Make kubeconfig not world readable and issue warning with kubectl wrapper

2024-06-07 19:41:36 +00:00 · 2019-05-09 00:54:52 +02:00 · 2019-05-09 00:54:52 +02:00 · 36bab003a3
commit 36bab003a3
parent 1d42fc9755
2 changed files with 17 additions and 1 deletions
--- a/pkg/kubectl/main.go
+++ b/pkg/kubectl/main.go
@ -8,6 +8,7 @@ import (
 	"time"
 	"github.com/rancher/k3s/pkg/server"
 	"github.com/sirupsen/logrus"
 	"github.com/spf13/pflag"
 	utilflag "k8s.io/component-base/cli/flag"
 	"k8s.io/component-base/logs"
@ -21,6 +22,9 @@ func Main() {
 		if _, serr := os.Stat(config); err == nil && serr == nil {
 			os.Setenv("KUBECONFIG", config)
 		}
 		if err := checkReadConfigPermissions(config); err != nil {
 			logrus.Warn(err)
 		}
 	}
 	main()
@ -45,3 +49,15 @@ func main() {
 		os.Exit(1)
 	}
 }
 func checkReadConfigPermissions(configFile string) error {
 	file, err := os.OpenFile(configFile, os.O_RDONLY, 0600)
 	if err != nil {
 		if os.IsPermission(err) {
 			return fmt.Errorf("Unable to read %s, please start server "+
 				"with --write-kubeconfig-mode to modify kube config permissions", configFile)
 		}
 	}
 	file.Close()
 	return nil
 }
--- a/pkg/server/server.go
+++ b/pkg/server/server.go
@ -231,7 +231,7 @@ func writeKubeConfig(certs string, tlsConfig *dynamiclistener.UserConfig, config
 			logrus.Errorf("failed to set %s to mode %s: %v", kubeConfig, os.FileMode(mode), err)
 		}
 	} else {
-		os.Chmod(kubeConfig, os.FileMode(0644))
+		os.Chmod(kubeConfig, os.FileMode(0600))
 	}
 	logrus.Infof("Wrote kubeconfig %s", kubeConfig)