Create /var/lib/etcd with 0700 #71885
/sig cluster-lifecycle
Thanks @dims
/lgtm
If we let the hostpath with DirectoryOrCreate to create this directory it defaults to 0755. A default install should use 0700 for better security especially if the directory is not present.

Change-Id: Idc0266685895767b0d1c5710c8a4fb704805652f
5fb89b0 to 836f413
Looks great! Thank you @dims !
/lgtm
thanks @dims
could you please prefix the release note with kubeadm: ...
/hold
/approve
/priority important-longerm
I guess this only fixes the case where the path was not created already by something else as @yagonobre outlined: https://kubernetes.io/docs/concepts/storage/volumes/#hostpath
[APPROVALNOTIFIER] This PR is APPROVED
This pull-request has been approved by: dims, neolit123
The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
@neolit123 done!
thanks
/test pull-kubernetes-e2e-kops-aws
/lgtm
Thanks a lot @dims :)
@timothysc shall we cherrypick this?
If we let the hostpath with DirectoryOrCreate to create this directory
it defaults to 0755. A default install should use 0700 for better
security especially if the directory is not present.
Change-Id: Idc0266685895767b0d1c5710c8a4fb704805652f
What type of PR is this?
/kind bug
What this PR does / why we need it:
Which issue(s) this PR fixes:
Fixes kubernetes/kubeadm#1308
Special notes for your reviewer:
Does this PR introduce a user-facing change?: