diff --git a/0007-fix-kbimg-set-default-umask-to-022.patch b/0007-fix-kbimg-set-default-umask-to-022.patch
new file mode 100644
index 0000000000000000000000000000000000000000..783732eaca7b2a534b638c9e491b7a6a34817299
--- /dev/null
+++ b/0007-fix-kbimg-set-default-umask-to-022.patch
@@ -0,0 +1,38 @@
+From b5f64717b4ff3685c3cb8978d9a91f03780a1094 Mon Sep 17 00:00:00 2001
+From: Yuhang Wei <weiyuhang3@huawei.com>
+Date: Sat, 8 Mar 2025 12:06:33 +0000
+Subject: [PATCH] fix(kbimg): set default umask to 022
+
+Signed-off-by: Yuhang Wei <weiyuhang3@huawei.com>
+---
+ KubeOS-Rust/kbimg/src/scripts_gen.rs | 1 +
+ KubeOS-Rust/kbimg/src/values.rs      | 1 +
+ 2 files changed, 2 insertions(+)
+
+diff --git a/KubeOS-Rust/kbimg/src/scripts_gen.rs b/KubeOS-Rust/kbimg/src/scripts_gen.rs
+index 9993af1c..b9c53c08 100644
+--- a/KubeOS-Rust/kbimg/src/scripts_gen.rs
++++ b/KubeOS-Rust/kbimg/src/scripts_gen.rs
+@@ -486,6 +486,7 @@ pub(crate) fn gen_admin_vars(file: &mut dyn Write, docker_img: &str, hostshell:
+         file,
+         r#"set -eux
+ 
++umask 022
+ SCRIPTS_DIR=$(dirname "$0")
+ LOCK="${{SCRIPTS_DIR}}"/test.lock
+ ADMIN_CONTAINER_DIR="${{SCRIPTS_DIR}}"/admin-container
+diff --git a/KubeOS-Rust/kbimg/src/values.rs b/KubeOS-Rust/kbimg/src/values.rs
+index 7cf322e1..928a22eb 100644
+--- a/KubeOS-Rust/kbimg/src/values.rs
++++ b/KubeOS-Rust/kbimg/src/values.rs
+@@ -70,6 +70,7 @@ pub const COPYRIGHT: &str = r#"# Copyright (c) Huawei Technologies Co., Ltd. 202
+ 
+ pub const GLOBAL_VARS: &str = r#"set -eux
+ 
++umask 022
+ NAME=KubeOS
+ ID=kubeos
+ SCRIPTS_DIR=$(cd "$(dirname "$0")" && pwd)
+-- 
+2.47.0
+
diff --git a/KubeOS.spec b/KubeOS.spec
index 861f7b7592d4a559693a279799ee026762bd8a4d..215604a23bbaf629eb8f081e1d2821e29714b95b 100644
--- a/KubeOS.spec
+++ b/KubeOS.spec
@@ -2,7 +2,7 @@
 
 Name:           KubeOS
 Version:        1.0.8
-Release:        4
+Release:        5
 Summary:        O&M platform used to update the whole OS as an entirety
 License:        Mulan PSL v2
 Source0:        https://gitee.com/openeuler/KubeOS/repository/archive/v%{version}.tar.gz
@@ -12,6 +12,7 @@ Patch3:         0003-fix-admin-container-correct-path-for-copying-files-i.patch
 Patch4:         0004-fix-kbimg-add-info-log-for-successful-image-creation.patch
 Patch5:         0005-fix-kbimg-enforce-non-empty-strings-for-required-fie.patch
 Patch6:         0006-fix-kbimg-add-validation-for-non-empty-strings-in-Ve.patch
+Patch7:         0007-fix-kbimg-set-default-umask-to-022.patch
 
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 BuildRequires:  make rust cargo openssl-devel
@@ -76,6 +77,12 @@ install -p -m 0600 ./KubeOS-Rust/kbimg/kbimg.toml %{buildroot}/opt/kubeOS/script
 rm -rfv %{buildroot}
 
 %changelog
+* Tue Mar 11 2025 Yuhang Wei<weiyuhang3@huawei.com> - 1.0.8-5
+- Type:requirement
+- CVE:NA
+- SUG:restart
+- DESC:set default umask to 022 for KubeOS image creation
+
 * Mon Dec 16 2024 Yuhang Wei<weiyuhang3@huawei.com> - 1.0.8-4
 - Type:requirement
 - CVE:NA