Rancher RKE2 must be configured with only essential configurations.

STIG ID: CNTR-R2-000550  |  SRG: SRG-APP-000141-CTR-000315 |  Severity: medium (CAT II)  |  CCI: CCI-000381,CCI-001764 |  Vulnerability Id: V-254565

Vulnerability Discussion

It is important to disable any unnecessary components to reduce any potential attack surfaces.

RKE2 allows disabling the following components:
- rke2-canal
- rke2-coredns
- rke2-ingress-nginx
- rke2-kube-proxy
- rke2-metrics-server

If using any of these components presents a security risk, or if any of the components are not required, they can be disabled by using the "disable" flag.

Satisfies: SRG-APP-000141-CTR-000315, SRG-APP-000384-CTR-000915

Check

Ensure the RKE2 Server configuration file on all RKE2 Server hosts contains a "disable" flag only if there are default RKE2 components that need to be disabled.

If there are no default components that need to be disabled, this is not a finding.

Run this command on the RKE2 Control Plane:
cat /etc/rancher/rke2/config.yaml

RKE2 allows disabling the following components. If any of the components are not required, they can be disabled:
- rke2-canal
- rke2-coredns
- rke2-ingress-nginx
- rke2-kube-proxy
- rke2-metrics-server

If services not in use are enabled, this is a finding.

Fix

Disable unnecessary RKE2 components.

Edit the RKE2 Server configuration file on all RKE2 Server hosts, located at /etc/rancher/rke2/config.yaml, so that it contains a "disable" flag if any default RKE2 components are unnecessary.

Example:
disable:
- rke2-canal
- rke2-ingress-nginx
- rke2-kube-proxy
- rke2-metrics-server
- rke2-coredns

Once the configuration file is updated, restart the RKE2 Server. Run the command:
systemctl restart rke2-server