuration file is updated, restart the RKE2 Server. Run the command: systemctl restart rke2-server 2. Edit the RKE2 Server configuration file on all RKE2 Server hosts, located at /etc/rancher/rke2/config.yaml, so that it contains required configuration. If using RKE2 v1.24 or older, set: profile: cis-1.6 If using RKE2 v1.25 or newer, set: profile: cis-1.23 If the configuration file is updated, restart the RKE2 Server. Run the command: systemctl restart rke2-server 3. Edit the audit policy file, by default located at /etc/rancher/rke2/audit-policy.yaml to look like below: apiVersion: audit.k8s.io/v1 kind: Policy metadata: name: rke2-audit-policy rules: - level: Metadata resources: - group: "" resources: ["secrets"] - level: RequestResponse resources: - group: "" resources: ["*"] If configuration files are updated on a host, restart the RKE2 Service. Run the command "systemctl restart rke2-server" for server hosts and "systemctl restart rke2-agent" for agent hosts. |
Fix Text (F-58003r940065_fix) |
---|
System namespaces are reserved and isolated. A resource cannot move to a new namespace; the resource must be deleted and recreated in the new namespace. kubectl delete kubectl create -f |