Skip to content

Commit

Permalink
Fix risky-file-permissions (kubernetes-sigs#8370)
Browse files Browse the repository at this point in the history 
When running ansible-lint directly, we can see a lot of warning
message like

  risky-file-permissions File permissions unset or incorrect

This fixes the warning messages.
  • Loading branch information
@oomichi
oomichi authored Jan 9, 2022
1 parent 51bd9be commit f80fd24
Show file tree
Hide file tree
Showing 48 changed files with 76 additions and 1 deletion.
1 change: 1 addition & 0 deletions contrib/network-storage/glusterfs/roles/kubernetes-pv/ansible/tasks/main.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,7 @@
template:
src: "{{ item.file }}"
dest: "{{ kube_config_dir }}/{{ item.dest }}"
mode: 0644
with_items:
- { file: glusterfs-kubernetes-endpoint.json.j2, type: ep, dest: glusterfs-kubernetes-endpoint.json}
- { file: glusterfs-kubernetes-pv.yml.j2, type: pv, dest: glusterfs-kubernetes-pv.yml}
Expand Down
1 change: 1 addition & 0 deletions roles/container-engine/docker-storage/tasks/main.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -10,6 +10,7 @@
template:
src: docker-storage-setup.j2
dest: /etc/sysconfig/docker-storage-setup
mode: 0644

- name: docker-storage-override-directory | docker service storage-setup override dir
file:
Expand Down
2 changes: 2 additions & 0 deletions roles/kubernetes-apps/ansible/tasks/coredns.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,7 @@
template:
src: "{{ item.file }}.j2"
dest: "{{ kube_config_dir }}/{{ item.file }}"
mode: 0644
loop:
- { name: coredns, file: coredns-clusterrole.yml, type: clusterrole }
- { name: coredns, file: coredns-clusterrolebinding.yml, type: clusterrolebinding }
Expand All @@ -27,6 +28,7 @@
template:
src: "{{ item.src }}.j2"
dest: "{{ kube_config_dir }}/{{ item.file }}"
mode: 0644
with_items:
- { name: coredns, src: coredns-deployment.yml, file: coredns-deployment-secondary.yml, type: deployment }
- { name: coredns, src: coredns-svc.yml, file: coredns-svc-secondary.yml, type: svc }
Expand Down
1 change: 1 addition & 0 deletions roles/kubernetes-apps/ansible/tasks/dashboard.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,7 @@
template:
src: "{{ item.file }}.j2"
dest: "{{ kube_config_dir }}/{{ item.file }}"
mode: 0644
with_items:
- { file: dashboard.yml, type: deploy, name: kubernetes-dashboard }
register: manifests
Expand Down
1 change: 1 addition & 0 deletions roles/kubernetes-apps/ansible/tasks/etcd_metrics.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,7 @@
template:
src: "{{ item.file }}.j2"
dest: "{{ kube_config_dir }}/{{ item.file }}"
mode: 0644
with_items:
- { file: etcd_metrics-endpoints.yml, type: endpoints, name: etcd-metrics }
- { file: etcd_metrics-service.yml, type: service, name: etcd-metrics }
Expand Down
1 change: 1 addition & 0 deletions roles/kubernetes-apps/ansible/tasks/netchecker.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -25,6 +25,7 @@
template:
src: "{{ item.file }}.j2"
dest: "{{ kube_config_dir }}/{{ item.file }}"
mode: 0644
with_items: "{{ netchecker_templates }}"
register: manifests
when:
Expand Down
2 changes: 2 additions & 0 deletions roles/kubernetes-apps/ansible/tasks/nodelocaldns.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -19,6 +19,7 @@
template:
src: "{{ item.file }}.j2"
dest: "{{ kube_config_dir }}/{{ item.file }}"
mode: 0644
with_items:
- { name: nodelocaldns, file: nodelocaldns-config.yml, type: configmap }
- { name: nodelocaldns, file: nodelocaldns-sa.yml, type: sa }
Expand Down Expand Up @@ -48,6 +49,7 @@
template:
src: "{{ item.file }}.j2"
dest: "{{ kube_config_dir }}/{{ item.file }}"
mode: 0644
with_items:
- { name: nodelocaldns, file: nodelocaldns-second-daemonset.yml, type: daemonset }
register: nodelocaldns_second_manifests
Expand Down
2 changes: 2 additions & 0 deletions roles/kubernetes-apps/argocd/tasks/main.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -23,6 +23,7 @@
get_url:
url: "{{ item.url }}"
dest: "{{ kube_config_dir }}/{{ item.file }}"
mode: 0644
with_items: "{{ argocd_templates | selectattr('url', 'defined') | list }}"
loop_control:
label: "{{ item.file }}"
Expand All @@ -44,6 +45,7 @@
template:
src: "{{ item.file }}.j2"
dest: "{{ kube_config_dir }}/{{ item.file }}"
mode: 0644
with_items: "{{ argocd_templates | selectattr('url', 'undefined') | list }}"
loop_control:
label: "{{ item.file }}"
Expand Down
2 changes: 2 additions & 0 deletions roles/kubernetes-apps/cloud_controller/oci/tasks/main.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,7 @@
template:
src: controller-manager-config.yml.j2
dest: "{{ kube_config_dir }}/controller-manager-config.yml"
mode: 0644
when: inventory_hostname == groups['kube_control_plane'][0]
tags: oci

