enable cis-profile and protect-kernel-defaults (#263)
AshleyDumaine authored Apr 24, 2024
1 parent c61ab94 commit 4f4d345
Showing 3 changed files with 14 additions and 0 deletions.
10 changes: 10 additions & 0 deletions docs/src/topics/flavors/rke2.md
@@ -1,4 +1,14 @@
# RKE2

This flavor uses RKE2 for the kubernetes distribution. By default it configures the cluster
with the [CIS profile](https://docs.rke2.io/security/hardening_guide#rke2-configuration):
> Using the generic cis profile will ensure that the cluster passes the CIS benchmark (rke2-cis-1.XX-profile-hardened) associated with the Kubernetes version that RKE2 is running. For example, RKE2 v1.28.XX with the profile: cis will pass the rke2-cis-1.7-profile-hardened in Rancher.
```admonish warning
Until [this upstream PR](https://github.com/rancher-sandbox/cluster-api-provider-rke2/pull/301) is merged, CIS profile enabling
will not work for RKE2 versions >= v1.29.
```

## Specification
| Control Plane | CNI | Default OS | Installs ClusterClass | IPv4 | IPv6 |
|-------------------------------|--------|--------------|-----------------------|------|------|
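Review bot: the new paragraph says the flavor configures the cluster with "the CIS profile" and quotes the description of the generic `cis` profile, but the templates in this same commit default to the versioned profile (`cisProfile: ${CIS_PROFILE:-"cis-1.23"}`) and additionally set `protectKernelDefaults: true`; neither the actual default value, the `CIS_PROFILE` override variable, nor the kernel-defaults setting is documented here. Suggest stating both explicitly, e.g. "By default `cisProfile` is `cis-1.23` (override with the `CIS_PROFILE` variable) and `protectKernelDefaults` is enabled", and spelling out the host prerequisites the linked hardening guide lists for that combination (the kernel sysctls kubelet checks under protect-kernel-defaults and the `etcd` user/group), since a node image that lacks them will not join. The warning about RKE2 >= v1.29 should also say whether it applies to the pinned `cis-1.23` default, the generic `cis` profile, or both, because a reader choosing a value for `CIS_PROFILE` needs that to pick one.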
2 changes: 2 additions & 0 deletions templates/flavors/rke2/rke2ConfigTemplate.yaml
@@ -9,6 +9,8 @@ spec:
agentConfig:
version: ${KUBERNETES_VERSION}
nodeName: '{{ ds.meta_data.label }}'
cisProfile: ${CIS_PROFILE:-"cis-1.23"}
protectKernelDefaults: true
# TODO: use MDS to get public and private IP instead because hostname ordering can't always be assumed
preRKE2Commands:
- |
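Review bot: `protectKernelDefaults: true` on the worker `agentConfig` makes kubelet refuse to start when the host's kernel parameters differ from the values it expects (`vm.overcommit_memory=1`, `vm.panic_on_oom=0`, `kernel.panic=10`, `kernel.panic_on_oops=1` and the `kernel.keys.root_max*` limits), and nothing in the part of `preRKE2Commands` shown here sets them. Confirm the node image already ships those sysctls, or add a step to `preRKE2Commands` that writes them to a file under `/etc/sysctl.d/` and applies it with `sysctl -p <file>` before RKE2 is installed; otherwise every worker will sit in NotReady with a kubelet startup error. Separately, the default `${CIS_PROFILE:-"cis-1.23"}` pins one benchmark version, whereas the generic `cis` profile quoted in the docs follows the Kubernetes version RKE2 is running; either default to `cis` or note in the docs why the pinned value was chosen.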
2 changes: 2 additions & 0 deletions templates/flavors/rke2/rke2ControlPlane.yaml
@@ -33,6 +33,8 @@ spec:
agentConfig:
version: ${KUBERNETES_VERSION}
nodeName: '{{ ds.meta_data.label }}'
cisProfile: ${CIS_PROFILE:-"cis-1.23"}
protectKernelDefaults: true
preRKE2Commands:
- |
mkdir -p /etc/rancher/rke2/config.yaml.d/
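Review bot: with the CIS profile now set on control-plane nodes, RKE2 also expects the `etcd` user and group to exist on the host before it starts (the hardening guide the docs link to adds them with `useradd -r -c "etcd user" -s /sbin/nologin -M etcd -U`), and the visible `preRKE2Commands` only create `/etc/rancher/rke2/config.yaml.d/`. Check that the user is created in the elided part of `preRKE2Commands` or baked into the image; if not, the first server will fail its pre-flight checks and the cluster never bootstraps. The same sysctl prerequisite that `protectKernelDefaults` imposes on workers applies here too. Finally, these two `agentConfig` lines are now duplicated verbatim (including the inline default) between `rke2ConfigTemplate.yaml` and `rke2ControlPlane.yaml`; a comment in each pointing at the other, or a shared variable for the default, would keep them from drifting when the profile name changes for v1.29+.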
