From 584d563142a38f2fe2d33f4b109b81c970e46c68 Mon Sep 17 00:00:00 2001
From: Jimmi Dyson
Date: Thu, 24 Apr 2025 14:32:32 +0100
Subject: [PATCH] feat: Explicitly disable profiling for CP components

As per CIS benchmarks.
---
 .../aws-cluster-class.yaml | 5 +++++
 .../docker-cluster-class.yaml | 11 +++++++++-
 .../nutanix-cluster-class.yaml | 3 +++
 .../aws/kustomization.yaml.tmpl | 8 ++++++-
 .../docker/kustomization.yaml.tmpl | 6 ++++++
 .../nutanix/kustomization.yaml.tmpl | 6 ++++++
 ...disable-kubeadmcontrolplane-profiling.yaml | 21 +++++++++++++++++++
 7 files changed, 58 insertions(+), 2 deletions(-)
 create mode 100644 hack/examples/patches/disable-kubeadmcontrolplane-profiling.yaml
diff --git a/charts/cluster-api-runtime-extensions-nutanix/defaultclusterclasses/aws-cluster-class.yaml b/charts/cluster-api-runtime-extensions-nutanix/defaultclusterclasses/aws-cluster-class.yaml
index 67be5feba..4c5e5b850 100644
--- a/charts/cluster-api-runtime-extensions-nutanix/defaultclusterclasses/aws-cluster-class.yaml
+++ b/charts/cluster-api-runtime-extensions-nutanix/defaultclusterclasses/aws-cluster-class.yaml
@@ -85,9 +85,14 @@ spec:
 apiServer:
 extraArgs:
 cloud-provider: external
+ profiling: "false"
 controllerManager:
 extraArgs:
 cloud-provider: external
+ profiling: "false"
+ scheduler:
+ extraArgs:
+ profiling: "false"
 initConfiguration:
 nodeRegistration:
 kubeletExtraArgs:
diff --git a/charts/cluster-api-runtime-extensions-nutanix/defaultclusterclasses/docker-cluster-class.yaml b/charts/cluster-api-runtime-extensions-nutanix/defaultclusterclasses/docker-cluster-class.yaml
index bf1f03179..d924b1017 100644
--- a/charts/cluster-api-runtime-extensions-nutanix/defaultclusterclasses/docker-cluster-class.yaml
+++ b/charts/cluster-api-runtime-extensions-nutanix/defaultclusterclasses/docker-cluster-class.yaml
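Review bot: The three `profiling: "false"` entries added under apiServer, controllerManager and scheduler carry no comment saying why they are there, while the overlay kustomizations in this same commit bracket the equivalent change with `# BEGIN CIS patches` / `# END CIS patches`; a later reader of the chart default cannot tell these are a benchmark control rather than an arbitrary default. Add a comment such as `# CIS benchmark: profiling endpoints are disabled on all control-plane components` above the first `profiling` entry here, and likewise in the docker-cluster-class.yaml and nutanix-cluster-class.yaml hunks. Keeping the value quoted as `"false"` is right: an unquoted false would be loaded as a boolean by a YAML 1.1 parser, and extraArgs values are expected to be strings. Separately, this aws class sets no `tls-cipher-suites` while the nutanix class hunk in this same patch does; that asymmetry predates the commit, but it is worth confirming it is intentional.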
@@ -80,7 +80,16 @@ spec:
 template:
 spec:
 kubeadmConfigSpec:
- clusterConfiguration: {}
+ clusterConfiguration:
+ apiServer:
+ extraArgs:
+ profiling: "false"
+ controllerManager:
+ extraArgs:
+ profiling: "false"
+ scheduler:
+ extraArgs:
+ profiling: "false"
 initConfiguration:
 nodeRegistration: {}
 joinConfiguration:
diff --git a/charts/cluster-api-runtime-extensions-nutanix/defaultclusterclasses/nutanix-cluster-class.yaml b/charts/cluster-api-runtime-extensions-nutanix/defaultclusterclasses/nutanix-cluster-class.yaml
index 6a14ffc58..e81b4e74c 100644
--- a/charts/cluster-api-runtime-extensions-nutanix/defaultclusterclasses/nutanix-cluster-class.yaml
+++ b/charts/cluster-api-runtime-extensions-nutanix/defaultclusterclasses/nutanix-cluster-class.yaml
@@ -124,13 +124,16 @@ spec:
 apiServer:
 extraArgs:
 cloud-provider: external
+ profiling: "false"
 tls-cipher-suites: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
 controllerManager:
 extraArgs:
 cloud-provider: external
+ profiling: "false"
 tls-cipher-suites: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
 scheduler:
 extraArgs:
+ profiling: "false"
 tls-cipher-suites: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
 files:
 - content: |-
diff --git a/hack/examples/overlays/clusterclasses/aws/kustomization.yaml.tmpl b/hack/examples/overlays/clusterclasses/aws/kustomization.yaml.tmpl
index 43e778111..682bc2c53 100644
--- a/hack/examples/overlays/clusterclasses/aws/kustomization.yaml.tmpl
+++ b/hack/examples/overlays/clusterclasses/aws/kustomization.yaml.tmpl
@@ -60,7 +60,13 @@ patches:
 path: "/spec/template/spec/instanceType"
 value: "PLACEHOLDER"
 - target:
- kind: AWSMachineTemplate
+ kind: AWSMachineTemplate
 patch: |-
 - op: "remove"
 path: "/spec/template/spec/iamInstanceProfile"
+
+ # BEGIN CIS patches
+ - target:
+ kind: KubeadmControlPlaneTemplate
+ path: ../../../patches/disable-kubeadmcontrolplane-profiling.yaml
+ # END CIS patches
diff --git a/hack/examples/overlays/clusterclasses/docker/kustomization.yaml.tmpl b/hack/examples/overlays/clusterclasses/docker/kustomization.yaml.tmpl
index e1f39f1e0..d2706f020 100644
--- a/hack/examples/overlays/clusterclasses/docker/kustomization.yaml.tmpl
+++ b/hack/examples/overlays/clusterclasses/docker/kustomization.yaml.tmpl
@@ -25,3 +25,9 @@ patches:
 external:
 generateExtension: "dockerworkerv3configpatch-gp.cluster-api-runtime-extensions-nutanix"
 discoverVariablesExtension: "dockerworkerconfigvars-dv.cluster-api-runtime-extensions-nutanix"
+
+ # BEGIN CIS patches
+ - target:
+ kind: KubeadmControlPlaneTemplate
+ path: ../../../patches/disable-kubeadmcontrolplane-profiling.yaml
+ # END CIS patches
diff --git a/hack/examples/overlays/clusterclasses/nutanix/kustomization.yaml.tmpl b/hack/examples/overlays/clusterclasses/nutanix/kustomization.yaml.tmpl
index e0da6044d..90c13c876 100644
--- a/hack/examples/overlays/clusterclasses/nutanix/kustomization.yaml.tmpl
+++ b/hack/examples/overlays/clusterclasses/nutanix/kustomization.yaml.tmpl
@@ -25,3 +25,9 @@ patches:
 external:
 generateExtension: "nutanixworkerv3configpatch-gp.cluster-api-runtime-extensions-nutanix"
 discoverVariablesExtension: "nutanixworkerconfigvars-dv.cluster-api-runtime-extensions-nutanix"
+
+ # BEGIN CIS patches
+ - target:
+ kind: KubeadmControlPlaneTemplate
+ path: ../../../patches/disable-kubeadmcontrolplane-profiling.yaml
+ # END CIS patches
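Review bot: The removed and added `kind: AWSMachineTemplate` lines in the aws kustomization hunk carry identical text, so this is presumably an indentation-only fix unrelated to profiling, and the commit message does not mention it; either drop it from this commit or state it in the description so the whitespace change is not mistaken for a semantic one. The new `# BEGIN CIS patches` entry is repeated verbatim in the docker and nutanix kustomization hunks, and its `target` selects by `kind` only, so every KubeadmControlPlaneTemplate in each overlay receives the patch; if that breadth is intended, say so once in the marker comment, e.g. `# BEGIN CIS patches (applied to every KubeadmControlPlaneTemplate in this overlay)`. Naming the control the block covers in that same comment, e.g. `control-plane profiling endpoints`, keeps the three copies self-describing as further CIS patches are added between the markers.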
diff --git a/hack/examples/patches/disable-kubeadmcontrolplane-profiling.yaml b/hack/examples/patches/disable-kubeadmcontrolplane-profiling.yaml
new file mode 100644
index 000000000..e86828dc8
--- /dev/null
+++ b/hack/examples/patches/disable-kubeadmcontrolplane-profiling.yaml
@@ -0,0 +1,21 @@
+# Copyright 2025 Nutanix. All rights reserved.
+# SPDX-License-Identifier: Apache-2.0
+
+apiVersion: controlplane.cluster.x-k8s.io/v1beta1
+kind: KubeadmControlPlaneTemplate
+metadata:
+ name: not-used
+spec:
+ template:
+ spec:
+ kubeadmConfigSpec:
+ clusterConfiguration:
+ apiServer:
+ extraArgs:
+ profiling: "false"
+ controllerManager:
+ extraArgs:
+ profiling: "false"
+ scheduler:
+ extraArgs:
+ profiling: "false"
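Review bot: `name: not-used` under `metadata` is left unexplained, and a reader may conclude the patch never matches anything; add a comment above `metadata:` such as `# name is a schema placeholder: the overlay kustomizations select the target by kind, so the name here is not matched against any resource`. The file also lacks a line stating its purpose, which the `# BEGIN CIS patches` markers in the kustomizations do not supply; a header comment under the license, e.g. `# CIS benchmark: disable the profiling endpoints of kube-apiserver, kube-controller-manager and kube-scheduler`, would make the patch self-contained. As a patch it appears intended to merge into the existing `extraArgs` map rather than replace it; the aws and nutanix class hunks in this commit, which keep `cloud-provider: external` next to the new key, are consistent with that, but it is worth confirming against the rendered output so that keys such as `tls-cipher-suites` are not dropped.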