From 696fcaf39190703346e49203e8242c148fd67e8b Mon Sep 17 00:00:00 2001
From: Matthew Mosesohn <matthew.mosesohn@gmail.com>
Date: Wed, 11 Dec 2019 11:54:04 +0300
Subject: [PATCH] Ensure 0644 mode for ca.crt on nodes (#5428)

Change-Id: I5e018dfaeffe314300b373aeb7ed5f59929cf4f9
---
 roles/kubernetes/kubeadm/tasks/main.yml | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/roles/kubernetes/kubeadm/tasks/main.yml b/roles/kubernetes/kubeadm/tasks/main.yml
index 88574725a..97ad3e73a 100644
--- a/roles/kubernetes/kubeadm/tasks/main.yml
+++ b/roles/kubernetes/kubeadm/tasks/main.yml
@@ -119,6 +119,13 @@
   tags:
     - kube-proxy
 
+- name: Set ca.crt file permission
+  file:
+    path: "{{ kube_cert_dir }}/ca.crt"
+    owner: root
+    group: root
+    mode: "0644"
+
 - name: Restart all kube-proxy pods to ensure that they load the new configmap
   shell: "{{ bin_dir }}/kubectl --kubeconfig {{ kube_config_dir }}/admin.conf delete pod -n kube-system -l k8s-app=kube-proxy --force --grace-period=0"
   run_once: true
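Review bot: The added `Set ca.crt file permission` task sets no `state:` and carries no comment on why 0644 is the intended mode. Without an explicit state, the `file` module only adjusts a path that already exists, and as far as I know it fails the play when `{{ kube_cert_dir }}/ca.crt` is absent. The hunk shows no `when:` guard and the surrounding tasks lie outside it, so a host that reaches this task before the CA certificate is in place would likely stop the run here; adding `state: file` makes that intent explicit. A one-line comment such as `# ca.crt is the public CA certificate and must be world-readable; private keys in this directory keep their restrictive mode` would show the relaxation is deliberate and limited to this one file.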
-- 
GitLab