fix: KubectlHandler - insecure kubeconfig warning (aws#16063)

mrsiejas · smguggen · commit 31ffe1f60761 · 2021-08-23T21:15:02.000-05:00
KubectlHandler started to return insecure kubeconfig file warning starting Kubernetes 1.20 ``` 2:08:24 PM | CREATE_FAILED | Custom::AWSCDK-EKS-HelmChart | NginxIngressController/Resource/Default Received response status [FAILED] from custom resource. Message returned: Error: b'WARNING: Kubernetes configuration file is group-readable. This is insecure. Location: /tmp/kubeconfig\nWARNING: Kubernetes configuration file is world-readable. This is insecure. Location: /tmp/kubeconfig\nError: UPGRADE FAILED: an other operation (install/upgrade/rollback) is in progress\n' ``` Fix changes permissions of the file to read and write for the User and removes permissions for Group and Others. Fixes aws#14560 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
diff --git a/packages/@aws-cdk/aws-eks/lib/kubectl-handler/apply/__init__.py b/packages/@aws-cdk/aws-eks/lib/kubectl-handler/apply/__init__.py
@@ -12,6 +12,7 @@
 outdir = os.environ.get('TEST_OUTDIR', '/tmp')
 kubeconfig = os.path.join(outdir, 'kubeconfig')
 
+
 def apply_handler(event, context):
     logger.info(json.dumps(event))
 
@@ -35,6 +36,9 @@ def apply_handler(event, context):
     logger.info(f'Running command: {cmd}')
     subprocess.check_call(cmd)
 
+    if os.path.isfile(kubeconfig):
+        os.chmod(kubeconfig, 0o600)
+
     # write resource manifests in sequence: { r1 }{ r2 }{ r3 } (this is how
     # a stream of JSON objects can be included in a k8s manifest).
     manifest_list = json.loads(manifest_text)
diff --git a/packages/@aws-cdk/aws-eks/lib/kubectl-handler/get/__init__.py b/packages/@aws-cdk/aws-eks/lib/kubectl-handler/get/__init__.py
@@ -13,6 +13,7 @@
 outdir = os.environ.get('TEST_OUTDIR', '/tmp')
 kubeconfig = os.path.join(outdir, 'kubeconfig')
 
+
 def get_handler(event, context):
     logger.info(json.dumps(event))
 
@@ -30,6 +31,9 @@ def get_handler(event, context):
         '--kubeconfig', kubeconfig
     ])
 
+    if os.path.isfile(kubeconfig):
+        os.chmod(kubeconfig, 0o600)
+
     object_type         = props['ObjectType']
     object_name         = props['ObjectName']
     object_namespace    = props['ObjectNamespace']
diff --git a/packages/@aws-cdk/aws-eks/lib/kubectl-handler/helm/__init__.py b/packages/@aws-cdk/aws-eks/lib/kubectl-handler/helm/__init__.py
@@ -12,6 +12,7 @@
 outdir = os.environ.get('TEST_OUTDIR', '/tmp')
 kubeconfig = os.path.join(outdir, 'kubeconfig')
 
+
 def helm_handler(event, context):
     logger.info(json.dumps(event))
 
@@ -38,6 +39,9 @@ def helm_handler(event, context):
         '--kubeconfig', kubeconfig
     ])
 
+    if os.path.isfile(kubeconfig):
+        os.chmod(kubeconfig, 0o600)
+
     # Write out the values to a file and include them with the install and upgrade
     values_file = None
     if not request_type == "Delete" and not values_text is None:
diff --git a/packages/@aws-cdk/aws-eks/lib/kubectl-handler/patch/__init__.py b/packages/@aws-cdk/aws-eks/lib/kubectl-handler/patch/__init__.py
@@ -12,6 +12,7 @@
 outdir = os.environ.get('TEST_OUTDIR', '/tmp')
 kubeconfig = os.path.join(outdir, 'kubeconfig')
 
+
 def patch_handler(event, context):
     logger.info(json.dumps(event))
 
@@ -29,6 +30,9 @@ def patch_handler(event, context):
         '--kubeconfig', kubeconfig
     ])
 
+    if os.path.isfile(kubeconfig):
+        os.chmod(kubeconfig, 0o600)
+
     resource_name = props['ResourceName']
     resource_namespace = props['ResourceNamespace']
     apply_patch_json = props['ApplyPatchJson']
