From 739bd2f56a4dcc71e676a4237f1ba7a1683b3a08 Mon Sep 17 00:00:00 2001
From: Kenichi Omichi
Date: Mon, 11 Oct 2021 16:57:40 +0000
Subject: [PATCH] Fix ownership related to Calico kube-bench scan outputs warning related to Calico like: * text: "Ensure that the Container Network Interface file permissions are set to 644 or more restrictive (Manual)" * text: "Ensure that the Container Network Interface file ownership is set to root:root (Manual)" This fixes these warnings.
---
 roles/container-engine/gvisor/molecule/default/prepare.yml | 2 +-
 roles/network_plugin/calico/tasks/install.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/roles/container-engine/gvisor/molecule/default/prepare.yml b/roles/container-engine/gvisor/molecule/default/prepare.yml
index e5a7e773c5b..8f9ef7ddfbc 100644
--- a/roles/container-engine/gvisor/molecule/default/prepare.yml
+++ b/roles/container-engine/gvisor/molecule/default/prepare.yml
@@ -36,7 +36,7 @@
 file:
 path: /etc/cni/net.d
 state: directory
- owner: kube
+ owner: root
 mode: 0755
 - name: Setup CNI
 copy:
diff --git a/roles/network_plugin/calico/tasks/install.yml b/roles/network_plugin/calico/tasks/install.yml
index 75a9e5eefa4..cac20ea5e2d 100644
--- a/roles/network_plugin/calico/tasks/install.yml
+++ b/roles/network_plugin/calico/tasks/install.yml
@@ -20,7 +20,7 @@
 template:
 src: "cni-calico.conflist.j2"
 dest: "/etc/cni/net.d/calico.conflist.template"
- owner: kube
+ owner: root
 register: calico_conflist
 notify: reset_calico_cni
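Review bot: The `file` task for `/etc/cni/net.d` now declares `owner: root` but still sets no `group`, so if the directory already exists with a different group, the task will not bring it to the root:root state the commit message quotes. The `template` task in roles/network_plugin/calico/tasks/install.yml has the same gap. Adding `group: root` directly under `owner: root` in both tasks would declare the full ownership instead of relying on how the path was first created. The task's opening `- name:` line is outside the hunk.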
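Review bot: The `template` task that writes `/etc/cni/net.d/calico.conflist.template` sets no `mode`, so the file's permissions come from the umask on first creation or from whatever an earlier run left behind. The "644 or more restrictive" check quoted in the commit message is therefore not pinned by this change; adding `mode: "0644"` next to `owner: root` would make the result deterministic. This hunk only covers the `.template` file, and the conflist that is presumably rendered from it is created elsewhere, so the ownership and mode of that generated file are worth confirming against the same kube-bench checks. The task's opening `- name:` line is outside the hunk.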