From ee83e874a8a011bb48a3bb4e70ebefa544adf881 Mon Sep 17 00:00:00 2001
From: Matthew Mosesohn
Date: Thu, 12 Oct 2017 09:55:46 +0100
Subject: [PATCH] Clear admin kubeconfig when rotating certs (#1772)
* Clear admin kubeconfig when rotating certs
* Update main.yml
---
 roles/kubernetes/client/tasks/main.yml | 4 +++-
 roles/kubernetes/master/handlers/main.yml | 11 +++++++++++
 roles/kubernetes/secrets/handlers/main.yml | 11 +++++++++++
 3 files changed, 25 insertions(+), 1 deletion(-)
diff --git a/roles/kubernetes/client/tasks/main.yml b/roles/kubernetes/client/tasks/main.yml
index 84f806107..d0edfaff0 100644
--- a/roles/kubernetes/client/tasks/main.yml
+++ b/roles/kubernetes/client/tasks/main.yml
@@ -28,6 +28,9 @@
 template:
 src: admin.conf.j2
 dest: "{{ kube_config_dir }}/admin.conf"
+ owner: root
+ group: "{{ kube_cert_group }}"
+ mode: 0640
 when: not kubeadm_enabled|d(false)|bool
 - name: Create kube config dir
@@ -50,7 +53,6 @@
 dest: "{{ artifacts_dir }}/admin.conf"
 flat: yes
 validate_checksum: no
- become: no
 run_once: yes
 when: kubeconfig_localhost|default(false)
diff --git a/roles/kubernetes/master/handlers/main.yml b/roles/kubernetes/master/handlers/main.yml
index a27a5772e..1c6dc956c 100644
--- a/roles/kubernetes/master/handlers/main.yml
+++ b/roles/kubernetes/master/handlers/main.yml
@@ -46,5 +46,16 @@
 delay: 6
 - name: Master | set secret_changed
+ command: /bin/true
+ notify:
+ - Master | set secret_changed to true
+ - Master | clear kubeconfig for root user
+
+- name: Master | set secret_changed to true
 set_fact:
 secret_changed: true
+
+- name: Master | clear kubeconfig for root user
+ file:
+ path: /root/.kube/config
+ state: absent
diff --git a/roles/kubernetes/secrets/handlers/main.yml b/roles/kubernetes/secrets/handlers/main.yml
index d5fab8e14..f6f12a003 100644
--- a/roles/kubernetes/secrets/handlers/main.yml
+++ b/roles/kubernetes/secrets/handlers/main.yml
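Review bot: `mode: 0640` on the added `+ mode:` line of the admin.conf template task is an unquoted octal literal; under YAML 1.1 it reaches Ansible as the integer 416, which Ansible interprets as intended only because of the leading zero, whereas the quoted form `mode: "0640"` is unambiguous for every parser and is what ansible-lint asks for. Since admin.conf is the cluster-admin credential, the reason the group read bit exists is worth one comment above `owner:`, e.g. `# admin.conf grants cluster-admin; readable only by root and {{ kube_cert_group }}`. The template task's `- name:` line and the rest of the task begin above the hunk.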
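Review bot: Removing `- become: no` from the fetch task in `@@ -50,7 +53,6 @@` leaves the privilege requirement implicit: once the first hunk makes `{{ kube_config_dir }}/admin.conf` root:`{{ kube_cert_group }}` 0640, the fetch can only read it with elevated rights, and if the play's `become` is unset the failure surfaces only in the `kubeconfig_localhost` path as a permission error. An explicit `become: yes` on this task would state the dependency and survive a later play-level change, with a comment such as `# admin.conf is root:{{ kube_cert_group }} 0640 after the template task above`. The fetch task's `- name:` and `fetch:`/`src:` lines are above the hunk.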
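Review bot: `command: /bin/true` in the rewritten `Master | set secret_changed` handler is load-bearing and needs a comment: a handler notifies further handlers only when it reports changed, and `command` always reports changed, so adding `changed_when: false` (which ansible-lint's no-changed-when rule will suggest) would silently stop `Master | set secret_changed to true` and `Master | clear kubeconfig for root user` from ever running. Suggested comment above the task: `# /bin/true always reports changed, which is what lets this handler fan out to the two handlers below; do not add changed_when: false`. The same construct appears in the `roles/kubernetes/secrets/handlers/main.yml` hunk and should carry the same comment. `Master | clear kubeconfig for root user` removes only `/root/.kube/config`; if the roles place a copy of the pre-rotation admin credential anywhere else (a non-root user's kubeconfig, for instance), that copy is not cleared by this change, so naming that scope in the handler's comment would help the next maintainer.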
@@ -1,4 +1,15 @@
 ---
 - name: set secret_changed
+ command: /bin/true
+ notify:
+ - set secret_changed to true
+ - clear kubeconfig for root user
+
+- name: set secret_changed to true
 set_fact:
 secret_changed: true
+
+- name: clear kubeconfig for root user
+ file:
+ path: /root/.kube/config
+ state: absent