platform9 / ssh-provider

SSH Machine Controller for the Cluster API

Use 0600 file mode for nodeadm.yaml #3

Closed dlipovetsky closed 6 years ago

dlipovetsky commented 6 years ago

nodeadm.yaml contains configuration that's used to derive the contents of files that are written with 0600, so make sure nodeadm.yaml is at least as protected as these files.

# ls -alR /etc/kubernetes
/etc/kubernetes:
total 80
drwxr-xr-x.  4 root root 4096 Jun 29 00:20 .
drwxr-xr-x. 46 root root 4096 Jun 29 00:19 ..
-rw-------.  1 root root 5447 Jun 29 00:20 admin.conf
-rw-------.  1 root root 5483 Jun 29 00:20 controller-manager.conf
-rw-------.  1 root root 5599 Jun 29 00:20 kubelet.conf
drwx------.  2 root root 4096 Jun 29 00:20 manifests
drwxr-xr-x.  2 root root 4096 Jun 29 00:20 pki
-rw-------.  1 root root 5431 Jun 29 00:20 scheduler.conf

/etc/kubernetes/manifests:
total 40
drwx------. 2 root root 4096 Jun 29 00:20 .
drwxr-xr-x. 4 root root 4096 Jun 29 00:20 ..
-rw-------. 1 root root 2756 Jun 29 00:20 kube-apiserver.yaml
-rw-------. 1 root root 1837 Jun 29 00:20 kube-controller-manager.yaml
-rw-------. 1 root root  992 Jun 29 00:20 kube-scheduler.yaml

/etc/kubernetes/pki:
total 112
drwxr-xr-x. 2 root root 4096 Jun 29 00:20 .
drwxr-xr-x. 4 root root 4096 Jun 29 00:20 ..
-rw-r--r--. 1 root root 1099 Jun 29 00:20 apiserver-kubelet-client.crt
-rw-------. 1 root root 1675 Jun 29 00:20 apiserver-kubelet-client.key
-rw-r--r--. 1 root root 1257 Jun 29 00:20 apiserver.crt
-rw-------. 1 root root 1679 Jun 29 00:20 apiserver.key
-rw-r--r--. 1 root root 1025 Jun 29 00:20 ca.crt
-rw-------. 1 root root 1675 Jun 29 00:20 ca.key
-rw-r--r--. 1 root root 1025 Jun 29 00:20 front-proxy-ca.crt
-rw-------. 1 root root 1675 Jun 29 00:20 front-proxy-ca.key
-rw-r--r--. 1 root root 1050 Jun 29 00:20 front-proxy-client.crt
-rw-------. 1 root root 1675 Jun 29 00:20 front-proxy-client.key
-rw-------. 1 root root 1675 Jun 29 00:20 sa.key
-rw-------. 1 root root  451 Jun 29 00:20 sa.pub

dlipovetsky commented 6 years ago

Fixed by https://github.com/platform9/ssh-provider/pull/25
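
The file-mode requirement from this issue, as an added Go example; it is not code from ssh-provider or from the linked pull request. The helper names `writeSecretFile` and `tooPermissive`, the temp-file prefix and the sample content are hypothetical. It covers the case where a more permissive nodeadm.yaml already exists at the target path.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// writeSecretFile (hypothetical helper) replaces path with a 0600 file.
// os.WriteFile(path, data, 0600) alone is not enough: its mode is applied only
// on creation, so an existing 0644 file keeps 0644. os.CreateTemp creates the
// temp file as 0600 and the rename swaps it in, so data is never exposed.
func writeSecretFile(path string, data []byte) error {
	tmp, err := os.CreateTemp(filepath.Dir(path), ".secret-*")
	if err != nil {
		return err
	}
	defer os.Remove(tmp.Name()) // fails harmlessly once the rename succeeded
	if _, err := tmp.Write(data); err != nil {
		tmp.Close()
		return err
	}
	if err := tmp.Close(); err != nil {
		return err
	}
	return os.Rename(tmp.Name(), path)
}

// tooPermissive reports whether path grants any access to group or other.
func tooPermissive(path string) (bool, error) {
	fi, err := os.Stat(path)
	if err != nil {
		return false, err
	}
	return fi.Mode().Perm()&0077 != 0, nil
}

func main() {
	dir, _ := os.MkdirTemp("", "demo") // constructed scratch directory
	defer os.RemoveAll(dir)
	p := filepath.Join(dir, "nodeadm.yaml")
	os.WriteFile(p, []byte("old"), 0644) // pre-existing file
	os.Chmod(p, 0644)                    // force 0644 regardless of umask
	os.WriteFile(p, []byte("token: constructed"), 0600)
	bad, _ := tooPermissive(p)
	fmt.Println("too permissive after os.WriteFile 0600:", bad)
	writeSecretFile(p, []byte("token: constructed"))
	bad, _ = tooPermissive(p)
	fmt.Println("too permissive after writeSecretFile:", bad)
}
```
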