gce: tighten up perms on kube-env

cluster/gce/configure-vm.sh

@@ -149,6 +149,7 @@ function curl-metadata() {
 }
 
 function set-kube-env() {
+  (umask 700;
   local kube_env_yaml="${INSTALL_DIR}/kube_env.yaml"
 
   until curl-metadata kube-env > "${kube_env_yaml}"; do
@@ -164,6 +165,7 @@ for k,v in yaml.load(sys.stdin).iteritems():
   print("""readonly {var}={value}""".format(var = k, value = pipes.quote(str(v))))
   print("""export {var}""".format(var = k))
   ' < """${kube_env_yaml}""")"
+  )
 }
 
 function remove-docker-artifacts() {

cluster/gce/gci/configure.sh

@@ -48,6 +48,7 @@ EOF
 
 function download-kube-env {
   # Fetch kube-env from GCE metadata server.
+  (umask 700;
   local -r tmp_kube_env="/tmp/kube-env.yaml"
   curl --fail --retry 5 --retry-delay 3 --silent --show-error \
     -H "X-Google-Metadata-Request: True" \
@@ -60,10 +61,12 @@ for k,v in yaml.load(sys.stdin).iteritems():
   print("readonly {var}={value}".format(var = k, value = pipes.quote(str(v))))
 ''' < "${tmp_kube_env}" > "${KUBE_HOME}/kube-env")
   rm -f "${tmp_kube_env}"
+  )
 }
 
 function download-kube-master-certs {
   # Fetch kube-env from GCE metadata server.
+  (umask 700;
   local -r tmp_kube_master_certs="/tmp/kube-master-certs.yaml"
   curl --fail --retry 5 --retry-delay 3 --silent --show-error \
     -H "X-Google-Metadata-Request: True" \
@@ -76,6 +79,7 @@ for k,v in yaml.load(sys.stdin).iteritems():
   print("readonly {var}={value}".format(var = k, value = pipes.quote(str(v))))
 ''' < "${tmp_kube_master_certs}" > "${KUBE_HOME}/kube-master-certs")
   rm -f "${tmp_kube_master_certs}"
+  )
 }
 
 function validate-hash {