Rancher MCM must prohibit or restrict the use of protocols that transmit unencrypted authentication information or use flawed cryptographic algorithms for transmission.

An XCCDF Rule

Description

<VulnDiscussion>The container platform and its components will adhere to NIST 800-52R2. To ensure that traffic coming through the ingress controller is re-encrypted internally, switch off port 80 on the service object and direct ingress traffic to port 443 over HTTPS.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-252849r918224_rule
Severity: High
References: CCI-000382
Updated: about 1 year ago

Gather the current values of the Rancher deployment by running the following:

helm get values -n cattle-system rancher > /tmp/rancher-values.yaml

Create another values file to upgrade Rancher's ingress object for HTTPS. Add the following to "/tmp/rancher-ingress-values.yaml":
ingress:
  extraAnnotations:
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS" # If using NGINX ingress
    traefik.ingress.kubernetes.io/router.tls: "true" # If using Traefik ingress
  servicePort: 443

If using a different ingress controller than NGINX or Traefik, other annotations may need to be added to ensure the controller knows the Rancher backend is HTTPS.

Upgrade Rancher, referencing the two files created:

helm upgrade -n cattle-system -f /tmp/rancher-values.yaml -f /tmp/rancher-ingress-values.yaml rancher rancher-stable/rancher --version=CURRENT_RANCHER_VERSION

Once Rancher ingress has been updated and it has been verified that Rancher is still accessible, run the following command to create NetworkPolicies that will block all traffic to Rancher with the exception of HTTPS:

cat <<EOF | kubectl apply -f -
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: rancher-allow-https
  namespace: cattle-system
spec:
  podSelector:
    matchLabels:
      app: rancher
  ingress:
  - ports:
    - port: 444
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: rancher-deny-ingress
  namespace: cattle-system
spec:
  podSelector:
    matchLabels:
      app: rancher
  policyTypes:
  - Ingress
EOF

Rancher MCM must prohibit or restrict the use of protocols that transmit unencrypted authentication information or use flawed cryptographic algorithms for transmission.

Description

Remediation - Manual Procedure