Set permissions to 600 for certificates

This commit adds the code to set permissions to 600
for all .crt files in the /etc/kubernetes/pki directory.
This commit will be in effect during deployment of peer
nodes using the PXE server.

TEST CASES:
PASSED: Run full build, system install, bootstrap and unlock (SX)
PASSED: System install, bootstrap, unlock and swact (DX)
PASSED: Checked permission using below command
        "ls -al /etc/kubernetes/pki/*.crt"
PASSED: Checked whether certificates are accessible and readable
        Example:
        openssl x509 -in /etc/kubernetes/pki/apiserver.crt -noout -text
PASSED: Checked status of kubernetes cluster and pods.
PASSED: No alarms when running "fm alarm-list"

Story: 2011334
Task: 51677
Depends-On: https://review.opendev.org/c/starlingx/ansible-playbooks/+/940238

Change-Id: I9f05b0e9e35910d5a1a113d2be02635d48bc1063
Signed-off-by: sshaikh1 <sirin.shaikh@windriver.com>
sshaikh1 2025-02-18 04:02:13 -05:00 committed by Sirin Shaikh
parent 5ef826ddcf
commit dd1bdcfa09

@ -413,6 +413,14 @@ class platform::kubernetes::kubeadm {
}
}
class platform::kubernetes::set_crt_permissions {
exec { 'set_permissions_on_crt_files':
command => 'find /etc/kubernetes/pki -type f -name "*.crt" -exec chmod 600 {} +',
onlyif => 'find /etc/kubernetes/pki -type f -name "*.crt" ! -perm 600 | grep .',
path => ['/bin', '/usr/bin'],
}
}
class platform::kubernetes::master::init
inherits ::platform::kubernetes::params {
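Review bot: In `set_permissions_on_crt_files`, both the `command` and the `onlyif` run `find /etc/kubernetes/pki` without `-maxdepth`, so the chmod also reaches .crt files in any subdirectory, and neither checks file ownership, which is what mode 600 is relative to. If only the top-level directory is meant, add `-maxdepth 1`; otherwise a short comment on the class stating that recursion is intended, why the certificates are restricted to 600, and which owner is expected would help the next reader.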
@ -605,6 +613,8 @@ class platform::kubernetes::master::init
hour => '*/24',
user => 'root',
}
-> class { 'platform::kubernetes::set_crt_permissions': }
}
class platform::kubernetes::master
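Review bot: The `-> class { 'platform::kubernetes::set_crt_permissions': }` line chains the class to the resource that closes just above it (`hour => '*/24'`, `user => 'root'`), and from the visible lines it is not clear that this places it after the step that creates the .crt files. If the intent is to run once the certificates exist, consider a `require` on that resource so the dependency is explicit. The exec also runs only when this class is applied, so .crt files written later keep whatever mode they were created with until the next apply; a comment saying whether that is acceptable would be useful, as would a note on how this placement in `master::init` relates to the peer-node deployment named in the commit message.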