feat: Explicitly disable profiling for CP components

jimmidyson · jimmidyson · commit 389fd1796cb1 · 2025-04-24T16:25:02.000+01:00
As per CIS benchmarks.
diff --git a/charts/cluster-api-runtime-extensions-nutanix/defaultclusterclasses/aws-cluster-class.yaml b/charts/cluster-api-runtime-extensions-nutanix/defaultclusterclasses/aws-cluster-class.yaml
@@ -85,9 +85,14 @@ spec:
           apiServer:
             extraArgs:
               cloud-provider: external
+              profiling: "false"
           controllerManager:
             extraArgs:
               cloud-provider: external
+              profiling: "false"
+          scheduler:
+            extraArgs:
+              profiling: "false"
         initConfiguration:
           nodeRegistration:
             kubeletExtraArgs:
diff --git a/charts/cluster-api-runtime-extensions-nutanix/defaultclusterclasses/docker-cluster-class.yaml b/charts/cluster-api-runtime-extensions-nutanix/defaultclusterclasses/docker-cluster-class.yaml
@@ -80,7 +80,16 @@ spec:
   template:
     spec:
       kubeadmConfigSpec:
-        clusterConfiguration: {}
+        clusterConfiguration:
+          apiServer:
+            extraArgs:
+              profiling: "false"
+          controllerManager:
+            extraArgs:
+              profiling: "false"
+          scheduler:
+            extraArgs:
+              profiling: "false"
         initConfiguration:
           nodeRegistration: {}
         joinConfiguration:
diff --git a/charts/cluster-api-runtime-extensions-nutanix/defaultclusterclasses/nutanix-cluster-class.yaml b/charts/cluster-api-runtime-extensions-nutanix/defaultclusterclasses/nutanix-cluster-class.yaml
@@ -124,13 +124,16 @@ spec:
           apiServer:
             extraArgs:
               cloud-provider: external
+              profiling: "false"
               tls-cipher-suites: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
           controllerManager:
             extraArgs:
               cloud-provider: external
+              profiling: "false"
               tls-cipher-suites: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
           scheduler:
             extraArgs:
+              profiling: "false"
               tls-cipher-suites: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
         files:
         - content: |-
diff --git a/hack/examples/overlays/clusterclasses/aws/kustomization.yaml.tmpl b/hack/examples/overlays/clusterclasses/aws/kustomization.yaml.tmpl
@@ -60,7 +60,13 @@ patches:
         path: "/spec/template/spec/instanceType"
         value: "PLACEHOLDER"
   - target:
-        kind: AWSMachineTemplate
+      kind: AWSMachineTemplate
     patch: |-
       - op: "remove"
         path: "/spec/template/spec/iamInstanceProfile"
+
+  # BEGIN CIS patches
+  - target:
+      kind: KubeadmControlPlaneTemplate
+    path: ../../../patches/disable-kubeadmcontrolplane-profiling.yaml
+  # END CIS patches
diff --git a/hack/examples/overlays/clusterclasses/docker/kustomization.yaml.tmpl b/hack/examples/overlays/clusterclasses/docker/kustomization.yaml.tmpl
@@ -25,3 +25,9 @@ patches:
             external:
               generateExtension: "dockerworkerv3configpatch-gp.cluster-api-runtime-extensions-nutanix"
               discoverVariablesExtension: "dockerworkerconfigvars-dv.cluster-api-runtime-extensions-nutanix"
+
+  # BEGIN CIS patches
+  - target:
+      kind: KubeadmControlPlaneTemplate
+    path: ../../../patches/disable-kubeadmcontrolplane-profiling.yaml
+  # END CIS patches
diff --git a/hack/examples/overlays/clusterclasses/nutanix/kustomization.yaml.tmpl b/hack/examples/overlays/clusterclasses/nutanix/kustomization.yaml.tmpl
@@ -25,3 +25,9 @@ patches:
             external:
               generateExtension: "nutanixworkerv3configpatch-gp.cluster-api-runtime-extensions-nutanix"
               discoverVariablesExtension: "nutanixworkerconfigvars-dv.cluster-api-runtime-extensions-nutanix"
+
+  # BEGIN CIS patches
+  - target:
+      kind: KubeadmControlPlaneTemplate
+    path: ../../../patches/disable-kubeadmcontrolplane-profiling.yaml
+  # END CIS patches
diff --git a/hack/examples/patches/disable-kubeadmcontrolplane-profiling.yaml b/hack/examples/patches/disable-kubeadmcontrolplane-profiling.yaml
@@ -0,0 +1,21 @@
+# Copyright 2025 Nutanix. All rights reserved.
+# SPDX-License-Identifier: Apache-2.0
+
+apiVersion: controlplane.cluster.x-k8s.io/v1beta1
+kind: KubeadmControlPlaneTemplate
+metadata:
+  name: not-used
+spec:
+  template:
+    spec:
+      kubeadmConfigSpec:
+        clusterConfiguration:
+          apiServer:
+            extraArgs:
+              profiling: "false"
+          controllerManager:
+            extraArgs:
+              profiling: "false"
+          scheduler:
+            extraArgs:
+              profiling: "false"
