Rancher RKE2 must be built from verified packages.
An XCCDF Rule
Description
Only RKE2 images that have been properly signed by Rancher Government's authorized key will be deployed, ensuring the cluster's security and compliance with organizational policies.
- ID: SV-268321r1017019_rule
- Version: CNTR-R2-000460
- Severity: Medium
Remediation Templates
A Manual Procedure
Immediate action must be taken to remove non-verifiable images from the cluster and replace them with verifiable images.
Utilize Hauler (https://hauler.dev) to pull and verify RKE2 images from the Rancher Government Solutions Carbide Repository.
For more information about pulling Carbide images and their signatures, including RKE2, see:
https://rancherfederal.github.io/carbide-docs/docs/registry-docs/downloading-images