Rancher Government Solutions RKE2 STIG Version Comparison

There are 8 differences between versions v1 r5 (April 24, 2024) (the "left" version) and v2 r2 (Oct. 24, 2024) (the "right" version).

Check CNTR-R2-000460 was added to the benchmark in the "right" version.

This check's original form is available here.

Title

Rancher RKE2 must be built from verified packages.

Check Content

Utilizing Hauler (https://hauler.dev), ensure all RKE2 Kubernetes Container images running in the RKE2 cluster have been obtained and their signatures have been validated and signed by Rancher Government Solutions Private Key. For reference, the public key is available at: https://raw.githubusercontent.com/rancherfederal/carbide-releases/main/carbide-key.pub For more information about verifying the signatures of Carbide images, including RKE2, see: https://rancherfederal.github.io/carbide-docs/docs/registry-docs/validating-images If any RKE2 images are identified as not being signed by the Rancher Government Solutions' private key, this is a finding.

Discussion

Only RKE2 images that have been properly signed by Rancher Government's authorized key will be deployed to ensure the cluster's security and compliance with organizational policies.

Fix

Immediate action must be taken to remove non-verifiable images from the cluster and replace them with verifiable images. Utilize Hauler (https://hauler.dev) to pull and verify RKE2 images from Rancher Government Solutions Carbide Repository. For more information about pulling Carbide images and their signatures, including RKE2, see: https://rancherfederal.github.io/carbide-docs/docs/registry-docs/downloading-images