v2.9.0 RHEL9.4 RKE1.28.10+rke2r1 [Full]

Article summary

Did you find this summary helpful?

Thank you for your feedback!

Date of Release: 17/04/2025

Version Information

-	Version	Hardening References
Red Hat Enterprise Linux	9.4	USG STIGs ver 1 rel 14
Rancher Kubernetes Engine Government (RKE2)	v1.28.10	CIS v1.23
Glasswall Halo	2.9.0	SAST, DAST, SCA and Container Security Reports available on request

System Requirements

Minimum

16 vCPU
32 GB RAM

Base OS Information

SELinux is Enforcing
No USG STIG banner message by default (configurable)
The local glasswall system account now requires a password to escalate privileges in the sudoers.
The bootloader password has been set in accordance with STIG requirements. This can be provided upon request.
Password history enforcement implemented as per SANS CIS Kubernetes Benchmark:
- Password reuse is prohibited for a minimum of five generations.
Random number generator used for generating cryptographic keys has been enabled.
Audit policy log level for the kube-apiserver has been set to RequestResponse, as recommended by SANS CIS Kubernetes Benchmarks.
The kube-apiserver audit log path has been rerouted from /var/lib/rancher to /var/log/rancher for improved log visibility.
syslog can be configured on the virtual machine by referencing these steps
- Optionally, syslog can be configured to send RKE2 audit logs by adding the below snippet into /etc/syslog-ng/syslog-ng.conf after the source s_pods block, and restarting the syslog daemon using sudo systemctl restart syslog-ng:
```
source s_rke2 {
    wildcard-file(
        base-dir("/var/log/rancher")
        filename-pattern("*")
        recursive(yes)
        follow-freq(60)
    );
};
log { source(s_rke2); filter(f_default); destination(remote); };
```
Password quality policy updated to enforce:
- Length: Minimum of 15 characters.
- Complexity:
  - At least 1 uppercase letter (e.g., A)
  - At least 1 lowercase letter (e.g., a)
  - At least 1 digit (e.g., 1)
  - At least 1 special character (e.g., !)
- Avoid:
  - More than 3 consecutive identical characters (e.g., aaa)
  - More than 4 consecutive characters of the same type (e.g., 1111, AAAA)
  - Passwords that are not significantly different (must differ by at least 8 characters)
  - Inclusion of username or dictionary-based words
AIDE has been preconfigured to run daily on key configuration files.
TLS Protocols and ciphers have been updated inline with the following:

ssl-ciphers: "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA" 
ssl-protocols: "TLSv1.2 TLSv1.3

Kubernetes Information

CNI plugin: Canal

Glasswall Halo Information

Currently deployed services and Helm charts:

cdrplatform-engine
cdrplatform-sync-api
cdrplatform-report-extractor
cdrplatform-portal
cdrplatform-policy-api
cdrplatform-api-access
cdrplatform-portal-access
cdrplatform-license-management
cdrplatform-cleanup
cdrplatform-async-api
cdrplatform-metrics-collation
cdrplatform-metrics-projection
cdrplatform-rabbitmq
cdrplatform-storage
nginx-ingress

Please refer to the Glasswall Halo V2.9.0 Release Notes for more information.

Was this article helpful?

What's Next

v2.8.0 RHEL9.4 RKE1.28.10+rke2r1 [Full]

Table of contents

Version Information
System Requirements
Recommended
Minimum
Base OS Information
Kubernetes Information
Glasswall Halo Information