Trust Center Installation with DISA STIGs

Overview

Virtual machines and physical servers are commonly deployed with a set of security policies/configurations applied, based on the US DoD's Security Technical Implementation Guides (STIGs). This environment enforces additional security controls, such as file access policies.

To install the Trust Center on machines with this extra security configuration, follow the additional steps to allow the Trust Center installer and runtime components to function.

Installation Steps

After configuring a Linux server or VM with the DISA STIGs, follow these steps to install the Trust Center:

  1. Edit /etc/yum.conf and disable the local package GPG signature check requirement:

    localpkg_gpgcheck=0

  2. Create a file /etc/fapolicyd/rules.d/80-allow-k3s.rules with the following contents, so that fapolicyd allows the k3s runtime components the Trust Center installs to access files on disk:

    allow perm=any all : dir=/var/lib/rancher/
    allow perm=any all : dir=/opt/cni/
    allow perm=any all : dir=/run/k3s/
    allow perm=any all : dir=/var/lib/kubelet/

    Run the following command to re-generate the compiled rules:

    sudo fagenrules


  3. Download the Trust Center installer or copy over the prepared Darksite bundle (if running in an offline environment).

  4. From the directory where the Trust Center installer (trust-center-ctl) was downloaded or extracted, run the following commands to authorize the installer to run:
    sudo fapolicyd-cli --file add ./trust-center-ctl
    sudo fapolicyd-cli --update
    
  5. Run the Trust Center installation as usual. If you encounter any errors regarding the helm binary, run the following commands to authorize it:
    sudo fapolicyd-cli --file add /usr/local/bin/helm
    sudo fapolicyd-cli --update
    
    Re-run the Trust Center installation command (don't uninstall, just re-run the exact command used to install).
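
The steps above, scripted end to end, as an added example that is not part of the Trust Center documentation or the Trust Center installer. The script assumes the paths the page uses (/etc/yum.conf, /etc/fapolicyd/rules.d/80-allow-k3s.rules, ./trust-center-ctl) but lets each be overridden through an environment variable, so the file-editing functions can be exercised against a scratch directory before touching a real host. The yum.conf edit replaces an existing localpkg_gpgcheck line in place rather than appending a duplicate, and keeps a backup copy so the original value can be restored once the installation is done; the restore itself is not covered by the page's steps.

```shell
#!/bin/sh
# Added example: scripts the STIG-host preparation for the Trust Center installer.
# Not the vendor's code. Paths default to the ones the documentation uses and
# can be overridden via YUM_CONF, RULES_FILE and INSTALLER (assumed names).
set -eu

YUM_CONF="${YUM_CONF:-/etc/yum.conf}"
RULES_FILE="${RULES_FILE:-/etc/fapolicyd/rules.d/80-allow-k3s.rules}"
INSTALLER="${INSTALLER:-./trust-center-ctl}"

# Directories the k3s-based Trust Center runtime needs fapolicyd to permit.
K3S_DIRS="/var/lib/rancher/ /opt/cni/ /run/k3s/ /var/lib/kubelet/"

# Step 1: set localpkg_gpgcheck=0 under [main] in yum.conf.
# An existing localpkg_gpgcheck line is replaced in place; otherwise the
# setting is inserted directly after [main] (or appended if there is none).
# A backup is kept so the setting can be restored after installation.
# Prints the number of localpkg_gpgcheck=0 lines present afterwards (expect 1).
set_localpkg_gpgcheck() {
    conf="$1"
    cp -p "$conf" "$conf.stig-backup"
    work="$conf.tmp.$$"
    awk '
        /^localpkg_gpgcheck=/ { if (!done) { print "localpkg_gpgcheck=0"; done = 1 }; next }
        { print }
        /^\[main\]/ { if (!done) { print "localpkg_gpgcheck=0"; done = 1 } }
        END { if (!done) print "localpkg_gpgcheck=0" }
    ' "$conf" > "$work" && mv "$work" "$conf"
    grep -c '^localpkg_gpgcheck=0$' "$conf"
}

# Step 2: write the fapolicyd allow rules for the k3s directories.
# Prints the number of rule lines written (expect 4).
write_fapolicyd_rules() {
    rules="$1"
    mkdir -p "$(dirname "$rules")"
    : > "$rules"
    for d in $K3S_DIRS; do
        printf 'allow perm=any all : dir=%s\n' "$d" >> "$rules"
    done
    wc -l < "$rules" | tr -d ' '
}

# Steps 4 and 5: add a binary to the fapolicyd trust database and reload.
# Refuses (non-zero return) when the path is not an executable file, so a
# typo cannot silently trust nothing.
trust_binary() {
    bin="$1"
    if [ ! -x "$bin" ]; then
        echo "trust_binary: not an executable file: $bin" >&2
        return 1
    fi
    sudo fapolicyd-cli --file add "$bin"
    sudo fapolicyd-cli --update
}

# Full preparation sequence; only runs when invoked as: sh prep-stig.sh apply
main() {
    set_localpkg_gpgcheck "$YUM_CONF" > /dev/null
    write_fapolicyd_rules "$RULES_FILE" > /dev/null
    sudo fagenrules            # re-generate the compiled rule set (step 2)
    trust_binary "$INSTALLER"  # authorize the installer (step 4)
    echo "host prepared; run the Trust Center installation now"
}

if [ "${1:-}" = "apply" ]; then
    main
fi
```

After a successful installation, if helm is rejected as described in step 5, the same trust_binary function can be called with /usr/local/bin/helm before re-running the install command.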

Note: Future Updates

In Trust Center versions 25.03 and newer, this configuration is added or updated automatically on install and upgrade; in version 24.10 it must be added manually before running the installation.