@sohooo
Forked from zackbradys/rke2-stig-controls
Created December 5, 2025 09:00
Revisions

  1. @zackbradys zackbradys revised this gist Dec 3, 2024. 1 changed file with 3 additions and 2 deletions.
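--- a/rke2-stig-controls
+++ b/rke2-stig-controls
@@ -5,10 +5,11 @@ useradd -r -c "etcd user" -s /sbin/nologin -M etcd -U
 
 ### Configure RKE2 Config
 cat << EOF >> /etc/rancher/rke2/config.yaml
-profile: cis-1.23
+profile: cis
 selinux: true
 secrets-encryption: true
 write-kubeconfig-mode: 0600
+embedded-registry: true
 use-service-account-credentials: true
 kube-controller-manager-arg:
 - bind-address=127.0.0.1
@@ -61,7 +62,7 @@ mkdir -p /etc/rancher/rke2/
 
 ### Configure RKE2 Config
 cat << EOF >> /etc/rancher/rke2/config.yaml
-profile: cis-1.23
+profile: cis
 selinux: true
 write-kubeconfig-mode: 0600
 kube-apiserver-arg: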
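Review bot: `embedded-registry: true` is added to the server stanza in the first hunk with no note of what it turns on; it presumably enables RKE2's node-local image registry mirror, which adds a listener that peer nodes pull from, so the control set should record why it is in scope and that the listener is restricted, e.g. `embedded-registry: true  # node-local image mirror; restrict its listener to cluster nodes`. The agent stanza in the second hunk only receives `profile: cis`; if the mirror is meant to be cluster-wide, confirm whether the key is needed there as well. Both stanzas are written by `cat << EOF >>` heredocs whose opening and closing lines sit outside the hunks, so re-running the script appends a second copy of every key.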
  2. @zackbradys zackbradys created this gist Jun 4, 2024.
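--- a/rke2-stig-controls
+++ b/rke2-stig-controls
@@ -0,0 +1,76 @@
+--- RKE2 SERVER NODES (CONTROL PLANE) ---
+### Setup RKE2 Server
+mkdir -p /opt/rke2-artifacts/ /etc/rancher/rke2/ /var/lib/rancher/rke2/server/manifests/
+useradd -r -c "etcd user" -s /sbin/nologin -M etcd -U
+
+### Configure RKE2 Config
+cat << EOF >> /etc/rancher/rke2/config.yaml
+profile: cis-1.23
+selinux: true
+secrets-encryption: true
+write-kubeconfig-mode: 0600
+use-service-account-credentials: true
+kube-controller-manager-arg:
+- bind-address=127.0.0.1
+- use-service-account-credentials=true
+- tls-min-version=VersionTLS12
+- tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
+kube-scheduler-arg:
+- tls-min-version=VersionTLS12
+- tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
+kube-apiserver-arg:
+- tls-min-version=VersionTLS12
+- tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
+- authorization-mode=RBAC,Node
+- anonymous-auth=false
+- admission-control-config-file=/etc/rancher/rke2/rancher-pss.yaml
+- audit-policy-file=/etc/rancher/rke2/audit-policy.yaml
+- audit-log-mode=blocking-strict
+- audit-log-maxage=30
+kubelet-arg:
+- protect-kernel-defaults=true
+- read-only-port=0
+- authorization-mode=Webhook
+- streaming-connection-idle-timeout=5m
+server: https://$DOMAIN:9345 (required for additional control plane nodes)
+token: $TOKEN
+tls-san:
+- $DOMAIN
+system-default-registry: $Registry
+EOF
+
+### Configure RKE2 Audit Policy
+apiVersion: audit.k8s.io/v1
+kind: Policy
+metadata:
+name: rke2-audit-policy
+rules:
+- level: Metadata
+resources:
+- group: ""
+resources: ["secrets"]
+- level: RequestResponse
+resources:
+- group: ""
+resources: ["*"]
+EOF
+
+--- RKE2 AGENT NODES (WORKERS)
+### Setup RKE2 Agent
+mkdir -p /etc/rancher/rke2/
+
+### Configure RKE2 Config
+cat << EOF >> /etc/rancher/rke2/config.yaml
+profile: cis-1.23
+selinux: true
+write-kubeconfig-mode: 0600
+kube-apiserver-arg:
+- authorization-mode=RBAC,Node
+kubelet-arg:
+- protect-kernel-defaults=true
+- read-only-port=0
+- authorization-mode=Webhook
+server: https://$DOMAIN:9345
+token: $TOKEN
+system-default-registry: $REGISTRY
+EOF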
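Review bot: The audit-policy block that starts at `apiVersion: audit.k8s.io/v1` ends with `EOF` but has no opening heredoc, so nothing ever writes `/etc/rancher/rke2/audit-policy.yaml` even though `kube-apiserver-arg` points `audit-policy-file` at it, and the apiserver will likely refuse to start or run without the audit trail the control expects; it needs `cat << EOF > /etc/rancher/rke2/audit-policy.yaml` in front, and if the flush indentation shown here is the file's, `name:` must sit under `metadata:` and each `resources:` under its `- level:` entry for the policy to parse. Both `write-kubeconfig-mode: 0600` values are unquoted, which a YAML 1.2 parser reads as decimal 600 rather than the intended mode, so write `write-kubeconfig-mode: "0600"`. The line `server: https://$DOMAIN:9345 (required for additional control plane nodes)` writes the parenthetical into the URL value; keep it as a YAML comment, `server: https://$DOMAIN:9345  # only on additional control-plane nodes`, and leave the key out on the first server. The unquoted heredocs expand `$Registry` in the server block but `$REGISTRY` in the agent block, so whichever variable is not exported yields an empty (null) `system-default-registry`. Since the join token lands in config.yaml in plaintext, restricting that file to root (for example `chmod 0600 /etc/rancher/rke2/config.yaml` after the heredoc) is worth adding in both node sections.
```shell
### Configure RKE2 Audit Policy
cat << EOF > /etc/rancher/rke2/audit-policy.yaml
apiVersion: audit.k8s.io/v1
kind: Policy
metadata:
  name: rke2-audit-policy
rules:
- level: Metadata
  resources:
  - group: ""
    resources: ["secrets"]
- level: RequestResponse
  resources:
  - group: ""
    resources: ["*"]
EOF
```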