Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Adjust default kubeconfig file permissions #7978

Merged
merged 2 commits into from
Jul 14, 2023
Merged

Adjust default kubeconfig file permissions #7978

merged 2 commits into from
Jul 14, 2023

Conversation

dereknola
Copy link
Member

@dereknola dereknola commented Jul 14, 2023
edited
Loading

Signed-off-by: Derek Nola [email protected]

Proposed Changes

cis-1.24 and newer (the upcoming cis-1.7, yes the name is weird) have moved to a more restrictive kubeconfig default. As the folder var/lib/rancher/k3s/server/cred containing these files is restricted to root users only, further restricting the files to read only for root does not present a huge change in file access.

Types of Changes

Verification

  • Start k3s
root $ stat -c "%a %n" /var/lib/rancher/k3s/server/cred/* 
600 /var/lib/rancher/k3s/server/cred/admin.kubeconfig
600 /var/lib/rancher/k3s/server/cred/api-server.kubeconfig
600 /var/lib/rancher/k3s/server/cred/cloud-controller.kubeconfig
600 /var/lib/rancher/k3s/server/cred/controller.kubeconfig
600 /var/lib/rancher/k3s/server/cred/ipsec.psk
600 /var/lib/rancher/k3s/server/cred/passwd
600 /var/lib/rancher/k3s/server/cred/scheduler.kubeconfig
600 /var/lib/rancher/k3s/server/cred/supervisor.kubeconfig

All .kubeconfig files should be 600 permissions

Testing

Linked Issues

#7975

User-Facing Change

Further Comments

@dereknola dereknola requested a review from a team as a code owner July 14, 2023 19:39
@dereknola dereknola changed the title [WIP] Adjust default kubeconfig permissions [WIP] Adjust default kubeconfig file permissions Jul 14, 2023
brandond
brandond requested changes Jul 14, 2023
View reviewed changes
pkg/daemons/control/deps/deps.go Outdated Show resolved Hide resolved
@dereknola dereknola changed the title [WIP] Adjust default kubeconfig file permissions Adjust default kubeconfig file permissions Jul 14, 2023
@dereknola
Copy link
Member Author

Merging, arm CI runners are currently full.

@dereknola dereknola merged commit be44243 into k3s-io:master Jul 14, 2023
dereknola added a commit to dereknola/k3s that referenced this pull request Jul 14, 2023
@dereknola
Adjust default kubeconfig file permissions (k3s-io#7978)
0b3d670 
* Adjust default kubeconfig permissions

Signed-off-by: Derek Nola <[email protected]>
dereknola added a commit to dereknola/k3s that referenced this pull request Jul 14, 2023
@dereknola
Adjust default kubeconfig file permissions (k3s-io#7978)
07b5bd3 
* Adjust default kubeconfig permissions

Signed-off-by: Derek Nola <[email protected]>
dereknola added a commit to dereknola/k3s that referenced this pull request Jul 14, 2023
@dereknola
Adjust default kubeconfig file permissions (k3s-io#7978)
bc01d70 
* Adjust default kubeconfig permissions

Signed-off-by: Derek Nola <[email protected]>
This was referenced Jul 14, 2023
Merged
Merged
Merged
@dereknola dereknola deleted the cis-1.24-file-perm branch July 18, 2023 18:39
@cguertin14 cguertin14 mentioned this pull request Aug 1, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@osodracnai osodracnai osodracnai approved these changes

@brandond brandond brandond approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@dereknola @brandond @osodracnai