External-Mirrors/kubespray
2
0
Fork 0
mirror of https://github.com/kubernetes-sigs/kubespray.git synced 2026-02-16 10:40:04 -03:30
Code Issues Packages Projects Releases Wiki Activity

Set filemode to 0640 (#2315)

Browse Source 
* Set filemode to 0640

weave-net.yml file is readable by all users on the host. It however contains the weave_password to encrypt all pod communication. It should only be readable by root.

* Set mode 0640 on users_file with basic auth
This commit is contained in:
Andreas Krüger
2018-02-21 21:13:46 +01:00
committed by Matthew Mosesohn
parent bfe196236f
commit d84ff06f73
2 changed files with 2 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
roles/kubernetes/master/tasks/users-file.yml
View File

@@ -10,5 +10,6 @@
template: template:
src: known_users.csv.j2 src: known_users.csv.j2
dest: "{{ kube_users_dir }}/known_users.csv" dest: "{{ kube_users_dir }}/known_users.csv"
mode: 0640
backup: yes backup: yes
notify: Master | set secret_changed notify: Master | set secret_changed

1
roles/network_plugin/weave/tasks/main.yml
View File

@@ -17,4 +17,5 @@
template: template:
src: weave-net.yml.j2 src: weave-net.yml.j2
dest: "{{ kube_config_dir }}/weave-net.yml" dest: "{{ kube_config_dir }}/weave-net.yml"
mode: 0640
register: weave_manifest register: weave_manifest