Check: CNTR-R2-000970
Rancher Government Solutions RKE2 STIG:
CNTR-R2-000970
(in versions v1 r5 through v1 r4)
Title
Rancher RKE2 runtime must maintain separate execution domains for each container by assigning each container a separate address space to prevent unauthorized and unintended information transfer via shared system resources. (Cat II impact)
Discussion
Separating user functionality from management functionality is a requirement for all the components within the Kubernetes Control Plane. Without the separation, users may have access to management functions that can degrade the Kubernetes architecture and the services being offered, and can offer a method to bypass testing and validation of functions before they are introduced into a production environment. Satisfies: SRG-APP-000243-CTR-000600, SRG-APP-000431-CTR-001065, SRG-APP-000211-CTR-000530, SRG-APP-000243-CTR-000595
Check Content
Audit logging and policies: Edit the /etc/rancher/rke2/config.yaml file and enable the audit policy:
audit-policy-file: /etc/rancher/rke2/audit-policy.yaml
1. Edit the RKE2 Server configuration file on all RKE2 Server hosts, located at /etc/rancher/rke2/config.yaml, so that it contains the required configuration.
--audit-policy-file= Path to the file that defines the audit policy configuration. (Example: /etc/rancher/rke2/audit-policy.yaml)
--audit-log-mode=blocking-strict
If the configuration file is updated, restart the RKE2 Server. Run the command:
systemctl restart rke2-server
2. Edit the RKE2 Server configuration file on all RKE2 Server hosts, located at /etc/rancher/rke2/config.yaml, so that it contains the required configuration.
If using RKE2 v1.24 or older, set:
profile: cis-1.6
If using RKE2 v1.25 or newer, set:
profile: cis-1.23
If the configuration file is updated, restart the RKE2 Server. Run the command:
systemctl restart rke2-server
3. Edit the audit policy file, by default located at /etc/rancher/rke2/audit-policy.yaml, to look like below:
apiVersion: audit.k8s.io/v1
kind: Policy
metadata:
  name: rke2-audit-policy
rules:
  - level: Metadata
    resources:
      - group: ""
        resources: ["secrets"]
  - level: RequestResponse
    resources:
      - group: ""
        resources: ["*"]
If configuration files are updated on a host, restart the RKE2 Service. Run the command "systemctl restart rke2-server" for server hosts and "systemctl restart rke2-agent" for agent hosts.
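As an added example (not part of the STIG text or of RKE2 itself), the following read-only probe checks the three items above on a host: the audit-policy-file and audit-log-mode settings in config.yaml, the CIS profile, and the content of the referenced audit policy. It assumes audit-log-mode is written either as a top-level key or as a kube-apiserver-arg entry, and accepts a path argument so it can be run against a copied config.yaml.

```shell
#!/bin/sh
# Added compliance probe for CNTR-R2-000970 (not RKE2 project code).
# Usage: check_rke2_audit_config [path-to-config.yaml]
# Prints one FAIL line per missing item; returns 0 only when all pass.
check_rke2_audit_config() {
    cfg="${1:-/etc/rancher/rke2/config.yaml}"
    rc=0
    if [ ! -r "$cfg" ]; then
        echo "FAIL: $cfg not readable"
        return 1
    fi
    # Step 1: audit-policy-file must be set; capture its value (quotes stripped)
    policy=$(sed -n 's/^[[:space:]]*audit-policy-file:[[:space:]]*//p' "$cfg" | head -n 1 | tr -d '"')
    if [ -z "$policy" ]; then
        echo "FAIL: audit-policy-file not set in $cfg"; rc=1
    fi
    # Step 1: audit-log-mode=blocking-strict, as a key or a kube-apiserver-arg item (assumption)
    if ! grep -Eq 'audit-log-mode[=:][[:space:]]*"?blocking-strict' "$cfg"; then
        echo "FAIL: audit-log-mode=blocking-strict not set in $cfg"; rc=1
    fi
    # Step 2: profile must be cis-1.6 (v1.24 and older) or cis-1.23 (v1.25 and newer)
    if ! grep -Eq '^[[:space:]]*profile:[[:space:]]*"?cis-1\.(6|23)"?[[:space:]]*$' "$cfg"; then
        echo "FAIL: profile is not cis-1.6 or cis-1.23 in $cfg"; rc=1
    fi
    # Step 3: the referenced policy must exist and carry both rule levels from the check
    if [ -n "$policy" ]; then
        if [ ! -r "$policy" ]; then
            echo "FAIL: audit policy $policy not readable"; rc=1
        else
            grep -q '^kind:[[:space:]]*Policy' "$policy" \
                || { echo "FAIL: $policy is not kind: Policy"; rc=1; }
            grep -q 'level:[[:space:]]*Metadata' "$policy" \
                || { echo "FAIL: no Metadata-level rule (secrets) in $policy"; rc=1; }
            grep -q 'level:[[:space:]]*RequestResponse' "$policy" \
                || { echo "FAIL: no RequestResponse-level rule in $policy"; rc=1; }
        fi
    fi
    [ "$rc" -eq 0 ] && echo "PASS: $cfg"
    return "$rc"
}
```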
Fix Text
System namespaces are reserved and isolated. A resource cannot move to a new namespace; the resource must be deleted and recreated in the new namespace.
kubectl delete <resource_type> <resource_name>
kubectl create -f <resource.yaml> --namespace=<user_created_namespace>
Additional Identifiers
Rule ID: SV-254570r954946_rule
Vulnerability ID: V-254570
Group Title: SRG-APP-000243-CTR-000600
Expert Comments
CCIs
Number | Definition
---|---
CCI-001082 | The information system separates user functionality (including user interface services) from information system management functionality.
CCI-001090 | The information system prevents unauthorized and unintended information transfer via shared system resources.
CCI-002530 | The information system maintains a separate execution domain for each executing process.