[Release-1.30] - CIS enabled cluster does not set default-network policies to traefik when ingress-controller: traefik

[brandond]

Backport fix for CIS enabled cluster does not set default-network policies to traefik when ingress-controller: traefik

• CIS enabled cluster does not set default-network policies to traefik when ingress-controller: traefik  #6449

[ShylajaDevadiga]

Validated using v1.30.4-rc3+rke2r1

Validated default ingressclass is set as traefik
Also validated on rancher setup

Environment Details

Infrastructure
Cloud EC2 instance

Node(s) CPU architecture, OS, and Version:

$ cat /etc/os-release 
NAME="Red Hat Enterprise Linux"
VERSION="9.3 (Plow)"
ID="rhel"
ID_LIKE="fedora"
VERSION_ID="9.3"
PLATFORM_ID="platform:el9"
PRETTY_NAME="Red Hat Enterprise Linux 9.3 (Plow)"

Cluster Configuration:
3 server 1 agent

Config.yaml:

cat /etc/rancher/rke2/config,yaml
write-kubeconfig-mode: "0644"
profile: cis
selinux: true
ingress-controller: traefik
od-security-admission-config-file: /etc/rancher/rke2/custom-psa.yaml

Steps to reproduce the issue and validate the fix

1. Copy config.yaml
2. Install rke2

Validation results:

[ec2-user@ip-172-31-13-181 ~]$ rke2 -v
rke2 version v1.30.4-rc3+rke2r1 (9517eea519b780e154dd791c555c698e84a0e5cd)


[ec2-user@ip-172-31-13-181 ~]$ kubectl get ingressclass -o 'custom-columns=NAME:.metadata.name,CONTROLLER:.spec.controller,DEFAULT:.metadata.annotations.ingressclass\.kubernetes\.io/is-default-class'
NAME      CONTROLLER                      DEFAULT
traefik   traefik.io/ingress-controller   true


[ec2-user@ip-172-31-13-181 ~]$ kubectl get networkpolicy -A | grep traefik
kube-system                       default-network-traefik-policy                       app.kubernetes.io/name=rke2-traefik                       122m