Rancher RKE2 must prevent nonprivileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.

An XCCDF Rule

Description

Admission controllers intercept requests to the Kubernetes API before an object is instantiated. Enabling the admissions webhook allows for Kubernetes to apply policies against objects that are to be created, read, updated or deleted. Admissions controllers can be used for: - Prevent pod’s ability to run privileged containers - Prevent pod’s ability to use privileged escalation - Controlling pod’s access to volume types - Controlling pod’s access to host file system - Controlling pod’s usage of host networking objects and configuration Satisfies: SRG-APP-000340-CTR-000770, SRG-APP-000342-CTR-000775

ID: SV-254571r961353_rule
Version: CNTR-R2-001130
Severity: Medium
References: CCI-002233 CCI-002235
Updated: 6 days ago

Remediation Templates

If using RKE2 v1.24 or older:

On each Control Plane node, create the following policy to a file called restricted.yml.

apiVersion: policy/v1beta1
kind: PodSecurityPolicymetadata:
name: restricted
annotations:
seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default,runtime/default'
apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default'
apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
spec:
privileged: false
#Required to prevent escalations to root.
allowPrivilegeEscalation: false
#This is redundant with non-root + disallow privilege escalation,
# but we can provide it for defense in depth.
requiredDropCapabilities:
- ALL
# Allow core volume types.
volumes:
- 'configMap'
- 'emptyDir'
- 'projected'
- 'secret'
- 'downwardAPI'
# Assume that persistentVolumes set up by the cluster admin are safe to use.
- 'persistentVolumeClaim'
hostNetwork: false
hostIPC: false
hostPID: false
runAsUser:
# Require the container to run without root privileges.
rule: 'MustRunAsNonRoot'
seLinux:
# This policy assumes the nodes are using AppArmor rather than SELinux.
rule: 'RunAsAny'
supplementalGroups:
rule: 'MustRunAs'
ranges:
# Forbid adding the root group.
- min: 1
max: 65535
fsGroup:
rule: 'MustRunAs'
ranges:
# Forbid adding the root group.
- min: 1
max: 65535
readOnlyRootFilesystem: false

To implement the policy, run the command:

kubectl create -f restricted.yml"

If using RKE v1.25 or newer:

On each Control Plane node, create the file "/etc/rancher/rke2/rke2-pss.yaml" and add the following content:

apiVersion: apiserver.config.k8s.io/v1
kind: AdmissionConfiguration
plugins:
- name: PodSecurity
  configuration:
    apiVersion: pod-security.admission.config.k8s.io/v1beta1
    kind: PodSecurityConfiguration
    defaults:
      enforce: "restricted"
      enforce-version: "latest"
      audit: "restricted"
      audit-version: "latest"
      warn: "restricted"
      warn-version: "latest"
    exemptions:
      usernames: []
      runtimeClasses: []
      namespaces: [kube-system, cis-operator-system, tigera-operator]

Ensure the namespace exemptions contain only namespaces requiring access to capabilities outside of the restricted settings above.

Once the file is created, restart the Control Plane nodes with:

systemctl restart rke2-server

Rancher RKE2 must prevent nonprivileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.

Description

Remediation Templates

A Manual Procedure