
Commit

enable cis-profile
AshleyDumaine committed Apr 18, 2024
1 parent e9dc9fa commit e3407ac
Showing 3 changed files with 13 additions and 1 deletion.
12 changes: 11 additions & 1 deletion docs/src/topics/flavors/rke2.md
@@ -1,4 +1,14 @@
# RKE2

This flavor uses RKE2 for the kubernetes distribution. By default it configures the cluster
with the [CIS profile](https://docs.rke2.io/security/hardening_guide#rke2-configuration):
> Using the generic cis profile will ensure that the cluster passes the CIS benchmark (rke2-cis-1.XX-profile-hardened) associated with the Kubernetes version that RKE2 is running. For example, RKE2 v1.28.XX with the profile: cis will pass the rke2-cis-1.7-profile-hardened in Rancher.
```admonish warning
Until [this upstream PR](https://github.com/rancher-sandbox/cluster-api-provider-rke2/pull/301) is merged, CIS profile enabling
will not work for RKE2 versions >= v1.29.
```

## Specification
| Control Plane | CNI | Default OS | Installs ClusterClass | IPv4 | IPv6 |
|-------------------------------|--------|--------------|-----------------------|------|------|
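Review bot: The text says the flavor enables the CIS profile "by default" but never names the variable that controls it or its default value, and the quoted upstream passage describes the generic `cis` profile while the templates in this commit pin `cis-1.23`. Suggest adding a line here such as "`CIS_PROFILE` (default `cis-1.23`) is passed to `cisProfile` in the RKE2 agent config of both the control plane and the worker templates" and stating whether `cis` is meant to become the default once the upstream PR is merged. The admonish warning should also say what "will not work" means for an operator on >= v1.29 (cluster fails to come up, or the profile is silently ignored and the cluster runs unhardened), since the second case is the one a reader would most want to be warned about.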
@@ -7,7 +17,7 @@
* [Quickstart](../getting-started.md) completed
* Select an [rke2 kubernetes version](https://github.com/rancher/rke2/releases) to set for the kubernetes version
```bash
export KUBERNETES_VERSION=v1.29.1+rke2r1
export KUBERNETES_VERSION=v1.28.8+rke2r1
```
* Installed [rke2 bootstrap provider](https://github.com/rancher-sandbox/cluster-api-provider-rke2) into your management cluster
```shell
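Review bot: The version pin moves from v1.29.1+rke2r1 back to v1.28.8+rke2r1 with no explanation at the point of use; someone copying the quickstart has no cue that this is a workaround for the >= v1.29 limitation in the warning above, nor when it is safe to bump it again. Suggest a comment directly above the export, e.g. `# pinned below v1.29 until the upstream cluster-api-provider-rke2 PR linked above merges`, so the pin is revisited rather than fossilised.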
1 change: 1 addition & 0 deletions templates/flavors/rke2/rke2ConfigTemplate.yaml
@@ -9,6 +9,7 @@ spec:
agentConfig:
version: ${KUBERNETES_VERSION}
nodeName: '{{ ds.meta_data.label }}'
cisProfile: ${CIS_PROFILE:-"cis-1.23"}
# TODO: use MDS to get public and private IP instead because hostname ordering can't always be assumed
preRKE2Commands:
- |
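Review bot: `${CIS_PROFILE:-"cis-1.23"}` gives the user no way to opt out: with the `:-` form an unset and an empty `CIS_PROFILE` both resolve to `cis-1.23`, so the profile is effectively always on for worker nodes and the docs' "by default" wording overstates the choice available. Either document that the CIS profile is mandatory for this flavor or pick a substitution form that lets an explicit empty value pass through. Also worth checking the output of `clusterctl generate cluster` once, to confirm the literal double quotes inside the default are consumed by the template engine and the rendered field is `cisProfile: cis-1.23` (or a YAML-quoted equivalent) rather than a value with embedded quote characters.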
1 change: 1 addition & 0 deletions templates/flavors/rke2/rke2ControlPlane.yaml
@@ -33,6 +33,7 @@ spec:
agentConfig:
version: ${KUBERNETES_VERSION}
nodeName: '{{ ds.meta_data.label }}'
cisProfile: ${CIS_PROFILE:-"cis-1.23"}
preRKE2Commands:
- |
mkdir -p /etc/rancher/rke2/config.yaml.d/
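Review bot: The default is now duplicated verbatim in rke2ConfigTemplate.yaml and here; if one copy is later edited, control plane and workers would run under different CIS profiles, so a short comment in both files that the two values must stay in sync (or a single documented variable) would help. Separately, the hardening guide linked from the docs lists host-level prerequisites for running with a CIS profile (a dedicated etcd user and kernel parameters for protect-kernel-defaults); the visible part of `preRKE2Commands` only creates the config directory, so confirm the rest of that block or the default OS image satisfies them, otherwise the control plane is configured for the profile but `rke2-server` may refuse to start.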