From 2e35c6b5bb533ab84b6a478b0eb94db63a8de147 Mon Sep 17 00:00:00 2001
From: SataQiu
Date: Fri, 9 Aug 2019 17:36:26 +0800
Subject: [PATCH] kubeadm: the permissions of generated CSR files are changed from 0644 to 0600
---
 cmd/kubeadm/app/util/pkiutil/pki_helpers.go | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/cmd/kubeadm/app/util/pkiutil/pki_helpers.go b/cmd/kubeadm/app/util/pkiutil/pki_helpers.go
index e1d77e12607..6e49a924eb1 100644
--- a/cmd/kubeadm/app/util/pkiutil/pki_helpers.go
+++ b/cmd/kubeadm/app/util/pkiutil/pki_helpers.go
@@ -153,20 +153,20 @@ func WriteKey(pkiPath, name string, key crypto.Signer) error {
 }
 // WriteCSR writes the pem-encoded CSR data to csrPath.
-// The CSR file will be created with file mode 0644.
+// The CSR file will be created with file mode 0600.
 // If the CSR file already exists, it will be overwritten.
-// The parent directory of the csrPath will be created as needed with file mode 0755.
+// The parent directory of the csrPath will be created as needed with file mode 0700.
 func WriteCSR(csrDir, name string, csr *x509.CertificateRequest) error {
 if csr == nil {
 return errors.New("certificate request cannot be nil when writing to file")
 }
 csrPath := pathForCSR(csrDir, name)
- if err := os.MkdirAll(filepath.Dir(csrPath), os.FileMode(0755)); err != nil {
+ if err := os.MkdirAll(filepath.Dir(csrPath), os.FileMode(0700)); err != nil {
 return errors.Wrapf(err, "failed to make directory %s", filepath.Dir(csrPath))
 }
- if err := ioutil.WriteFile(csrPath, EncodeCSRPEM(csr), os.FileMode(0644)); err != nil {
+ if err := ioutil.WriteFile(csrPath, EncodeCSRPEM(csr), os.FileMode(0600)); err != nil {
 return errors.Wrapf(err, "unable to write CSR to file %s", csrPath)
 }
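Review bot: The 0600 passed to ioutil.WriteFile in WriteCSR only takes effect when the file is created, so a CSR file that already exists with mode 0644 (the case the doc comment describes as "overwritten") keeps its old mode; likewise os.MkdirAll leaves an existing parent directory at 0755. If the tighter mode is meant to hold for files written by an earlier version, follow the write with `if err := os.Chmod(csrPath, os.FileMode(0600)); err != nil { return errors.Wrapf(err, "unable to set mode on CSR file %s", csrPath) }`. Otherwise the comment should say what actually happens, for example `// The CSR file will be created with file mode 0600 if it does not already exist.` Both modes are also reduced by the process umask. The body of WriteCSR continues past the end of the hunk.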