github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-07-25 20:53:33 +00:00
Code Issues Projects Releases Wiki Activity

Merge pull request #57052 from mikedanese/umask

Browse Source 
Automatic merge from submit-queue (batch tested with PRs 56858, 57040, 56979, 57051, 57052). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

gce: tighten up perms on kube-env

fixes https://github.com/kubernetes/kubernetes/issues/52999

@roberthbailey @tallclair
This commit is contained in:
Kubernetes Submit Queue 2017-12-16 16:34:50 -08:00 committed by GitHub
commit 4fb55d9136
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 6 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
cluster/gce/configure-vm.sh
View File

@ -181,6 +181,7 @@ function curl-metadata() {
} }
function set-kube-env() { function set-kube-env() {
(umask 700;
local kube_env_yaml="${INSTALL_DIR}/kube_env.yaml" local kube_env_yaml="${INSTALL_DIR}/kube_env.yaml"
until curl-metadata kube-env > "${kube_env_yaml}"; do until curl-metadata kube-env > "${kube_env_yaml}"; do
@ -196,6 +197,7 @@ for k,v in yaml.load(sys.stdin).iteritems():
print("""readonly {var}={value}""".format(var = k, value = pipes.quote(str(v)))) print("""readonly {var}={value}""".format(var = k, value = pipes.quote(str(v))))
print("""export {var}""".format(var = k)) print("""export {var}""".format(var = k))
' < """${kube_env_yaml}""")" ' < """${kube_env_yaml}""")"
)
} }
function remove-docker-artifacts() { function remove-docker-artifacts() {

4
cluster/gce/gci/configure.sh
View File

@ -48,6 +48,7 @@ EOF
function download-kube-env { function download-kube-env {
# Fetch kube-env from GCE metadata server. # Fetch kube-env from GCE metadata server.
(umask 700;
local -r tmp_kube_env="/tmp/kube-env.yaml" local -r tmp_kube_env="/tmp/kube-env.yaml"
curl --fail --retry 5 --retry-delay 3 --silent --show-error \ curl --fail --retry 5 --retry-delay 3 --silent --show-error \
-H "X-Google-Metadata-Request: True" \ -H "X-Google-Metadata-Request: True" \
@ -60,10 +61,12 @@ for k,v in yaml.load(sys.stdin).iteritems():
print("readonly {var}={value}".format(var = k, value = pipes.quote(str(v)))) print("readonly {var}={value}".format(var = k, value = pipes.quote(str(v))))
''' < "${tmp_kube_env}" > "${KUBE_HOME}/kube-env") ''' < "${tmp_kube_env}" > "${KUBE_HOME}/kube-env")
rm -f "${tmp_kube_env}" rm -f "${tmp_kube_env}"
)
} }
function download-kube-master-certs { function download-kube-master-certs {
# Fetch kube-env from GCE metadata server. # Fetch kube-env from GCE metadata server.
(umask 700;
local -r tmp_kube_master_certs="/tmp/kube-master-certs.yaml" local -r tmp_kube_master_certs="/tmp/kube-master-certs.yaml"
curl --fail --retry 5 --retry-delay 3 --silent --show-error \ curl --fail --retry 5 --retry-delay 3 --silent --show-error \
-H "X-Google-Metadata-Request: True" \ -H "X-Google-Metadata-Request: True" \
@ -76,6 +79,7 @@ for k,v in yaml.load(sys.stdin).iteritems():
print("readonly {var}={value}".format(var = k, value = pipes.quote(str(v)))) print("readonly {var}={value}".format(var = k, value = pipes.quote(str(v))))
''' < "${tmp_kube_master_certs}" > "${KUBE_HOME}/kube-master-certs") ''' < "${tmp_kube_master_certs}" > "${KUBE_HOME}/kube-master-certs")
rm -f "${tmp_kube_master_certs}" rm -f "${tmp_kube_master_certs}"
)
} }
function validate-hash { function validate-hash {