STIGhubSTIGhub
STIGhub— A free STIG search and compliance tool·STIGs updated 1 hour ago
Powered by Pylon·Privacy·Terms·Feedback·© 2026 Beacon Cloud Solutions, Inc.
← Back to Rancher Government Solutions RKE2 Security Technical Implementation Guide

V-254565

CAT II (Medium)

Rancher RKE2 must be configured with only essential configurations.

Rule ID

SV-254565r1208189_rule

STIG

Rancher Government Solutions RKE2 Security Technical Implementation Guide

Version

V2R7

CCIs

CCI-000381CCI-001764

Discussion

It is important to disable any unnecessary components to reduce any potential attack surfaces. RKE2 allows disabling the following components: - rke2-canal - rke2-coredns - rke2-ingress-nginx - rke2-kube-proxy - rke2-metrics-server If using any of these components presents a security risk, or if any of the components are not required, they can be disabled by using the "disable" flag. Satisfies: SRG-APP-000141-CTR-000315, SRG-APP-000384-CTR-000915

Check Content

Ensure the RKE2 Server configuration file on all RKE2 Server hosts contains a "disable" flag only if there are default RKE2 components that need to be disabled. 

If there are no default components that need to be disabled, this is not a finding.

Run this command on the RKE2 Control Plane:
cat /etc/rancher/rke2/config.yaml

RKE2 allows disabling the following components. If any of the components are not required, they can be disabled:
- rke2-canal
- rke2-coredns
- rke2-ingress-nginx
- rke2-kube-proxy
- rke2-metrics-server

If services not in use are enabled, this is a finding.

Fix Text

Disable unnecessary RKE2 components.

Edit the RKE2 Server configuration file on all RKE2 Server hosts, located at /etc/rancher/rke2/config.yaml, so that it contains a "disable" flag if any default RKE2 components are unnecessary. 

Example:
disable:
- rke2-canal
- rke2-ingress-nginx
- rke2-kube-proxy
- rke2-metrics-server
- rke2-coredns

Once the configuration file is updated, restart the RKE2 Server. Run the command:
systemctl restart rke2-server