kubeadm: the permissions of generated CSR files are changed from 0644 to 0600

cmd/kubeadm/app/util/pkiutil/pki_helpers.go

@@ -153,20 +153,20 @@ func WriteKey(pkiPath, name string, key crypto.Signer) error {
 }
 
 // WriteCSR writes the pem-encoded CSR data to csrPath.
-// The CSR file will be created with file mode 0644.
+// The CSR file will be created with file mode 0600.
 // If the CSR file already exists, it will be overwritten.
-// The parent directory of the csrPath will be created as needed with file mode 0755.
+// The parent directory of the csrPath will be created as needed with file mode 0700.
 func WriteCSR(csrDir, name string, csr *x509.CertificateRequest) error {
 	if csr == nil {
 		return errors.New("certificate request cannot be nil when writing to file")
 	}
 
 	csrPath := pathForCSR(csrDir, name)
-	if err := os.MkdirAll(filepath.Dir(csrPath), os.FileMode(0755)); err != nil {
+	if err := os.MkdirAll(filepath.Dir(csrPath), os.FileMode(0700)); err != nil {
 		return errors.Wrapf(err, "failed to make directory %s", filepath.Dir(csrPath))
 	}
 
-	if err := ioutil.WriteFile(csrPath, EncodeCSRPEM(csr), os.FileMode(0644)); err != nil {
+	if err := ioutil.WriteFile(csrPath, EncodeCSRPEM(csr), os.FileMode(0600)); err != nil {
 		return errors.Wrapf(err, "unable to write CSR to file %s", csrPath)
 	}