Rancher RKE2 keystore must implement encryption to prevent unauthorized disclosure of information at rest within Rancher RKE2.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-254573 | CNTR-R2-001500 | SV-254573r1050650_rule | High |
| Description |
| Encrypting secrets at rest in etcd. By default, RKE2 will create an encryption key and configuration file and pass these to the Kubernetes API server. The result is that RKE2 automatically encrypts Kubernetes Secret objects when writing them to etcd. |
| STIG | Date |
| Rancher Government Solutions RKE2 Security Technical Implementation Guide | 2024-12-20 |
Details
| Check Text (C-58057r1016543_chk) |
| This is Not Applicable for RKE2 versions 1.20 and greater. Review the encryption configuration file. As root or with root permissions, run the following command: view /var/lib/rancher/rke2/server/cred/encryption-config.json Ensure the RKE2 configuration file on all RKE2 servers, located at /etc/rancher/rke2/config.yaml, does NOT contain: secrets-encryption: false If secrets encryption is turned off, this is a finding. |
| Fix Text (F-58006r1016544_fix) |
| This is Not Applicable for RKE2 versions 1.20 and greater. Enable secrets encryption. Edit the RKE2 configuration file on all RKE2 servers, located at /etc/rancher/rke2/config.yaml, so that it contains: secrets-encryption: true |