Information
Configure the Cluster Service Account with the Storage Object Viewer role so that it has only read-only access to Google Container Registry (GCR).
Rationale:
The Cluster Service Account does not require administrative access to GCR; it only needs pull (read) access to container images in order to deploy them onto GKE. Restricting its permissions follows the principle of least privilege and prevents the node credentials from being abused beyond the required role (for example, overwriting or pushing images if those credentials are compromised).
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.
Solution
Using Google Cloud Console
For an account explicitly granted access to the bucket:
Go to Storage Browser by visiting https://console.cloud.google.com/storage/browser
From the list of storage buckets, select artifacts.[PROJECT_ID].appspot.com for the GCR bucket
Under the Permissions tab, locate the identified GKE Service Account and, via the drop-down role menu, change its role to Storage Object Viewer for read-only access.
For an account that inherits access to the bucket through Project level permissions:
Go to IAM console by visiting https://console.cloud.google.com/iam-admin
From the list of accounts, identify the required service account and select the corresponding pencil icon
Remove the Storage Admin / Storage Object Admin / Storage Object Creator roles.
Add the Storage Object Viewer role. Note with caution that, granted at the project level, this role permits the account to view all objects stored in GCS for the project, not only the GCR bucket.
Click SAVE
Using Command Line
For an account explicitly granted access to the bucket, first add read access for the cluster's service account, so that image pulls keep working while the broader role is removed:
gsutil iam ch [TYPE]:[EMAIL-ADDRESS]:objectViewer gs://artifacts.[PROJECT_ID].appspot.com
where:
[TYPE] can be one of the following:
user, if the [EMAIL-ADDRESS] is a Google account
serviceAccount, if [EMAIL-ADDRESS] specifies a Service account
[EMAIL-ADDRESS] can be one of the following:
a Google account (a user email address)
a Cloud IAM service account
Then remove the excessively privileged role (Storage Admin / Storage Object Admin / Storage Object Creator) using:
gsutil iam ch -d [TYPE]:[EMAIL-ADDRESS]:[ROLE] gs://artifacts.[PROJECT_ID].appspot.com
For an account that inherits access to the GCR bucket through project-level permissions, export the project's IAM policy to a file, edit it to remove the excessive Storage roles from the service account and grant it Storage Object Viewer, then upload the modified policy using:
gcloud projects set-iam-policy [PROJECT_ID] [POLICY_FILE]
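The steps above, for both the bucket-level and the project-level case, reduce to the same policy edit: strip the Storage Admin / Storage Object Admin / Storage Object Creator bindings from the cluster service account and make sure it holds Storage Object Viewer. The script below is an added example (not from the benchmark or from Tenable) that performs that edit on an exported IAM policy and can also be used as the audit check. The project, bucket, file and account names in it are placeholders, and the sample policy is constructed; the gcloud and gsutil commands named in the docstring are real.

```python
"""Audit a GCP IAM policy for a cluster service account and rewrite it so the
account holds only roles/storage.objectViewer.

Assumed workflow (placeholder names; the commands are real gcloud/gsutil ones):

  gcloud projects get-iam-policy PROJECT_ID --format=json > policy.json
  python gcr_least_privilege.py policy.json \
      serviceAccount:SA_EMAIL > fixed.json
  gcloud projects set-iam-policy PROJECT_ID fixed.json

`gsutil iam get gs://artifacts.PROJECT_ID.appspot.com` emits the same JSON
shape, so the script also applies to a bucket-level policy, whose result is
uploaded with `gsutil iam set fixed.json gs://BUCKET`.
"""
import copy
import json
import sys

READ_ONLY_ROLE = "roles/storage.objectViewer"

# Roles the recommendation names as excessive for a cluster service account.
EXCESSIVE_ROLES = {
    "roles/storage.admin",
    "roles/storage.objectAdmin",
    "roles/storage.objectCreator",
}

# Constructed sample policy for offline use (not captured from a real project).
SAMPLE_POLICY = {
    "version": 1,
    "etag": "BwXyz123",
    "bindings": [
        {
            "role": "roles/storage.admin",
            "members": [
                "serviceAccount:gke-nodes@example-project.iam.gserviceaccount.com",
                "user:build-admin@example.com",
            ],
        },
        {
            "role": "roles/storage.objectCreator",
            "members": [
                "serviceAccount:gke-nodes@example-project.iam.gserviceaccount.com",
            ],
        },
        {"role": "roles/viewer", "members": ["user:auditor@example.com"]},
    ],
}


def roles_for_member(policy, member):
    """Return the set of roles the policy binds directly to `member`."""
    return {
        b["role"]
        for b in policy.get("bindings", [])
        if member in b.get("members", [])
    }


def excessive_roles(policy, member):
    """Audit check: roles held by `member` that exceed read-only GCS access."""
    return roles_for_member(policy, member) & EXCESSIVE_ROLES


def remediate(policy, member):
    """Return a copy of `policy` with the excessive roles stripped from
    `member` and roles/storage.objectViewer granted unconditionally.

    The etag is left untouched so set-iam-policy can reject the upload if the
    policy changed in the meantime. Other principals are not modified.
    """
    fixed = copy.deepcopy(policy)
    for binding in fixed.get("bindings", []):
        if binding["role"] in EXCESSIVE_ROLES and member in binding.get("members", []):
            binding["members"].remove(member)
    # Drop any binding that the removal emptied.
    fixed["bindings"] = [b for b in fixed.get("bindings", []) if b.get("members")]

    # Merge into an existing unconditional objectViewer binding if present; a
    # conditional binding would not guarantee pull access, so it is not reused.
    viewer = next(
        (b for b in fixed["bindings"]
         if b["role"] == READ_ONLY_ROLE and "condition" not in b),
        None,
    )
    if viewer is None:
        fixed["bindings"].append({"role": READ_ONLY_ROLE, "members": [member]})
    elif member not in viewer["members"]:
        viewer["members"].append(member)
    return fixed


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: gcr_least_privilege.py POLICY_JSON MEMBER")
    with open(sys.argv[1]) as fh:
        current = json.load(fh)
    target = sys.argv[2]
    bad = excessive_roles(current, target)
    print(f"{target}: excessive roles before: {sorted(bad) or 'none'}", file=sys.stderr)
    # The remediated policy goes to stdout so it can be redirected to a file.
    print(json.dumps(remediate(current, target), indent=2))
```

Run `excessive_roles` alone to audit; an empty result means the account holds none of the three roles the benchmark flags. When the input is the project policy rather than the bucket policy, remember the caveat from the Impact section: the objectViewer binding the script adds grants read access to every bucket in the project, so prefer applying it to the artifacts bucket where that is possible.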
Impact:
A separate dedicated service account may be required for use by build servers and other robot users pushing or managing container images.
Any account granted the Storage Object Viewer role at the project level can view all objects stored in GCS for the project.
Default Value:
The default permissions of the cluster service account depend on the initial configuration and the project's IAM policy.