Set certs and files with kubeadm token to mode 0640 (#5325)

Change-Id: I298496e55a6889c158b2085fcadeda5e679a873e

roles/kubernetes/master/tasks/kubeadm-certificate.yml

@@ -3,6 +3,7 @@
   copy:
     src: "{{ kube_cert_dir }}/{{ item.src }}"
     dest: "{{ kube_cert_dir }}/{{ item.dest }}"
+    mode: 0640
     remote_src: yes
   with_items:
     - {src: apiserver.crt, dest: apiserver.crt.old}

roles/kubernetes/master/tasks/kubeadm-fix-apiserver.yml

@@ -26,6 +26,7 @@
   copy:
     src: "{{ kubeconfig_temp_dir.path }}/{{ item }}"
     dest: "{{ kube_config_dir }}/{{ item }}"
+    mode: 0640
     remote_src: yes
   when: kubeconfig_correct_apiserver.rc != 0
   with_items:

roles/kubernetes/master/tasks/kubeadm-migrate-certs.yml

@@ -3,6 +3,7 @@
   copy:
     src: "{{ kube_cert_dir }}/{{ item.src }}"
     dest: "{{ kube_cert_dir }}/{{ item.dest }}"
+    mode: 0640
     remote_src: yes
   with_items:
     - {src: apiserver.pem, dest: apiserver.crt}

roles/kubernetes/master/tasks/kubeadm-secondary-experimental.yml

@@ -32,6 +32,7 @@
   template:
     src: "kubeadm-controlplane.{{ kubeadmConfig_api_version }}.yaml.j2"
     dest: "{{ kube_config_dir }}/kubeadm-controlplane.yaml"
+    mode: 0640
     backup: yes
   when:
     - inventory_hostname != groups['kube-master']|first

roles/kubernetes/master/tasks/kubeadm-secondary-legacy.yml

@@ -24,7 +24,7 @@
     content: "{{ item.content | b64decode }}"
     owner: root
     group: root
-    mode: 0600
+    mode: 0640
   no_log: true
   register: copy_kubeadm_certs
   with_items: "{{ kubeadm_certs.results }}"

roles/kubernetes/master/tasks/kubeadm-version.yml

@@ -12,3 +12,4 @@
   template:
     src: "kubeadm-config.{{ kubeadmConfig_api_version }}.yaml.j2"
     dest: "{{ kube_config_dir }}/kubeadm-config.yaml"
+    mode: 0640