New to containers or looking to expand your knowledge? Our RGS team shares detailed product insights and relevant customer experiences in our resource library to support you on your Kubernetes journey.
DISA STIG Guides
Rancher Government Solutions is currently in the process of developing and maintaining Rancher and RKE2 STIGs with DISA. We allow our customers to access these in-flight for further reference and encourage any feedback you may have.
DISA Validates Rancher Government Solutions’ Kubernetes Distribution, RKE2 Security Technical Implementation Guide
The following STIG documents address many generic configurations that any Kubernetes cluster should follow. RKE2 is very secure by default, so a large portion of these controls are already built into RKE2, and the remaining ones can either be configured in a declarative fashion or mitigated by other certified Rancher integrations. Note that both of these documents assume a generic Kubernetes cluster, so details such as file paths may not map 1:1 to how RKE2 does things, but they can still help with security by providing even more evidence of a secure cluster.
Kubernetes STIG – Ver 1, Rel 5:
This is the generic platform STIG and can also be used as a generic reference to ensure you’re covering all controls.
Container Platform SRG – Ver 1, Rel 1
FIPS 140-2 Certified
The Federal Information Processing Standard, FIPS, is a U.S. Government security standard used to approve cryptographic modules. Rancher Government Solutions delivers secure Kubernetes to federal programs with certified FIPS-140-2 cryptographic libraries for RKE2.
The Center for Internet Security (CIS – https://www.cisecurity.org/benchmark/kubernetes/) is an accepted third-party and nonprofit organization whose mission is to “identify, develop, validate, promote, and sustain best practice solutions for cyber defense and build and lead communities to enable an environment of trust in cyberspace” (https://www.cisecurity.org/about-us/).
RGS takes these benchmarks and either builds the controls directly into RKE2 or allows for the configuration to be applied extremely easily via automated scripts and input parameters. In addition to applying the benchmarks, we also build tools that can periodically scan security configurations to enforce this compliance.
Enumerating the controls contained in these documents can also provide a large body of evidence needed for security approvals.
Consult the following resources for information about hardening your cluster according to the CIS benchmarks:
- RKE2 CIS Hardening Guide
- RKE2 CIS Self-Assessment Guide
- CIS Automated Scanning
- Rancher CIS Hardening Guide
- Rancher CIS Self-Assessment Guide
USAF Iron Bank
Rancher Government Solutions (RGS) works closely with SUSE Labs to ensure images are secure and up to government standards wherever possible. RGS also develops and maintains pipelines with Platform One’s Iron Bank to provide hardened versions of images available to all teams with access to Iron Bank.
Iron Bank images go through the following processes:
- CVE vulnerability feedback
  - RGS and SUSE Labs both independently scan images and work together to mitigate findings
  - SUSE Labs has automated processes for scanning images before they are pushed and for creating mitigation tasks internally for engineers to fix findings
- Image rebuilds
  - In addition to ensuring images in docker.io/rancher are secure, RGS works with the Platform One team to rebuild images for pushing into the Iron Bank repositories
  - SUSE Labs-backed image rebuild process, ensuring SUSE Labs-supported end results
  - Re-scanned with Iron Bank scanners: Twistlock, Trivy, Anchore CVE + Compliance
  - Uses Iron Bank certified base images for additional security