# rke2

adamant-kite-43734

05/20/2022, 10:39 PM
This message was deleted.

creamy-pencil-82913

05/20/2022, 10:43 PM
the controller-manager only has one listener, it’s only used for metrics, and we bind it to localhost. It doesn’t really accept connections from anything, and there’s no confidential information in it
That sounds like someone copy-pasted some text from the apiserver configuration?

shy-zebra-53074

05/20/2022, 10:44 PM
for the DISA STIG?
it’s part of their recent k8s release

creamy-pencil-82913

05/20/2022, 10:45 PM
interesting
Our hardening guides are all based on the CIS benchmarks

shy-zebra-53074

05/20/2022, 10:46 PM
Any interest in working to help make RKE2 comply w/ DISA STIGs as well (required for DoD)?

creamy-pencil-82913

05/20/2022, 10:46 PM
If it wants extra args set, you can use --kube-apiserver-arg, --kube-controller-manager-arg etc to set those

shy-zebra-53074

05/20/2022, 10:46 PM
like if I can provide information during my analysis?

creamy-pencil-82913

05/20/2022, 10:47 PM
so --kube-controller-manager-arg=tls-min-version=VersionTLS12

shy-zebra-53074

05/20/2022, 10:47 PM
ha awesome yah that’s what I was just typing out
ok perfect ty!

creamy-pencil-82913

05/20/2022, 10:48 PM
The RGS guys may have done some work on that already as they are more in tune with the STIG stuff I believe

shy-zebra-53074

05/20/2022, 10:48 PM
want me to make a list of things that need to be done to help RKE2 comply w/ DISA STIGs? any interest in community?

creamy-pencil-82913

05/20/2022, 10:48 PM

shy-zebra-53074

05/20/2022, 10:49 PM
nice… ok thanks!

creamy-pencil-82913

05/20/2022, 10:49 PM
RGS / Rancher Federal handle all of our government contracts so they’re the ones that focus on that sort of stuff

shy-zebra-53074

05/20/2022, 10:50 PM
got it ok, yah I figured RKE2 seems like it’s geared more towards Federal and esp DoD since it’s difficult to comply with their reqs

creamy-pencil-82913

05/20/2022, 10:50 PM
I’m not sure how many of them are on this slack but I could probably ask internally if you run into any roadblocks
👍 1

shy-zebra-53074

05/20/2022, 10:51 PM
Thanks and I’ll work on a gist of notes of where I may see deltas or run into issues

jolly-ocean-26422

05/21/2022, 1:06 AM
I have worked on the Rancher STIGs with the RGS folks and work with them somewhat frequently. Feel free to ping me if you need anything

shy-zebra-53074

05/22/2022, 5:47 PM
@jolly-ocean-26422 will do thank you!
@creamy-pencil-82913 is it possible to specify the `kube-controller-manager-arg` arg within the `/etc/rancher/rke2/config.yaml` file?
something like this:
```yaml
kube-controller-manager-arg:
  - tls-min-version=VersionTLS12
```
yes that seems to have worked! 🙂