Kubernetes configuration file is world-readable

Summary

The Kube config inserted by GitLab Kubernetes integration is world-readable. This causes Helm to log warnings.

Steps to reproduce

  1. Create a GitLab CI job which invokes Helm, e.g.

    image: dtzar/helm-kubectl:3
    script: helm --version

  2. Create a GitLab Kubernetes integration

  3. Run the job with the Kubernetes integration active

Example Project

https://gitlab.com/appsemble/appsemble/-/jobs/1182498020

What is the current bug behavior?

The kube config is world-readable.

What is the expected correct behavior?

The kube config should only be readable by the user used to run the CI job.

Relevant logs and/or screenshots

$ helm repo add bitnami https://charts.bitnami.com/bitnami
WARNING: Kubernetes configuration file is group-readable. This is insecure. Location: /builds/appsemble/appsemble.tmp/KUBECONFIG
WARNING: Kubernetes configuration file is world-readable. This is insecure. Location: /builds/appsemble/appsemble.tmp/KUBECONFIG
"bitnami" has been added to your repositories

Output of checks

This bug happens on GitLab.com

Possible fixes

File permissions should be set to 600. I’m guessing they’re currently set to 666 🤘
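
Until the file is created with mode 600, a job can tighten it itself before calling Helm. The following is an added example, not code from this issue or from GitLab: it assumes the runner exports the file's path in `KUBECONFIG` (which may be a colon-separated list), and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit and tighten kubeconfig permissions before Helm runs.
# Assumption: the path(s) are passed as $1 or found in $KUBECONFIG.

# Print a file's permission bits in octal (GNU/BusyBox stat, then BSD stat).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null
}

# Succeed only if group and others have no access at all (mode & 077 == 0).
# This is stricter than the two read bits named in Helm's warnings.
is_private() {
    mode=$(file_mode "$1") || return 2
    [ $(( 0$mode & 077 )) -eq 0 ]
}

# Check every file in a colon-separated kubeconfig list and chmod 600 any
# that is accessible to group or others. Returns non-zero if a listed path
# is missing or could not be fixed, so the job can fail early.
harden_kubeconfig() {
    paths=${1:-${KUBECONFIG:-}}
    if [ -z "$paths" ]; then
        echo "kubeconfig: no path given and KUBECONFIG is unset" >&2
        return 2
    fi
    rc=0
    rest="$paths:"
    while [ -n "$rest" ]; do
        f=${rest%%:*}      # first element of the list
        rest=${rest#*:}    # remainder after the first colon
        [ -n "$f" ] || continue
        if [ ! -f "$f" ]; then
            echo "kubeconfig: $f is not a regular file" >&2
            rc=1
            continue
        fi
        if ! is_private "$f"; then
            echo "kubeconfig: $f has mode $(file_mode "$f"), setting 600" >&2
            chmod 600 "$f" || rc=1
        fi
    done
    return $rc
}
```

Calling `harden_kubeconfig` as the first line of the job's `script` closes the exposure for later steps; the file is still world-readable between its creation by the runner and that call.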