From 5eb307400099a4813baafbb97b5f19c243842a92 Mon Sep 17 00:00:00 2001
From: Ashley Dumaine
Date: Thu, 18 Apr 2024 15:54:07 -0400
Subject: [PATCH] enable cis-profile and protect-kernel-defaults

---
 docs/src/topics/flavors/rke2.md | 10 ++++++++++
 templates/flavors/rke2/rke2ConfigTemplate.yaml | 2 ++
 templates/flavors/rke2/rke2ControlPlane.yaml | 2 ++
 3 files changed, 14 insertions(+)

diff --git a/docs/src/topics/flavors/rke2.md b/docs/src/topics/flavors/rke2.md
index 1312fdcf3..ec7a4fcb0 100644
--- a/docs/src/topics/flavors/rke2.md
+++ b/docs/src/topics/flavors/rke2.md
@@ -1,4 +1,14 @@
 # RKE2
+
+This flavor uses RKE2 for the kubernetes distribution. By default it configures the cluster
+with the [CIS profile](https://docs.rke2.io/security/hardening_guide#rke2-configuration):
+> Using the generic cis profile will ensure that the cluster passes the CIS benchmark (rke2-cis-1.XX-profile-hardened) associated with the Kubernetes version that RKE2 is running. For example, RKE2 v1.28.XX with the profile: cis will pass the rke2-cis-1.7-profile-hardened in Rancher.
+
+```admonish warning
+Until [this upstream PR](https://github.com/rancher-sandbox/cluster-api-provider-rke2/pull/301) is merged, CIS profile enabling
+will not work for RKE2 versions >= v1.29.
+```
+
 ## Specification
 | Control Plane | CNI | Default OS | Installs ClusterClass | IPv4 | IPv6 |
 |-------------------------------|--------|--------------|-----------------------|------|------|
diff --git a/templates/flavors/rke2/rke2ConfigTemplate.yaml b/templates/flavors/rke2/rke2ConfigTemplate.yaml
index c610c5bc6..3c459fd90 100644
--- a/templates/flavors/rke2/rke2ConfigTemplate.yaml
+++ b/templates/flavors/rke2/rke2ConfigTemplate.yaml
@@ -9,6 +9,8 @@ spec:
 agentConfig:
 version: ${KUBERNETES_VERSION}
 nodeName: '{{ ds.meta_data.label }}'
+ cisProfile: ${CIS_PROFILE:-"cis-1.23"}
+ protectKernelDefaults: true
 # TODO: use MDS to get public and private IP instead because hostname ordering can't always be assumed
 preRKE2Commands:
 - |
diff --git a/templates/flavors/rke2/rke2ControlPlane.yaml b/templates/flavors/rke2/rke2ControlPlane.yaml
index 6f9dfc1bb..6aa6261ef 100644
--- a/templates/flavors/rke2/rke2ControlPlane.yaml
+++ b/templates/flavors/rke2/rke2ControlPlane.yaml
@@ -33,6 +33,8 @@ spec:
 agentConfig:
 version: ${KUBERNETES_VERSION}
 nodeName: '{{ ds.meta_data.label }}'
+ cisProfile: ${CIS_PROFILE:-"cis-1.23"}
+ protectKernelDefaults: true
 preRKE2Commands:
 - |
 mkdir -p /etc/rancher/rke2/config.yaml.d/
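Review bot: `cisProfile: ${CIS_PROFILE:-"cis-1.23"}` in `rke2ConfigTemplate.yaml` defaults to one fixed profile name regardless of the `${KUBERNETES_VERSION}` two lines above it, while the docs hunk quotes the RKE2 guide recommending the generic `cis` profile that tracks the running Kubernetes version; `rke2ControlPlane.yaml` carries the same default. RKE2 profile names are version-specific, so a default that does not match the flavor's default Kubernetes version would make every node fail bootstrap instead of coming up hardened — either confirm `cis-1.23` is accepted across the versions this flavor supports or state in the doc which `CIS_PROFILE` value to pass for which version. Separately, enabling a CIS profile together with `protectKernelDefaults: true` makes RKE2 exit at startup unless the host already has the CIS kernel parameters (`vm.overcommit_memory`, `kernel.panic`, `kernel.panic_on_oops`, `vm.panic_on_oom`) applied and an `etcd` system user present; nothing in the visible `preRKE2Commands` of either hunk does this, though that block continues outside the hunks. If it is not handled there, add a step that writes those sysctls to a `/etc/sysctl.d/` drop-in and creates the `etcd` user before the rke2 service starts, and mention in the docs that a custom image must meet these host requirements, otherwise the hardening setting turns into a silent provisioning failure that operators will be tempted to fix by unsetting it.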