diff --git a/roles/network_plugin/canal/tasks/main.yml b/roles/network_plugin/canal/tasks/main.yml
index 320c20ad3a4a28d7a510a596f4dc6987eb84332d..2b781af631b526fa14ccbb8297298e26e0acd285 100644
--- a/roles/network_plugin/canal/tasks/main.yml
+++ b/roles/network_plugin/canal/tasks/main.yml
@@ -20,6 +20,7 @@
     src: "{{ etcd_cert_dir }}/{{ item.s }}"
     dest: "{{ canal_cert_dir }}/{{ item.d }}"
     state: hard
+    mode: 0640
     force: yes
   with_items:
     - {s: "{{ kube_etcd_cacert_file }}", d: "ca_cert.crt"}