From c45f7b44eff4b2d408ea003af4fd01cd14d094bc Mon Sep 17 00:00:00 2001
From: Simon Ungar Felding
Date: Sun, 13 Oct 2024 18:35:42 +0200
Subject: [PATCH] tighten permissions
---
tasks/first_server.yml | 6 +++---
tasks/ingress-nginx.yml | 2 +-
tasks/keepalived.yml | 12 ++++++------
tasks/remaining_nodes.yml | 2 +-
tasks/standalone.yml | 2 +-
5 files changed, 12 insertions(+), 12 deletions(-)
diff --git a/tasks/first_server.yml b/tasks/first_server.yml
index a87557c..bb76a3f 100644
--- a/tasks/first_server.yml
+++ b/tasks/first_server.yml
@@ -6,7 +6,7 @@
path: /etc/rancher/rke2 owner: root group: root
- mode: 0755
+ mode: 0750
- name: Set server taints ansible.builtin.set_fact:
@@ -50,12 +50,12 @@
state: directory path: "{{ rke2_etcd_snapshot_destination_dir }}" recurse: true
- mode: 0755
+ mode: 0750
- name: Copy etcd snapshot file ansible.builtin.copy: src: "{{ rke2_etcd_snapshot_source_dir }}/{{ rke2_etcd_snapshot_file }}" dest: "{{ rke2_etcd_snapshot_destination_dir }}/{{ rke2_etcd_snapshot_file }}"
- mode: 0644
+ mode: 0640
force: true
- name: Restore etcd from a snapshot ansible.builtin.shell: |
diff --git a/tasks/ingress-nginx.yml b/tasks/ingress-nginx.yml
index ed971ea..39a885b 100644
--- a/tasks/ingress-nginx.yml
+++ b/tasks/ingress-nginx.yml
@@ -13,4 +13,4 @@
dest: "{{ rke2_data_path }}/server/manifests/rke2-ingress-nginx-config.yaml" owner: root group: root
- mode: 0664
+ mode: 0660
diff --git a/tasks/keepalived.yml b/tasks/keepalived.yml
index c2d6603..59c9b14 100644
--- a/tasks/keepalived.yml
+++ b/tasks/keepalived.yml
@@ -20,7 +20,7 @@
state: directory owner: root group: root
- mode: 0755
+ mode: 0750
- name: Create Kubernetes API health check script for Debian OS family ansible.builtin.template:
@@ -28,7 +28,7 @@
dest: /etc/keepalived/check_apiserver.sh owner: root group: root
- mode: 0755
+ mode: 0750
when: ansible_facts['os_family'] == "Debian" notify: Restart keepalived
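Review bot: `mode: 0750` on the new side of the first first_server.yml hunk is an unquoted leading-zero octal, which the YAML loader turns into the integer 488 before Ansible's file module ever sees it; the Ansible docs recommend quoting octal modes because the bare form works in simple cases but fails in loops and some other contexts, and ansible-lint flags it as risky-octal. The fix is to quote every mode this patch sets, e.g. `mode: "0750"` here and `mode: "0640"` on the etcd snapshot copy. The same issue is in the second first_server.yml hunk, the ingress-nginx.yml hunk, all six keepalived.yml hunks, and the remaining_nodes.yml and standalone.yml hunks. The task that owns this `mode:` starts above the hunk.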
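Review bot: In the second first_server.yml hunk, `mode: 0750` is set on the snapshot destination directory together with `recurse: true`, and ansible.builtin.file applies a recursive mode to the files under the directory as well, so any snapshot already present ends up 0750 with the execute bit set rather than the 0640 that the copy task in the same hunk gives the file it writes. If only the directory itself is meant to be tightened, drop `recurse: true`; if the recursion is wanted, a symbolic mode keeps files non-executable, e.g. `mode: "u=rwX,g=rX,o="`. Both tasks start above the hunk, so the full task list is not visible here.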
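Review bot: The ingress-nginx.yml hunk sets `mode: 0660` on rke2-ingress-nginx-config.yaml while the same task sets `owner: root` and `group: root`, so the group-write bit grants nothing useful and this is the only group-writable mode left in the patch; the other configuration files it touches go to 0640. Suggest `mode: "0640"` for least privilege and consistency with keepalived.conf and the etcd snapshot copy. The template task's `src` line is above the hunk.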
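Review bot: Changing check_apiserver.sh to `mode: 0750` with `owner: root` and `group: root` (keepalived.yml hunk at -28) assumes keepalived runs its check scripts as root; if the rendered keepalived.conf sets `script_user` to a non-root account in global_defs, that account can no longer read or execute the script and the VRRP health check would fail after this change. The keepalived.conf template is not part of this patch, so this is a point to confirm rather than a certain defect; it applies equally to the -38, -48 and -58 hunks. If a dedicated script user is configured, set `group:` on these four tasks to that user's group instead of root. Each template task begins above its hunk.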
@@ -38,7 +38,7 @@
dest: /usr/libexec/keepalived/check_apiserver.sh owner: root group: root
- mode: 0755
+ mode: 0750
when: ansible_facts['os_family'] == "RedHat" notify: Restart keepalived
@@ -48,7 +48,7 @@
dest: /etc/keepalived/check_rke2server.sh owner: root group: root
- mode: 0755
+ mode: 0750
when: ansible_facts['os_family'] == "Debian" notify: Restart keepalived
@@ -58,7 +58,7 @@
dest: /usr/libexec/keepalived/check_rke2server.sh owner: root group: root
- mode: 0755
+ mode: 0750
when: ansible_facts['os_family'] == "RedHat" notify: Restart keepalived
@@ -68,7 +68,7 @@
dest: /etc/keepalived/keepalived.conf owner: root group: root
- mode: 0644
+ mode: 0640
notify: Restart keepalived
- name: Enable keepalived and make sure it is not masked
diff --git a/tasks/remaining_nodes.yml b/tasks/remaining_nodes.yml
index 310a259..b64fa1a 100644
--- a/tasks/remaining_nodes.yml
+++ b/tasks/remaining_nodes.yml
@@ -6,7 +6,7 @@
path: /etc/rancher/rke2 owner: root group: root
- mode: 0755
+ mode: 0750
- name: Set server taints ansible.builtin.set_fact:
diff --git a/tasks/standalone.yml b/tasks/standalone.yml
index 4b1e85a..fcc7ec8 100644
--- a/tasks/standalone.yml
+++ b/tasks/standalone.yml
@@ -6,7 +6,7 @@
path: /etc/rancher/rke2 owner: root group: root
- mode: 0755
+ mode: 0750
- name: Copy RKE2 config ansible.builtin.template: