From db5040e6eab1f28fac95c1054f0d49e446a0b13e Mon Sep 17 00:00:00 2001
From: Matthew Mosesohn <matthew.mosesohn@gmail.com>
Date: Mon, 11 Nov 2019 16:41:41 +0300
Subject: [PATCH] Set certs and files with kubeadm token to mode 0640 (#5325)

Change-Id: I298496e55a6889c158b2085fcadeda5e679a873e
---
 roles/kubernetes/master/tasks/kubeadm-certificate.yml           | 1 +
 roles/kubernetes/master/tasks/kubeadm-fix-apiserver.yml         | 1 +
 roles/kubernetes/master/tasks/kubeadm-migrate-certs.yml         | 1 +
 .../kubernetes/master/tasks/kubeadm-secondary-experimental.yml  | 1 +
 roles/kubernetes/master/tasks/kubeadm-secondary-legacy.yml      | 2 +-
 roles/kubernetes/master/tasks/kubeadm-version.yml               | 1 +
 6 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/roles/kubernetes/master/tasks/kubeadm-certificate.yml b/roles/kubernetes/master/tasks/kubeadm-certificate.yml
index c3d486b83..03ebe2536 100644
--- a/roles/kubernetes/master/tasks/kubeadm-certificate.yml
+++ b/roles/kubernetes/master/tasks/kubeadm-certificate.yml
@@ -3,6 +3,7 @@
   copy:
     src: "{{ kube_cert_dir }}/{{ item.src }}"
     dest: "{{ kube_cert_dir }}/{{ item.dest }}"
+    mode: 0640
     remote_src: yes
   with_items:
     - {src: apiserver.crt, dest: apiserver.crt.old}
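Review bot: The new `mode: 0640` is an unquoted leading-zero scalar; Ansible's YAML 1.1 loader reads it as octal 0o640, which is what the commit wants, but ansible-lint's risky-octal rule and any YAML 1.2 parser would treat it differently (decimal 640), so the portable form is `mode: "0640"`. The same unquoted form is added in kubeadm-fix-apiserver.yml, kubeadm-migrate-certs.yml, kubeadm-secondary-experimental.yml, kubeadm-secondary-legacy.yml and kubeadm-version.yml. Separately, this copy task sets no `owner:`/`group:`, so which group gains the new read bit is whatever the copied file ends up with on the target; if the intent is root-only access, adding `owner: root` and `group: root` as kubeadm-secondary-legacy.yml already does would make that explicit. The enclosing task starts before this hunk.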
diff --git a/roles/kubernetes/master/tasks/kubeadm-fix-apiserver.yml b/roles/kubernetes/master/tasks/kubeadm-fix-apiserver.yml
index 4200e6d71..6ebfb179a 100644
--- a/roles/kubernetes/master/tasks/kubeadm-fix-apiserver.yml
+++ b/roles/kubernetes/master/tasks/kubeadm-fix-apiserver.yml
@@ -26,6 +26,7 @@
   copy:
     src: "{{ kubeconfig_temp_dir.path }}/{{ item }}"
     dest: "{{ kube_config_dir }}/{{ item }}"
+    mode: 0640
     remote_src: yes
   when: kubeconfig_correct_apiserver.rc != 0
   with_items:
diff --git a/roles/kubernetes/master/tasks/kubeadm-migrate-certs.yml b/roles/kubernetes/master/tasks/kubeadm-migrate-certs.yml
index 043530c4a..cae5749cf 100644
--- a/roles/kubernetes/master/tasks/kubeadm-migrate-certs.yml
+++ b/roles/kubernetes/master/tasks/kubeadm-migrate-certs.yml
@@ -3,6 +3,7 @@
   copy:
     src: "{{ kube_cert_dir }}/{{ item.src }}"
     dest: "{{ kube_cert_dir }}/{{ item.dest }}"
+    mode: 0640
     remote_src: yes
   with_items:
     - {src: apiserver.pem, dest: apiserver.crt}
diff --git a/roles/kubernetes/master/tasks/kubeadm-secondary-experimental.yml b/roles/kubernetes/master/tasks/kubeadm-secondary-experimental.yml
index ccb6ddab6..234cbda87 100644
--- a/roles/kubernetes/master/tasks/kubeadm-secondary-experimental.yml
+++ b/roles/kubernetes/master/tasks/kubeadm-secondary-experimental.yml
@@ -32,6 +32,7 @@
   template:
     src: "kubeadm-controlplane.{{ kubeadmConfig_api_version }}.yaml.j2"
     dest: "{{ kube_config_dir }}/kubeadm-controlplane.yaml"
+    mode: 0640
     backup: yes
   when:
     - inventory_hostname != groups['kube-master']|first
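Review bot: The new `mode:` applies only to the rendered kubeadm-controlplane.yaml; the task also has `backup: yes`, and the `~`-suffixed backup copies Ansible makes of the previous rendering are, as far as I can tell, written with the prior file's permissions rather than this `mode`, so any copies created before this change keep whatever looser mode they had. If those backups are not needed, dropping `backup: yes` or cleaning them up on upgrade would close that gap; if they are kept, a note in the task such as `# backup copies are not re-moded; see upgrade cleanup` would help the next maintainer. The enclosing task starts before this hunk.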
diff --git a/roles/kubernetes/master/tasks/kubeadm-secondary-legacy.yml b/roles/kubernetes/master/tasks/kubeadm-secondary-legacy.yml
index 6f613353b..07e0c1a88 100644
--- a/roles/kubernetes/master/tasks/kubeadm-secondary-legacy.yml
+++ b/roles/kubernetes/master/tasks/kubeadm-secondary-legacy.yml
@@ -24,7 +24,7 @@
     content: "{{ item.content | b64decode }}"
     owner: root
     group: root
-    mode: 0600
+    mode: 0640
   no_log: true
   register: copy_kubeadm_certs
   with_items: "{{ kubeadm_certs.results }}"
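Review bot: The mode of these files is loosened from `0600` to `0640`, whereas every other hunk in this commit only tightens a previously unset mode; the content comes from `kubeadm_certs.results` under `no_log: true`, so these presumably include private keys, and group-read on key material is more than the commit title ("certs and files with kubeadm token") describes. With `owner: root`/`group: root` the exposure is limited to members of group root, but if the goal is a uniform 0640 for certificates only, keeping keys at 0600 (for example via a per-item mode such as `mode: "{{ item.mode | default('0600') }}"`, if the result items carry one) would preserve the previous least-privilege setting. The enclosing task starts before this hunk.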
diff --git a/roles/kubernetes/master/tasks/kubeadm-version.yml b/roles/kubernetes/master/tasks/kubeadm-version.yml
index 9da44b9ad..7df68b329 100644
--- a/roles/kubernetes/master/tasks/kubeadm-version.yml
+++ b/roles/kubernetes/master/tasks/kubeadm-version.yml
@@ -12,3 +12,4 @@
   template:
     src: "kubeadm-config.{{ kubeadmConfig_api_version }}.yaml.j2"
     dest: "{{ kube_config_dir }}/kubeadm-config.yaml"
+    mode: 0640
-- 
GitLab