From 29a8bc449215d9a17e77de003a2218a2ce589c2f Mon Sep 17 00:00:00 2001
From: Scott Seago
Date: Thu, 17 Jul 2025 22:45:38 -0400
Subject: [PATCH] Mounted cloud credentials should not be world-readable (#8919)
Signed-off-by: Scott Seago
---
 changelogs/unreleased/8919-sseago | 1 +
 internal/credentials/file_store.go | 3 ++-
 pkg/install/daemonset.go | 5 ++++-
 pkg/install/deployment.go | 5 ++++-
 4 files changed, 11 insertions(+), 3 deletions(-)
 create mode 100644 changelogs/unreleased/8919-sseago
diff --git a/changelogs/unreleased/8919-sseago b/changelogs/unreleased/8919-sseago
new file mode 100644
index 000000000..143c86850
--- /dev/null
+++ b/changelogs/unreleased/8919-sseago
@@ -0,0 +1 @@
+Mounted cloud credentials should not be world-readable
diff --git a/internal/credentials/file_store.go b/internal/credentials/file_store.go
index 4b5d25664..d1f1fb10a 100644
--- a/internal/credentials/file_store.go
+++ b/internal/credentials/file_store.go
@@ -71,7 +71,8 @@ func (n *namespacedFileStore) Path(selector *corev1api.SecretKeySelector) (strin
 keyFilePath := filepath.Join(n.fsRoot, fmt.Sprintf("%s-%s", selector.Name, selector.Key))
- file, err := n.fs.OpenFile(keyFilePath, os.O_RDWR|os.O_CREATE|os.O_TRUNC, 0644)
+ // owner RW perms, group R perms, no public perms
+ file, err := n.fs.OpenFile(keyFilePath, os.O_RDWR|os.O_CREATE|os.O_TRUNC, 0640)
 if err != nil {
 return "", errors.Wrap(err, "unable to open credentials file for writing")
 }
diff --git a/pkg/install/daemonset.go b/pkg/install/daemonset.go
index 0a8e7570a..ef2356a44 100644
--- a/pkg/install/daemonset.go
+++ b/pkg/install/daemonset.go
@@ -23,6 +23,7 @@ import (
 appsv1api "k8s.io/api/apps/v1"
 corev1api "k8s.io/api/core/v1"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "k8s.io/utils/ptr"
 "github.com/vmware-tanzu/velero/internal/velero"
 "github.com/vmware-tanzu/velero/pkg/nodeagent"
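Review bot: The 0640 passed on the new OpenFile line is applied only when the file is created; with O_TRUNC on a path that already exists the mode argument is ignored, so a credentials file that an earlier run left at 0644 keeps its world-readable bits — this matters only if fsRoot outlives the process (a mounted volume rather than a fresh container /tmp), which the hunk does not show. If that can happen, chmod after the open, e.g. `if err := n.fs.Chmod(keyFilePath, 0640); err != nil { return "", errors.Wrap(err, "unable to set credentials file permissions") }` when the fs abstraction exposes Chmod, or os.Chmod on a real path; the creation mode is also still subject to the process umask. Since the same process writes and reads this file, 0600 would be tighter than 0640 unless a group reader is intended, and the comment should say which. Path's signature and the remainder of its body are outside this hunk.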
@@ -188,7 +189,9 @@ func DaemonSet(namespace string, opts ...podTemplateOption) *appsv1api.DaemonSet
 Name: "cloud-credentials",
 VolumeSource: corev1api.VolumeSource{
 Secret: &corev1api.SecretVolumeSource{
- SecretName: "cloud-credentials",
+ // read-only for Owner, Group, Public
+ DefaultMode: ptr.To(int32(0444)),
+ SecretName: "cloud-credentials",
 },
 },
 },
diff --git a/pkg/install/deployment.go b/pkg/install/deployment.go
index 36ac8fdf6..4d2e1fc9c 100644
--- a/pkg/install/deployment.go
+++ b/pkg/install/deployment.go
@@ -24,6 +24,7 @@ import (
 appsv1api "k8s.io/api/apps/v1"
 corev1api "k8s.io/api/core/v1"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "k8s.io/utils/ptr"
 "github.com/vmware-tanzu/velero/internal/velero"
 "github.com/vmware-tanzu/velero/pkg/builder"
@@ -411,7 +412,9 @@ func Deployment(namespace string, opts ...podTemplateOption) *appsv1api.Deployme
 Name: "cloud-credentials",
 VolumeSource: corev1api.VolumeSource{
 Secret: &corev1api.SecretVolumeSource{
- SecretName: "cloud-credentials",
+ // read-only for Owner, Group, Public
+ DefaultMode: ptr.To(int32(0444)),
+ SecretName: "cloud-credentials",
 },
 },
 },
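Review bot: The new `DefaultMode: ptr.To(int32(0444))` on the node-agent's cloud-credentials secret volume still sets the "other" read bit, so any UID inside the container can read the credential file — the world-readability the commit title says it removes; it differs from the Kubernetes secret-volume default of 0644 only by dropping the owner write bit, which a read-only tmpfs mount makes moot anyway. If the goal is to restrict reads to the process owner, use `DefaultMode: ptr.To(int32(0400)),` — safe only if the node-agent runs as root, which the hunk does not show; a non-root container would need `0440` plus a pod-level fsGroup so the kubelet chowns the files to a group the process belongs to. Either way the comment should state the intent rather than spell out the bits, e.g. `// owner read-only; credentials must not be readable by other users in the container`. The DaemonSet function starts and ends outside this hunk.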
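Review bot: In the Deployment's cloud-credentials volume, `DefaultMode: ptr.To(int32(0444))` keeps the credential file readable by every UID in the velero container, so this does not remove world-readability; only the owner write bit changes from the 0644 default. Tightening to `0400` works if the velero server runs as root, and `0440` together with an fsGroup on the pod if it runs as a non-root UID — the hunk does not show which, so pick the value that matches the pod's securityContext rather than guessing. The "read-only for Owner, Group, Public" comment should be replaced with one stating the intended access, e.g. `// restrict the mounted credential file to the container's process owner`. The Deployment function starts and ends outside this hunk.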