hardening configurations improvement

[bovy89]

Related to #3612

If I'm not wrong, right now a config like profile: CIS-XX enable "CIS mode", provisioning several rke2 hardening configurations (network policy, psp/pss, etcd hardening, etc.). It would be useful to give more control about those configurations without the need of CIS mode. A simple use case could be "enabled etcd hardening without enabling default network policies, enforcing psp etc".

Example:

--[no-]enable-network-policies
--[no-]enable-etcd-hardening
--[no-]enable-psp-pss

• if you specify profile: CIS-XX, those options will be enabled by default:

## CIS with network policies, etcd hardening etc. etc.
profile: CIS-XX

• if you specify profile: CIS-XX, those options will be enabled by default (included in CIS profile), but you can override and disable it:

## CIS profile without network policies
profile: CIS-XX
--no-enable-network-policies

• if you don't want to use profile: CIS-XX you can still use some of those features:

## without CIS profile (non CIS mode) but with etcd hardening enabled
--enable-etcd-hardening

As future improvement, it might be thought to provide the single hardening configurations as feature flag (es: --enable-etcd-hardening) instead of strictly related it to CIS mode?

[rancher-max]

This is currently possibly, although inconvenient. RKE2 is built using k3s, so a lot of the principles from there apply here as well. For that reason, it's possible to do some "manual/limited hardening" with config flags that are described in the k3s docs here. That whole page is relevant, but I linked the args specifically to keep it simple.

So effectively to me this ask would be like incorporating some of those in a "one line flag" instead of having multiple configs; is that a correct assumption?

[bovy89]

In our case, what I wrote is strictly related to network-policies/psp-pss/etcd-hardening (see https://github.com/rancher/rke2/search?q=cisMode). Right now, because we don't want to use build-in network policies (we want to use ours) or psp/pss "restricted" (we use opa GK and custom rules instead) we run rke2 without profile: XXX option.

Run rke2 without profile: XXX is ok because there is a workaround for network-policies/psp-pss (see above), but we are not able to accomplish the follow: "Ensure the etcd process is run as the etcd user and group by setting the etcd static pod's SecurityContext appropriately" (see #3612).

My original proposal was for a general solution, but also an option to allow etcd hardening regardless if profile option is used or not should be enough.