From d1e2aec93993fe7ab4ca6ce1626f1d234a79cfa0 Mon Sep 17 00:00:00 2001 From: Vipin Sharma Date: Tue, 17 Mar 2026 11:30:39 -0700 Subject: [PATCH 1/3] PE-8352 Set rp_filter mode to disable. This causes issue with CNI and specifically in overlay network --- rhel-stig/README.md | 2 ++ rhel-stig/stig-remediate.sh | 25 +++++++++++++++++++++++++ 2 files changed, 27 insertions(+) diff --git a/rhel-stig/README.md b/rhel-stig/README.md index 5387d0ea..c550be2e 100644 --- a/rhel-stig/README.md +++ b/rhel-stig/README.md @@ -143,6 +143,8 @@ The build process automatically applies STIG remediation rules including: STIG disables `net.ipv4.ip_forward` and `net.ipv4.conf.all.forwarding` for general servers. Kubernetes nodes require both `=1` for CNI pod networking (Calico, Flannel, etc.). The build overrides STIG via `/etc/sysctl.d/99-zzz-kubernetes-ip-forward.conf` and applies it during build. +STIG sets `rp_filter=1` (strict); overlay clusters (Calico, etc.) require `rp_filter=0`. The build overrides via `/etc/sysctl.d/99-zzz-kubernetes-rp-filter.conf`. + ### Firewall Configuration No firewall ports or zones are opened by default. Configure firewall rules via **user-data** or **cluster profile** as needed for your environment. diff --git a/rhel-stig/stig-remediate.sh b/rhel-stig/stig-remediate.sh index 26fcc85b..c620558f 100755 --- a/rhel-stig/stig-remediate.sh +++ b/rhel-stig/stig-remediate.sh @@ -358,6 +358,31 @@ current=$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null || echo "MISSING") current_all=$(cat /proc/sys/net/ipv4/conf/all/forwarding 2>/dev/null || echo "MISSING") print_debug "Runtime after apply: net.ipv4.ip_forward=$current net.ipv4.conf.all.forwarding=$current_all" +# STIG sets rp_filter=1 (strict); overlay clusters/CNI require rp_filter=0 for pod networking +echo "Applying Kubernetes exception: net.ipv4.conf.all.rp_filter=0 and net.ipv4.conf.default.rp_filter=0 (required for overlay clusters)..." + +shopt -s nullglob +for f in /etc/sysctl.conf /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf; do + [ -f "$f" ] || continue + sed -i \ + -e 's/^[[:space:]]*net\.ipv4\.conf\.all\.rp_filter[[:space:]]*=.*$/# STIG exception (Kubernetes overlay clusters require rp_filter=0): &/' \ + -e 's/^[[:space:]]*net\.ipv4\.conf\.default\.rp_filter[[:space:]]*=.*$/# STIG exception (Kubernetes overlay clusters require rp_filter=0): &/' \ + "$f" 2>/dev/null || true +done +shopt -u nullglob 2>/dev/null || true + +cat > /etc/sysctl.d/99-zzz-kubernetes-rp-filter.conf <<'EOF' +# Kubernetes exception: STIG sets rp_filter=1; overlay clusters (Calico, etc.) require rp_filter=0 +net.ipv4.conf.all.rp_filter = 0 +net.ipv4.conf.default.rp_filter = 0 +EOF +chown root:root /etc/sysctl.d/99-zzz-kubernetes-rp-filter.conf +chmod 0644 /etc/sysctl.d/99-zzz-kubernetes-rp-filter.conf + +/sbin/sysctl -w net.ipv4.conf.all.rp_filter=0 2>/dev/null || true +/sbin/sysctl -w net.ipv4.conf.default.rp_filter=0 2>/dev/null || true +/sbin/sysctl --system 2>/dev/null || true + # Ensure required drivers and modules are in dracut config (backup in case STIG removed them) for conf_file in /etc/dracut.conf.d/*.conf; do if [ -f "$conf_file" ]; then From 87a5a8ef5ee18cf24a988856e898d7ab6a6c12ec Mon Sep 17 00:00:00 2001 From: Vipin Sharma Date: Tue, 17 Mar 2026 15:33:11 -0700 Subject: [PATCH 2/3] Fix the rp_filter config. It was not applied to ens160 , added wildcard config to catch all itnerfaces. --- rhel-stig/build.sh.rhel9 | 2 +- rhel-stig/stig-remediate.sh | 4 +++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/rhel-stig/build.sh.rhel9 b/rhel-stig/build.sh.rhel9 index 3af19ab3..81a4f16d 100755 --- a/rhel-stig/build.sh.rhel9 +++ b/rhel-stig/build.sh.rhel9 @@ -10,5 +10,5 @@ if [ "$FIPS_ENABLED" = "true" ]; then docker build --build-arg