From f11360be2383a371ed892d061c029e734351e0f8 Mon Sep 17 00:00:00 2001
From: Blazej Siejek
Date: Mon, 16 Aug 2021 08:01:10 +0200
Subject: [PATCH 1/2] KubectlHandler - fix insecure kubectl warning

---
 .../@aws-cdk/aws-eks-legacy/lib/cluster-resource/index.py | 1 +
 packages/@aws-cdk/aws-eks-legacy/lib/helm-chart/index.py | 1 +
 packages/@aws-cdk/aws-eks-legacy/lib/k8s-resource/index.py | 1 +
 .../@aws-cdk/aws-eks/lib/kubectl-handler/apply/__init__.py | 4 ++++
 packages/@aws-cdk/aws-eks/lib/kubectl-handler/get/__init__.py | 4 ++++
 .../@aws-cdk/aws-eks/lib/kubectl-handler/helm/__init__.py | 4 ++++
 .../@aws-cdk/aws-eks/lib/kubectl-handler/patch/__init__.py | 4 ++++
 7 files changed, 19 insertions(+)

diff --git a/packages/@aws-cdk/aws-eks-legacy/lib/cluster-resource/index.py b/packages/@aws-cdk/aws-eks-legacy/lib/cluster-resource/index.py
index 07cad9a8db1ba..b7330ab1ed5ed 100644
--- a/packages/@aws-cdk/aws-eks-legacy/lib/cluster-resource/index.py
+++ b/packages/@aws-cdk/aws-eks-legacy/lib/cluster-resource/index.py
@@ -20,6 +20,7 @@
 outdir = os.environ.get('TEST_OUTDIR', '/tmp')
 kubeconfig = os.path.join(outdir, 'kubeconfig')
+
 def handler(event, context):
 def cfn_error(message=None):
diff --git a/packages/@aws-cdk/aws-eks-legacy/lib/helm-chart/index.py b/packages/@aws-cdk/aws-eks-legacy/lib/helm-chart/index.py
index 0b311f61e0fcd..0ad0b8d3b7233 100644
--- a/packages/@aws-cdk/aws-eks-legacy/lib/helm-chart/index.py
+++ b/packages/@aws-cdk/aws-eks-legacy/lib/helm-chart/index.py
@@ -18,6 +18,7 @@
 CFN_SUCCESS = "SUCCESS"
 CFN_FAILED = "FAILED"
+
 def handler(event, context):
 def cfn_error(message=None):
diff --git a/packages/@aws-cdk/aws-eks-legacy/lib/k8s-resource/index.py b/packages/@aws-cdk/aws-eks-legacy/lib/k8s-resource/index.py
index 3f16e9cb5a305..71ddadd41cff3 100644
--- a/packages/@aws-cdk/aws-eks-legacy/lib/k8s-resource/index.py
+++ b/packages/@aws-cdk/aws-eks-legacy/lib/k8s-resource/index.py
@@ -18,6 +18,7 @@
 CFN_SUCCESS = "SUCCESS"
 CFN_FAILED = "FAILED"
+
 def handler(event, context):
 def cfn_error(message=None):
diff --git a/packages/@aws-cdk/aws-eks/lib/kubectl-handler/apply/__init__.py b/packages/@aws-cdk/aws-eks/lib/kubectl-handler/apply/__init__.py
index 80e9a7891481e..10ddb997d1fab 100644
--- a/packages/@aws-cdk/aws-eks/lib/kubectl-handler/apply/__init__.py
+++ b/packages/@aws-cdk/aws-eks/lib/kubectl-handler/apply/__init__.py
@@ -12,6 +12,7 @@
 outdir = os.environ.get('TEST_OUTDIR', '/tmp')
 kubeconfig = os.path.join(outdir, 'kubeconfig')
+
 def apply_handler(event, context):
 logger.info(json.dumps(event))
@@ -35,6 +36,9 @@ def apply_handler(event, context):
 logger.info(f'Running command: {cmd}')
 subprocess.check_call(cmd)
+ if os.path.isfile(kubeconfig):
+ os.chmod(kubeconfig, 0o600)
+
 # write resource manifests in sequence: { r1 }{ r2 }{ r3 } (this is how
 # a stream of JSON objects can be included in a k8s manifest).
 manifest_list = json.loads(manifest_text)
diff --git a/packages/@aws-cdk/aws-eks/lib/kubectl-handler/get/__init__.py b/packages/@aws-cdk/aws-eks/lib/kubectl-handler/get/__init__.py
index 6058c8371e5bd..4fb3b162765ca 100644
--- a/packages/@aws-cdk/aws-eks/lib/kubectl-handler/get/__init__.py
+++ b/packages/@aws-cdk/aws-eks/lib/kubectl-handler/get/__init__.py
@@ -13,6 +13,7 @@
 outdir = os.environ.get('TEST_OUTDIR', '/tmp')
 kubeconfig = os.path.join(outdir, 'kubeconfig')
+
 def get_handler(event, context):
 logger.info(json.dumps(event))
@@ -30,6 +31,9 @@ def get_handler(event, context):
 '--kubeconfig', kubeconfig
 ])
+ if os.path.isfile(kubeconfig):
+ os.chmod(kubeconfig, 0o600)
+
 object_type = props['ObjectType']
 object_name = props['ObjectName']
 object_namespace = props['ObjectNamespace']
diff --git a/packages/@aws-cdk/aws-eks/lib/kubectl-handler/helm/__init__.py b/packages/@aws-cdk/aws-eks/lib/kubectl-handler/helm/__init__.py
index 67171b11aeede..17208a075d01f 100644
--- a/packages/@aws-cdk/aws-eks/lib/kubectl-handler/helm/__init__.py
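Review bot: `os.chmod(kubeconfig, 0o600)` is applied only after the command on the line above (presumably the `aws eks update-kubeconfig` call, whose construction lies outside the hunk) has already created the file under the process's default umask, so the kubeconfig briefly exists with wider permissions and the fix depends on a second step rather than on how the file is created. Setting `os.umask(0o077)` immediately before `subprocess.check_call(cmd)` — the child process inherits it — makes the file private from creation, and the chmod then remains as a defensive follow-up for a kubeconfig already present in `outdir` from an earlier run; note `os.umask` is process-wide, which is fine for a single-threaded handler. The identical block in the get hunk below and in the helm and patch hunks has the same shape and would take the same change. A short comment would help the next reader, e.g. `# kubectl warns when the kubeconfig is group/world-readable; keep it 0600`. apply_handler begins outside the hunk and continues past it.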
+++ b/packages/@aws-cdk/aws-eks/lib/kubectl-handler/helm/__init__.py
@@ -12,6 +12,7 @@
 outdir = os.environ.get('TEST_OUTDIR', '/tmp')
 kubeconfig = os.path.join(outdir, 'kubeconfig')
+
 def helm_handler(event, context):
 logger.info(json.dumps(event))
@@ -38,6 +39,9 @@ def helm_handler(event, context):
 '--kubeconfig', kubeconfig
 ])
+ if os.path.isfile(kubeconfig):
+ os.chmod(kubeconfig, 0o600)
+
 # Write out the values to a file and include them with the install and upgrade
 values_file = None
 if not request_type == "Delete" and not values_text is None:
diff --git a/packages/@aws-cdk/aws-eks/lib/kubectl-handler/patch/__init__.py b/packages/@aws-cdk/aws-eks/lib/kubectl-handler/patch/__init__.py
index 6597341a4806d..a18455663b7f3 100644
--- a/packages/@aws-cdk/aws-eks/lib/kubectl-handler/patch/__init__.py
+++ b/packages/@aws-cdk/aws-eks/lib/kubectl-handler/patch/__init__.py
@@ -12,6 +12,7 @@
 outdir = os.environ.get('TEST_OUTDIR', '/tmp')
 kubeconfig = os.path.join(outdir, 'kubeconfig')
+
 def patch_handler(event, context):
 logger.info(json.dumps(event))
@@ -29,6 +30,9 @@ def patch_handler(event, context):
 '--kubeconfig', kubeconfig
 ])
+ if os.path.isfile(kubeconfig):
+ os.chmod(kubeconfig, 0o600)
+
 resource_name = props['ResourceName']
 resource_namespace = props['ResourceNamespace']
 apply_patch_json = props['ApplyPatchJson']
From f02ded461b31d481350d9b0bd0b38aafb7e8a51d Mon Sep 17 00:00:00 2001
From: Blazej Siejek
Date: Fri, 20 Aug 2021 12:52:26 +0200
Subject: [PATCH 2/2] Reverting blankline changes from legacy handler

---
 packages/@aws-cdk/aws-eks-legacy/lib/cluster-resource/index.py | 1 -
 packages/@aws-cdk/aws-eks-legacy/lib/helm-chart/index.py | 1 -
 packages/@aws-cdk/aws-eks-legacy/lib/k8s-resource/index.py | 1 -
 3 files changed, 3 deletions(-)

diff --git a/packages/@aws-cdk/aws-eks-legacy/lib/cluster-resource/index.py b/packages/@aws-cdk/aws-eks-legacy/lib/cluster-resource/index.py
index b7330ab1ed5ed..07cad9a8db1ba 100644
--- a/packages/@aws-cdk/aws-eks-legacy/lib/cluster-resource/index.py
+++ b/packages/@aws-cdk/aws-eks-legacy/lib/cluster-resource/index.py
@@ -20,7 +20,6 @@
 outdir = os.environ.get('TEST_OUTDIR', '/tmp')
 kubeconfig = os.path.join(outdir, 'kubeconfig')
-
 def handler(event, context):
 def cfn_error(message=None):
diff --git a/packages/@aws-cdk/aws-eks-legacy/lib/helm-chart/index.py b/packages/@aws-cdk/aws-eks-legacy/lib/helm-chart/index.py
index 0ad0b8d3b7233..0b311f61e0fcd 100644
--- a/packages/@aws-cdk/aws-eks-legacy/lib/helm-chart/index.py
+++ b/packages/@aws-cdk/aws-eks-legacy/lib/helm-chart/index.py
@@ -18,7 +18,6 @@
 CFN_SUCCESS = "SUCCESS"
 CFN_FAILED = "FAILED"
-
 def handler(event, context):
 def cfn_error(message=None):
diff --git a/packages/@aws-cdk/aws-eks-legacy/lib/k8s-resource/index.py b/packages/@aws-cdk/aws-eks-legacy/lib/k8s-resource/index.py
index 71ddadd41cff3..3f16e9cb5a305 100644
--- a/packages/@aws-cdk/aws-eks-legacy/lib/k8s-resource/index.py
+++ b/packages/@aws-cdk/aws-eks-legacy/lib/k8s-resource/index.py
@@ -18,7 +18,6 @@
 CFN_SUCCESS = "SUCCESS"
 CFN_FAILED = "FAILED"
-
 def handler(event, context):
 def cfn_error(message=None):