Expand All @@ -25,6 +26,7 @@
template:
src: oci-cloud-provider.yml.j2
dest: "{{ kube_config_dir }}/oci-cloud-provider.yml"
mode: 0644
when: inventory_hostname == groups['kube_control_plane'][0]
tags: oci

Expand Down
1 change: 1 addition & 0 deletions roles/kubernetes-apps/container_engine_accelerator/nvidia_gpu/tasks/main.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -33,6 +33,7 @@
template:
src: "{{ item.file }}.j2"
dest: "{{ kube_config_dir }}/addons/container_engine_accelerator/{{ item.file }}"
mode: 0644
with_items:
- { name: nvidia-driver-install-daemonset, file: nvidia-driver-install-daemonset.yml, type: daemonset }
- { name: k8s-device-plugin-nvidia-daemonset, file: k8s-device-plugin-nvidia-daemonset.yml, type: daemonset }
Expand Down
1 change: 1 addition & 0 deletions roles/kubernetes-apps/container_runtimes/gvisor/tasks/main.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -16,6 +16,7 @@
template:
src: "{{ item.file }}.j2"
dest: "{{ kube_config_dir}}/addons/gvisor/{{ item.file }}"
mode: 0644
with_items: "{{ gvisor_templates }}"
register: gvisor_manifests
when:
Expand Down
1 change: 1 addition & 0 deletions roles/kubernetes-apps/container_runtimes/kata_containers/tasks/main.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -17,6 +17,7 @@
template:
src: "{{ item.file }}.j2"
dest: "{{ kube_config_dir }}/addons/kata_containers/{{ item.file }}"
mode: 0644
with_items: "{{ kata_containers_templates }}"
register: kata_containers_manifests
when:
Expand Down
1 change: 1 addition & 0 deletions roles/kubernetes-apps/csi_driver/aws_ebs/tasks/main.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,7 @@
template:
src: "{{ item.file }}.j2"
dest: "{{ kube_config_dir }}/{{ item.file }}"
mode: 0644
with_items:
- {name: aws-ebs-csi-driver, file: aws-ebs-csi-driver.yml}
- {name: aws-ebs-csi-controllerservice, file: aws-ebs-csi-controllerservice-rbac.yml}
Expand Down
1 change: 1 addition & 0 deletions roles/kubernetes-apps/csi_driver/azuredisk/tasks/main.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -22,6 +22,7 @@
template:
src: "{{ item.file }}.j2"
dest: "{{ kube_config_dir }}/{{ item.file }}"
mode: 0644
with_items:
- {name: azure-csi-azuredisk-driver, file: azure-csi-azuredisk-driver.yml}
- {name: azure-csi-cloud-config-secret, file: azure-csi-cloud-config-secret.yml}
Expand Down
1 change: 1 addition & 0 deletions roles/kubernetes-apps/csi_driver/cinder/tasks/main.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -34,6 +34,7 @@
template:
src: "{{ item.file }}.j2"
dest: "{{ kube_config_dir }}/{{ item.file }}"
mode: 0644
with_items:
- {name: cinder-csi-driver, file: cinder-csi-driver.yml}
- {name: cinder-csi-cloud-config-secret, file: cinder-csi-cloud-config-secret.yml}
Expand Down
1 change: 1 addition & 0 deletions roles/kubernetes-apps/csi_driver/csi_crd/tasks/main.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,7 @@
template:
src: "{{ item.file }}.j2"
dest: "{{ kube_config_dir }}/{{ item.file }}"
mode: 0644
with_items:
- {name: volumesnapshotclasses, file: volumesnapshotclasses.yml}
- {name: volumesnapshotcontents, file: volumesnapshotcontents.yml}
Expand Down
1 change: 1 addition & 0 deletions roles/kubernetes-apps/csi_driver/gcp_pd/tasks/main.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -25,6 +25,7 @@
template:
src: "{{ item.file }}.j2"
dest: "{{ kube_config_dir }}/{{ item.file }}"
mode: 0644
with_items:
- {name: gcp-pd-csi-cred-secret, file: gcp-pd-csi-cred-secret.yml}
- {name: gcp-pd-csi-setup, file: gcp-pd-csi-setup.yml}
Expand Down
1 change: 1 addition & 0 deletions roles/kubernetes-apps/csi_driver/vsphere/tasks/main.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -16,6 +16,7 @@
template:
src: "{{ item }}.j2"
dest: "{{ kube_config_dir }}/{{ item }}"
mode: 0644
with_items:
- vsphere-csi-driver.yml
- vsphere-csi-controller-rbac.yml
Expand Down
1 change: 1 addition & 0 deletions roles/kubernetes-apps/external_cloud_controller/vsphere/tasks/main.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -16,6 +16,7 @@
template:
src: "{{ item }}.j2"
dest: "{{ kube_config_dir }}/{{ item }}"
mode: 0644
with_items:
- external-vsphere-cpi-cloud-config-secret.yml
- external-vsphere-cloud-controller-manager-roles.yml
Expand Down
1 change: 1 addition & 0 deletions roles/kubernetes-apps/external_provisioner/cephfs_provisioner/tasks/main.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -63,6 +63,7 @@
template:
src: "{{ item.file }}.j2"
dest: "{{ kube_config_dir }}/addons/cephfs_provisioner/{{ item.file }}"
mode: 0644
with_items: "{{ cephfs_provisioner_templates }}"
register: cephfs_provisioner_manifests
when: inventory_hostname == groups['kube_control_plane'][0]
Expand Down
2 changes: 2 additions & 0 deletions roles/kubernetes-apps/external_provisioner/local_path_provisioner/tasks/main.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -13,6 +13,7 @@
file:
path: "{{ local_path_provisioner_claim_root }}"
state: directory
mode: 0755

