Fix risky-file-permissions (#8370)

When running ansible-lint directly, we see many warning
messages like

  risky-file-permissions File permissions unset or incorrect

This fixes the warning messages.
Kenichi Omichi
2022-01-09 01:51:12 -08:00
committed by GitHub
parent 51bd9bee0d
commit f80fd24a55
48 changed files with 76 additions and 1 deletions


@@ -20,6 +20,7 @@
template:
src: "cni-calico.conflist.j2"
dest: "/etc/cni/net.d/calico.conflist.template"
mode: 0644
owner: root
register: calico_conflist
notify: reset_calico_cni
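Review bot: The new `mode: 0644` at line 23 is an unquoted scalar, which leaves the octal/decimal ambiguity that yamllint's octal-values rule and ansible-lint's risky-octal rule exist to catch: a YAML 1.1 loader (PyYAML, which Ansible uses today) reads `0644` as octal 420, but a YAML 1.2 loader reads it as decimal 644, and an integer passed through to the file module is applied as that decimal value rather than re-parsed as octal. Quoting it, `mode: "0644"`, lets Ansible do its own string-to-octal conversion and is portable across parsers. The same applies to every `mode:` line this commit adds in the other files (the typha certs directory, canal, cilium, flannel, kube-ovn, kube-router, macvlan, multus and weave). The enclosing tasks begin outside the hunks, so their `name:` lines are not visible here.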
@@ -126,6 +127,7 @@
assemble:
src: "{{ local_release_dir }}/calico-{{ calico_version }}-kdd-crds"
dest: "{{ kube_config_dir }}/kdd-crds.yml"
mode: 0644
delimiter: "---\n"
regexp: ".*\\.yaml"
remote_src: true
@@ -330,6 +332,7 @@
template:
src: "{{ item.file }}.j2"
dest: "{{ kube_config_dir }}/{{ item.file }}"
mode: 0644
with_items:
- {name: calico-config, file: calico-config.yml, type: cm}
- {name: calico-node, file: calico-node.yml, type: ds}
@@ -346,6 +349,7 @@
template:
src: "{{ item.file }}.j2"
dest: "{{ kube_config_dir }}/{{ item.file }}"
mode: 0644
with_items:
- {name: calico, file: calico-typha.yml, type: typha}
register: calico_node_typha_manifest


@@ -9,6 +9,7 @@
file:
path: /etc/calico/certs
state: directory
mode: 0755
when: typha_server_secret.rc != 0
- name: Calico | Copy ssl script for typha certs


@@ -3,6 +3,7 @@
template:
src: "cni-canal.conflist.j2"
dest: "/etc/cni/net.d/canal.conflist.template"
mode: 0644
owner: kube
register: canal_conflist
notify: reset_canal_cni
@@ -50,6 +51,7 @@
template:
src: "{{ item.file }}.j2"
dest: "{{ kube_config_dir }}/{{ item.file }}"
mode: 0644
with_items:
- {name: canal-config, file: canal-config.yaml, type: cm}
- {name: canal-node, file: canal-node.yaml, type: ds}
@@ -74,3 +76,4 @@
file:
path: "{{ canal_policy_dir }}"
state: directory
mode: 0755


@@ -18,6 +18,7 @@
file:
src: "{{ etcd_cert_dir }}/{{ item.s }}"
dest: "{{ cilium_cert_dir }}/{{ item.d }}"
mode: 0644
state: hard
force: yes
loop:
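Review bot: `mode: 0644` on the `state: hard` task at line 92 also changes the permission bits of the source file under `{{ etcd_cert_dir }}`, because a hard link shares its inode with the target rather than carrying a mode of its own. The loop items are cut off at the end of the hunk, so I cannot see whether `item.s` includes the etcd private key; if it does, this makes the key world-readable at both paths. Consider a per-item mode that keeps key material at `0600` while certificates stay `0644`, or omit `mode` here and rely on the permissions already set when the etcd certificates were generated. The task's `name:` and its loop entries are outside the hunk.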
@@ -40,6 +41,7 @@
template:
src: "{{ item.file }}.j2"
dest: "{{ kube_config_dir }}/{{ item.file }}"
mode: 0644
loop:
- {name: cilium, file: cilium-config.yml, type: cm}
- {name: cilium, file: cilium-crb.yml, type: clusterrolebinding}
@@ -57,6 +59,7 @@
template:
src: "{{ item.file }}.j2"
dest: "{{ kube_config_dir }}/addons/hubble/{{ item.file }}"
mode: 0644
loop:
- {name: hubble, file: hubble-config.yml, type: cm}
- {name: hubble, file: hubble-crb.yml, type: clusterrolebinding}
@@ -76,4 +79,5 @@
template:
src: 000-cilium-portmap.conflist.j2
dest: /etc/cni/net.d/000-cilium-portmap.conflist
mode: 0644
when: cilium_enable_portmap


@@ -15,6 +15,7 @@
template:
src: "{{ item.file }}.j2"
dest: "{{ kube_config_dir }}/{{ item.file }}"
mode: 0644
with_items:
- {name: flannel, file: cni-flannel-rbac.yml, type: sa}
- {name: kube-flannel, file: cni-flannel.yml, type: ds}


@@ -9,6 +9,7 @@
template:
src: "{{ item.file }}.j2"
dest: "{{ kube_config_dir }}/{{ item.file }}"
mode: 0644
with_items:
- {name: kube-ovn-crd, file: cni-kube-ovn-crd.yml}
- {name: ovn, file: cni-ovn.yml}


@@ -15,6 +15,7 @@
template:
src: kubeconfig.yml.j2
dest: /var/lib/kube-router/kubeconfig
mode: 0644
owner: kube
notify:
- reset_kube_router
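Review bot: The kubeconfig written to `/var/lib/kube-router/kubeconfig` at line 146 gets `mode: 0644`, which leaves it world-readable on the node; a kubeconfig normally embeds the credentials (client certificate and key, or a token) used against the API server, although the template body is not visible in this hunk. Unless another local uid has to read the file, `mode: 0600` together with the existing `owner: kube` is the safer setting; a consumer that runs as root (for example a privileged pod reading it through a hostPath mount) is unaffected by the tighter mode. The task header is outside the hunk.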
@@ -42,6 +43,7 @@
template:
src: cni-conf.json.j2
dest: /etc/cni/net.d/10-kuberouter.conflist
mode: 0644
owner: kube
notify:
- reset_kube_router
@@ -55,5 +57,6 @@
template:
src: kube-router.yml.j2
dest: "{{ kube_config_dir }}/kube-router.yml"
mode: 0644
delegate_to: "{{ groups['kube_control_plane'] | first }}"
run_once: true


@@ -23,6 +23,7 @@
template:
src: debian-network-macvlan.cfg.j2
dest: /etc/network/interfaces.d/60-mac0.cfg
mode: 0644
notify: Macvlan | restart network
when: ansible_os_family in ["Debian"]
@@ -50,6 +51,7 @@
template:
src: "{{ item.src }}.j2"
dest: "/etc/sysconfig/network-scripts/{{ item.dst }}"
mode: 0644
with_items:
- {src: centos-network-macvlan.cfg, dst: ifcfg-mac0 }
- {src: centos-routes-macvlan.cfg, dst: route-mac0 }
@@ -61,6 +63,7 @@
template:
src: coreos-service-nat_ouside.j2
dest: /etc/systemd/system/enable_nat_ouside.service
mode: 0644
when: ansible_os_family in ["Flatcar", "Flatcar Container Linux by Kinvolk"] and enable_nat_default_gateway
- name: Macvlan | Enable service nat via gateway on Flatcar Container Linux
@@ -74,6 +77,7 @@
template:
src: "{{ item.src }}.j2"
dest: "/etc/systemd/network/{{ item.dst }}"
mode: 0644
with_items:
- {src: coreos-device-macvlan.cfg, dst: macvlan.netdev }
- {src: coreos-interface-macvlan.cfg, dst: output.network }
@@ -85,11 +89,13 @@
template:
src: 10-macvlan.conf.j2
dest: /etc/cni/net.d/10-macvlan.conf
mode: 0644
- name: Macvlan | Install loopback definition for Macvlan
template:
src: 99-loopback.conf.j2
dest: /etc/cni/net.d/99-loopback.conf
mode: 0644
- name: Enable net.ipv4.conf.all.arp_notify in sysctl
sysctl:


@@ -3,6 +3,7 @@
copy:
src: "{{ item.file }}"
dest: "{{ kube_config_dir }}"
mode: 0644
with_items:
- {name: multus-crd, file: multus-crd.yml, type: customresourcedefinition}
- {name: multus-serviceaccount, file: multus-serviceaccount.yml, type: serviceaccount}
@@ -14,6 +15,7 @@
template:
src: "{{ item.file }}.j2"
dest: "{{ kube_config_dir }}/{{ item.file }}"
mode: 0644
with_items:
- {name: multus-daemonset, file: multus-daemonset.yml, type: daemonset}
register: multus_manifest_2


@@ -3,8 +3,10 @@
template:
src: weave-net.yml.j2
dest: "{{ kube_config_dir }}/weave-net.yml"
mode: 0644
- name: Weave | Fix nodePort for Weave
template:
src: 10-weave.conflist.j2
dest: /etc/cni/net.d/10-weave.conflist
mode: 0644