Rancher RKE2 must be built from verified packages.
An XCCDF Rule
Description
<VulnDiscussion>Only RKE2 images that have been properly signed by Rancher Government's authorized key will be deployed to ensure the cluster's security and compliance with organizational policies.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
- ID
- SV-268321r1017019_rule
- Severity
- Medium
- References
- Updated
Remediation - Manual Procedure
Immediate action must be taken to remove non-verifiable images from the cluster and replace them with verifiable images.
Utilize Hauler (https://hauler.dev) to pull and verify RKE2 images from Rancher Government Solutions Carbide Repository.
For more information about pulling Carbide images and their signatures, including RKE2, see:
https://rancherfederal.github.io/carbide-docs/docs/registry-docs/downloading-images