- name: Local Path Provisioner | Render Template
set_fact:
Expand Down Expand Up @@ -40,6 +41,7 @@
template:
src: "{{ item.file }}.j2"
dest: "{{ kube_config_dir }}/addons/local_path_provisioner/{{ item.file }}"
mode: 0644
with_items: "{{ local_path_provisioner_templates }}"
register: local_path_provisioner_manifests
when: inventory_hostname == groups['kube_control_plane'][0]
Expand Down
1 change: 1 addition & 0 deletions roles/kubernetes-apps/external_provisioner/local_volume_provisioner/tasks/main.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -40,6 +40,7 @@
template:
src: "{{ item.file }}.j2"
dest: "{{ kube_config_dir }}/addons/local_volume_provisioner/{{ item.file }}"
mode: 0644
with_items: "{{ local_volume_provisioner_templates }}"
register: local_volume_provisioner_manifests
when: inventory_hostname == groups['kube_control_plane'][0]
Expand Down
1 change: 1 addition & 0 deletions roles/kubernetes-apps/helm/tasks/main.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -24,4 +24,5 @@
copy:
dest: /etc/bash_completion.d/helm.sh
content: "{{ helm_completion.stdout }}"
mode: 0755
become: True
1 change: 1 addition & 0 deletions roles/kubernetes-apps/ingress_controller/alb_ingress_controller/tasks/main.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -12,6 +12,7 @@
template:
src: "{{ item.file }}.j2"
dest: "{{ kube_config_dir }}/addons/alb_ingress/{{ item.file }}"
mode: 0644
with_items:
- { name: alb-ingress-clusterrole, file: alb-ingress-clusterrole.yml, type: clusterrole }
- { name: alb-ingress-clusterrolebinding, file: alb-ingress-clusterrolebinding.yml, type: clusterrolebinding }
Expand Down
1 change: 1 addition & 0 deletions roles/kubernetes-apps/ingress_controller/cert_manager/tasks/main.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -38,6 +38,7 @@
template:
src: "{{ item.file }}.j2"
dest: "{{ kube_config_dir }}/addons/cert_manager/{{ item.file }}"
mode: 0644
with_items: "{{ cert_manager_templates }}"
register: cert_manager_manifests
when:
Expand Down
1 change: 1 addition & 0 deletions roles/kubernetes-apps/ingress_controller/ingress_nginx/tasks/main.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -35,6 +35,7 @@
template:
src: "{{ item.file }}.j2"
dest: "{{ kube_config_dir }}/addons/ingress_nginx/{{ item.file }}"
mode: 0644
with_items: "{{ ingress_nginx_templates }}"
register: ingress_nginx_manifests
when:
Expand Down
3 changes: 3 additions & 0 deletions roles/kubernetes-apps/krew/tasks/krew.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -8,11 +8,13 @@
template:
src: krew.j2
dest: /etc/bash_completion.d/krew
mode: 0644

