From 5938371b4dea9228ab7f81926be10413e4e12515 Mon Sep 17 00:00:00 2001
From: Derek Nola
Date: Tue, 26 Sep 2023 09:33:07 -0700
Subject: [PATCH] [Release-1.26] Support generic "cis" profile (#4798)

* Support generic "cis" profile

Signed-off-by: Derek Nola
Co-authored-by: Brad Davidson
---
 pkg/cli/cmds/profile_linux.go | 2 +-
 pkg/cli/cmds/root.go | 2 +-
 pkg/rke2/rke2.go | 6 +++++-
 3 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/pkg/cli/cmds/profile_linux.go b/pkg/cli/cmds/profile_linux.go
index 39780be434..67a09e572b 100644
--- a/pkg/cli/cmds/profile_linux.go
+++ b/pkg/cli/cmds/profile_linux.go
@@ -105,7 +105,7 @@ func setCISFlags(clx *cli.Context) error {
 
 func validateProfile(clx *cli.Context, role CLIRole) {
 switch clx.String("profile") {
- case rke2.CISProfile123:
+ case rke2.CISProfile123, rke2.CISProfile:
 if err := validateCISReqs(role); err != nil {
 logrus.Fatal(err)
 }
diff --git a/pkg/cli/cmds/root.go b/pkg/cli/cmds/root.go
index 6a4fd2fb86..b7e8f519aa 100644
--- a/pkg/cli/cmds/root.go
+++ b/pkg/cli/cmds/root.go
@@ -84,7 +84,7 @@ var (
 },
 &cli.StringFlag{
 Name: "profile",
- Usage: "(security) Validate system configuration against the selected benchmark (valid items: " + rke2.CISProfile123 + " )",
+ Usage: "(security) Validate system configuration against the selected benchmark (valid items: cis, cis-1.23 (deprecated))",
 EnvVar: "RKE2_CIS_PROFILE",
 },
 &cli.StringFlag{
diff --git a/pkg/rke2/rke2.go b/pkg/rke2/rke2.go
index 23c44e3a3e..ef38e92c9e 100644
--- a/pkg/rke2/rke2.go
+++ b/pkg/rke2/rke2.go
@@ -64,6 +64,7 @@ type ExtraEnv struct {
 // Valid CIS Profile versions
 const (
 CISProfile123 = "cis-1.23"
+ CISProfile = "cis"
 defaultAuditPolicyFile = "/etc/rancher/rke2/audit-policy.yaml"
 containerdSock = "/run/k3s/containerd/containerd.sock"
 KubeAPIServer = "kube-apiserver"
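Review bot: The new Usage string spells the accepted values as the literals `cis` and `cis-1.23` instead of the `rke2.CISProfile`/`rke2.CISProfile123` constants the old text used, so the help output can silently drift from what validateProfile and isCISMode actually accept if a value is ever renamed or a new one added. Keeping the constants also keeps the deprecation label next to the value it applies to: `Usage: "(security) Validate system configuration against the selected benchmark (valid items: " + rke2.CISProfile + ", " + rke2.CISProfile123 + " (deprecated))",`. The enclosing `var (` block starts and ends outside the hunk.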
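Review bot: `CISProfile` is added under the `// Valid CIS Profile versions` comment with no doc comment of its own, even though it is the one entry that is not a version: in this change it resolves to exactly the same checks as `cis-1.23` (validateProfile and isCISMode treat the two identically), and presumably the benchmark behind it is meant to move with future releases. That is worth stating on the constant, because operators who cite the profile in compliance evidence need to know which benchmark version they actually ran: `// CISProfile selects the CIS benchmark current for this rke2 release; the version it maps to can change on upgrade, so record the rke2 version alongside it when documenting a hardened install.` The const block continues past the hunk.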
@@ -269,7 +270,10 @@ func removeDisabledPods(dataDir, containerRuntimeEndpoint string, disabledItems
 
 func isCISMode(clx *cli.Context) bool {
 profile := clx.String("profile")
- return profile == CISProfile123
+ if profile == CISProfile123 {
+ logrus.Warn("cis-1.23 profile is deprecated and will be removed in v1.29. Please use cis instead.")
+ }
+ return profile == CISProfile123 || profile == CISProfile
 }
 
 // TODO: move this into the podexecutor package, this logic is specific to that executor and should be there instead of here.
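Review bot: The deprecation warning is logged on every call to isCISMode rather than once, so if the predicate is consulted from more than one place during startup (its callers are not in the hunk) the same line repeats in the logs, and a pure boolean helper now carries a logging side effect. validateProfile in pkg/cli/cmds/profile_linux.go already switches on the profile exactly once at CLI validation and is the natural home for it: add `if clx.String("profile") == rke2.CISProfile123 { logrus.Warn("cis-1.23 profile is deprecated and will be removed in v1.29. Please use cis instead.") }` inside that case, and reduce this function to `return profile == CISProfile123 || profile == CISProfile`. If the warning has to stay here, guard it with a `sync.Once` so it fires at most once per process.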