Merge pull request #81217 from SataQiu/fix-kubeadm-20190809

kubeadm: change the permissions of generated CSR files from 0644 to 0600
2025-07-29 14:37:00 +00:00 · 2019-08-12 08:21:13 -07:00 · 2019-08-12 08:21:13 -07:00 · ca6290538b
commit ca6290538b
parent ae457448d6 2e35c6b5bb
1 changed files with 4 additions and 4 deletions
--- a/cmd/kubeadm/app/util/pkiutil/pki_helpers.go
+++ b/cmd/kubeadm/app/util/pkiutil/pki_helpers.go
@ -153,20 +153,20 @@ func WriteKey(pkiPath, name string, key crypto.Signer) error {
 }
 // WriteCSR writes the pem-encoded CSR data to csrPath.
-// The CSR file will be created with file mode 0644.
+// The CSR file will be created with file mode 0600.
 // If the CSR file already exists, it will be overwritten.
-// The parent directory of the csrPath will be created as needed with file mode 0755.
+// The parent directory of the csrPath will be created as needed with file mode 0700.
 func WriteCSR(csrDir, name string, csr *x509.CertificateRequest) error {
 	if csr == nil {
 		return errors.New("certificate request cannot be nil when writing to file")
 	}
 	csrPath := pathForCSR(csrDir, name)
-	if err := os.MkdirAll(filepath.Dir(csrPath), os.FileMode(0755)); err != nil {
+	if err := os.MkdirAll(filepath.Dir(csrPath), os.FileMode(0700)); err != nil {
 		return errors.Wrapf(err, "failed to make directory %s", filepath.Dir(csrPath))
 	}
-	if err := ioutil.WriteFile(csrPath, EncodeCSRPEM(csr), os.FileMode(0644)); err != nil {
+	if err := ioutil.WriteFile(csrPath, EncodeCSRPEM(csr), os.FileMode(0600)); err != nil {
 		return errors.Wrapf(err, "unable to write CSR to file %s", csrPath)
 	}