### Added - added option `rke2_cis_hardening` (default false) to install RKE2 security options for CIS Benchmark compliance - add etcd user/group - configure kernel params for CIS benchmark - add option for RKE2 CIS profile if `rke2_cis_hardening` enabled - added option to define pod security admission (PSA) template ### Changed - define machine labels as map(string), not array of key=value strings