Make server.key/client.key as private in k8s node

At this time, server.key and client.key which are used by kubernetes related daemon are readable. These keys should be private. Change-Id: I52232001f6983845f8d7de75486fe5672a57949a Closes-Bug: #1515844
2015-11-13 11:49:41 +09:00 · 2015-11-13 11:49:41 +09:00 · 5b83aa1e12
parent 58cbafdc87
commit 5b83aa1e12
2 changed files with 8 additions and 0 deletions
--- a/magnum/templates/kubernetes/fragments/make-cert-client.sh
+++ b/magnum/templates/kubernetes/fragments/make-cert-client.sh
@ -61,6 +61,7 @@ EOF

 # Generate client's private key and csr
 openssl genrsa -out "${CLIENT_KEY}" 4096
+chmod 400 "${CLIENT_KEY}"
 openssl req -new -days 1000 \
        -key "${CLIENT_KEY}" \
        -out "${CLIENT_CSR}" \
@ -75,6 +76,9 @@ curl -X POST \
    -d "$csr_req" \
    $MAGNUM_URL/certificates | python -c 'import sys, json; print json.load(sys.stdin)["pem"]' > ${CLIENT_CERT}

+chmod 500 "${cert_dir}"
+chown -R kube:kube "${cert_dir}"
+
 sed -i '
  s|CA_CERT|'"$CA_CERT"'|
  s|CLIENT_CERT|'"$CLIENT_CERT"'|
--- a/magnum/templates/kubernetes/fragments/make-cert.sh
+++ b/magnum/templates/kubernetes/fragments/make-cert.sh
@ -63,6 +63,7 @@ EOF

 # Generate server's private key and csr
 openssl genrsa -out "${SERVER_KEY}" 4096
+chmod 400 "${SERVER_KEY}"
 openssl req -new -days 1000 \
        -key "${SERVER_KEY}" \
        -out "${SERVER_CSR}" \
@ -76,3 +77,6 @@ curl -X POST \
    -H "Content-Type: application/json" \
    -d "$csr_req" \
    $MAGNUM_URL/certificates | python -c 'import sys, json; print json.load(sys.stdin)["pem"]' > ${SERVER_CERT}
+
+chmod 500 "${cert_dir}"
+chown -R kube:kube "${cert_dir}"