diff --git a/pkg/cmd/render/render.go b/pkg/cmd/render/render.go
index 8432d32994..b315e26a1d 100644
--- a/pkg/cmd/render/render.go
+++ b/pkg/cmd/render/render.go
@@ -306,13 +306,13 @@ func (r *renderOpts) Run() error {
 certDir := filepath.Join(memberDir, "etcd-all-certs")
 // Creating the cert dir recursively will create the base path too
- err = os.MkdirAll(certDir, 0755)
+ err = os.MkdirAll(certDir, 0700)
 if err != nil {
 return fmt.Errorf("failed to create directory %s: %w", memberDir, err)
 }
 // tlsDir contains the ca bundle and client cert pair for bootkube.sh and the bootstrap apiserver
 tlsDir := filepath.Join(r.assetOutputDir, "tls")
- err = os.MkdirAll(tlsDir, 0755)
+ err = os.MkdirAll(tlsDir, 0700)
 // Write the etcd ca bundle required by the bootstrap etcd member
 for _, bundle := range templateData.caBundles {
diff --git a/pkg/operator/etcd_assets/bindata.go b/pkg/operator/etcd_assets/bindata.go
index 07ba7fe9a9..eac15ac165 100644
--- a/pkg/operator/etcd_assets/bindata.go
+++ b/pkg/operator/etcd_assets/bindata.go
@@ -2626,7 +2626,7 @@ func RestoreAsset(dir, name string) error {
 if err != nil {
 return err
 }
- err = os.MkdirAll(_filePath(dir, filepath.Dir(name)), os.FileMode(0755))
+ err = os.MkdirAll(_filePath(dir, filepath.Dir(name)), os.FileMode(0700))
 if err != nil {
 return err
 }
diff --git a/pkg/tnf/assets/bindata.go b/pkg/tnf/assets/bindata.go
index 11355d44ea..b8f4af9a2d 100644
--- a/pkg/tnf/assets/bindata.go
+++ b/pkg/tnf/assets/bindata.go
@@ -585,7 +585,7 @@ func RestoreAsset(dir, name string) error {
 if err != nil {
 return err
 }
- err = os.MkdirAll(_filePath(dir, filepath.Dir(name)), os.FileMode(0755))
+ err = os.MkdirAll(_filePath(dir, filepath.Dir(name)), os.FileMode(0700))
 if err != nil {
 return err
 }
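Review bot: `os.MkdirAll` applies the mode only to directories it actually creates, so in the `certDir` and `tlsDir` calls a directory that already exists as 0755 (from an earlier run or another step) stays world-readable after this change. If the intent is that the etcd certs and the client cert pair are never readable by other users, follow each call with an explicit mode set, for example `if err := os.Chmod(tlsDir, 0700); err != nil { return fmt.Errorf("failed to chmod %s: %w", tlsDir, err) }`. The `err` from `os.MkdirAll(tlsDir, 0700)` is also not checked in the visible lines before the loop starts, and the `certDir` error message prints `memberDir` instead of `certDir`. The same existing-directory caveat applies to the `RestoreAsset` hunks in the two `bindata.go` files, which look generated, so a regeneration may bring 0755 back unless the generator is changed as well. Run's body continues outside the hunk.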