diff --git a/roles/k3s/master/tasks/main.yml b/roles/k3s/master/tasks/main.yml
index 389e928..006aa9b 100644
--- a/roles/k3s/master/tasks/main.yml
+++ b/roles/k3s/master/tasks/main.yml
@@ -49,6 +49,7 @@
     path: ~{{ ansible_user }}/.kube
     state: directory
     owner: "{{ ansible_user }}"
+    mode: "u=rwx,g=rx,o="
 
 - name: Copy config file to user home directory
   copy:
@@ -56,6 +57,7 @@
     dest: ~{{ ansible_user }}/.kube/config
     remote_src: yes
     owner: "{{ ansible_user }}"
+    mode: "u=rw,g=,o="
 
 - name: Replace https://localhost:6443 by https://master-ip:6443
   command: >-
diff --git a/roles/prereq/tasks/main.yml b/roles/prereq/tasks/main.yml
index c79d503..97617cf 100644
--- a/roles/prereq/tasks/main.yml
+++ b/roles/prereq/tasks/main.yml
@@ -22,6 +22,7 @@
   copy:
     content: "br_netfilter"
     dest: /etc/modules-load.d/br_netfilter.conf
+    mode: "u=rw,g=,o="
   when: ansible_distribution in ['CentOS', 'Red Hat Enterprise Linux']
 
 - name: Load br_netfilter