From d84ff06f73bbd9b07170b760b115b4e4dfbd6805 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andreas=20Kr=C3=BCger?=
Date: Wed, 21 Feb 2018 21:13:46 +0100
Subject: [PATCH] Set filemode to 0640 (#2315)

* Set filemode to 0640

weave-net.yml file is readable by all users on the host. It however contains the weave_password to encrypt all pod communication. It should only be readable by root.

* Set mode 0640 on users_file with basic auth
---
 roles/kubernetes/master/tasks/users-file.yml | 1 +
 roles/network_plugin/weave/tasks/main.yml | 1 +
 2 files changed, 2 insertions(+)

diff --git a/roles/kubernetes/master/tasks/users-file.yml b/roles/kubernetes/master/tasks/users-file.yml
index ec0264c4d..e8425d1bc 100644
--- a/roles/kubernetes/master/tasks/users-file.yml
+++ b/roles/kubernetes/master/tasks/users-file.yml
@@ -10,5 +10,6 @@
   template:
     src: known_users.csv.j2
     dest: "{{ kube_users_dir }}/known_users.csv"
+    mode: 0640
     backup: yes
   notify: Master | set secret_changed
diff --git a/roles/network_plugin/weave/tasks/main.yml b/roles/network_plugin/weave/tasks/main.yml
index 738dddd15..f3f1da6ac 100644
--- a/roles/network_plugin/weave/tasks/main.yml
+++ b/roles/network_plugin/weave/tasks/main.yml
@@ -17,4 +17,5 @@
   template:
     src: weave-net.yml.j2
     dest: "{{ kube_config_dir }}/weave-net.yml"
+    mode: 0640
   register: weave_manifest
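Review bot: The added `mode: 0640` in both hunks (users-file.yml and weave/tasks/main.yml) is a plain scalar, so the YAML 1.1 loader Ansible uses converts it to the octal integer 416 before the template module sees it; Ansible does accept the leading-zero integer form, but the same key edited to `640` or another value without the leading zero would be read as decimal and silently set an unintended mode. Quoting it, `mode: "0640"`, makes the value a string that Ansible always interprets as octal and is the form ansible-lint's octal-mode check expects. Neither hunk sets `owner` or `group`, so the files presumably keep the identity of the account the play runs as; since 0640 still grants group read, it is worth confirming that account is root and its primary group is not one unprivileged users belong to. Both tasks begin outside their hunks.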