diff --git a/roles/kubernetes/master/tasks/kubeadm-certificate.yml b/roles/kubernetes/master/tasks/kubeadm-certificate.yml
index c3d486b83c68744962191ba693e69d8d2a021eb2..03ebe25365c93baca0eaa446353946a30d5706e5 100644
--- a/roles/kubernetes/master/tasks/kubeadm-certificate.yml
+++ b/roles/kubernetes/master/tasks/kubeadm-certificate.yml
@@ -3,6 +3,7 @@
   copy:
     src: "{{ kube_cert_dir }}/{{ item.src }}"
     dest: "{{ kube_cert_dir }}/{{ item.dest }}"
+    mode: 0640
     remote_src: yes
   with_items:
     - {src: apiserver.crt, dest: apiserver.crt.old}
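Review bot: One mode for the whole `with_items` list makes any private key in that list group-readable. Only `apiserver.crt` is visible here and the list continues outside the hunk, so check the full list; the same applies to the copy task in kubeadm-migrate-certs.yml. If key files are present, carry the mode per item, for example `mode: "{{ item.mode | default('0640') }}"` with `mode: '0600'` on the key entries. Separately, `0640` is written as a bare YAML integer in all six hunks of this commit; the Ansible documentation recommends a quoted string, `mode: "0640"`, because a leading-zero integer is not parsed reliably in loops.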
diff --git a/roles/kubernetes/master/tasks/kubeadm-fix-apiserver.yml b/roles/kubernetes/master/tasks/kubeadm-fix-apiserver.yml
index 4200e6d7147a94abd0fb623d97158c940d30b8df..6ebfb179a916b2c08e30e56d6798a173e9c99c44 100644
--- a/roles/kubernetes/master/tasks/kubeadm-fix-apiserver.yml
+++ b/roles/kubernetes/master/tasks/kubeadm-fix-apiserver.yml
@@ -26,6 +26,7 @@
   copy:
     src: "{{ kubeconfig_temp_dir.path }}/{{ item }}"
     dest: "{{ kube_config_dir }}/{{ item }}"
+    mode: 0640
     remote_src: yes
   when: kubeconfig_correct_apiserver.rc != 0
   with_items:
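Review bot: `mode: 0640` on this kubeconfig copy leaves every file in the loop group-readable. The item list is outside the hunk, but kubeconfigs generated by kubeadm (admin.conf and the component ones) embed client credentials, and kubeadm itself creates them owner-only. Unless a non-root group really has to read them, `mode: "0600"` is the safer value. The task also sets no `owner` or `group`, so which group gains read access is not determined by the visible lines.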
diff --git a/roles/kubernetes/master/tasks/kubeadm-migrate-certs.yml b/roles/kubernetes/master/tasks/kubeadm-migrate-certs.yml
index 043530c4af7425045d40dfd2eb2f4b16f27e6dc2..cae5749cf8301a7c2ab8a4caf9e9c27ecaa56e88 100644
--- a/roles/kubernetes/master/tasks/kubeadm-migrate-certs.yml
+++ b/roles/kubernetes/master/tasks/kubeadm-migrate-certs.yml
@@ -3,6 +3,7 @@
   copy:
     src: "{{ kube_cert_dir }}/{{ item.src }}"
     dest: "{{ kube_cert_dir }}/{{ item.dest }}"
+    mode: 0640
     remote_src: yes
   with_items:
     - {src: apiserver.pem, dest: apiserver.crt}
diff --git a/roles/kubernetes/master/tasks/kubeadm-secondary-experimental.yml b/roles/kubernetes/master/tasks/kubeadm-secondary-experimental.yml
index ccb6ddab694a819ee51d00a837e9ee947bf13aa4..234cbda8775770a745f7cce3a9cafc7fb82f7e85 100644
--- a/roles/kubernetes/master/tasks/kubeadm-secondary-experimental.yml
+++ b/roles/kubernetes/master/tasks/kubeadm-secondary-experimental.yml
@@ -32,6 +32,7 @@
   template:
     src: "kubeadm-controlplane.{{ kubeadmConfig_api_version }}.yaml.j2"
     dest: "{{ kube_config_dir }}/kubeadm-controlplane.yaml"
+    mode: 0640
     backup: yes
   when:
     - inventory_hostname != groups['kube-master']|first
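Review bot: The rendered `kubeadm-controlplane.yaml` gets `0640` without `owner` or `group`, unlike the task in kubeadm-secondary-legacy.yml, which pins both to root, so the group that can read the file is not fixed by this task. The template itself is not shown; if it carries a join token or certificate key, `mode: "0600"` together with `owner: root` and `group: root` would be the tighter choice. The same applies to `kubeadm-config.yaml` in kubeadm-version.yml.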
diff --git a/roles/kubernetes/master/tasks/kubeadm-secondary-legacy.yml b/roles/kubernetes/master/tasks/kubeadm-secondary-legacy.yml
index 6f613353bb5e319505d4073b5dd09f5e67ef7344..07e0c1a88b1533f65f1260678542bc76b2988560 100644
--- a/roles/kubernetes/master/tasks/kubeadm-secondary-legacy.yml
+++ b/roles/kubernetes/master/tasks/kubeadm-secondary-legacy.yml
@@ -24,7 +24,7 @@
     content: "{{ item.content | b64decode }}"
     owner: root
     group: root
-    mode: 0600
+    mode: 0640
   no_log: true
   register: copy_kubeadm_certs
   with_items: "{{ kubeadm_certs.results }}"
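Review bot: This line widens the decoded kubeadm certificate material from `0600` to `0640`, and the task is marked `no_log: true`, which suggests `item.content` includes secrets such as private keys. With `group: root` the added bit reaches only members of the root group, but nothing visible in the hunk needs it. I would keep `mode: "0600"`, or, if some entries are public certificates, set the mode per item so that keys stay owner-only. The task's module line and destination are above the hunk.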
diff --git a/roles/kubernetes/master/tasks/kubeadm-version.yml b/roles/kubernetes/master/tasks/kubeadm-version.yml
index 9da44b9adc8678784de997a714a2d99e2cba4de0..7df68b3295b135298428bcee7ca5c5c927ea1ffe 100644
--- a/roles/kubernetes/master/tasks/kubeadm-version.yml
+++ b/roles/kubernetes/master/tasks/kubeadm-version.yml
@@ -12,3 +12,4 @@
   template:
     src: "kubeadm-config.{{ kubeadmConfig_api_version }}.yaml.j2"
     dest: "{{ kube_config_dir }}/kubeadm-config.yaml"
+    mode: 0640