Rancher RKE2 must prevent nonprivileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.

Severity	Group ID	Group Title	Version	Rule ID	Date	STIG Version
medium	V-254571	SRG-APP-000340-CTR-000770	CNTR-R2-001130	SV-254571r1156616_rule	2025-12-28	2

Description
Admission controllers intercept requests to the Kubernetes API before an object is instantiated. Enabling the admissions webhook allows for Kubernetes to apply policies against objects that are to be created, read, updated or deleted. Admissions controllers can be used for: - Prevent pod’s ability to run privileged containers - Prevent pod’s ability to use privileged escalation - Controlling pod’s access to volume types - Controlling pod’s access to host file system - Controlling pod’s usage of host networking objects and configuration Satisfies: SRG-APP-000340-CTR-000770, SRG-APP-000342-CTR-000775

Description

Admission controllers intercept requests to the Kubernetes API before an object is instantiated. Enabling the admissions webhook allows for Kubernetes to apply policies against objects that are to be created, read, updated or deleted. Admissions controllers can be used for: - Prevent pod’s ability to run privileged containers - Prevent pod’s ability to use privileged escalation - Controlling pod’s access to volume types - Controlling pod’s access to host file system - Controlling pod’s usage of host networking objects and configuration Satisfies: SRG-APP-000340-CTR-000770, SRG-APP-000342-CTR-000775

ℹ️ Check
On each controlplane node, retrieve the "pod-security-admission-config-file" value from the RKE2 config file (/etc/rancher/rke2/config.yaml). For example: pod-security-admission-config-file: /etc/rancher/rke2/rke2-pss-custom.yaml Validate that the file referenced by "pod-security-admission-config-file" exists and the default configuration settings match the following: defaults: audit: restricted audit-version: latest enforce: restricted enforce-version: latest warn: restricted warn-version: latest If "pod-security-admission-config-file" is not set, the file does not exist, or the configuration file differs from the above, this is a finding.

ℹ️ Check

On each controlplane node, retrieve the "pod-security-admission-config-file" value from the RKE2 config file (/etc/rancher/rke2/config.yaml). For example: pod-security-admission-config-file: /etc/rancher/rke2/rke2-pss-custom.yaml Validate that the file referenced by "pod-security-admission-config-file" exists and the default configuration settings match the following: defaults: audit: restricted audit-version: latest enforce: restricted enforce-version: latest warn: restricted warn-version: latest If "pod-security-admission-config-file" is not set, the file does not exist, or the configuration file differs from the above, this is a finding.

✔️ Fix
On each Control Plane node, create the file "/etc/rancher/rke2/rke2-pss-custom.yaml" and add the following content: apiVersion: apiserver.config.k8s.io/v1 kind: AdmissionConfiguration plugins: - name: PodSecurity configuration: apiVersion: pod-security.admission.config.k8s.io/v1beta1 kind: PodSecurityConfiguration defaults: enforce: "restricted" enforce-version: "latest" audit: "restricted" audit-version: "latest" warn: "restricted" warn-version: "latest" exemptions: usernames: [] runtimeClasses: [] namespaces: [kube-system, cis-operator-system, tigera-operator] Verify the namespace exemptions contain only namespaces requiring access to capabilities outside of the restricted settings above. Once the file is created, add the following to the RKE2 config file (/etc/rancher/rke2/config.yaml): pod-security-admission-config-file: /etc/rancher/rke2/rke2-pss-custom.yaml Once the "pod-security-admission-config-file" has been added, restart the Control Plane nodes with: systemctl restart rke2-server

✔️ Fix

On each Control Plane node, create the file "/etc/rancher/rke2/rke2-pss-custom.yaml" and add the following content: apiVersion: apiserver.config.k8s.io/v1 kind: AdmissionConfiguration plugins: - name: PodSecurity configuration: apiVersion: pod-security.admission.config.k8s.io/v1beta1 kind: PodSecurityConfiguration defaults: enforce: "restricted" enforce-version: "latest" audit: "restricted" audit-version: "latest" warn: "restricted" warn-version: "latest" exemptions: usernames: [] runtimeClasses: [] namespaces: [kube-system, cis-operator-system, tigera-operator] Verify the namespace exemptions contain only namespaces requiring access to capabilities outside of the restricted settings above. Once the file is created, add the following to the RKE2 config file (/etc/rancher/rke2/config.yaml): pod-security-admission-config-file: /etc/rancher/rke2/rke2-pss-custom.yaml Once the "pod-security-admission-config-file" has been added, restart the Control Plane nodes with: systemctl restart rke2-server