diff --git a/pkg/cli/cmds/profile_linux.go b/pkg/cli/cmds/profile_linux.go index 39780be434..67a09e572b 100644 --- a/pkg/cli/cmds/profile_linux.go +++ b/pkg/cli/cmds/profile_linux.go @@ -105,7 +105,7 @@ func setCISFlags(clx *cli.Context) error { func validateProfile(clx *cli.Context, role CLIRole) { switch clx.String("profile") { - case rke2.CISProfile123: + case rke2.CISProfile123, rke2.CISProfile: if err := validateCISReqs(role); err != nil { logrus.Fatal(err) } diff --git a/pkg/cli/cmds/root.go b/pkg/cli/cmds/root.go index 6a4fd2fb86..b7e8f519aa 100644 --- a/pkg/cli/cmds/root.go +++ b/pkg/cli/cmds/root.go @@ -84,7 +84,7 @@ var ( }, &cli.StringFlag{ Name: "profile", - Usage: "(security) Validate system configuration against the selected benchmark (valid items: " + rke2.CISProfile123 + " )", + Usage: "(security) Validate system configuration against the selected benchmark (valid items: cis, cis-1.23 (deprecated))", EnvVar: "RKE2_CIS_PROFILE", }, &cli.StringFlag{ diff --git a/pkg/rke2/rke2.go b/pkg/rke2/rke2.go index 4ebf1cb3a8..a78ed3e589 100644 --- a/pkg/rke2/rke2.go +++ b/pkg/rke2/rke2.go @@ -65,6 +65,7 @@ type ExtraEnv struct { // Valid CIS Profile versions const ( CISProfile123 = "cis-1.23" + CISProfile = "cis" defaultAuditPolicyFile = "/etc/rancher/rke2/audit-policy.yaml" containerdSock = "/run/k3s/containerd/containerd.sock" KubeAPIServer = "kube-apiserver" @@ -275,7 +276,10 @@ func removeDisabledPods(dataDir, containerRuntimeEndpoint string, disabledItems func isCISMode(clx *cli.Context) bool { profile := clx.String("profile") - return profile == CISProfile123 + if profile == CISProfile123 { + logrus.Warn("cis-1.23 profile is deprecated and will be removed in v1.29. Please use cis instead.") + } + return profile == CISProfile123 || profile == CISProfile } // TODO: move this into the podexecutor package, this logic is specific to that executor and should be there instead of here.