Rancher RKE2 must be configured with only essential configurations.
An XCCDF Rule
Description
<VulnDiscussion>It is important to disable any unnecessary components to reduce any potential attack surfaces. RKE2 allows disabling the following components: - rke2-canal - rke2-coredns - rke2-ingress-nginx - rke2-kube-proxy - rke2-metrics-server If utilizing any of these components presents a security risk, or if any of the components are not required then they can be disabled by using the "disable" flag. If any of the components are not required, they can be disabled by using the "disable" flag. Satisfies: SRG-APP-000141-CTR-000315, SRG-APP-000384-CTR-000915</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
- ID
- SV-254565r918259_rule
- Severity
- Medium
- References
- Updated
Remediation - Manual Procedure
Disable unnecessary RKE2 components.
Edit the RKE2 Server configuration file on all RKE2 Server hosts, located at /etc/rancher/rke2/config.yaml, so that it contains a "disable" flag if any default RKE2 components are unnecessary.
Example:
disable: rke2-canal