From 36bab003a3f653fb1bf162e726e2e7c965378089 Mon Sep 17 00:00:00 2001
From: galal-hussein
Date: Thu, 9 May 2019 00:54:52 +0200
Subject: [PATCH] Make kubeconfig not world readable and issue warning with kubectl wrapper
---
 pkg/kubectl/main.go | 16 ++++++++++++++++
 pkg/server/server.go | 2 +-
 2 files changed, 17 insertions(+), 1 deletion(-)
diff --git a/pkg/kubectl/main.go b/pkg/kubectl/main.go
index edf998ce98..0c23fbd1ab 100644
--- a/pkg/kubectl/main.go
+++ b/pkg/kubectl/main.go
@@ -8,6 +8,7 @@ import (
 "time"

 "github.com/rancher/k3s/pkg/server"
+ "github.com/sirupsen/logrus"
 "github.com/spf13/pflag"
 utilflag "k8s.io/component-base/cli/flag"
 "k8s.io/component-base/logs"
@@ -21,6 +22,9 @@ func Main() {
 if _, serr := os.Stat(config); err == nil && serr == nil {
 os.Setenv("KUBECONFIG", config)
 }
+ if err := checkReadConfigPermissions(config); err != nil {
+ logrus.Warn(err)
+ }
 }

 main()
@@ -45,3 +49,15 @@ func main() {
 os.Exit(1)
 }
 }
+
+func checkReadConfigPermissions(configFile string) error {
+ file, err := os.OpenFile(configFile, os.O_RDONLY, 0600)
+ if err != nil {
+ if os.IsPermission(err) {
+ return fmt.Errorf("Unable to read %s, please start server "+
+ "with --write-kubeconfig-mode to modify kube config permissions", configFile)
+ }
+ }
+ file.Close()
+ return nil
+}
diff --git a/pkg/server/server.go b/pkg/server/server.go
index 43a7d4e920..a58bf3f454 100644
--- a/pkg/server/server.go
+++ b/pkg/server/server.go
@@ -231,7 +231,7 @@ func writeKubeConfig(certs string, tlsConfig *dynamiclistener.UserConfig, config
 logrus.Errorf("failed to set %s to mode %s: %v", kubeConfig, os.FileMode(mode), err)
 }
 } else {
- os.Chmod(kubeConfig, os.FileMode(0644))
+ os.Chmod(kubeConfig, os.FileMode(0600))
 }

 logrus.Infof("Wrote kubeconfig %s", kubeConfig)
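Review bot: In `checkReadConfigPermissions` (pkg/kubectl/main.go), an `os.OpenFile` failure that is not a permission error falls through to `file.Close()` on a nil `*os.File`, and the function then returns nil, so a missing or otherwise unopenable kubeconfig is silently reported as fine. Add `return nil` (or `return err`, if the wrapper should warn on every failure) just before the closing brace of `if err != nil {`, so that `Close` is only reached with a valid handle. The `0600` argument has no effect without `os.O_CREATE`, so `os.Open(configFile)` expresses the same read-only probe more plainly. The call added in `Main()` runs regardless of whether the preceding `os.Stat` succeeded, so the helper does need to tolerate a path that does not exist.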
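Review bot: The result of `os.Chmod(kubeConfig, os.FileMode(0600))` in the `else` branch of `writeKubeConfig` (pkg/server/server.go) is discarded, so if the mode change fails the kubeconfig and the cluster credentials in it keep whatever mode the file was created with, and nothing is logged. The branch above appears to log its own failure; the default branch should do the same: `if err := os.Chmod(kubeConfig, os.FileMode(0600)); err != nil { logrus.Errorf("failed to set %s to mode %s: %v", kubeConfig, os.FileMode(0600), err) }`. The code that creates the file is outside this hunk. If it writes the file with a wider mode and narrows it afterwards, other local users can read it in the interval, so creating it with 0600 in the first place would close that gap.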