@zackbradys
Created June 4, 2024 18:46
Configuration for the Published DISA STIG for Rancher Kubernetes (RKE2)
--- RKE2 SERVER NODES (CONTROL PLANE) ---
### Setup RKE2 Server
mkdir -p /opt/rke2-artifacts/ /etc/rancher/rke2/ /var/lib/rancher/rke2/server/manifests/
useradd -r -c "etcd user" -s /sbin/nologin -M etcd -U
### Configure RKE2 Config
cat << EOF >> /etc/rancher/rke2/config.yaml
profile: cis-1.23
selinux: true
secrets-encryption: true
write-kubeconfig-mode: 0600
use-service-account-credentials: true
kube-controller-manager-arg:
- bind-address=127.0.0.1
- use-service-account-credentials=true
- tls-min-version=VersionTLS12
- tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
kube-scheduler-arg:
- tls-min-version=VersionTLS12
- tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
kube-apiserver-arg:
- tls-min-version=VersionTLS12
- tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- authorization-mode=RBAC,Node
- anonymous-auth=false
- admission-control-config-file=/etc/rancher/rke2/rancher-pss.yaml
- audit-policy-file=/etc/rancher/rke2/audit-policy.yaml
- audit-log-mode=blocking-strict
- audit-log-maxage=30
kubelet-arg:
- protect-kernel-defaults=true
- read-only-port=0
- authorization-mode=Webhook
- streaming-connection-idle-timeout=5m
server: https://$DOMAIN:9345 # required for additional control plane nodes only; omit on the first server
token: $TOKEN
tls-san:
- $DOMAIN
system-default-registry: $REGISTRY
EOF
### Configure RKE2 Audit Policy
cat << EOF > /etc/rancher/rke2/audit-policy.yaml
apiVersion: audit.k8s.io/v1
kind: Policy
metadata:
  name: rke2-audit-policy
rules:
# first matching rule wins: log secrets at Metadata level only (no request bodies),
# then everything else at RequestResponse
- level: Metadata
  resources:
  - group: ""
    resources: ["secrets"]
- level: RequestResponse
  resources:
  - group: ""
    resources: ["*"]
EOF
--- RKE2 AGENT NODES (WORKERS) ---
### Setup RKE2 Agent
mkdir -p /etc/rancher/rke2/
### Configure RKE2 Config
cat << EOF >> /etc/rancher/rke2/config.yaml
profile: cis-1.23
selinux: true
write-kubeconfig-mode: 0600
kube-apiserver-arg:
- authorization-mode=RBAC,Node
kubelet-arg:
- protect-kernel-defaults=true
- read-only-port=0
- authorization-mode=Webhook
server: https://$DOMAIN:9345
token: $TOKEN
system-default-registry: $REGISTRY
EOF
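Added check, not part of the gist: a POSIX shell script that re-reads a rendered config.yaml and reports whether the STIG settings from the server and agent heredocs above are present for the node's role. The function names (has_setting, has_flag, check_rke2_stig) are mine; the control list is taken from the config above, and the script assumes the flat "key: value" / "- flag=value" layout those heredocs write.

```shell
# Added check (not part of the gist): does a rendered config.yaml still carry
# the STIG settings above? Assumes the flat "key: value" / "- flag=value" layout.
# has_setting FILE KEY VALUE -> exit 0 if a top-level "KEY: VALUE" line exists
has_setting() {
  awk -v key="$2:" -v want="$3" '
    $1 == key && $2 == want { found = 1 }
    END { exit !found }' "$1"
}

# has_flag FILE ARG_KEY FLAG=VALUE -> exit 0 if FLAG=VALUE is listed under
# ARG_KEY (e.g. kube-apiserver-arg); the list ends at the next top-level key
has_flag() {
  awk -v key="$2:" -v want="$3" '
    /^#/ { next }
    /^[^ -][^:]*:/ { in_key = ($1 == key); next }
    in_key && $1 == "-" && $2 == want { found = 1 }
    END { exit !found }' "$1"
}

# check_rke2_stig FILE ROLE (ROLE = server | agent): prints PASS/FAIL per
# control and returns the number of failures, so it can gate a deploy step
check_rke2_stig() {
  file=$1; role=$2; fails=0
  while read -r scope kind key val; do
    [ -z "$kind" ] && continue
    [ "$scope" = any ] || [ "$scope" = "$role" ] || continue
    ok=0
    case $kind in
      setting) has_setting "$file" "$key" "$val" || ok=1 ;;
      flag)    has_flag "$file" "$key" "$val" || ok=1 ;;
    esac
    if [ "$ok" -eq 0 ]; then echo "PASS $key $val"
    else echo "FAIL $key $val"; fails=$((fails + 1)); fi
  done <<'EOF'
any    setting profile cis-1.23
any    setting selinux true
any    setting write-kubeconfig-mode 0600
any    flag    kubelet-arg protect-kernel-defaults=true
any    flag    kubelet-arg read-only-port=0
any    flag    kubelet-arg authorization-mode=Webhook
server setting secrets-encryption true
server flag    kube-apiserver-arg anonymous-auth=false
server flag    kube-apiserver-arg authorization-mode=RBAC,Node
server flag    kube-apiserver-arg tls-min-version=VersionTLS12
server flag    kube-apiserver-arg audit-log-mode=blocking-strict
server flag    kube-controller-manager-arg bind-address=127.0.0.1
EOF
  return $fails
}
```

Run it as `check_rke2_stig /etc/rancher/rke2/config.yaml server` (or `agent`) after writing the file; a non-zero exit means at least one control is missing and the node should not be started.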