mirror of
https://github.com/k3s-io/kubernetes.git
synced 2025-07-23 03:41:45 +00:00
remove the path if it exists before writing pki data.
if setfacl is called before chmod g+r at anypoint during the lifetime of the cluster then the default group does not have read permissions on the file. so we explicitly grant the default group read permissions. See https://gist.github.com/mmdriley/85ca34f711acbec4b1b94902add488e5 for a repro.
This commit is contained in:
parent
ab7d8b5b5b
commit
774d228637
@ -626,6 +626,8 @@ function append_or_replace_prefixed_line {
|
||||
function write-pki-data {
|
||||
local data="${1}"
|
||||
local path="${2}"
|
||||
# remove the path if it exists
|
||||
rm -f "${path}"
|
||||
if [[ -n "${KUBE_PKI_READERS_GROUP:-}" ]]; then
|
||||
(umask 027; echo "${data}" | base64 --decode > "${path}")
|
||||
chgrp "${KUBE_PKI_READERS_GROUP:-}" "${path}"
|
||||
|
Loading…
Reference in New Issue
Block a user