- name: Krew | Copy krew manifest
template:
src: krew.yml.j2
dest: "{{ local_release_dir }}/krew.yml"
mode: 0644

- name: Krew | Install krew # noqa 301 305
shell: "{{ local_release_dir }}/krew-{{ host_os }}_{{ image_arch }} install --archive={{ local_release_dir }}/krew-{{ host_os }}_{{ image_arch }}.tar.gz --manifest={{ local_release_dir }}/krew.yml"
Expand All @@ -31,5 +33,6 @@
copy:
dest: /etc/bash_completion.d/krew.sh
content: "{{ krew_completion.stdout }}"
mode: 0755
become: True
when: krew_completion.rc == 0
5 changes: 4 additions & 1 deletion roles/kubernetes-apps/metallb/tasks/main.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -34,7 +34,10 @@

- name: Kubernetes Apps | Lay Down MetalLB
become: true
template: { src: "{{ item }}.j2", dest: "{{ kube_config_dir }}/{{ item }}" }
template:
src: "{{ item }}.j2"
dest: "{{ kube_config_dir }}/{{ item }}"
mode: 0644
with_items: ["metallb.yml", "metallb-config.yml"]
register: "rendering"
when:
Expand Down
1 change: 1 addition & 0 deletions roles/kubernetes-apps/metrics_server/tasks/main.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -39,6 +39,7 @@
template:
src: "{{ item.file }}.j2"
dest: "{{ kube_config_dir }}/addons/metrics_server/{{ item.file }}"
mode: 0644
with_items: "{{ metrics_server_templates }}"
register: metrics_server_manifests
when:
Expand Down
1 change: 1 addition & 0 deletions roles/kubernetes-apps/persistent_volumes/aws-ebs-csi/tasks/main.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,7 @@
template:
src: "aws-ebs-csi-storage-class.yml.j2"
dest: "{{ kube_config_dir }}/aws-ebs-csi-storage-class.yml"
mode: 0644
register: manifests
when:
- inventory_hostname == groups['kube_control_plane'][0]
Expand Down
1 change: 1 addition & 0 deletions roles/kubernetes-apps/persistent_volumes/azuredisk-csi/tasks/main.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,7 @@
template:
src: "azure-csi-storage-class.yml.j2"
dest: "{{ kube_config_dir }}/azure-csi-storage-class.yml"
mode: 0644
register: manifests
when:
- inventory_hostname == groups['kube_control_plane'][0]
Expand Down
1 change: 1 addition & 0 deletions roles/kubernetes-apps/persistent_volumes/cinder-csi/tasks/main.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,7 @@
template:
src: "cinder-csi-storage-class.yml.j2"
dest: "{{ kube_config_dir }}/cinder-csi-storage-class.yml"
mode: 0644
register: manifests
when:
- inventory_hostname == groups['kube_control_plane'][0]
Expand Down
1 change: 1 addition & 0 deletions roles/kubernetes-apps/persistent_volumes/gcp-pd-csi/tasks/main.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,7 @@
template:
src: "gcp-pd-csi-storage-class.yml.j2"
dest: "{{ kube_config_dir }}/gcp-pd-csi-storage-class.yml"
mode: 0644
register: manifests
when:
- inventory_hostname == groups['kube_control_plane'][0]
Expand Down
1 change: 1 addition & 0 deletions roles/kubernetes-apps/persistent_volumes/openstack/tasks/main.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,7 @@
template:
src: "openstack-storage-class.yml.j2"
dest: "{{ kube_config_dir }}/openstack-storage-class.yml"
