"Kubernetes configuration file is world-readable"

kmenzel · February 12, 2021, 6:51pm

We created Kubernetes deployment targets and run deployments to them via a Linux worker using an SSH connection. Our deployment steps are “Run a kubectl CLI Script”. When we run kubectl commands, we get Warning messages that the “Kubernetes configuration file is world-readable. This is insecure.”

This issue isn’t blocking but it causes a Warning message that makes the deployment look like there are issues. It seems like the step should save the kube config file using the proper file permissions. Could this be fixed or is there something I can do on my end to make these warnings go away?

Let me know what you think, thanks!
Kelly

stuart.mcilveen · February 12, 2021, 2:57pm

Hi @kmenzel

Thanks for getting in touch!

It looks like this is a known issue with helm - there is a GitHub issue here that appears to match what you’re seeing and an upgrade should help.

Please let me know if this works for you!

Regards,

kmenzel · February 12, 2021, 3:52pm

Thanks for finding that. I read through it but I don’t think that is the issue. The problem described in that GitHub issue was that Warnings were being printed to stdout. They fixed it and now warnings are written to stderr. It looks like this can be confirmed from my screenshot; Octopus shows it as an Error message. Like I said, it doesn’t block the build or fail the step, which is good, so it knows it’s still just a warning. But my question is can we change the permissions on the kubectl-octo.yml file so that it is not world or group readable so the warning message goes away? I’m on Helm version 3.5.2.

stuart.mcilveen · February 12, 2021, 4:40pm

Hi @kmenzel

Thanks for getting back to me so quickly. I’d guess that changing the permissions ‘should’ be ok, but I’d like to confirm before giving you a definitive answer. I’d like to attempt to reproduce the issue, but it’d be early next week before I could get back to you with anything.

Would you be able to try changing the permissions to 644 or 600 and let me know the outcome? If so, please let me know if this works for you!

Regards,

kmenzel · February 12, 2021, 4:45pm

Yep that fixes it, I didn’t think to put it in the bash script in the first line. But I added chmod 600 kubectl-octo.yml and the warnings are gone. I would still think it would be best if the Octopus worker did this, I think it would better protect the credentials in the kube config file. Let me know if you guys decide to change this, for the time being, I can use this workaround. Thanks!

stuart.mcilveen · February 12, 2021, 4:49pm

Hi @kmenzel

Great to hear that fixed it! Thank you for trying it out. This is already being discussed internally, I’ll let you know of any updates.

Regards,