RKE2: A Simple to Deploy Secure and Compliant Kubernetes Distribution for Demanding Environments

In the ever-evolving world of container orchestration, Rancher Kubernetes Engine 2 (RKE2) stands out as a powerful and secure solution. This next-generation Kubernetes distribution from Rancher Labs caters specifically to the needs of organizations, particularly those in the U.S. federal government sector, that require robust security and strict compliance adherence.

RKE2 is a CNCF-certified Kubernetes distribution that builds upon the success of its predecessor, RKE, by offering a streamlined, Kubernetes-native experience with enhanced security, performance, and ease of use. RKE2 is designed to address common pain points associated with Kubernetes deployment and management, making it an attractive option for organizations seeking a more accessible Kubernetes solution.

Built for Security and Compliance

RKE2 prioritizes security from the ground up. Here's how it achieves this:

  • FIPS 140-2 Compliance: RKE2 is compliant with the Federal Information Processing Standards (FIPS) Publication 140-2, a rigorous cryptography standard mandated by the U.S. government for sensitive information systems. Rancher has replaced the standard Go compiler with one that uses the FIPS-validated BoringCrypto module.

  • SELinux Support: It leverages Security-Enhanced Linux (SELinux) to enforce Mandatory Access Control (MAC), providing an additional layer of security by restricting processes and users from accessing unauthorized resources.

  • CIS Kubernetes Benchmark Alignment: RKE2's defaults and configuration options are designed to help clusters pass the CIS Kubernetes Benchmark with minimal effort, ensuring adherence to industry best practices for securing Kubernetes deployments.

  • Regular Vulnerability Scans: The RKE2 development process incorporates routine scans with Trivy, a popular vulnerability scanner, to identify and address potential security issues in the components it ships. Note that this covers Rancher's development of RKE2 only; you still need to build vulnerability scanning into your own pipeline and continuously scan the running cluster for newly disclosed vulnerabilities.

  • DISA STIG-Certified: As of this writing, RKE2 is the only DISA STIG-certified Kubernetes distribution and can be installed in some of the most stringent security environments, such as the U.S. Department of Defense. If you are unfamiliar with STIGs, you can read more about them here: https://public.cyber.mil/stigs/
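The FIPS, SELinux and CIS bullets above all come down to a handful of settings in RKE2's `/etc/rancher/rke2/config.yaml` plus the build of the binary itself. The following audit script is an added example, not code from the original post or from Rancher. It assumes RKE2's documented config keys (`profile`, `selinux`, `write-kubeconfig-mode`) and its documented config path; the two sample configs it writes are constructed for demonstration, and the `rke2 --version` FIPS check assumes that FIPS builds report `boringcrypto` in their Go version line.

```shell
#!/bin/sh
# Added example (not from the original post): audit an RKE2 config.yaml for the
# hardening settings discussed above. Assumptions: config keys and default path
# follow the RKE2 documentation; sample configs below are constructed.

# Return 0 when the config enables the CIS profile, SELinux and keeps the admin
# kubeconfig private (mode x00); print one line per finding and return 1 otherwise.
audit_rke2_config() {
  cfg="${1:-/etc/rancher/rke2/config.yaml}"
  rc=0
  # 'profile: cis' (versioned values such as cis-1.23 on older releases) switches
  # on the CIS-aligned defaults; without it the cluster runs the relaxed defaults.
  if ! grep -Eq '^profile:[[:space:]]*"?cis' "$cfg"; then
    echo "FAIL: $cfg has no 'profile: cis' (CIS hardening defaults off)"; rc=1
  fi
  if ! grep -Eq '^selinux:[[:space:]]*true' "$cfg"; then
    echo "FAIL: $cfg does not set 'selinux: true'"; rc=1
  fi
  # RKE2 defaults the admin kubeconfig to 0600; if the key is present it must
  # still leave group/other with no access (e.g. "0600", not "0644").
  if grep -Eq '^write-kubeconfig-mode:' "$cfg" &&
     ! grep -Eq '^write-kubeconfig-mode:[[:space:]]*"?0?[0-7]00"?[[:space:]]*$' "$cfg"; then
    echo "FAIL: $cfg makes the admin kubeconfig group/world readable"; rc=1
  fi
  [ "$rc" -eq 0 ] && echo "PASS: $cfg meets the checked hardening settings"
  return "$rc"
}

# Assumption: FIPS builds of rke2 print the BoringCrypto Go toolchain in their
# version output. Returns 0 if the installed binary looks like a FIPS build.
check_fips_build() {
  rke2 --version 2>/dev/null | grep -qi boringcrypto
}

# Constructed sample: a convenience config that leaves the hardening off.
write_weak_config() {
  cat >"$1" <<'EOF'
write-kubeconfig-mode: "0644"
tls-san:
  - rke2.example.internal
EOF
}

# Constructed sample: the same cluster with the hardening settings enabled.
write_hardened_config() {
  cat >"$1" <<'EOF'
profile: cis
selinux: true
write-kubeconfig-mode: "0600"
tls-san:
  - rke2.example.internal
EOF
}

# Usage: audit_rke2_config            (checks /etc/rancher/rke2/config.yaml)
#        audit_rke2_config some.yaml  (checks the given file)
```

Setting `profile: cis` is not free: RKE2 checks host prerequisites at start-up and refuses to run if the `etcd` user and group do not exist or the kernel parameters it ships in its CIS sysctl file have not been applied, so run the audit alongside those host steps rather than instead of them.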

Streamlined Operations and Ease of Use

I have recently had the opportunity to deploy RKE2 in a production on-prem environment running Proxmox, and I tell you, if you have ever deployed Kubernetes by hand before, you know what a pain it can be. RKE2 inherits the user-friendly aspects of its predecessors, RKE (Rancher Kubernetes Engine) and K3s.

This translates to:

  • Simplified Installation: The installation process is straightforward, and the lablabs Ansible role makes deployment a breeze.

  • Standalone or Integrated Deployment: You can run RKE2 as a standalone Kubernetes distribution or seamlessly integrate it with the Rancher management platform for centralized control and visibility.

  • Lightweight and Portable: RKE2 is engineered to be lightweight and portable, making it suitable for a wide range of deployment scenarios, from edge computing environments to on-premises data centers and cloud infrastructure. Its minimalistic architecture ensures efficient resource utilization without sacrificing reliability or scalability.

  • Highly Available and Resilient: RKE2 incorporates built-in support for high availability (HA) and resilience, enabling organizations to deploy robust Kubernetes clusters capable of withstanding node failures and network interruptions. Its advanced clustering capabilities and automated failover mechanisms ensure the continuous availability of critical workloads.

  • Operator-Friendly: RKE2 adopts a Kubernetes-native approach to cluster management, leveraging familiar tools and APIs to streamline operations. Its declarative configuration model, coupled with robust automation capabilities, simplifies cluster provisioning, scaling, and maintenance tasks, reducing operational overhead and time-to-value.
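The installation and high-availability bullets above map to RKE2's documented pattern: one server starts the cluster, further servers and agents join it through a fixed registration address that fronts all servers, and every node's role is expressed in its own `config.yaml`. The script below is an added example, not code from the original post or from the lablabs role. It assumes RKE2's documented keys (`server`, `token`, `tls-san`, `profile`, `selinux`, `write-kubeconfig-mode`), RKE2's supervisor port 9345, and the official `get.rke2.io` installer with its `INSTALL_RKE2_TYPE` variable; the hostname and token it uses are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original post or the lablabs role): render the
# per-role config.yaml for an HA RKE2 cluster and validate the join settings.
# Assumptions: documented RKE2 config keys, supervisor port 9345, and the
# official installer. Hostnames and the token are constructed placeholders.

# Print a config.yaml for the given role.
#   server-init : first server, bootstraps the cluster
#   server      : additional control-plane/etcd server (use an odd total, e.g. 3)
#   agent       : worker node
# reg_addr is the fixed registration address (load balancer or DNS round robin)
# in front of all servers; it is added to tls-san so the serving cert is valid for it.
render_rke2_config() {
  role="$1"; reg_addr="$2"; token="$3"
  case "$role" in
    server-init)
      printf 'token: %s\ntls-san:\n  - %s\nprofile: cis\nselinux: true\nwrite-kubeconfig-mode: "0600"\n' \
        "$token" "$reg_addr" ;;
    server)
      printf 'server: https://%s:9345\ntoken: %s\ntls-san:\n  - %s\nprofile: cis\nselinux: true\nwrite-kubeconfig-mode: "0600"\n' \
        "$reg_addr" "$token" "$reg_addr" ;;
    agent)
      printf 'server: https://%s:9345\ntoken: %s\nselinux: true\n' "$reg_addr" "$token" ;;
    *)
      echo "unknown role: $role (expected server-init|server|agent)" >&2; return 2 ;;
  esac
}

# Return 0 if a joining node's config points at the supervisor over TLS on 9345
# and carries a token; joins without these fail or silently target the wrong port.
check_join_config() {
  cfg="$1"
  grep -Eq '^server:[[:space:]]*https://[^[:space:]]+:9345[[:space:]]*$' "$cfg" &&
  grep -Eq '^token:[[:space:]]*[^[:space:]]+' "$cfg"
}

# Install and enable the matching systemd unit for a role (not run in tests;
# needs root and network access). 'server-init' and 'server' both install the
# server type; only their config.yaml differs.
install_rke2() {
  type="server"; [ "$1" = "agent" ] && type="agent"
  mkdir -p /etc/rancher/rke2
  render_rke2_config "$1" "$2" "$3" >/etc/rancher/rke2/config.yaml
  curl -sfL https://get.rke2.io | INSTALL_RKE2_TYPE="$type" sh -
  systemctl enable --now "rke2-$type.service"
}

# Usage (on each node, in order: one server-init, then servers, then agents):
#   install_rke2 server-init rke2.example.internal SHARED-TOKEN-PLACEHOLDER
#   install_rke2 server      rke2.example.internal SHARED-TOKEN-PLACEHOLDER
#   install_rke2 agent       rke2.example.internal SHARED-TOKEN-PLACEHOLDER
```

Keep the registration address stable for the life of the cluster: servers and agents keep reconnecting to it, so swapping it later means touching every node's `config.yaml`. Treat the token as a cluster credential and distribute it through your secrets tooling rather than a shared document.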

Conclusion

Whether you are a top-secret government agency, a big bank, or in some other regulated industry, RKE2's focus on security, compliance, and ease of use makes it a compelling choice for running Kubernetes in mission-critical environments.
