Rancher RKE2 must be built from verified packages.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-268321 | CNTR-R2-000460 | SV-268321r1017019_rule | Medium |
| Description |
| Only RKE2 images that have been properly signed by Rancher Government's authorized key will be deployed to ensure the cluster's security and compliance with organizational policies. |
| STIG | Date |
| Rancher Government Solutions RKE2 Security Technical Implementation Guide | 2024-12-20 |
Details
| Check Text (C-72342r1017017_chk) |
| Utilizing Hauler (https://hauler.dev), ensure all RKE2 Kubernetes Container images running in the RKE2 cluster have been obtained and their signatures have been validated and signed by Rancher Government Solutions Private Key. For reference, the public key is available at: https://raw.githubusercontent.com/rancherfederal/carbide-releases/main/carbide-key.pub For more information about verifying the signatures of Carbide images, including RKE2, see: https://rancherfederal.github.io/carbide-docs/docs/registry-docs/validating-images If any RKE2 images are identified as not being signed by the Rancher Government Solutions' private key, this is a finding. |
| Fix Text (F-72245r1017018_fix) |
| Immediate action must be taken to remove non-verifiable images from the cluster and replace them with verifiable images. Utilize Hauler (https://hauler.dev) to pull and verify RKE2 images from Rancher Government Solutions Carbide Repository. For more information about pulling Carbide images and their signatures, including RKE2, see: https://rancherfederal.github.io/carbide-docs/docs/registry-docs/downloading-images |