Update Kubernetes PKI certificate file permissions

Signed-off-by: bmelbourne <[email protected]>
kubernetes-sigs · Apr 23, 2024 · 7b6c6bf · 7b6c6bf
1 parent ab0ef18
commit 7b6c6bf
Show file tree

Hide file tree

Showing 2 changed files with 43 additions and 10 deletions.
diff --git a/roles/kubernetes/kubeadm/tasks/main.yml b/roles/kubernetes/kubeadm/tasks/main.yml
@@ -194,12 +194,26 @@
  tags:
  - kube-proxy
 
+- name: Set kubernetes pki certificate file permissions
+ file:
+ path: "{{ kube_cert_dir }}/{{ item }}"
+ owner: root
+ group: root
+ mode: 0600
+ with_items:
+ - apiserver-kubelet-client.crt
+ - apiserver.crt
+ - front-proxy-ca.crt
+ - front-proxy-client.crt
+ when:
+ - inventory_hostname in groups['kube_control_plane']
+
 - name: Set ca.crt file permission
  file:
  path: "{{ kube_cert_dir }}/ca.crt"
  owner: root
  group: root
- mode: "0644"
+ mode: 0600
 
 - name: Restart all kube-proxy pods to ensure that they load the new configmap
  command: "{{ kubectl }} delete pod -n kube-system -l k8s-app=kube-proxy --force --grace-period=0"

diff --git a/roles/kubernetes/preinstall/tasks/0050-create_directories.yml b/roles/kubernetes/preinstall/tasks/0050-create_directories.yml
@@ -5,6 +5,11 @@
  state: directory
  owner: "{{ kube_owner }}"
  mode: 0755
+ with_items:
+ - "{{ kube_config_dir }}"
+ - "{{ kube_manifest_dir }}"
+ - "{{ kube_script_dir }}"
+ - "{{ kubelet_flexvolumes_plugins_dir }}"
  when: inventory_hostname in groups['k8s_cluster']
  become: true
  tags:
@@ -17,18 +22,35 @@
  - network
  - master
  - node
- with_items:
- - "{{ kube_config_dir }}"
- - "{{ kube_manifest_dir }}"
- - "{{ kube_script_dir }}"
- - "{{ kubelet_flexvolumes_plugins_dir }}"
 
 - name: Create other directories of root owner
  file:
  path: "{{ item }}"
  state: directory
  owner: root
  mode: 0755
+ with_items:
+ - "{{ bin_dir }}"
+ when: inventory_hostname in groups['k8s_cluster']
+ become: true
+ tags:
+ - kubelet
+ - k8s-secrets
+ - kube-controller-manager
+ - kube-apiserver
+ - bootstrap-os
+ - apps
+ - network
+ - master
+ - node
+
+- name: Create kubernetes pki directory
+ file:
+ path: "{{ kube_cert_dir }}"
+ state: directory
+ owner: root
+ group: root
+ mode: 0700
  when: inventory_hostname in groups['k8s_cluster']
  become: true
  tags:
@@ -41,9 +63,6 @@
  - network
  - master
  - node
- with_items:
- - "{{ kube_cert_dir }}"
- - "{{ bin_dir }}"
 
 - name: Check if kubernetes kubeadm compat cert dir exists
  stat:
@@ -61,7 +80,7 @@
  src: "{{ kube_cert_dir }}"
  dest: "{{ kube_cert_compat_dir }}"
  state: link
- mode: 0755
+ mode: 0700
  when:
  - inventory_hostname in groups['k8s_cluster']
  - kube_cert_dir != kube_cert_compat_dir