google-github-actions/get-gke-credentials

WARNING: Kubernetes configuration file is world-readable.

djfinnoy opened this issue · 2 comments

TL;DR

Access to the resulting kubeconfig file is so permissive that running helm commands will trigger warnings.

Expected behavior

kubeconfig only readable by one user on the runner.

Observed behavior

kubeconfig file is globally accessible, prompting warnings when using helm.

Run helm list --all-namespaces
WARNING: Kubernetes configuration file is group-readable. This is insecure. Location: /home/runner/work/kube-no-trouble/kube-no-trouble/98db72ab-7c5f-4c62-b383-ba5bd1888e53
WARNING: Kubernetes configuration file is world-readable. This is insecure. Location: /home/runner/work/kube-no-trouble/kube-no-trouble/98db72ab-7c5f-4c62-b383-ba5bd1888e53

Reproduction

Action YAML

...

      - name: Set up kubectl
        uses: google-github-actions/get-gke-credentials@main
        with:
          cluster_name: ${{ env.GKE_NAME }}
          project_id: ${{ env.GKE_PROJECT }}
          location: ${{ env.GKE_LOCATION }}
          credentials: ${{ env.GSA_KEY }}
      - name: test helm
        run: helm list --all-namespaces

Additional information

kubectl doesn't seem to mind; this is probably just related to Helm.
helm/helm#9115

Thanks for reporting the issue @djfinnoy
Currently we write to a location within GITHUB_WORKSPACE but we can add an optional arg to write to specific place. Happy to review a PR if you get to it first.

I just opened #161 to write the file as 640. That will remove the "world-readable" warning, but the file is still "group-readable". I don't think it's safe to write the file as non-group-readable, given how GitHub Actions runners work with respect to Docker-based actions. I believe writing as 600 would prevent Docker-based actions from reading the kubeconfig file, and it would have unknown consequences for people using self-hosted runners (which recommend relying on group permissions).
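As an added example (not code from google-github-actions or from this thread), the shell functions below reproduce the group/world-readable check that produces Helm's warnings and apply either of the two modes discussed above, 640 (keeps group access) or 600 (owner-only, the only mode Helm stays quiet about). It assumes a POSIX shell with GNU or BSD stat(1); the function names are my own.

```shell
#!/bin/sh
# Added example, not part of the get-gke-credentials action.
# Assumes GNU stat (-c %a) or BSD stat (-f %Lp) is available.

# Print the octal permission bits of a file, e.g. 644, without leading zeros.
file_mode() {
    { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; } \
        | sed 's/^0*\([0-9]\)/\1/'
}

# Emit Helm-style warnings when a kubeconfig is group- or world-readable.
# Returns 0 when only the owner can read it, 1 otherwise.
check_kubeconfig_perms() {
    mode=$(file_mode "$1")
    # The last two octal digits are the group and "other" bits; read is 4.
    group=$(( (mode / 10) % 10 ))
    other=$(( mode % 10 ))
    insecure=0
    if [ $(( group & 4 )) -ne 0 ]; then
        echo "WARNING: Kubernetes configuration file is group-readable. This is insecure. Location: $1"
        insecure=1
    fi
    if [ $(( other & 4 )) -ne 0 ]; then
        echo "WARNING: Kubernetes configuration file is world-readable. This is insecure. Location: $1"
        insecure=1
    fi
    return $insecure
}

# Restrict the kubeconfig. Default is 600 (owner-only); pass 640 to keep
# group access for Docker-based actions or self-hosted runners that rely on it.
harden_kubeconfig() {
    mode=${2:-600}
    chmod "$mode" "$1"
}

# Usage in a workflow step, after get-gke-credentials has written the file:
#   check_kubeconfig_perms "$KUBECONFIG" || harden_kubeconfig "$KUBECONFIG"
```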