[BUG] yurtadm tries to set the incorrect permission, which leads to unexpected failure

[fujitatomoya]

What happened:

When using OpenYurt with Cilium CNI, cilium-agent (DaemonSets) initialization cannot be completed since it does not have the access permission to /opt/cni/bin.

see more details for cilium/cilium#22933

What you expected to happen:

OpenYurt can enable Cilium w/o any problems.

How to reproduce it (as minimally and precisely as possible):

1. yurtadm join from edge device. (kubelet should not be installed, so that yurtadm creates the /opt/cni/bin with 0600 permission)
2. enable cilium with cilium install.
3. the edge node cannot be READY since cilium-agent will fail to initialize.

Anything else we need to know?:

In general directory permission 0600 does not make sense to me, since the owner cannot change the directory in it.
In addition, OpenYurt should not put the different access permission in default, since this could lead the unexpected problems like this. saying, /opt/cni/bin is not dedicated directory for OpenYurt but anyone could read and execute.

Environment:

• OpenYurt version: v1.1.0
• Kubernetes version (use kubectl version): 1.22.13
• OS (e.g: cat /etc/os-release): Ubuntu 20.04
• Kernel (e.g. uname -a): 5.4.0-126-generic
• Install tools:
• Others:

others

/kind bug

[fujitatomoya]

#1574 addresses this problems.

@rambohe-ch @YTGhost what do you think?

[YTGhost]

#1574 addresses this problems.

@rambohe-ch @YTGhost what do you think?

Yes, I agree with you that the permissions of /opt/cni/bin should be changed to 0755.

[rambohe-ch]

#1574 addresses this problems.

@rambohe-ch @YTGhost what do you think?

@fujitatomoya agree +1