mode: 0644
register: manifests
when:
- inventory_hostname == groups['kube_control_plane'][0]
Expand Down
1 change: 1 addition & 0 deletions roles/kubernetes-apps/policy_controller/calico/tasks/main.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -12,6 +12,7 @@
template:
src: "{{ item.file }}.j2"
dest: "{{ kube_config_dir }}/{{ item.file }}"
mode: 0644
with_items:
- {name: calico-kube-controllers, file: calico-kube-controllers.yml, type: deployment}
- {name: calico-kube-controllers, file: calico-kube-sa.yml, type: sa}
Expand Down
2 changes: 2 additions & 0 deletions roles/kubernetes-apps/registry/tasks/main.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -65,6 +65,7 @@
template:
src: "{{ item.file }}.j2"
dest: "{{ kube_config_dir }}/addons/registry/{{ item.file }}"
mode: 0644
with_items: "{{ registry_templates }}"
register: registry_manifests
when: inventory_hostname == groups['kube_control_plane'][0]
Expand All @@ -84,6 +85,7 @@
template:
src: "{{ item.file }}.j2"
dest: "{{ kube_config_dir }}/addons/registry/{{ item.file }}"
mode: 0644
with_items:
- { name: registry-pvc, file: registry-pvc.yml, type: pvc }
register: registry_manifests
Expand Down
1 change: 1 addition & 0 deletions roles/kubernetes-apps/snapshots/cinder-csi/tasks/main.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,7 @@
template:
src: "cinder-csi-snapshot-class.yml.j2"
dest: "{{ kube_config_dir }}/cinder-csi-snapshot-class.yml"
mode: 0644
register: manifests
when:
- inventory_hostname == groups['kube_control_plane'][0]
Expand Down
1 change: 1 addition & 0 deletions roles/kubernetes-apps/snapshots/snapshot-controller/tasks/main.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,7 @@
template:
src: "{{ item.file }}.j2"
dest: "{{ kube_config_dir }}/{{ item.file }}"
mode: 0644
with_items:
- {name: rbac-snapshot-controller, file: rbac-snapshot-controller.yml}
- {name: snapshot-controller, file: snapshot-controller.yml}
Expand Down
4 changes: 4 additions & 0 deletions roles/network_plugin/calico/tasks/install.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -20,6 +20,7 @@
template:
src: "cni-calico.conflist.j2"
dest: "/etc/cni/net.d/calico.conflist.template"
mode: 0644
owner: root
register: calico_conflist
notify: reset_calico_cni
Expand Down Expand Up @@ -126,6 +127,7 @@
assemble:
src: "{{ local_release_dir }}/calico-{{ calico_version }}-kdd-crds"
dest: "{{ kube_config_dir }}/kdd-crds.yml"
mode: 0644
delimiter: "---\n"
regexp: ".*\\.yaml"
remote_src: true
Expand Down Expand Up @@ -330,6 +332,7 @@
template:
src: "{{ item.file }}.j2"
dest: "{{ kube_config_dir }}/{{ item.file }}"
mode: 0644
with_items:
- {name: calico-config, file: calico-config.yml, type: cm}
- {name: calico-node, file: calico-node.yml, type: ds}
Expand All @@ -346,6 +349,7 @@
template:
src: "{{ item.file }}.j2"
dest: "{{ kube_config_dir }}/{{ item.file }}"
mode: 0644
with_items:
- {name: calico, file: calico-typha.yml, type: typha}
register: calico_node_typha_manifest
Expand Down
Loading

0 comments on commit f80fd24

Please sign in to comment.