Merge pull request #5905 from micahhausler/eks-kubeconfig-mode

[customizations/eks]: Make kubeconfig not world readable
aws · Feb 3, 2021 · ba30852 · ba30852
2 parents c47d1dd + 78c6c1b
commit ba30852
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 2 deletions.
diff --git a/awscli/customizations/eks/kubeconfig.py b/awscli/customizations/eks/kubeconfig.py
@@ -190,9 +190,14 @@ def write_kubeconfig(self, config):
                 raise KubeconfigInaccessableError(
                         "Can't create directory for writing: {0}".format(e))
         try:
-            with open(config.path, "w+") as stream:
+            with os.fdopen(
+                    os.open(
+                        config.path,
+                        os.O_CREAT | os.O_RDWR,
+                        0o600),
+                    "w+") as stream:
                 ordered_yaml_dump(config.content, stream)
-        except IOError as e:
+        except (IOError, OSError) as e:
             raise KubeconfigInaccessableError(
                 "Can't open kubeconfig for writing: {0}".format(e))
 

diff --git a/tests/unit/customizations/eks/test_kubeconfig.py b/tests/unit/customizations/eks/test_kubeconfig.py
@@ -66,6 +66,17 @@ def test_has_cluster_with_no_clusters(self):
         config = Kubeconfig(self._path, self._content)
         self.assertFalse(config.has_cluster("clustername"))
 
+class TestKubeconfigWriter(unittest.TestCase):
+
+    def test_not_world_readable(self):
+        tmpdir = tempfile.mkdtemp()
+        self.addCleanup(shutil.rmtree, tmpdir)
+        config_path = os.path.join(tmpdir, "config")
+        config = Kubeconfig(config_path, None)
+        KubeconfigWriter().write_kubeconfig(config)
+        stat = os.stat(config_path)
+        self.assertEqual(stat.st_mode & 0o777, 0o600)
+
 class TestKubeconfigValidator(unittest.TestCase):
     def setUp(self):
         self._validator = KubeconfigValidator()