capi: suppress warnings on creating files without mode

Since Ansible 2.9.12 or 2.8.14, Ansible shows the following warning, when a file gets created with `mode` is not specified in the config. ``` [WARNING]: File '/tmp/kube-apiserver.tar' created with default permissions '600'. The previous default was '666'. Specify 'mode' to avoid this warning. ``` To get rid of such a warning, specify `mode` to 0600 when creating files, as much as possible. See also ansible/ansible#71200 .
kinvolk · Aug 21, 2020 · 5809613 · 5809613
1 parent 7d005e9
commit 5809613
Show file tree

Hide file tree

Showing 5 changed files with 11 additions and 1 deletion.
diff --git a/images/capi/ansible/roles/containerd/tasks/main.yml b/images/capi/ansible/roles/containerd/tasks/main.yml
@@ -28,6 +28,7 @@
     url: "{{ containerd_url }}"
     checksum: "sha256:{{ containerd_sha256 }}"
     dest: /tmp/containerd.tar.gz
+    mode: 0600
 
 # TODO(vincepri): This unpacks the entire tar in the root directory
 # we should find a better way to check what's being unpacked and where.
@@ -50,21 +51,25 @@
     section: Service
     option: Type
     value: notify
+    mode: 0600
 
 - name: Create containerd boot order drop in file
   template:
     dest: /etc/systemd/system/containerd.service.d/boot-order.conf
     src: etc/systemd/system/containerd.service.d/boot-order.conf
+    mode: 0600
 
 - name: Create containerd memory pressure drop in file
   template:
     dest: /etc/systemd/system/containerd.service.d/memory-pressure.conf
     src: etc/systemd/system/containerd.service.d/memory-pressure.conf
+    mode: 0600
 
 - name: Create containerd max tasks drop in file
   template:
     dest: /etc/systemd/system/containerd.service.d/max-tasks.conf
     src: etc/systemd/system/containerd.service.d/max-tasks.conf
+    mode: 0600
 
 - name: Creates containerd config directory
   file:
@@ -75,6 +80,7 @@
   template:
     dest: /etc/containerd/config.toml
     src: etc/containerd/config.toml
+    mode: 0600
 
 - name: start containerd service
   systemd:
@@ -86,4 +92,4 @@
 - name: delete tarball
   file:
     path: /tmp/containerd.tar.gz
-    state: absent
+    state: absent
diff --git a/images/capi/ansible/roles/kubernetes/tasks/kubeadmpull.yml b/images/capi/ansible/roles/kubernetes/tasks/kubeadmpull.yml
@@ -2,6 +2,7 @@
   template:
     dest: /etc/kubeadm.yml
     src: "{{ kubeadm_template }}"
+    mode: 0600
 
 - name: Kubeadm pull images
   shell: 'kubeadm config images pull --config /etc/kubeadm.yml'

diff --git a/images/capi/ansible/roles/kubernetes/tasks/main.yml b/images/capi/ansible/roles/kubernetes/tasks/main.yml
@@ -33,6 +33,7 @@
   template:
     dest: /etc/kubernetes-version
     src: etc/kubernetes-version
+    mode: 0600
 
 # TODO: This section will be deprecated once https://github.com/containerd/cri/issues/1131 is fixed. It is used to support ECR with containerd.
 - name: Check if Kubernetes container registry is using Amazon ECR

diff --git a/images/capi/ansible/roles/kubernetes/tasks/url.yml b/images/capi/ansible/roles/kubernetes/tasks/url.yml
@@ -72,6 +72,7 @@
     #             checksum file format
     #checksum: "sha1:{{ kubernetes_http_source }}/bin/linux/amd64/{{ item }}.sha1"
     dest: "/tmp/{{ item }}"
+    mode: 0600
   loop: "{{ kubernetes_imgs }}"
 
 - name: Load Kubernetes images

diff --git a/images/capi/ansible/roles/node/tasks/main.yml b/images/capi/ansible/roles/node/tasks/main.yml
@@ -34,6 +34,7 @@
       overlay
       br_netfilter
     dest: /etc/modules-load.d/kubernetes.conf
+    mode: 0600
 
 - name: Ensure net.ipv4.ip_forward sysctl is present
   sysctl: