Skip to content

Instantly share code, notes, and snippets.

@sohooo

sohooo/rke2-stig-controls

Forked from zackbradys/rke2-stig-controls
Created December 5, 2025 09:00
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save sohooo/7cc7094821057d1f83a8c7e9b78f08f7 to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save sohooo/7cc7094821057d1f83a8c7e9b78f08f7 to your computer and use it in GitHub Desktop.
Download ZIP
Configuration for the Published DISA STIG for Rancher Kubernetes (RKE2)
Raw
rke2-stig-controls
--- RKE2 SERVER NODES (CONTROL PLANE) ---
### Setup RKE2 Server
mkdir -p /opt/rke2-artifacts/ /etc/rancher/rke2/ /var/lib/rancher/rke2/server/manifests/
useradd -r -c "etcd user" -s /sbin/nologin -M etcd -U
### Configure RKE2 Config
cat << EOF >> /etc/rancher/rke2/config.yaml
profile: cis
selinux: true
secrets-encryption: true
write-kubeconfig-mode: 0600
embedded-registry: true
use-service-account-credentials: true
kube-controller-manager-arg:
- bind-address=127.0.0.1
- use-service-account-credentials=true
- tls-min-version=VersionTLS12
- tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
kube-scheduler-arg:
- tls-min-version=VersionTLS12
- tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
kube-apiserver-arg:
- tls-min-version=VersionTLS12
- tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- authorization-mode=RBAC,Node
- anonymous-auth=false
- admission-control-config-file=/etc/rancher/rke2/rancher-pss.yaml
- audit-policy-file=/etc/rancher/rke2/audit-policy.yaml
- audit-log-mode=blocking-strict
- audit-log-maxage=30
kubelet-arg:
- protect-kernel-defaults=true
- read-only-port=0
- authorization-mode=Webhook
- streaming-connection-idle-timeout=5m
server: https://$DOMAIN:9345 (required for additional control plane nodes)
token: $TOKEN
tls-san:
- $DOMAIN
system-default-registry: $Registry
EOF
### Configure RKE2 Audit Policy
apiVersion: audit.k8s.io/v1
kind: Policy
metadata:
name: rke2-audit-policy
rules:
- level: Metadata
resources:
- group: ""
resources: ["secrets"]
- level: RequestResponse
resources:
- group: ""
resources: ["*"]
EOF
--- RKE2 AGENT NODES (WORKERS)
### Setup RKE2 Agent
mkdir -p /etc/rancher/rke2/
### Configure RKE2 Config
cat << EOF >> /etc/rancher/rke2/config.yaml
profile: cis
selinux: true
write-kubeconfig-mode: 0600
kube-apiserver-arg:
- authorization-mode=RBAC,Node
kubelet-arg:
- protect-kernel-defaults=true
- read-only-port=0
- authorization-mode=Webhook
server: https://$DOMAIN:9345
token: $TOKEN
system-default-registry: $REGISTRY
EOF
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment