[improvement] toggle cis hardening for rke2 clusters

[AshleyDumaine]

What this PR does / why we need it: RKE2 clusters have CIS hardening hard-coded to on. This makes that configurable and defaults it to off, mainly because templating the CIS_PROFILE is finicky. Trying to set the value to an empty string gets interpreted as unset which causes the empty value to be overwritten to enabled on the clusterctl generate.

Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged):
Fixes #

Special notes for your reviewer:

TODOs:

• squashed commits
• includes documentation
• adds unit tests
• adds or updates e2e tests

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 64.01%. Comparing base (c6337fb) to head (e8284be).
Report is 5 commits behind head on main.

Additional details and impacted files

@@           Coverage Diff           @@
##             main     #696   +/-   ##
=======================================
  Coverage   64.01%   64.01%           
=======================================
  Files          70       70           
  Lines        6367     6367           
=======================================
  Hits         4076     4076           
  Misses       2019     2019           
  Partials      272      272           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.