From ab18b5d7fc30b73f967db1bb8fbdcef6a27cea06 Mon Sep 17 00:00:00 2001
From: Derek Nola
Date: Wed, 6 Sep 2023 09:27:20 -0700
Subject: [PATCH 1/2] Support generic "cis" profile (#4708)

* Support generic "cis" profile
Signed-off-by: Derek Nola
Co-authored-by: Brad Davidson
---
 pkg/cli/cmds/profile_linux.go | 2 +-
 pkg/cli/cmds/root.go | 4 ++--
 pkg/rke2/rke2.go | 6 +++++-
 3 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/pkg/cli/cmds/profile_linux.go b/pkg/cli/cmds/profile_linux.go
index 39780be434..67a09e572b 100644
--- a/pkg/cli/cmds/profile_linux.go
+++ b/pkg/cli/cmds/profile_linux.go
@@ -105,7 +105,7 @@ func setCISFlags(clx *cli.Context) error {
 
 func validateProfile(clx *cli.Context, role CLIRole) {
 	switch clx.String("profile") {
-	case rke2.CISProfile123:
+	case rke2.CISProfile123, rke2.CISProfile:
 		if err := validateCISReqs(role); err != nil {
 			logrus.Fatal(err)
 		}
diff --git a/pkg/cli/cmds/root.go b/pkg/cli/cmds/root.go
index 6a4fd2fb86..bef07c1767 100644
--- a/pkg/cli/cmds/root.go
+++ b/pkg/cli/cmds/root.go
@@ -83,8 +83,8 @@ var (
 			Destination: &config.CloudProviderConfig,
 		},
 		&cli.StringFlag{
-			Name: "profile",
-			Usage: "(security) Validate system configuration against the selected benchmark (valid items: " + rke2.CISProfile123 + " )",
+			Name: "profile",
+			Usage: "(security) Validate system configuration against the selected benchmark (valid items: cis, cis-1.23 (deprecated))",
 			EnvVar: "RKE2_CIS_PROFILE",
 		},
 		&cli.StringFlag{
diff --git a/pkg/rke2/rke2.go b/pkg/rke2/rke2.go
index 23c44e3a3e..ef38e92c9e 100644
--- a/pkg/rke2/rke2.go
+++ b/pkg/rke2/rke2.go
@@ -64,6 +64,7 @@ type ExtraEnv struct {
 // Valid CIS Profile versions
 const (
 	CISProfile123 = "cis-1.23"
+	CISProfile = "cis"
 	defaultAuditPolicyFile = "/etc/rancher/rke2/audit-policy.yaml"
 	containerdSock = "/run/k3s/containerd/containerd.sock"
 	KubeAPIServer = "kube-apiserver"
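Review bot: The widened `case rke2.CISProfile123, rke2.CISProfile:` is the only visible place a --profile value is checked, and whether the switch has a `default:` arm that rejects anything else lies outside the hunk; if it does not, a misspelled value such as `CIS` is silently accepted and the node comes up with no CIS validation and no warning, which is the wrong failure mode for a hardening flag. A fail-closed arm, after a `case "":` for the unset flag, such as `default: logrus.Fatalf("invalid profile %q (valid values: %s, %s)", clx.String("profile"), rke2.CISProfile, rke2.CISProfile123)` would close that gap. validateProfile runs once at CLI validation and would also be a better home than isCISMode for the one-time cis-1.23 deprecation warning. The switch continues past the end of the hunk.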
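Review bot: The new Usage string spells the accepted values out by hand (`cis, cis-1.23 (deprecated)`), whereas the removed line derived them from `rke2.CISProfile123`; the help text can now drift from the constants that validateProfile and isCISMode actually compare against. Keeping it derived, `Usage: "(security) Validate system configuration against the selected benchmark (valid items: " + rke2.CISProfile + ", " + rke2.CISProfile123 + " (deprecated))",`, ties the documentation to the code. The second patch in this series touches the same two lines for gofmt only, so the same remark applies there.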
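Review bot: `CISProfile123` is deprecated by this series (the isCISMode hunk later in this file logs a removal warning for it), yet the const block carries no deprecation marker, so callers of the constant only learn this at runtime. Go tooling surfaces a comment on its own line above `CISProfile123 = "cis-1.23"` such as `// Deprecated: use CISProfile instead; cis-1.23 is scheduled for removal in v1.29.`. The `// Valid CIS Profile versions` header could also note that only the first two entries are profile names, since the same block mixes in an audit-policy path, a socket path and a component name.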
@@ -269,7 +270,10 @@ func removeDisabledPods(dataDir, containerRuntimeEndpoint string, disabledItems
 
 func isCISMode(clx *cli.Context) bool {
 	profile := clx.String("profile")
-	return profile == CISProfile123
+	if profile == CISProfile123 {
+		logrus.Warn("cis-1.23 profile is deprecated and will be removed in v1.29. Please use cis instead.")
+	}
+	return profile == CISProfile123 || profile == CISProfile
 }
 
 // TODO: move this into the podexecutor package, this logic is specific to that executor and should be there instead of here.

From 2decf60c7149bd3fdffd21f2a31ac5917d03be48 Mon Sep 17 00:00:00 2001
From: Derek Nola
Date: Mon, 25 Sep 2023 10:22:28 -0700
Subject: [PATCH 2/2] gofmt

Signed-off-by: Derek Nola
---
 pkg/cli/cmds/root.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/pkg/cli/cmds/root.go b/pkg/cli/cmds/root.go
index bef07c1767..b7e8f519aa 100644
--- a/pkg/cli/cmds/root.go
+++ b/pkg/cli/cmds/root.go
@@ -83,8 +83,8 @@ var (
 			Destination: &config.CloudProviderConfig,
 		},
 		&cli.StringFlag{
-			Name: "profile",
-			Usage: "(security) Validate system configuration against the selected benchmark (valid items: cis, cis-1.23 (deprecated))",
+			Name: "profile",
+			Usage: "(security) Validate system configuration against the selected benchmark (valid items: cis, cis-1.23 (deprecated))",
 			EnvVar: "RKE2_CIS_PROFILE",
 		},
 		&cli.StringFlag{
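Review bot: The deprecation warning fires on every call of isCISMode rather than once; the hunk does not show the call sites, but a predicate of this kind is presumably consulted from more than one place, which would repeat the same warning in the logs each time it is evaluated. Guarding it with a package-level `sync.Once` (`var warnCIS123 sync.Once` and `warnCIS123.Do(func() { logrus.Warn("cis-1.23 profile is deprecated and will be removed in v1.29. Please use cis instead.") })`), or moving the warning into validateProfile, which runs once during CLI validation, keeps the output to a single line. The new return expression is correct, and isCISMode lies entirely within the hunk.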