
shy-zebra-53074

05/20/2022, 10:39 PM
Happy Friday! I’m performing an analysis against RKE2 using the DISA STIGs and I came across this one:
Rule Title: The Kubernetes Controller Manager must use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during electronic dissemination.

Discussion: The Kubernetes Controller Manager will prohibit the use of SSL and unauthorized versions of TLS protocols to properly secure communication.

The use of unsupported protocol exposes vulnerabilities to the Kubernetes by rogue traffic interceptions, man-in-the-middle attacks, and impersonation of users or services from the container platform runtime, registry, and key store. To enable the minimum version of TLS to be used by the Kubernetes Controller Manager, the setting "tls-min-version" must be set.

Check Text: Change to the /etc/kubernetes/manifests/ directory on the Kubernetes Master Node. Run the command:

grep -i tls-min-version *

If the setting "tls-min-version" is not configured in the Kubernetes Controller Manager manifest file or it is set to "VersionTLS10" or "VersionTLS11", this is a finding.

Fix Text: Edit the Kubernetes Controller Manager manifest file in the /etc/kubernetes/manifests directory on the Kubernetes Master Node. Set the value of "--tls-min-version" to "VersionTLS12" or higher.
However I don’t see the tls-min-version flag set for the kube-controller-manager service:
kube-controller-manager --flex-volume-plugin-dir=/var/lib/kubelet/volumeplugins --terminated-pod-gc-threshold=1000 --permit-port-sharing=true --cloud-provider=aws --cloud-config= --allocate-node-cidrs=true --authentication-kubeconfig=/var/lib/rancher/rke2/server/cred/controller.kubeconfig --authorization-kubeconfig=/var/lib/rancher/rke2/server/cred/controller.kubeconfig --bind-address=127.0.0.1 --cluster-cidr=10.0.0.0/12 --cluster-signing-kube-apiserver-client-cert-file=/var/lib/rancher/rke2/server/tls/client-ca.crt --cluster-signing-kube-apiserver-client-key-file=/var/lib/rancher/rke2/server/tls/client-ca.key --cluster-signing-kubelet-client-cert-file=/var/lib/rancher/rke2/server/tls/client-ca.crt --cluster-signing-kubelet-client-key-file=/var/lib/rancher/rke2/server/tls/client-ca.key --cluster-signing-kubelet-serving-cert-file=/var/lib/rancher/rke2/server/tls/server-ca.crt --cluster-signing-kubelet-serving-key-file=/var/lib/rancher/rke2/server/tls/server-ca.key --cluster-signing-legacy-unknown-cert-file=/var/lib/rancher/rke2/server/tls/client-ca.crt --cluster-signing-legacy-unknown-key-file=/var/lib/rancher/rke2/server/tls/client-ca.key --feature-gates=JobTrackingWithFinalizers=true --kubeconfig=/var/lib/rancher/rke2/server/cred/controller.kubeconfig --profiling=false --root-ca-file=/var/lib/rancher/rke2/server/tls/server-ca.crt --secure-port=10257 --service-account-private-key-file=/var/lib/rancher/rke2/server/tls/service.key --use-service-account-credentials=true

creamy-pencil-82913

05/20/2022, 10:43 PM
the controller-manager only has one listener, it’s only used for metrics, and we bind it to localhost. It doesn’t really accept connections from anything, and there’s no confidential information in it
That sounds like someone copy-pasted some text from the apiserver configuration?

shy-zebra-53074

05/20/2022, 10:44 PM
for the DISA STIG?
it’s part of their recent k8s release

creamy-pencil-82913

05/20/2022, 10:45 PM
interesting
Our hardening guides are all based on the CIS benchmarks

shy-zebra-53074

05/20/2022, 10:46 PM
Any interest in working to help make RKE2 comply w/ DISA STIGs as well (required for DoD)?

creamy-pencil-82913

05/20/2022, 10:46 PM
If it wants extra args set, you can use --kube-apiserver-arg, --kube-controller-manager-arg etc to set those

shy-zebra-53074

05/20/2022, 10:46 PM
like if I can provide information during my analysis?

creamy-pencil-82913

05/20/2022, 10:47 PM
so --kube-controller-manager-arg=tls-min-version=VersionTLS12

shy-zebra-53074

05/20/2022, 10:47 PM
ha awesome yah that’s what I was just typing out
ok perfect ty!

creamy-pencil-82913

05/20/2022, 10:48 PM
The RGS guys may have done some work on that already as they are more in tune with the STIG stuff I believe

shy-zebra-53074

05/20/2022, 10:48 PM
want me to make a list of things that need to be done to help RKE2 comply w/ DISA STIGs? any interest in community?

creamy-pencil-82913

05/20/2022, 10:48 PM

shy-zebra-53074

05/20/2022, 10:49 PM
nice… ok thanks!

creamy-pencil-82913

05/20/2022, 10:49 PM
RGS / Rancher Federal handle all of our government contracts so they’re the ones that focus on that sort of stuff

shy-zebra-53074

05/20/2022, 10:50 PM
got it ok, yah I figured RKE2 seems like it’s geared more towards Federal and esp DoD since it’s difficult to comply with their reqs

creamy-pencil-82913

05/20/2022, 10:50 PM
I’m not sure how many of them are on this slack but I could probably ask internally if you run into any roadblocks

shy-zebra-53074

05/20/2022, 10:51 PM
Thanks and I’ll work on a gist of notes of where I may see deltas or run into issues

jolly-ocean-26422

05/21/2022, 1:06 AM
I have worked on the Rancher STIGs with the RGS folks and work with them somewhat frequently. Feel free to ping me if you need anything

shy-zebra-53074

05/22/2022, 5:47 PM
@jolly-ocean-26422 will do thank you!
@creamy-pencil-82913 is it possible to specify the kube-controller-manager-arg arg within the /etc/rancher/rke2/config.yaml file?
something like this:
kube-controller-manager-arg:
  - tls-min-version=VersionTLS12
yes that seems to have worked! 🙂