Check: CNTR-R2-000460
Rancher Government Solutions RKE2 STIG:
CNTR-R2-000460
(in versions v2 r3 through v2 r2)
Title
Rancher RKE2 must be built from verified packages. (Cat II impact)
Discussion
Only RKE2 images that have been properly signed by Rancher Government's authorized key will be deployed to ensure the cluster's security and compliance with organizational policies.
Check Content
Utilizing Hauler (https://hauler.dev), ensure all RKE2 Kubernetes container images running in the RKE2 cluster have been obtained and that their signatures have been validated as having been produced by the Rancher Government Solutions private key.

For reference, the public key is available at: https://raw.githubusercontent.com/rancherfederal/carbide-releases/main/carbide-key.pub

For more information about verifying the signatures of Carbide images, including RKE2, see: https://rancherfederal.github.io/carbide-docs/docs/registry-docs/validating-images

If any RKE2 images are identified as not being signed by the Rancher Government Solutions private key, this is a finding.
Fix Text
Immediate action must be taken to remove non-verifiable images from the cluster and replace them with verifiable images.

Utilize Hauler (https://hauler.dev) to pull and verify RKE2 images from the Rancher Government Solutions Carbide repository.

For more information about pulling Carbide images and their signatures, including RKE2, see: https://rancherfederal.github.io/carbide-docs/docs/registry-docs/downloading-images
Additional Identifiers
Rule ID: SV-268321r1017019_rule
Vulnerability ID: V-268321
Group Title: SRG-APP-000131-CTR-000285
CCIs
Number | Definition
---|---
CCI-001749 | The information system prevents the installation of organization-defined software components without verification the software component has been digitally signed using a certificate that is recognized and approved by the organization.
Controls
Number | Title
---|---
CM-5(3) | Signed Components