From db5040e6eab1f28fac95c1054f0d49e446a0b13e Mon Sep 17 00:00:00 2001
From: Matthew Mosesohn
Date: Mon, 11 Nov 2019 16:41:41 +0300
Subject: [PATCH] Set certs and files with kubeadm token to mode 0640 (#5325)
Change-Id: I298496e55a6889c158b2085fcadeda5e679a873e
---
 roles/kubernetes/master/tasks/kubeadm-certificate.yml | 1 +
 roles/kubernetes/master/tasks/kubeadm-fix-apiserver.yml | 1 +
 roles/kubernetes/master/tasks/kubeadm-migrate-certs.yml | 1 +
 .../kubernetes/master/tasks/kubeadm-secondary-experimental.yml | 1 +
 roles/kubernetes/master/tasks/kubeadm-secondary-legacy.yml | 2 +-
 roles/kubernetes/master/tasks/kubeadm-version.yml | 1 +
 6 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/roles/kubernetes/master/tasks/kubeadm-certificate.yml b/roles/kubernetes/master/tasks/kubeadm-certificate.yml
index c3d486b83..03ebe2536 100644
--- a/roles/kubernetes/master/tasks/kubeadm-certificate.yml
+++ b/roles/kubernetes/master/tasks/kubeadm-certificate.yml
@@ -3,6 +3,7 @@
 copy:
 src: "{{ kube_cert_dir }}/{{ item.src }}"
 dest: "{{ kube_cert_dir }}/{{ item.dest }}"
+ mode: 0640
 remote_src: yes
 with_items:
 - {src: apiserver.crt, dest: apiserver.crt.old}
diff --git a/roles/kubernetes/master/tasks/kubeadm-fix-apiserver.yml b/roles/kubernetes/master/tasks/kubeadm-fix-apiserver.yml
index 4200e6d71..6ebfb179a 100644
--- a/roles/kubernetes/master/tasks/kubeadm-fix-apiserver.yml
+++ b/roles/kubernetes/master/tasks/kubeadm-fix-apiserver.yml
@@ -26,6 +26,7 @@
 copy:
 src: "{{ kubeconfig_temp_dir.path }}/{{ item }}"
 dest: "{{ kube_config_dir }}/{{ item }}"
+ mode: 0640
 remote_src: yes
 when: kubeconfig_correct_apiserver.rc != 0
 with_items:
diff --git a/roles/kubernetes/master/tasks/kubeadm-migrate-certs.yml b/roles/kubernetes/master/tasks/kubeadm-migrate-certs.yml
index 043530c4a..cae5749cf 100644
--- a/roles/kubernetes/master/tasks/kubeadm-migrate-certs.yml
+++ b/roles/kubernetes/master/tasks/kubeadm-migrate-certs.yml
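Review bot: The added `mode: 0640` is an unquoted leading-zero scalar; PyYAML reads it under YAML 1.1 rules as the octal integer 416, which Ansible then applies as 0o640, so it works here, but the same value written without the zero or supplied from a variable or loop would be taken as decimal and yield a different permission, and the Ansible file-module documentation recommends quoting octal modes for exactly that reason. Change the line to `mode: "0640"`. The same applies to the `mode:` line added in kubeadm-fix-apiserver.yml, kubeadm-migrate-certs.yml, kubeadm-secondary-experimental.yml and kubeadm-version.yml, and to the changed one in kubeadm-secondary-legacy.yml. The copy task's with_items list continues past the hunk.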
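Review bot: The new `mode: 0640` on the kubeconfig copy grants read access to the file's group, but the task sets neither `owner` nor `group`, so for a newly created `{{ kube_config_dir }}/{{ item }}` the group is presumably whichever account the task runs as and for an existing file whatever it already had, rather than a group chosen deliberately; the kubeadm-secondary-legacy.yml hunk in this same commit pairs `mode` with `owner: root` and `group: root`. Add `owner: root` and `group: root` next to the added line so 0640 means readable by root's group only (assuming these tasks run as root via become, as the legacy task's `owner: root` suggests). The same pairing is missing in kubeadm-certificate.yml, kubeadm-migrate-certs.yml, kubeadm-secondary-experimental.yml and kubeadm-version.yml. The task's with_items list continues past the hunk.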
@@ -3,6 +3,7 @@
 copy:
 src: "{{ kube_cert_dir }}/{{ item.src }}"
 dest: "{{ kube_cert_dir }}/{{ item.dest }}"
+ mode: 0640
 remote_src: yes
 with_items:
 - {src: apiserver.pem, dest: apiserver.crt}
diff --git a/roles/kubernetes/master/tasks/kubeadm-secondary-experimental.yml b/roles/kubernetes/master/tasks/kubeadm-secondary-experimental.yml
index ccb6ddab6..234cbda87 100644
--- a/roles/kubernetes/master/tasks/kubeadm-secondary-experimental.yml
+++ b/roles/kubernetes/master/tasks/kubeadm-secondary-experimental.yml
@@ -32,6 +32,7 @@
 template:
 src: "kubeadm-controlplane.{{ kubeadmConfig_api_version }}.yaml.j2"
 dest: "{{ kube_config_dir }}/kubeadm-controlplane.yaml"
+ mode: 0640
 backup: yes
 when:
 - inventory_hostname != groups['kube-master']|first
diff --git a/roles/kubernetes/master/tasks/kubeadm-secondary-legacy.yml b/roles/kubernetes/master/tasks/kubeadm-secondary-legacy.yml
index 6f613353b..07e0c1a88 100644
--- a/roles/kubernetes/master/tasks/kubeadm-secondary-legacy.yml
+++ b/roles/kubernetes/master/tasks/kubeadm-secondary-legacy.yml
@@ -24,7 +24,7 @@
 content: "{{ item.content | b64decode }}"
 owner: root
 group: root
- mode: 0600
+ mode: 0640
 no_log: true
 register: copy_kubeadm_certs
 with_items: "{{ kubeadm_certs.results }}"
diff --git a/roles/kubernetes/master/tasks/kubeadm-version.yml b/roles/kubernetes/master/tasks/kubeadm-version.yml
index 9da44b9ad..7df68b329 100644
--- a/roles/kubernetes/master/tasks/kubeadm-version.yml
+++ b/roles/kubernetes/master/tasks/kubeadm-version.yml
@@ -12,3 +12,4 @@
 template:
 src: "kubeadm-config.{{ kubeadmConfig_api_version }}.yaml.j2"
 dest: "{{ kube_config_dir }}/kubeadm-config.yaml"
+ mode: 0640
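Review bot: Changing `mode: 0600` to `mode: 0640` in kubeadm-secondary-legacy.yml widens read access on the files written from `item.content | b64decode`, which the task marks `no_log: true` and which, judging by the `kubeadm_certs` variable name, presumably include private keys alongside the certificates; with `group: root` the practical exposure is small, but 0600 was the tighter setting for key material and the commit message gives no reason for loosening it. Keep `mode: 0600` on this task, or derive the mode per item so that only certificates, not keys, are written 0640. The same question applies to the copy in kubeadm-migrate-certs.yml if its with_items list, which continues past that hunk, includes key files. The enclosing task in the legacy file starts before its hunk.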