enable cis-profile

Author: AshleyDumaine

docs/src/topics/flavors/rke2.md

@@ -1,4 +1,14 @@
 # RKE2
+
+This flavor uses RKE2 for the kubernetes distribution. By default it configures the cluster
+with the [CIS profile](https://docs.rke2.io/security/hardening_guide#rke2-configuration):
+> Using the generic cis profile will ensure that the cluster passes the CIS benchmark (rke2-cis-1.XX-profile-hardened) associated with the Kubernetes version that RKE2 is running. For example, RKE2 v1.28.XX with the profile: cis will pass the rke2-cis-1.7-profile-hardened in Rancher.
+
+```admonish warning
+Until [this upstream PR](https://github.com/rancher-sandbox/cluster-api-provider-rke2/pull/301) is merged, CIS profile enabling
+will not work for RKE2 versions >= v1.29.
+```
+
 ## Specification
 | Control Plane                 | CNI    | Default OS   | Installs ClusterClass | IPv4 | IPv6 |
 |-------------------------------|--------|--------------|-----------------------|------|------|

templates/flavors/rke2/rke2ConfigTemplate.yaml

@@ -9,6 +9,7 @@ spec:
       agentConfig:
         version: ${KUBERNETES_VERSION}
         nodeName: '{{ ds.meta_data.label }}'
+        cisProfile: ${CIS_PROFILE:-"cis-1.23"}
       # TODO: use MDS to get public and private IP instead because hostname ordering can't always be assumed
       preRKE2Commands:
         - |

templates/flavors/rke2/rke2ControlPlane.yaml

@@ -33,6 +33,7 @@ spec:
   agentConfig:
     version: ${KUBERNETES_VERSION}
     nodeName: '{{ ds.meta_data.label }}'
+    cisProfile: ${CIS_PROFILE:-"cis-1.23"}
   preRKE2Commands:
     - |
       mkdir -p /etc/rancher/rke2/config.yaml.d/