Configuration for the Published DISA STIG for Rancher Kubernetes (RKE2)
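# --- RKE2 SERVER NODES (CONTROL PLANE) ---
# Hardening baseline for RKE2 server nodes (CIS profile / published DISA STIG).
# Expected in the shell environment before running: DOMAIN, TOKEN, REGISTRY.

### Setup RKE2 Server
# /opt/rke2-artifacts/ presumably holds the offline install artifacts; the
# manifests directory is where RKE2 picks up extra manifests. The dedicated,
# non-login etcd system user is what the CIS profile's etcd checks expect.
mkdir -p /opt/rke2-artifacts/ /etc/rancher/rke2/ /var/lib/rancher/rke2/server/manifests/
useradd -r -c "etcd user" -s /sbin/nologin -M etcd -U

### Configure RKE2 Config
# The heredoc delimiter is deliberately unquoted so $DOMAIN, $TOKEN and
# $REGISTRY expand. '>>' appends: rerunning this step duplicates keys in
# config.yaml, so run it once on a fresh node.
# Prerequisite not created by this script: /etc/rancher/rke2/rancher-pss.yaml
# (referenced by admission-control-config-file) must already exist or the API
# server will not start. audit-policy.yaml is written in the next step.
cat << EOF >> /etc/rancher/rke2/config.yaml
profile: cis-1.23
selinux: true
secrets-encryption: true
# Quoted so the mode is passed as the string "0600" rather than a YAML octal int.
write-kubeconfig-mode: "0600"
use-service-account-credentials: true
kube-controller-manager-arg:
- bind-address=127.0.0.1
- use-service-account-credentials=true
- tls-min-version=VersionTLS12
- tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
kube-scheduler-arg:
- tls-min-version=VersionTLS12
- tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
kube-apiserver-arg:
- tls-min-version=VersionTLS12
- tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- authorization-mode=RBAC,Node
- anonymous-auth=false
- admission-control-config-file=/etc/rancher/rke2/rancher-pss.yaml
- audit-policy-file=/etc/rancher/rke2/audit-policy.yaml
- audit-log-mode=blocking-strict
- audit-log-maxage=30
kubelet-arg:
- protect-kernel-defaults=true
- read-only-port=0
- authorization-mode=Webhook
- streaming-connection-idle-timeout=5m
# 'server' is only needed on additional control-plane nodes joining an existing
# cluster; leave it out on the first server. It was previously followed by a
# parenthetical note on the same line, which would have corrupted the URL.
server: https://$DOMAIN:9345
token: $TOKEN
tls-san:
- $DOMAIN
system-default-registry: $REGISTRY
EOF

### Configure RKE2 Audit Policy
# The original had no redirect for this heredoc, so audit-policy.yaml (which
# the API server is told to load above) was never created. The delimiter is
# quoted because nothing in the policy should be shell-expanded.
cat << 'EOF' > /etc/rancher/rke2/audit-policy.yaml
apiVersion: audit.k8s.io/v1
kind: Policy
metadata:
  name: rke2-audit-policy
rules:
# Secrets: log metadata only, so secret contents never land in the audit log.
- level: Metadata
  resources:
  - group: ""
    resources: ["secrets"]
# All other core-group resources: full request and response bodies.
- level: RequestResponse
  resources:
  - group: ""
    resources: ["*"]
# Catch-all: the two rules above only match the core ("") API group, so
# requests to other groups (e.g. RBAC objects) would otherwise go unlogged.
- level: Metadata
EOF

# --- RKE2 AGENT NODES (WORKERS) ---
### Setup RKE2 Agent
mkdir -p /etc/rancher/rke2/

### Configure RKE2 Config
# Unquoted delimiter so $DOMAIN, $TOKEN and $REGISTRY expand; '>>' appends,
# so run once per fresh node.
cat << EOF >> /etc/rancher/rke2/config.yaml
profile: cis-1.23
selinux: true
write-kubeconfig-mode: "0600"
# NOTE(review): kube-apiserver-arg has no effect on an agent (no API server
# runs here); presumably carried over from the server config — confirm before
# dropping it.
kube-apiserver-arg:
- authorization-mode=RBAC,Node
kubelet-arg:
- protect-kernel-defaults=true
- read-only-port=0
- authorization-mode=Webhook
# Kept in line with the server-node kubelet hardening above.
- streaming-connection-idle-timeout=5m
server: https://$DOMAIN:9345
token: $TOKEN
system-default-registry: $REGISTRY
EOF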