Make kubeconfig not world readable and issue warning with kubectl wrapper

pkg/kubectl/main.go

@@ -8,6 +8,7 @@ import (
 	"time"
 
 	"github.com/rancher/k3s/pkg/server"
+	"github.com/sirupsen/logrus"
 	"github.com/spf13/pflag"
 	utilflag "k8s.io/component-base/cli/flag"
 	"k8s.io/component-base/logs"
@@ -21,6 +22,9 @@ func Main() {
 		if _, serr := os.Stat(config); err == nil && serr == nil {
 			os.Setenv("KUBECONFIG", config)
 		}
+		if err := checkReadConfigPermissions(config); err != nil {
+			logrus.Warn(err)
+		}
 	}
 
 	main()
@@ -45,3 +49,15 @@ func main() {
 		os.Exit(1)
 	}
 }
+
+func checkReadConfigPermissions(configFile string) error {
+	file, err := os.OpenFile(configFile, os.O_RDONLY, 0600)
+	if err != nil {
+		if os.IsPermission(err) {
+			return fmt.Errorf("Unable to read %s, please start server "+
+				"with --write-kubeconfig-mode to modify kube config permissions", configFile)
+		}
+	}
+	file.Close()
+	return nil
+}

pkg/server/server.go

@@ -231,7 +231,7 @@ func writeKubeConfig(certs string, tlsConfig *dynamiclistener.UserConfig, config
 			logrus.Errorf("failed to set %s to mode %s: %v", kubeConfig, os.FileMode(mode), err)
 		}
 	} else {
-		os.Chmod(kubeConfig, os.FileMode(0644))
+		os.Chmod(kubeConfig, os.FileMode(0600))
 	}
 
 	logrus.Infof("Wrote kubeconfig %s", kubeConfig)