V-254553
SV-254553r1188297_rule
CAT I
Rancher RKE2 must protect authenticity of communications sessions with the use of FIPS-validated 140-2 or 140-3 security requirements for cryptographic modules.
From: Rancher Government Solutions RKE2 Security Technical Implementation Guide (V2R6)
Description
<VulnDiscussion>Use strong TLS settings.
RKE2 uses FIPS validated BoringCrypto modules. RKE2 Server can prohibit the use of SSL and unauthorized versions of TLS protocols to properly secure communication. There is a lot of traffic between RKE2 nodes to deploy, update, and delete resources so it is important to set strong TLS settings on top of this default feature. It is also important to use approved cypher suites. This ensures the protection of the transmitted information, confidentiality, and integrity so that the attacker cannot read or alter this communication.
The use of unsupported protocol exposes vulnerabilities to the Kubernetes by rogue traffic interceptions, man-in-the-middle attacks, and impersonation of users or services from the container platform runtime, registry, and key store.
To enable the enforcement of minimum version of TLS and cipher suites to be used by the various components of RKE2, the settings "tls-min-version" and "tls-cipher-suites" must be set.
Further documentation of the FIPS modules can be found here: https://docs.rke2.io/security/fips_support.
Satisfies: SRG-APP-000014-CTR-000035, SRG-APP-000014-CTR-000040, SRG-APP-000219-CTR-000550, SRG-APP-000441-CTR-001090, SRG-APP-000442-CTR-001095, SRG-APP-000514-CTR-001315, SRG-APP-000560-CTR-001340, SRG-APP-000605-CTR-001380, SRG-APP-000610-CTR-001385, SRG-APP-000635-CTR-001405, SRG-APP-000645-CTR-001410</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
Check Procedure
Use strong TLS settings.
On the RKE2 server, run each command:
/bin/ps -ef | grep kube-apiserver | grep -v grep
/bin/ps -ef | grep kube-controller-manager | grep -v grep
/bin/ps -ef | grep kube-scheduler | grep -v grep
For each, look for the existence of tls-min-version (use this command for an aid "| grep tls-min-version").
If the setting "tls-min-version" is not configured or it is set to "VersionTLS10" or "VersionTLS11", this is a finding.
For each, look for the existence of the tls-cipher-suites.
If "tls-cipher-suites" is not set for all servers, or does not contain the following, this is a finding.
--tls-cipher-suites=suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
Fix Text
Configure the use of strong TLS settings.
Edit the RKE2 server configuration file on all RKE2 server hosts, located at "/etc/rancher/rke2/config.yaml", to contain the following:
kube-controller-manager-arg:
"tls-min-version=VersionTLS12" [or higher]
"tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384" kube-scheduler-arg:
"tls-min-version=VersionTLS12"
"tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384" kube-apiserver-arg:
"tls-min-version=VersionTLS12"
"tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"
Once the configuration file is updated, restart the RKE2 server using the command:
systemctl restart rke2-server
CCI Reference
CCI-000068,CCI-000185,CCI-000382,CCI-000803,CCI-001184,CCI-001453,CCI-002420,CCI-002422,CCI-002450- Created
- 2026-04-07 20:08:31
- Last Updated
- 2026-04-07 20:08:31