Checklist Summary:

The Rancher Government Solutions Multi-Cluster Manager (RGS MCM) Security Technical Implementation Guide (STIG) provides technical requirements for securing basic Kubernetes platforms managed by RGS MCM. There are many capabilities and configurations shared between the underlying Kubernetes cluster and RGS MCM. The shared capabilities and configurations are better applied at the Kubernetes layer and may be considered out-of-scope for this STIG. RGS MCM’s main use case is managing multiple clusters. Best practice of applying security features at this layer through RGS MCM, such as global role-based access control (RBAC), are applicable to this STIG as these can provide security features at the global, multi-cluster level. The Kubernetes cluster runs on top of other components. These components, such as a runtime and a container network interface (CNI), act differently depending on the software (runtime examples are Docker and ContainerD) or the plugin (CNI plugin examples are Flannel, Calico, and Canal) installed. The component also determines what additional security can be implemented for Kubernetes, for example, the CNI installed can determine the type of network policies if they can be implemented. Because of the differences in capabilities, features of Kubernetes components are outside the scope of the RGS MCM STIG, but the components need to be secured. To secure the components outside the scope of this document, use the specific vendor STIG or technology Security Requirements Guide (SRG). Services provided specifically by the underlying Kubernetes distribution are also outside the scope of this document and one must follow the appropriate vendor-specific STIG, if one exists. If a vendor-specific STIG does not exist, the more generic technology SRG must be used. Services must also follow any guidance that pertains to the way the services are implemented. This STIG assumes that only out-of-the-box components of RGS MCM are being used and no special configuration is being provided to swap out any bundled components. This STIG requires that all applicable underlying security controls have been met. A typical stack that Rancher runs on top of consists of infrastructure, hypervisor, operating system, container runtime, and Kubernetes distribution. Proper hardening of the surrounding environment is independent of RGS MCM but ensures overall security stature.

Checklist Role:

• Operating System

Known Issues:

Not provided.

Target Audience:

Parties within the DoD and federal government’s computing environments can obtain the applicable STIG from the Cyber Exchange website at https://cyber.mil/. This site contains the latest copies of STIGs, SRGs, and other related security information. Those without a Common Access Card (CAC) containing DoD Certificates can obtain the STIG from https://public.cyber.mil/.

Target Operational Environment:

• Managed
• Specialized Security-Limited Functionality (SSLF)

Testing Information:

Not provided.

Regulatory Compliance:

Department of Defense Instruction (DoDI) 8500.01

Comments/Warnings/Miscellaneous:

Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil. DISA will coordinate all change requests with the relevant DoD organizations before inclusion in this document. Approved changes will be made in accordance with the DISA maintenance release schedule.

Disclaimer:

Not provided.

Product Support:

Parties within the DoD and federal government’s computing environments can obtain the applicable STIG from the Cyber Exchange website at https://cyber.mil/. This site contains the latest copies of STIGs, SRGs, and other related security information. Those without a Common Access Card (CAC) containing DoD Certificates can obtain the STIG from https://public.cyber.mil/.

Point of Contact:

disa.stig_spt@mail.mil

Sponsor:

Not provided.

Licensing:

Not provided.

Change History:

Change to FINAL - 5/26/22
updated URLs - 9/12/2022
Updated URLs per DISA - 7/25/23

Dependency/Requirements:

URL	Description

References:

Reference URL	Description

NIST checklist record last modified on 07/25/2023