kubeadm: change the permissions of generated CSR files from 0644 to 0600 #81217

Merged
merged 1 commit into from Aug 12, 2019


@SataQiu
Member

commented Aug 9, 2019

What type of PR is this?
/kind bug

What this PR does / why we need it:
kubeadm: change the permissions of generated CSR files from 0644 to 0600.
I found that we had already set the permissions of 0600 for the kubernetes configuration files.
Ref: https://github.com/kubernetes/kubernetes/blob/master/cmd/kubeadm/app/util/kubeconfig/kubeconfig.go#L95

Which issue(s) this PR fixes:

Fixes kubernetes/kubeadm#1716

Special notes for your reviewer:

Does this PR introduce a user-facing change?:

kubeadm: the permissions of generated CSR files are changed from 0644 to 0600

Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:


@SataQiu

Member Author

commented Aug 9, 2019

/test pull-kubernetes-integration

@dixudx
dixudx approved these changes Aug 9, 2019
Member

left a comment

/lgtm
/approve

@SataQiu

Member Author

commented Aug 9, 2019

/test pull-kubernetes-kubemark-e2e-gce-big

@neolit123

Member

commented Aug 9, 2019

@SataQiu thanks, are these the only file permissions we have to modify?
/assign @rosti
for final approve.

@SataQiu

Member Author

commented Aug 12, 2019

I'm not sure what permissions we should apply for CSR files now.
I found that client-go :

Should CSR have the same permission as CRT?
Do we need to follow client-go? kubeadm uses client-go to generate certificate files in some places.

@neolit123 @rosti

@rosti
rosti approved these changes Aug 12, 2019
Member

left a comment

Thanks @SataQiu !
I did look around and it appears that this is the only place where PKI permissions are messed up.
The proposed permissions (0700 for the containing dir and 0600 for the CSR itself) seem adequate to me.
/approve
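
The modes discussed in this thread (0700 for the containing directory, 0600 for the CSR), as an added example that is not kubeadm's code or part of any comment above. `writeCSR`, `looseCSRs` and the file name `example.csr` are hypothetical; the example also covers a case the thread does not discuss: the mode passed to `os.WriteFile` is applied only when the file is created, so a CSR written at 0644 earlier stays 0644 unless it is explicitly chmod'ed.

```go
package main

import (
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"strings"
)

// writeCSR is a hypothetical helper, not kubeadm's own function. The mode
// passed to MkdirAll/WriteFile applies only when the path is created, so a
// CSR left at 0644 by an earlier run keeps 0644 unless it is chmod'ed.
func writeCSR(dir, name string, pemBytes []byte) (string, error) {
	if err := os.MkdirAll(dir, 0o700); err != nil { // pre-existing dirs keep their mode
		return "", err
	}
	path := filepath.Join(dir, name)
	if err := os.WriteFile(path, pemBytes, 0o600); err != nil {
		return "", err
	}
	return path, os.Chmod(path, 0o600) // tighten a file that already existed
}

// looseCSRs lists regular *.csr files under root with any group/other bit set.
func looseCSRs(root string) ([]string, error) {
	var loose []string
	err := filepath.WalkDir(root, func(p string, d fs.DirEntry, err error) error {
		if err != nil || !d.Type().IsRegular() || !strings.HasSuffix(p, ".csr") {
			return err
		}
		info, err := d.Info()
		if err == nil && info.Mode().Perm()&0o077 != 0 {
			loose = append(loose, fmt.Sprintf("%s %04o", p, info.Mode().Perm()))
		}
		return err
	})
	return loose, err
}

func main() {
	dir, _ := os.MkdirTemp("", "csr-demo") // constructed scratch directory
	defer os.RemoveAll(dir)
	old := filepath.Join(dir, "example.csr") // constructed file name
	os.WriteFile(old, []byte("constructed placeholder, not a real CSR\n"), 0o644)
	os.Chmod(old, 0o644) // simulate a file written before the fix
	before, _ := looseCSRs(dir)
	writeCSR(dir, "example.csr", []byte("constructed placeholder\n"))
	after, _ := looseCSRs(dir)
	fmt.Println("before:", before, "after:", after)
}
```

Running `looseCSRs` against a directory of previously generated CSRs shows which files still carry the old mode after an upgrade.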

@k8s-ci-robot

Contributor

commented Aug 12, 2019

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: dixudx, rosti, SataQiu


@fejta-bot


commented Aug 12, 2019

/retest

@k8s-ci-robot merged commit ca62905 into kubernetes:master Aug 12, 2019
23 checks passed
@k8s-ci-robot added this to the v1.16 milestone Aug 12, 2019