feat: Explicitly disable profiling for CP components

As per CIS benchmarks.

Author: jimmidyson

charts/cluster-api-runtime-extensions-nutanix/defaultclusterclasses/aws-cluster-class.yaml

@@ -85,9 +85,14 @@ spec:
           apiServer:
             extraArgs:
               cloud-provider: external
+              profiling: "false"
           controllerManager:
             extraArgs:
               cloud-provider: external
+              profiling: "false"
+          scheduler:
+            extraArgs:
+              profiling: "false"
         initConfiguration:
           nodeRegistration:
             kubeletExtraArgs:

charts/cluster-api-runtime-extensions-nutanix/defaultclusterclasses/docker-cluster-class.yaml

@@ -80,7 +80,16 @@ spec:
   template:
     spec:
       kubeadmConfigSpec:
-        clusterConfiguration: {}
+        clusterConfiguration:
+          apiServer:
+            extraArgs:
+              profiling: "false"
+          controllerManager:
+            extraArgs:
+              profiling: "false"
+          scheduler:
+            extraArgs:
+              profiling: "false"
         initConfiguration:
           nodeRegistration: {}
         joinConfiguration:

charts/cluster-api-runtime-extensions-nutanix/defaultclusterclasses/nutanix-cluster-class-old.yaml

@@ -0,0 +1,89 @@
+apiVersion: cluster.x-k8s.io/v1beta1
+kind: ClusterClass
+metadata:
+  labels:
+    cluster.x-k8s.io/provider: nutanix
+  name: old-nutanix-quick-start
+spec:
+  controlPlane:
+    machineHealthCheck:
+      maxUnhealthy: 40%
+      nodeStartupTimeout: 10m
+      unhealthyConditions:
+      - status: "False"
+        timeout: 300s
+        type: Ready
+      - status: Unknown
+        timeout: 300s
+        type: Ready
+      - status: "True"
+        timeout: 300s
+        type: MemoryPressure
+      - status: "True"
+        timeout: 300s
+        type: DiskPressure
+      - status: "True"
+        timeout: 300s
+        type: PIDPressure
+      - status: "True"
+        timeout: 300s
+        type: NetworkUnavailable
+    machineInfrastructure:
+      ref:
+        apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
+        kind: NutanixMachineTemplate
+        name: nutanix-quick-start-cp-nmt
+    ref:
+      apiVersion: controlplane.cluster.x-k8s.io/v1beta1
+      kind: KubeadmControlPlaneTemplate
+      name: nutanix-quick-start-kcpt
+  infrastructure:
+    ref:
+      apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
+      kind: NutanixClusterTemplate
+      name: nutanix-quick-start-nct
+  patches:
+  - external:
+      discoverVariablesExtension: nutanixclusterconfigvars-dv.cluster-api-runtime-extensions-nutanix
+      generateExtension: nutanixclusterconfigpatch-gp.cluster-api-runtime-extensions-nutanix
+    name: cluster-config
+  - external:
+      discoverVariablesExtension: nutanixworkerconfigvars-dv.cluster-api-runtime-extensions-nutanix
+      generateExtension: nutanixworkerconfigpatch-gp.cluster-api-runtime-extensions-nutanix
+    name: worker-config
+  workers:
+    machineDeployments:
+    - class: default-worker
+      machineHealthCheck:
+        maxUnhealthy: 40%
+        nodeStartupTimeout: 10m
+        unhealthyConditions:
+        - status: "False"
+          timeout: 300s
+          type: Ready
+        - status: Unknown
+          timeout: 300s
+          type: Ready
+        - status: "True"
+          timeout: 300s
+          type: MemoryPressure
+        - status: "True"
+          timeout: 300s
+          type: DiskPressure
+        - status: "True"
+          timeout: 300s
+          type: PIDPressure
+        - status: "True"
+          timeout: 300s
+          type: NetworkUnavailable
+      template:
+        bootstrap:
+          ref:
+            apiVersion: bootstrap.cluster.x-k8s.io/v1beta1
+            kind: KubeadmConfigTemplate
+            name: nutanix-quick-start-kcfg-0
+        infrastructure:
+          ref:
+            apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
+            kind: NutanixMachineTemplate
+            name: nutanix-quick-start-md-nmt

charts/cluster-api-runtime-extensions-nutanix/defaultclusterclasses/nutanix-cluster-class.yaml

@@ -124,13 +124,16 @@ spec:
           apiServer:
             extraArgs:
               cloud-provider: external
+              profiling: "false"
               tls-cipher-suites: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
           controllerManager:
             extraArgs:
               cloud-provider: external
+              profiling: "false"
               tls-cipher-suites: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
           scheduler:
             extraArgs:
+              profiling: "false"
               tls-cipher-suites: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
         files:
         - content: |-

hack/examples/overlays/clusterclasses/aws/kustomization.yaml.tmpl

@@ -60,7 +60,13 @@ patches:
         path: "/spec/template/spec/instanceType"
         value: "PLACEHOLDER"
   - target:
-        kind: AWSMachineTemplate
+      kind: AWSMachineTemplate
     patch: |-
       - op: "remove"
         path: "/spec/template/spec/iamInstanceProfile"
+
+  # BEGIN CIS patches
+  - target:
+      kind: KubeadmControlPlaneTemplate
+    path: ../../../patches/disable-kubeadmcontrolplane-profiling.yaml
+  # END CIS patches

hack/examples/overlays/clusterclasses/docker/kustomization.yaml.tmpl

@@ -25,3 +25,9 @@ patches:
             external:
               generateExtension: "dockerworkerv3configpatch-gp.cluster-api-runtime-extensions-nutanix"
               discoverVariablesExtension: "dockerworkerconfigvars-dv.cluster-api-runtime-extensions-nutanix"
+
+  # BEGIN CIS patches
+  - target:
+      kind: KubeadmControlPlaneTemplate
+    path: ../../../patches/disable-kubeadmcontrolplane-profiling.yaml
+  # END CIS patches

hack/examples/overlays/clusterclasses/nutanix/kustomization.yaml.tmpl

@@ -25,3 +25,9 @@ patches:
             external:
               generateExtension: "nutanixworkerv3configpatch-gp.cluster-api-runtime-extensions-nutanix"
               discoverVariablesExtension: "nutanixworkerconfigvars-dv.cluster-api-runtime-extensions-nutanix"
+
+  # BEGIN CIS patches
+  - target:
+      kind: KubeadmControlPlaneTemplate
+    path: ../../../patches/disable-kubeadmcontrolplane-profiling.yaml
+  # END CIS patches

hack/examples/patches/disable-kubeadmcontrolplane-profiling.yaml

@@ -0,0 +1,21 @@
+# Copyright 2025 Nutanix. All rights reserved.
+# SPDX-License-Identifier: Apache-2.0
+
+apiVersion: controlplane.cluster.x-k8s.io/v1beta1
+kind: KubeadmControlPlaneTemplate
+metadata:
+  name: not-used
+spec:
+  template:
+    spec:
+      kubeadmConfigSpec:
+        clusterConfiguration:
+          apiServer:
+            extraArgs:
+              profiling: "false"
+          controllerManager:
+            extraArgs:
+              profiling: "false"
+          scheduler:
+            extraArgs:
+              profiling: "false"