USERNAME="$USERNAME" --build-arg PASSWORD="$PASSWORD" -t "$BASE_IMAGE" -f Dockerfile.rhel9-fips . else echo "Building RHEL 9 STIG image..." - docker build --no-cache --build-arg USERNAME="$USERNAME" --build-arg PASSWORD="$PASSWORD" -t "$BASE_IMAGE" -f Dockerfile.rhel9 . + docker build --build-arg USERNAME="$USERNAME" --build-arg PASSWORD="$PASSWORD" -t "$BASE_IMAGE" -f Dockerfile.rhel9 . fi diff --git a/rhel-stig/stig-remediate.sh b/rhel-stig/stig-remediate.sh index c620558f..fef1b75b 100755 --- a/rhel-stig/stig-remediate.sh +++ b/rhel-stig/stig-remediate.sh @@ -372,7 +372,9 @@ done shopt -u nullglob 2>/dev/null || true cat > /etc/sysctl.d/99-zzz-kubernetes-rp-filter.conf <<'EOF' -# Kubernetes exception: STIG sets rp_filter=1; overlay clusters (Calico, etc.) require rp_filter=0 +# Kubernetes exception: STIG/Red Hat set rp_filter=1; overlay clusters (Calico, etc.) require rp_filter=0 +# 50-redhat.conf uses net.ipv4.conf.*.rp_filter=1 per-interface; override with same wildcard (loads later) +net.ipv4.conf.*.rp_filter = 0 net.ipv4.conf.all.rp_filter = 0 net.ipv4.conf.default.rp_filter = 0 EOF From 79d097f67b58ba180c5a7a0cc0dd48219fd38271 Mon Sep 17 00:00:00 2001 From: Vipin Sharma Date: Tue, 17 Mar 2026 17:17:45 -0700 Subject: [PATCH 3/3] Fix the secrets passed during build. (#570) * Fix the secrets passed during build. * Enable cache --- rhel-stig/Dockerfile.rhel9 | 11 ++++++----- rhel-stig/Dockerfile.rhel9-fips | 11 ++++++----- rhel-stig/README.md | 6 ++++-- rhel-stig/build.sh.rhel9 | 18 ++++++++++++++++-- 4 files changed, 32 insertions(+), 14 deletions(-) diff --git a/rhel-stig/Dockerfile.rhel9 b/rhel-stig/Dockerfile.rhel9 index d7b86f06..0f20c63f 100644 --- a/rhel-stig/Dockerfile.rhel9 +++ b/rhel-stig/Dockerfile.rhel9 @@ -1,17 +1,18 @@ FROM quay.io/kairos/kairos-init:v0.5.28 AS kairos-init FROM registry.access.redhat.com/ubi9-init:9.4-6 -ARG USERNAME -ARG PASSWORD ARG KAIROS_VERSION=v3.5.9 RUN dnf install https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm -y -# Subscription manager in redhat does not run directly in containers unless you run on a redhat host, hence we remove the rhsm-host, login to the redhat subscription and add the repos -RUN rm /etc/rhsm-host && subscription-manager register --username ${USERNAME} --password ${PASSWORD} \ +# subscription-manager runs inside the UBI container (host OS does not need to be RHEL). Remove rhsm-host so it does not try to use host entitlements. +# Uses BuildKit secrets (--secret id=rhsm_username,src=... --secret id=rhsm_password,src=...) - credentials never stored in image +RUN --mount=type=secret,id=rhsm_username \ + --mount=type=secret,id=rhsm_password \ + sh -c 'rm /etc/rhsm-host && subscription-manager register --username "$(cat /run/secrets/rhsm_username)" --password "$(cat /run/secrets/rhsm_password)" \ && yum repolist \ && subscription-manager attach --auto \ && subscription-manager repos --enable rhel-9-for-x86_64-appstream-rpms \ - && yum repolist + && yum repolist' # Let Kairos install packages first (provides network config, luet packages, etc.) RUN --mount=type=bind,from=kairos-init,src=/kairos-init,dst=/kairos-init \ diff --git a/rhel-stig/Dockerfile.rhel9-fips b/rhel-stig/Dockerfile.rhel9-fips index 79907ca8..058634b0 100644 --- a/rhel-stig/Dockerfile.rhel9-fips +++ b/rhel-stig/Dockerfile.rhel9-fips @@ -1,20 +1,21 @@ FROM quay.io/kairos/kairos-init:v0.5.28 AS kairos-init FROM registry.access.redhat.com/ubi9-init:9.4-6 -ARG USERNAME -ARG PASSWORD ARG KAIROS_VERSION=v3.5.9 # Don't get asked while running apt commands ENV DEBIAN_FRONTEND=noninteractive RUN dnf install https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm -y -# Subscription manager in redhat does not run directly in containers unless you run on a redhat host, hence we remove the