Rancher RKE2 must store only cryptographic representations of passwords.

Severity	Group ID	Group Title	Version	Rule ID	Date	STIG Version
medium	V-254567	SRG-APP-000171-CTR-000435	CNTR-R2-000800	SV-254567r1016559_rule	2024-12-20	2

Description
Secrets, such as passwords, keys, tokens, and certificates should not be stored as environment variables. These environment variables are accessible inside RKE2 by the "Get Pod" API call, and by any system, such as CI/CD pipeline, which has access to the definition file of the container. Secrets must be mounted from files or stored within password vaults.

ℹ️ Check
On the RKE2 Control Plane, run the following commands: kubectl get pods -A kubectl get jobs -A kubectl get cronjobs -A This will output all running pods, jobs, and cronjobs. Evaluate each of the above commands using the respective commands below: kubectl get pod -n <namespace> <pod> -o yaml kubectl get job -n <namespace> <job> -o yaml kubectl get cronjob -n <namespace> <cronjob> -o yaml If any contain sensitive values as environment variables, this is a finding.

ℹ️ Check

On the RKE2 Control Plane, run the following commands: kubectl get pods -A kubectl get jobs -A kubectl get cronjobs -A This will output all running pods, jobs, and cronjobs. Evaluate each of the above commands using the respective commands below: kubectl get pod -n <namespace> <pod> -o yaml kubectl get job -n <namespace> <job> -o yaml kubectl get cronjob -n <namespace> <cronjob> -o yaml If any contain sensitive values as environment variables, this is a finding.

✔️ Fix
Any secrets stored as environment variables must be moved to the secret files with the proper protections and enforcements or placed within a password vault.