From 5a81fdbdc5d02527c886af9a31324a73573d1909 Mon Sep 17 00:00:00 2001
From: Brian Downs
Date: Mon, 20 Jul 2020 16:31:56 -0700
Subject: [PATCH] update cis flag implementation to propogate the rest of the way through to kubelet

Signed-off-by: Brian Downs
---
 pkg/agent/config/config.go | 1 +
 pkg/cli/agent/agent.go | 1 -
 pkg/cli/cmds/server.go | 1 +
 pkg/daemons/agent/agent.go | 4 ++++
 pkg/daemons/config/types.go | 1 +
 5 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/pkg/agent/config/config.go b/pkg/agent/config/config.go
index 3c953b584e..4a81f157df 100644
--- a/pkg/agent/config/config.go
+++ b/pkg/agent/config/config.go
@@ -485,6 +485,7 @@ func get(envInfo *cmds.Agent, proxy proxy.Proxy) (*config.Node, error) {
 	nodeConfig.AgentConfig.Rootless = envInfo.Rootless
 	nodeConfig.AgentConfig.PodManifests = filepath.Join(envInfo.DataDir, DefaultPodManifestPath)
 	nodeConfig.DisableSELinux = envInfo.DisableSELinux
+	nodeConfig.AgentConfig.ProtectKernelDefaults = envInfo.ProtectKernelDefaults
 
 	return nodeConfig, nil
 }
diff --git a/pkg/cli/agent/agent.go b/pkg/cli/agent/agent.go
index 8e7e6de09d..a4520ac5dd 100644
--- a/pkg/cli/agent/agent.go
+++ b/pkg/cli/agent/agent.go
@@ -56,7 +56,6 @@ func Run(ctx *cli.Context) error {
 	cfg := cmds.AgentConfig
 	cfg.Debug = ctx.Bool("debug")
 	cfg.DataDir = dataDir
-	cfg.ProtectKernelDefaults = true
 
 	contextCtx := signals.SetupSignalHandler(context.Background())
 
diff --git a/pkg/cli/cmds/server.go b/pkg/cli/cmds/server.go
index 97a8fcb803..688ce8abb5 100644
--- a/pkg/cli/cmds/server.go
+++ b/pkg/cli/cmds/server.go
@@ -247,6 +247,7 @@ func NewServerCommand(action func(*cli.Context) error) *cli.Command {
 		&FlannelConfFlag,
 		&ExtraKubeletArgs,
 		&ExtraKubeProxyArgs,
+		&ProtectKernelDefaultsFlag,
 		&cli.BoolFlag{
 			Name: "rootless",
 			Usage: "(experimental) Run rootless",
diff --git a/pkg/daemons/agent/agent.go b/pkg/daemons/agent/agent.go
index 143e3d2c8c..1c0797fdf9 100644
--- a/pkg/daemons/agent/agent.go
+++ b/pkg/daemons/agent/agent.go
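Review bot: Adding `&ProtectKernelDefaultsFlag` to the flag list in NewServerCommand only registers the option; nothing in this patch shows the server run path copying the parsed value into the agent configuration it starts, so unless the flag's declaration (not in this diff) already uses a `Destination` pointing at `AgentConfig.ProtectKernelDefaults`, the setting would be accepted on server nodes but have no effect on their embedded kubelet. Worth confirming against the flag definition, and a short usage string on the flag naming the kubelet option it maps to would make the intent visible to operators. The flag list in NewServerCommand continues outside the hunk.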
@@ -155,6 +155,10 @@ func startKubelet(cfg *config.Agent) error {
 		argsMap["enforce-node-allocatable"] = ""
 	}
 
+	if cfg.ProtectKernelDefaults {
+		argsMap["protect-kernel-defaults"] = "true"
+	}
+
 	args := config.GetArgsList(argsMap, cfg.ExtraKubeletArgs)
 	logrus.Infof("Running kubelet %s", config.ArgString(args))
 
diff --git a/pkg/daemons/config/types.go b/pkg/daemons/config/types.go
index ff259265ba..9511573a13 100644
--- a/pkg/daemons/config/types.go
+++ b/pkg/daemons/config/types.go
@@ -83,6 +83,7 @@ type Agent struct {
 	DisableNPC bool
 	DisableKubeProxy bool
 	Rootless bool
+	ProtectKernelDefaults bool
 }
 
 type Control struct {
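Review bot: The new branch in startKubelet passes `--protect-kernel-defaults=true` to kubelet only when `cfg.ProtectKernelDefaults` is set, and since the same patch removes the hard-coded `cfg.ProtectKernelDefaults = true` from pkg/cli/agent/agent.go, whether it runs now depends on the default of `ProtectKernelDefaultsFlag`, which the diff does not show; if that default is false, agents that previously always received this hardening silently lose it, so the default deserves a check and a changelog line. Because the entry is added to `argsMap` before `config.GetArgsList(argsMap, cfg.ExtraKubeletArgs)`, an operator-supplied extra kubelet argument may presumably override it, which is reasonable but worth stating in a comment. A one-line why-comment above the branch would help a later reader: `// CIS hardening: make kubelet refuse to start when kernel tunables differ from its defaults rather than changing them.` startKubelet begins and ends outside the hunk.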