
fleet-agent does not start after applying cisProfile: cis

Open jisnardo opened this issue 1 year ago • 0 comments

Is there an existing issue for this?

  • [X] I have searched the existing issues

Current Behavior

Hi, after applying cisProfile: cis to a deployed rke2 cluster, fleet-agent does not start.

https://docs.rke2.io/security/hardening_guide

Related: https://github.com/rancher/fleet/pull/1875, https://github.com/rancher/fleet/pull/1860

Expected Behavior

NAME            READY   STATUS    RESTARTS      AGE
fleet-agent-0   2/2     Running   1 (25h ago)   25h

Steps To Reproduce

  • Deploy an rke2 cluster with turtles and fleet.
  • Apply cisProfile: cis to RKE2ControlPlane and RKE2ConfigTemplate.
  • kubectl -n fleet-addon-agent describe po fleet-agent-0

Environment

- Architecture: x86_64
- Fleet Version: rancher-turtles-system addon v0.3.1
- Cluster:
  - Provider: infrastructure vsphere v1.10.2
  - Options: addon capi-ipam-in-cluster-system v0.1.0
  - Kubernetes Version: v1.30.4+rke2r1

- rancher turtles v1.11.0
- core cluster-api v1.7.3
- rke2-bootstrap v0.6.1 (upgraded from v0.5.0)
- rke2-control-plane v0.6.1 (upgraded from v0.5.0)

Logs

Events: 
Type Reason Age From Message 
---- ------ ---- ---- ------- 
Warning FailedCreate 10m (x43 over 124m) statefulset-controller create Pod fleet-agent-0 in StatefulSet fleet-agent failed error: pods "fleet-agent-0" is forbidden: violates PodSecurity "restricted:latest": seccompProfile (pod or containers "fleet-agent-register", "fleet-agent", "fleet-agent-clusterstatus" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")

Anything else?

_No response_

Thanks in advance.

jisnardo, Sep 20 '24 11:09
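The event in the report is the PodSecurity admission controller enforcing the "restricted" Pod Security Standard: every container, init containers included, must end up with securityContext.seccompProfile.type equal to RuntimeDefault or Localhost, either set on the container or inherited from the pod level. The RKE2 CIS profile turns that enforcement on through the API server's admission configuration rather than through namespace labels, which is why a chart that was fine before cisProfile: cis is rejected afterwards. The script below is an added example, not part of the issue or of the fleet project; it reproduces that one check offline against a constructed pod spec and shows the minimal fix. The container names come from the event text; treating fleet-agent-register as an init container and the image names are assumptions.

```python
import copy

# Seccomp types the "restricted" Pod Security Standard accepts; anything else,
# including an absent profile, is rejected (this is what the event reports).
ALLOWED_SECCOMP_TYPES = {"RuntimeDefault", "Localhost"}


def _seccomp_type(obj: dict):
    """Read securityContext.seccompProfile.type from a pod spec or a container."""
    sc = obj.get("securityContext") or {}
    return (sc.get("seccompProfile") or {}).get("type")


def seccomp_violations(pod_spec: dict) -> list:
    """Names of containers that would trip the restricted seccompProfile check.

    A container passes if it sets an allowed type itself, or sets nothing and
    inherits an allowed type from the pod level. Init containers are checked
    too, as the admission controller does.
    """
    pod_level = _seccomp_type(pod_spec)
    failing = []
    for c in pod_spec.get("initContainers", []) + pod_spec.get("containers", []):
        own = _seccomp_type(c)
        effective = own if own is not None else pod_level
        if effective not in ALLOWED_SECCOMP_TYPES:
            failing.append(c["name"])
    return failing


def with_runtime_default(pod_spec: dict) -> dict:
    """Return a copy with pod-level seccompProfile.type set to RuntimeDefault.

    This is the minimal change that satisfies the check for containers that set
    no profile of their own; a container that explicitly sets Unconfined still
    fails and has to be corrected individually.
    """
    fixed = copy.deepcopy(pod_spec)
    fixed.setdefault("securityContext", {})["seccompProfile"] = {"type": "RuntimeDefault"}
    return fixed


# Constructed stand-in for the fleet-agent pod spec: the three container names
# come from the event in the issue; placing fleet-agent-register as an init
# container and the image names are assumptions, not taken from the chart.
FLEET_AGENT_POD = {
    "initContainers": [
        {"name": "fleet-agent-register", "image": "example/fleet-agent:placeholder"},
    ],
    "containers": [
        {"name": "fleet-agent", "image": "example/fleet-agent:placeholder"},
        {"name": "fleet-agent-clusterstatus", "image": "example/fleet-agent:placeholder"},
    ],
}

# Constructed edge case: pod level is fine, but one sidecar opts out explicitly,
# so a pod-level fix alone is not enough for it.
UNCONFINED_SIDECAR_POD = {
    "securityContext": {"seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [
        {"name": "app", "image": "example/app:placeholder"},
        {"name": "debug", "image": "example/debug:placeholder",
         "securityContext": {"seccompProfile": {"type": "Unconfined"}}},
    ],
}


if __name__ == "__main__":
    print("original fleet-agent spec fails for:", seccomp_violations(FLEET_AGENT_POD))
    print("after pod-level RuntimeDefault:",
          seccomp_violations(with_runtime_default(FLEET_AGENT_POD)))
    print("explicit Unconfined sidecar:", seccomp_violations(UNCONFINED_SIDECAR_POD))
```

On a live cluster the same rule is what `kubectl -n fleet-addon-agent describe statefulset fleet-agent` will keep tripping until the chart's pod template carries the seccompProfile; setting it once at spec.securityContext covers all containers that do not override it, which is what the linked pull requests do for the agent.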