| CNTR-R2-000010 Rancher RKE2 must protect authenticity of communications sessions with the use of FIPS-validated 140-2 or 140-3 security requirements for cryptographic modules. | ACCESS CONTROL, CONFIGURATION MANAGEMENT, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| CNTR-R2-000030 RKE2 must use a centralized user management solution to support account management functions. | ACCESS CONTROL |
| CNTR-R2-000060 Rancher RKE2 components must be configured in accordance with the security configuration settings based on DOD security configuration or implementation guidance, including SRGs, STIGs, NSA configuration guides, CTOs, and DTMs. | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY, CONFIGURATION MANAGEMENT, MAINTENANCE |
| CNTR-R2-000100 The Kubernetes Controller Manager must have secure binding. | ACCESS CONTROL |
| CNTR-R2-000110 The Kubernetes Kubelet must have anonymous authentication disabled. | ACCESS CONTROL |
| CNTR-R2-000120 The Kubernetes API server must have the insecure port flag disabled. | ACCESS CONTROL |
| CNTR-R2-000130 The Kubernetes Kubelet must have the read-only port flag disabled. | ACCESS CONTROL |
| CNTR-R2-000140 The Kubernetes API server must have the insecure bind address not set. | ACCESS CONTROL |
| CNTR-R2-000150 The Kubernetes kubelet must enable explicit authorization. | ACCESS CONTROL |
| CNTR-R2-000160 The Kubernetes API server must have anonymous authentication disabled. | ACCESS CONTROL |
| CNTR-R2-000320 All audit records must identify any containers associated with the event within Rancher RKE2. | AUDIT AND ACCOUNTABILITY |
| CNTR-R2-000460 Rancher RKE2 must be built from verified packages. | CONFIGURATION MANAGEMENT |
| CNTR-R2-000520 Configuration and authentication files for Rancher RKE2 must be protected. | CONFIGURATION MANAGEMENT |
| CNTR-R2-000550 Rancher RKE2 must be configured with only essential configurations. | CONFIGURATION MANAGEMENT |
| CNTR-R2-000580 Rancher RKE2 runtime must enforce ports, protocols, and services that adhere to the PPSM CAL. | CONFIGURATION MANAGEMENT |
| CNTR-R2-000800 Rancher RKE2 must store only cryptographic representations of passwords. | IDENTIFICATION AND AUTHENTICATION |
| CNTR-R2-000890 Rancher RKE2 must terminate all network connections associated with a communications session at the end of the session, or as follows: for in-band management sessions (privileged sessions), the session must be terminated after five minutes of inactivity. | SYSTEM AND COMMUNICATIONS PROTECTION |
| CNTR-R2-000940 Rancher RKE2 runtime must isolate security functions from nonsecurity functions. | SYSTEM AND COMMUNICATIONS PROTECTION |
| CNTR-R2-000970 Rancher RKE2 runtime must maintain separate execution domains for each container by assigning each container a separate address space to prevent unauthorized and unintended information transfer via shared system resources. | SYSTEM AND COMMUNICATIONS PROTECTION |
| CNTR-R2-001130 Rancher RKE2 must prevent nonprivileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures. | ACCESS CONTROL |
| CNTR-R2-001270 Rancher RKE2 must prohibit the installation of patches, updates, and instantiation of container images without explicit privileged status. | CONFIGURATION MANAGEMENT |
| CNTR-R2-001500 Rancher RKE2 keystore must implement encryption to prevent unauthorized disclosure of information at rest within Rancher RKE2. | SYSTEM AND COMMUNICATIONS PROTECTION |
| CNTR-R2-001580 Rancher RKE2 must remove old components after updated versions have been installed. | SYSTEM AND INFORMATION INTEGRITY |
| CNTR-R2-001620 Rancher RKE2 registry must contain the latest images with most recent updates and execute within Rancher RKE2 runtime as authorized by IAVM, CTOs, DTMs, and STIGs. | SYSTEM AND INFORMATION INTEGRITY |
| DISA_Rancher_Government_Solutions_RKE2_STIG_v2r2.audit from DISA Rancher Government Solutions RKE2 STIG v2r2 | |
