From dff449ee9e2c88fb362f2629d66df74c2f65264a Mon Sep 17 00:00:00 2001
From: Tim Hockin <thockin@google.com>
Date: Tue, 5 May 2020 16:28:43 -0700
Subject: [PATCH] Set umask 0022 when building

Some binaries now run as non-root (kube-scheduler).  When umask is 0027,
for example, the container image we build has the binary 0750, which is
not executable by the non-root UID.
---
 hack/lib/golang.sh | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/hack/lib/golang.sh b/hack/lib/golang.sh
index f1c0a3e10ef..b1e42acee5a 100755
--- a/hack/lib/golang.sh
+++ b/hack/lib/golang.sh
@@ -523,6 +523,10 @@ kube::golang::setup_env() {
 
   # This seems to matter to some tools
   export GO15VENDOREXPERIMENT=1
+
+  # This is for sanity.  Without it, user umasks leak through into release
+  # artifacts.
+  umask 0022
 }
 
 # This will take binaries from $GOPATH/bin and copy them to the appropriate