rhsm-host, login to the redhat subscription and add the repos -RUN rm /etc/rhsm-host && subscription-manager register --username ${USERNAME} --password ${PASSWORD} \ +# subscription-manager runs inside the UBI container (host OS does not need to be RHEL). Remove rhsm-host so it does not try to use host entitlements. +# Uses BuildKit secrets (--secret id=rhsm_username,src=... --secret id=rhsm_password,src=...) - credentials never stored in image +RUN --mount=type=secret,id=rhsm_username \ + --mount=type=secret,id=rhsm_password \ + sh -c 'rm /etc/rhsm-host && subscription-manager register --username "$(cat /run/secrets/rhsm_username)" --password "$(cat /run/secrets/rhsm_password)" \ && yum repolist \ && subscription-manager attach --auto \ && subscription-manager repos --enable rhel-9-for-x86_64-appstream-rpms \ - && yum repolist + && yum repolist' RUN echo "install_weak_deps=False" >> /etc/dnf/dnf.conf COPY overlay/rhel9/ / diff --git a/rhel-stig/README.md b/rhel-stig/README.md index c550be2e..a47f7af9 100644 --- a/rhel-stig/README.md +++ b/rhel-stig/README.md @@ -11,9 +11,11 @@ RHEL 9 STIG (Security Technical Implementation Guide) compliance is required for ### Prerequisites - Red Hat subscription credentials (username and password) -- Docker installed and running +- Docker installed and running (BuildKit enabled; the build script sets `DOCKER_BUILDKIT=1`) - Access to Red Hat repositories (RHEL 9 packages required) +**Building on non-RHEL hosts (Ubuntu, etc.):** subscription-manager runs inside the UBI container, so the host OS does not need to be RHEL. The build works on any Docker host. + ### Building Non-FIPS STIG Image ```bash @@ -36,7 +38,7 @@ Example: bash build.sh.rhel9 myuser@example.com mypassword rhel9-byoi-stig-fips true ``` -**Note**: Red Hat subscription credentials are required to build these images as RHEL 9 STIG packages are only available through Red Hat repositories. +**Note**: Red Hat subscription credentials are required to build these images as RHEL 9 STIG packages are only available through Red Hat repositories. Credentials are passed via Docker BuildKit secrets (not build args) and are never stored in image layers. Requires Docker BuildKit (default in Docker 23+; set `DOCKER_BUILDKIT=1` for older versions). ## Using the Base Image diff --git a/rhel-stig/build.sh.rhel9 b/rhel-stig/build.sh.rhel9 index 81a4f16d..eddeff84 100755 --- a/rhel-stig/build.sh.rhel9 +++ b/rhel-stig/build.sh.rhel9 @@ -1,14 +1,28 @@ #!/bin/bash +# Run from rhel-stig/ so static/ and stig-remediate.sh are in build context +SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" +cd "$SCRIPT_DIR" + USERNAME=$1 PASSWORD=$2 BASE_IMAGE="${3:-rhel9-byoi-stig}" FIPS_ENABLED="${4:-false}" +# BuildKit required for --secret (credentials never stored in image layers) +export DOCKER_BUILDKIT=1 + +# Use BuildKit secrets - credentials passed via temp files, never in image layers or build args +tmpdir=$(mktemp -d) +trap "rm -rf $tmpdir" EXIT +echo -n "$USERNAME" > "$tmpdir/rhsm_username" +echo -n "$PASSWORD" > "$tmpdir/rhsm_password" +chmod 600 "$tmpdir"/* + if [ "$FIPS_ENABLED" = "true" ]; then echo "Building RHEL 9 STIG FIPS image..." - docker build --build-arg USERNAME="$USERNAME" --build-arg PASSWORD="$PASSWORD" -t "$BASE_IMAGE" -f Dockerfile.rhel9-fips . + docker build --secret id=rhsm_username,src="$tmpdir/rhsm_username" --secret id=rhsm_password,src="$tmpdir/rhsm_password" -t "$BASE_IMAGE" -f Dockerfile.rhel9-fips . else echo "Building RHEL 9 STIG image..." - docker build --build-arg USERNAME="$USERNAME" --build-arg PASSWORD="$PASSWORD" -t "$BASE_IMAGE" -f Dockerfile.rhel9 . + docker build --secret id=rhsm_username,src="$tmpdir/rhsm_username" --secret id=rhsm_password,src="$tmpdir/rhsm_password" -t "$BASE_IMAGE" -f Dockerfile.rhel9 . fi