Closed gaktive closed 1 year ago
Upon chatting with @catherineluse, and referring to https://docs.ranchermanager.rancher.io/reference-guides/rancher-security/rancher-v2.6-hardening-guides/rke2-hardening-guide-with-cis-v1.6-benchmark, the steps to reproduce this follow the RKE2 Custom Template file to generate this.
It sounds like this may be an issue whereby the actual questions.yaml file in the RKE2 repo needs to be updated.
I was mistaken - this issue is about custom clusters, not cluster templates.
In the create/edit form for RKE2 custom clusters, when the user selects any Worker CIS Profile in the dropdown menu, the value "protect kernel defaults" is now set to true in the cluster YAML.
If the user selects "None" for the Worker CIS Profile, the "protect kernel defaults" should still be false in the cluster YAML.
This only affects custom RKE2 clusters.
`spec.rkeConfig.machineSelectorConfig[0].config["protect-kernel-defaults"]` is false
`spec.rkeConfig.machineSelectorConfig[0].config["protect-kernel-defaults"]` is true
`spec.rkeConfig.machineSelectorConfig[0].config["protect-kernel-defaults"]` is false
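The expected states above amount to one invariant on the provisioned cluster object: `protect-kernel-defaults` under `machineSelectorConfig[].config` must be true exactly when a worker CIS profile is selected, and false when the profile is "None". The following script is an added example (not Rancher or RKE2 code) that checks that invariant against the JSON a user would get from `kubectl get clusters.provisioning.cattle.io <name> -n fleet-default -o json`. It assumes the selected profile is recorded as `config.profile` alongside `protect-kernel-defaults` in the same `machineSelectorConfig` entry, and it checks every entry rather than only index 0; the sample objects are constructed to mirror the three scenarios in the thread.

```python
"""Check that an RKE2 cluster spec keeps protect-kernel-defaults consistent with
its worker CIS profile. Added example; not part of the Rancher dashboard."""
import json

# Constructed samples. Field locations are assumed (provisioning.cattle.io/v1
# Cluster, as returned by kubectl -o json); only the fields read below are present.
SAMPLE_NO_PROFILE = json.dumps({
    "metadata": {"name": "custom-default"},
    "spec": {"rkeConfig": {"machineSelectorConfig": [
        {"config": {"protect-kernel-defaults": False}}
    ]}},
})
SAMPLE_WITH_PROFILE = json.dumps({
    "metadata": {"name": "custom-cis"},
    "spec": {"rkeConfig": {"machineSelectorConfig": [
        {"config": {"profile": "cis-1.6", "protect-kernel-defaults": True}}
    ]}},
})
SAMPLE_PROFILE_RESET_TO_NONE = json.dumps({
    "metadata": {"name": "custom-none"},
    "spec": {"rkeConfig": {"machineSelectorConfig": [
        {"config": {"profile": "", "protect-kernel-defaults": False}}
    ]}},
})
# The 2.6.7 behaviour described in the issue: profile selected, flag left false.
SAMPLE_BUGGY = json.dumps({
    "metadata": {"name": "custom-buggy"},
    "spec": {"rkeConfig": {"machineSelectorConfig": [
        {"config": {"profile": "cis-1.6", "protect-kernel-defaults": False}}
    ]}},
})


def findings(cluster_json: str) -> list:
    """Return one message per machineSelectorConfig entry whose
    protect-kernel-defaults does not match its CIS profile selection.
    A missing or empty profile is treated as "None" in the UI."""
    cluster = json.loads(cluster_json)
    name = cluster.get("metadata", {}).get("name", "<unnamed>")
    selectors = (cluster.get("spec", {})
                 .get("rkeConfig", {})
                 .get("machineSelectorConfig", []))
    out = []
    for i, entry in enumerate(selectors):
        cfg = entry.get("config", {}) or {}
        profile = cfg.get("profile") or None
        expected = profile is not None          # true iff a profile is selected
        actual = bool(cfg.get("protect-kernel-defaults", False))
        if actual != expected:
            out.append(
                f"{name}: machineSelectorConfig[{i}] profile={profile!r} "
                f"has protect-kernel-defaults={actual} (expected {expected})"
            )
    return out


if __name__ == "__main__":
    for sample in (SAMPLE_NO_PROFILE, SAMPLE_WITH_PROFILE,
                   SAMPLE_PROFILE_RESET_TO_NONE, SAMPLE_BUGGY):
        msgs = findings(sample)
        print("OK" if not msgs else "\n".join(msgs))
```

CIS Kubernetes benchmark 1.6 control 4.2.6 is the reason the flag matters: it requires the kubelet to run with `--protect-kernel-defaults=true`, so a cluster that claims a CIS profile but carries the flag as false will fail that control even though the profile appears selected in the UI.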
With Docker on a single-node instance:
Verified on rancher v2.7-830fa58ccecfb8915fc54862a9b19fdfeb2c0f8c-head:
Scenario | Test Case | Result |
---|---|---|
1. | Default behavior for clusters w/o CIS profile selected expected to set "protect-kernel-defaults" to FALSE | ✅ |
2. | Selecting a CIS profile sets "protect-kernel-defaults" to TRUE | ✅ |
3. | Setting the CIS profile to "None" sets "protect-kernel-defaults" to FALSE | ✅ |
Scenario 1 (v2.7-head): false / false
Scenario 2 (v2.7-head): true / true
Scenario 3 (v2.7-head): None for CIS Profile, false / false
Internal reference: SURE-4172 Reported in 2.6.5 & 2.6.7
Issue description: When we use rke2 custom deployment from rancher 2.6.7 with CIS Profile cis-1.6, the protect-kernel-defaults is set to false.
In the UI under Cluster Create, there's a checkbox for protect-kernel-defaults. We should have this checked if a CIS Profile was selected.
Repro steps: