diff --git a/go.mod b/go.mod index 6e89ef040..5cb853c80 100644 --- a/go.mod +++ b/go.mod @@ -23,7 +23,7 @@ require ( golang.org/x/time v0.15.0 google.golang.org/protobuf v1.36.12-0.20260120151049-f2248ac996af gopkg.in/evanphx/json-patch.v4 v4.13.0 - k8s.io/api v0.0.0-20260626173204-0669b8f44d17 + k8s.io/api v0.0.0-20260626213116-2b6c2012d75f k8s.io/apimachinery v0.0.0-20260626172716-6fa8dff7b19f k8s.io/klog/v2 v2.140.0 k8s.io/kube-openapi v0.0.0-20260618221249-bc653b64f974 diff --git a/go.sum b/go.sum index a91fc0984..02fbd1542 100644 --- a/go.sum +++ b/go.sum @@ -118,8 +118,8 @@ gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc= gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw= gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= -k8s.io/api v0.0.0-20260626173204-0669b8f44d17 h1:ugKw3OKEv7LEx9Qy1DyqAZ8coG+a97DrX9yghW7Ert4= -k8s.io/api v0.0.0-20260626173204-0669b8f44d17/go.mod h1:7NNJfcrPo0BNrOSUudMNZpLxWf/OYIRNbwS+/yAaJwg= +k8s.io/api v0.0.0-20260626213116-2b6c2012d75f h1:WfCuhwj5sO/oWkTS3MovBWuwL7vBXPWn2ROuQf26qok= +k8s.io/api v0.0.0-20260626213116-2b6c2012d75f/go.mod h1:7NNJfcrPo0BNrOSUudMNZpLxWf/OYIRNbwS+/yAaJwg= k8s.io/apimachinery v0.0.0-20260626172716-6fa8dff7b19f h1:WAFkshKyNvj5avlHoK0nhd0B0G+O+YUH3ntvUkUmDsE= k8s.io/apimachinery v0.0.0-20260626172716-6fa8dff7b19f/go.mod h1:T9tvL1Yxf+TRVyTz+Q7KtLAncCr9xxxx1zrF6g/QuR0= k8s.io/klog/v2 v2.140.0 h1:Tf+J3AH7xnUzZyVVXhTgGhEKnFqye14aadWv7bzXdzc= diff --git a/tools/clientcmd/loader.go b/tools/clientcmd/loader.go index d1d0a8295..398de04f6 100644 --- a/tools/clientcmd/loader.go +++ b/tools/clientcmd/loader.go @@ -300,7 +300,8 @@ func (rules *ClientConfigLoadingRules) Migrate() error { return err } - if sourceInfo, err := os.Stat(source); err != nil { + sourceInfo, err := os.Stat(source) + if err != nil { if os.IsNotExist(err) || os.IsPermission(err) { // if the source file doesn't exist or we can't access it, there's no work to do. continue @@ -316,8 +317,8 @@ func (rules *ClientConfigLoadingRules) Migrate() error { if err != nil { return err } - // destination is created with mode 0666 before umask - err = os.WriteFile(destination, data, 0666) + // destination created with source perm, but never executable, and subject to umask + err = os.WriteFile(destination, data, sourceInfo.Mode().Perm()&0666) if err != nil { return err } diff --git a/tools/clientcmd/loader_test.go b/tools/clientcmd/loader_test.go index 22006aa6c..34fe4aa47 100644 --- a/tools/clientcmd/loader_test.go +++ b/tools/clientcmd/loader_test.go @@ -656,6 +656,19 @@ func TestMigratingFile(t *testing.T) { if !reflect.DeepEqual(sourceContent, destinationContent) { t.Errorf("source and destination do not match") } + + // destination file permissions should be the same as the source file permissions + sourceInfo, err := os.Stat(sourceFile.Name()) + if err != nil { + t.Errorf("unexpected error %v", err) + } + destinationInfo, err := os.Stat(destinationFile.Name()) + if err != nil { + t.Errorf("unexpected error %v", err) + } + if destinationInfo.Mode().Perm() != sourceInfo.Mode().Perm() { + t.Errorf("expected permissions %v, got %v", sourceInfo.Mode().Perm(), destinationInfo.Mode().Perm()) + } } func TestMigratingFileLeaveExistingFileAlone(t *testing.T) {