github/kubernetes
4
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

gce: tighten up perms on kube-env

Browse Source
This commit is contained in:
Mike Danese
2017-12-11 11:45:56 -08:00
parent bb72237375
commit ba2bf598fb
2 changed files with 6 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
cluster/gce/configure-vm.sh
View File

@@ -149,6 +149,7 @@ function curl-metadata() {
} }
function set-kube-env() { function set-kube-env() {
(umask 700;
local kube_env_yaml="${INSTALL_DIR}/kube_env.yaml" local kube_env_yaml="${INSTALL_DIR}/kube_env.yaml"
until curl-metadata kube-env > "${kube_env_yaml}"; do until curl-metadata kube-env > "${kube_env_yaml}"; do
@@ -164,6 +165,7 @@ for k,v in yaml.load(sys.stdin).iteritems():
print("""readonly {var}={value}""".format(var = k, value = pipes.quote(str(v)))) print("""readonly {var}={value}""".format(var = k, value = pipes.quote(str(v))))
print("""export {var}""".format(var = k)) print("""export {var}""".format(var = k))
' < """${kube_env_yaml}""")" ' < """${kube_env_yaml}""")"
)
} }
function remove-docker-artifacts() { function remove-docker-artifacts() {

4
cluster/gce/gci/configure.sh
View File

@@ -48,6 +48,7 @@ EOF
function download-kube-env { function download-kube-env {
# Fetch kube-env from GCE metadata server. # Fetch kube-env from GCE metadata server.
(umask 700;
local -r tmp_kube_env="/tmp/kube-env.yaml" local -r tmp_kube_env="/tmp/kube-env.yaml"
curl --fail --retry 5 --retry-delay 3 --silent --show-error \ curl --fail --retry 5 --retry-delay 3 --silent --show-error \
-H "X-Google-Metadata-Request: True" \ -H "X-Google-Metadata-Request: True" \
@@ -60,10 +61,12 @@ for k,v in yaml.load(sys.stdin).iteritems():
print("readonly {var}={value}".format(var = k, value = pipes.quote(str(v)))) print("readonly {var}={value}".format(var = k, value = pipes.quote(str(v))))
''' < "${tmp_kube_env}" > "${KUBE_HOME}/kube-env") ''' < "${tmp_kube_env}" > "${KUBE_HOME}/kube-env")
rm -f "${tmp_kube_env}" rm -f "${tmp_kube_env}"
)
} }
function download-kube-master-certs { function download-kube-master-certs {
# Fetch kube-env from GCE metadata server. # Fetch kube-env from GCE metadata server.
(umask 700;
local -r tmp_kube_master_certs="/tmp/kube-master-certs.yaml" local -r tmp_kube_master_certs="/tmp/kube-master-certs.yaml"
curl --fail --retry 5 --retry-delay 3 --silent --show-error \ curl --fail --retry 5 --retry-delay 3 --silent --show-error \
-H "X-Google-Metadata-Request: True" \ -H "X-Google-Metadata-Request: True" \
@@ -76,6 +79,7 @@ for k,v in yaml.load(sys.stdin).iteritems():
print("readonly {var}={value}".format(var = k, value = pipes.quote(str(v)))) print("readonly {var}={value}".format(var = k, value = pipes.quote(str(v))))
''' < "${tmp_kube_master_certs}" > "${KUBE_HOME}/kube-master-certs") ''' < "${tmp_kube_master_certs}" > "${KUBE_HOME}/kube-master-certs")
rm -f "${tmp_kube_master_certs}" rm -f "${tmp_kube_master_certs}"
)
} }
function validate-hash { function validate-hash {