Check: CNTR-R2-000550
Rancher Government Solutions RKE2 STIG:
CNTR-R2-000550
(in versions v2 r2 through v1 r3)
Title
Rancher RKE2 must be configured with only essential configurations. (Cat II impact)
Discussion
It is important to disable any unnecessary components to reduce any potential attack surfaces. RKE2 allows disabling the following components: - rke2-canal - rke2-coredns - rke2-ingress-nginx - rke2-kube-proxy - rke2-metrics-server If utilizing any of these components presents a security risk, or if any of the components are not required then they can be disabled by using the "disable" flag. If any of the components are not required, they can be disabled by using the "disable" flag. Satisfies: SRG-APP-000141-CTR-000315, SRG-APP-000384-CTR-000915
Check Content
Ensure the RKE2 Server configuration file on all RKE2 Server hosts contains a "disable" flag only if there are default RKE2 components that need to be disabled. If there are no default components that need to be disabled, this is not a finding. Run this command on the RKE2 Control Plane: cat /etc/rancher/rke2/config.yaml RKE2 allows disabling the following components. If any of the components are not required, they can be disabled: - rke2-canal - rke2-coredns - rke2-ingress-nginx - rke2-kube-proxy - rke2-metrics-server If services not in use are enabled, this is a finding.
Fix Text
Disable unnecessary RKE2 components. Edit the RKE2 Server configuration file on all RKE2 Server hosts, located at /etc/rancher/rke2/config.yaml, so that it contains a "disable" flag if any default RKE2 components are unnecessary. Example: disable: rke2-canal disable: rke2-coredns disable: rke2-ingress-nginx disable: rke2-kube-proxy disable: rke2-metrics-server Once the configuration file is updated, restart the RKE2 Server. Run the command: systemctl restart rke2-server
Additional Identifiers
Rule ID: SV-254565r960963_rule
Vulnerability ID: V-254565
Group Title: SRG-APP-000141-CTR-000315
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000381 |
Configure the system to provide only organization-defined mission essential capabilities. |
CCI-001764 |
Prevent program execution in accordance with organization-defined policies, rules of behavior, and/or access agreements regarding software program usage and restrictions; rules authorizing the terms and conditions of software program usage. |