Certain CIS benchmark checks are incorrectly marked as FAIL in RKE2 and control-plane-only environments.
Details:
The etcd-related checks (1.1.7, 1.1.8, 1.1.11) are executed on control-plane-only nodes, where etcd is not running and neither the etcd pod specification file (1.1.7, 1.1.8) nor the etcd data directory (1.1.11) exists. These checks are marked FAIL, but this scenario should be reported as Not Applicable (NA).
The kubelet-related checks (4.1.9, 4.1.10) fail because, in RKE2, the kubelet process is launched and managed by RKE2 itself (the rke2 agent process), with its settings passed as command-line arguments rather than through a --config file. The scan attempts to locate a kubelet configuration file on the host, which is not present in RKE2 setups. The RKE2 CIS self-assessment guide (see References) treats these two checks as NA for this reason, so the scan should report NA instead of FAIL.
Expected Behavior:
The above checks should be marked as Not Applicable (NA) when:
etcd is not running locally on the node, so its pod specification file and data directory are absent.
the kubelet is managed by RKE2 and started without a --config file, so no standalone kubelet configuration file exists.
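A host-side classifier implementing the expected behaviour above, added here as an illustration (it is not code from kube-bench, Aqua or RKE2). It returns NA for a kubelet command line that carries no --config flag and for an etcd data directory that is absent on a node with no local etcd, while still returning FAIL when the object exists but has weak permissions or ownership, or when etcd does run locally but its directory is not where expected. It assumes Linux with GNU stat, procfs and pgrep; the --live mode, the /var/lib/etcd default path and the process names are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not code from kube-bench, Aqua or RKE2: classify CIS
# Kubernetes checks 1.1.11 and 4.1.9/4.1.10 as PASS, FAIL or NA so that an
# object that does not exist on this node yields NA instead of FAIL.
# Assumes Linux with GNU stat (-c), procfs and pgrep; all paths below are
# illustrative and are passed in as arguments.

# Succeed when octal mode $1 is "$2 or more restrictive": it sets no
# permission bit that $2 does not set (the CIS meaning of "644 or more
# restrictive").
mode_within() {
  [ $(( 0$1 & ~0$2 )) -eq 0 ]
}

# Print the value of the kubelet --config flag from a command line
# ("--config=/p" or "--config /p"); print nothing when the flag is absent.
kubelet_config_path() {
  printf '%s\n' "$1" | tr ' ' '\n' |
    awk 'sub(/^--config=/, "") { print; exit }
         $0 == "--config"      { getline; print; exit }'
}

# Shared logic for 4.1.9 / 4.1.10: $1 = kubelet command line, $2 = "mode" or
# "owner". An RKE2 kubelet has no --config flag at all (settings are passed as
# arguments), so there is no file to assess and the verdict is NA.
kubelet_config_check() {
  cfg=$(kubelet_config_path "$1")
  if [ -z "$cfg" ] || [ ! -f "$cfg" ]; then
    echo NA
    return
  fi
  case "$2" in
    mode)  if mode_within "$(stat -c %a "$cfg")" 644; then echo PASS; else echo FAIL; fi ;;
    owner) if [ "$(stat -c %U:%G "$cfg")" = root:root ]; then echo PASS; else echo FAIL; fi ;;
  esac
}

# 4.1.9: kubelet --config file permissions are 644 or more restrictive.
check_4_1_9()  { kubelet_config_check "$1" mode; }
# 4.1.10: kubelet --config file is owned by root:root.
check_4_1_10() { kubelet_config_check "$1" owner; }

# 1.1.11: etcd data directory ($1) permissions are 700 or more restrictive.
# $2 is 1 when an etcd process runs on this node, 0 (default) otherwise.
# A missing directory is NA only when etcd does not run here (control-plane-
# only node); a running etcd whose data directory is not where expected is a
# real FAIL, not NA.
check_1_1_11() {
  if [ ! -d "$1" ]; then
    if [ "${2:-0}" -eq 1 ]; then echo FAIL; else echo NA; fi
    return
  fi
  if mode_within "$(stat -c %a "$1")" 700; then echo PASS; else echo FAIL; fi
}

# Live run on a node (only when invoked with --live): read the kubelet
# command line from /proc so the --config flag is seen exactly as the process
# was started. /var/lib/etcd is the CIS default data directory and must be
# adjusted to the distribution's actual location (assumption).
if [ "${1:-}" = "--live" ]; then
  kubelet_pid=$(pgrep -x kubelet | head -n 1)
  [ -n "$kubelet_pid" ] || { echo "no kubelet process found" >&2; exit 1; }
  kubelet_cmd=$(tr '\0' ' ' < "/proc/$kubelet_pid/cmdline")
  etcd_running=0
  pgrep -x etcd >/dev/null && etcd_running=1
  echo "4.1.9  $(check_4_1_9 "$kubelet_cmd")"
  echo "4.1.10 $(check_4_1_10 "$kubelet_cmd")"
  echo "1.1.11 $(check_1_1_11 /var/lib/etcd "$etcd_running")"
fi
```

Run it as sh classify.sh --live on a node. On an RKE2 node the kubelet command line carries no --config flag, so 4.1.9 and 4.1.10 come out NA; on a control-plane-only node with no etcd process, 1.1.11 comes out NA. The etcd-running argument is what keeps the NA path from hiding a genuine misconfiguration on a node that does host etcd.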
References:
https://docs.rke2.io/security/cis_self_assessment19#4110-if-the-kubelet-configyaml-configuration-file-is-being-used-validate-file-ownership-is-set-to-root-automated
aqua-cis-scans (3).xls