| Rule ID | Rule Title |
| --- | --- |
| CNTR-R2-000010 | Rancher RKE2 must protect authenticity of communications sessions with the use of FIPS-validated 140-2 or 140-3 security requirements for cryptographic modules. |
| CNTR-R2-000030 | RKE2 must use a centralized user management solution to support account management functions. |
| CNTR-R2-000060 | Rancher RKE2 components must be configured in accordance with the security configuration settings based on DOD security configuration or implementation guidance, including SRGs, STIGs, NSA configuration guides, CTOs, and DTMs. |
| CNTR-R2-000100 | The Kubernetes Controller Manager must have secure binding. |
| CNTR-R2-000110 | The Kubernetes Kubelet must have anonymous authentication disabled. |
| CNTR-R2-000120 | The Kubernetes API server must have the insecure port flag disabled. |
| CNTR-R2-000130 | The Kubernetes Kubelet must have the read-only port flag disabled. |
| CNTR-R2-000140 | The Kubernetes API server must have the insecure bind address not set. |
| CNTR-R2-000150 | The Kubernetes kubelet must enable explicit authorization. |
| CNTR-R2-000160 | The Kubernetes API server must have anonymous authentication disabled. |
| CNTR-R2-000320 | All audit records must identify any containers associated with the event within Rancher RKE2. |
| CNTR-R2-000520 | Configuration and authentication files for Rancher RKE2 must be protected. |
| CNTR-R2-000550 | Rancher RKE2 must be configured with only essential configurations. |
| CNTR-R2-000580 | Rancher RKE2 runtime must enforce ports, protocols, and services that adhere to the PPSM CAL. |
| CNTR-R2-000800 | Rancher RKE2 must store only cryptographic representations of passwords. |
| CNTR-R2-000890 | Rancher RKE2 must terminate all network connections associated with a communications session at the end of the session, or as follows: for in-band management sessions (privileged sessions), the session must be terminated after five minutes of inactivity. |
| CNTR-R2-000940 | Rancher RKE2 runtime must isolate security functions from nonsecurity functions. |
| CNTR-R2-000970 | Rancher RKE2 runtime must maintain separate execution domains for each container by assigning each container a separate address space to prevent unauthorized and unintended information transfer via shared system resources. |
| CNTR-R2-001130 | Rancher RKE2 must prevent nonprivileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures. |
| CNTR-R2-001270 | Rancher RKE2 must prohibit the installation of patches, updates, and instantiation of container images without explicit privileged status. |
| CNTR-R2-001500 | Rancher RKE2 keystore must implement encryption to prevent unauthorized disclosure of information at rest within Rancher RKE2. |
| CNTR-R2-001580 | Rancher RKE2 must remove old components after updated versions have been installed. |
| CNTR-R2-001620 | Rancher RKE2 registry must contain the latest images with most recent updates and execute within Rancher RKE2 runtime as authorized by IAVM, CTOs, DTMs, and STIGs. |
| CNTR-R2-000460 | Rancher RKE2 must be built from verified packages. |