This message was deleted.
# rke2a
adamant-kite-43734
05/20/2022, 10:39 PMThis message was deleted.
c
creamy-pencil-82913
05/20/2022, 10:43 PMthe controller-manager only has one listener, it’s only used for metrics, and we bind it to localhost. It doesn’t really accept connections from anything, and there’s no confidential information in it
creamy-pencil-82913
05/20/2022, 10:43 PMThat sounds like someone copy-pasted some text from the apiserver configuration?
s
shy-zebra-53074
05/20/2022, 10:44 PMfor the DISA STIG?
shy-zebra-53074
05/20/2022, 10:44 PMit’s part of their recent k8s release
c
creamy-pencil-82913
05/20/2022, 10:45 PMinteresting
creamy-pencil-82913
05/20/2022, 10:45 PMOur hardening guides are all based on the CIS benchmarks
s
shy-zebra-53074
05/20/2022, 10:46 PMAny interest in working to help make RKE2 comply w/ DISA STIGs as well (required for DoD)
c
creamy-pencil-82913
05/20/2022, 10:46 PMIf it wants extra args set, you can use --kube-apiserver-arg, --kube-controller-manager-arg etc to set those
s
shy-zebra-53074
05/20/2022, 10:46 PMlike if I can provide information during my analysis?
c
creamy-pencil-82913
05/20/2022, 10:47 PMso --kube-controller-manager-arg=tls-min-version=VersionTLS12
s
shy-zebra-53074
05/20/2022, 10:47 PMha awesome yah that’s what I was just typing out
shy-zebra-53074
05/20/2022, 10:47 PMok perfect ty!
c
creamy-pencil-82913
05/20/2022, 10:48 PMThe RGS guys may have done some work on that already as they are more in tune with the STIG stuff I believe
s
shy-zebra-53074
05/20/2022, 10:48 PMwant me to make a list of things that need to be done to help RKE2 comply w/ DISA STIGs? any interest in community?
c
creamy-pencil-82913
05/20/2022, 10:48 PMs
shy-zebra-53074
05/20/2022, 10:49 PMnice… ok thanks!
c
creamy-pencil-82913
05/20/2022, 10:49 PMRGS / Rancher Federal handle all of our government contracts so they’re the ones that focus on that sort of stuff
s
shy-zebra-53074
05/20/2022, 10:50 PMgot it ok, yah I figured RKE2 seems like it’s geared more towards Federal and esp DoD since it’s difficult to comply with their reqs
✅ 1
c
creamy-pencil-82913
05/20/2022, 10:50 PMI’m not sure how many of them are on this slack but I could probably ask internally if you run into any roadblocks
👍 1
s
shy-zebra-53074
05/20/2022, 10:51 PMThanks and I’ll work on a gist of notes of where I may see deltas or run into issues
j
jolly-ocean-26422
05/21/2022, 1:06 AMI have worked on the Rancher STIGs with the RGS folks and work with them somewhat frequently. Feel free to ping me if you need anything
s
shy-zebra-53074
05/22/2022, 5:47 PM@jolly-ocean-26422 will do thank you!
shy-zebra-53074
05/23/2022, 2:18 PM@creamy-pencil-82913 is it possible to specify the
kube-controller-manager-arg/etc/rancher/rke2/config.yamlshy-zebra-53074
05/23/2022, 2:18 PMsomething like this:
Copy code
kube-controller-manager-arg:
- tls-min-version=VersionTLS12shy-zebra-53074
05/23/2022, 4:50 PMyes that seems to have worked! 🙂
9 Views