Information
Note: GCR is now deprecated, see the references for more details.
Configure the Cluster Service Account with the Artifact Registry Viewer role to allow only read-only access to AR repositories. Configure the Cluster Service Account with the Storage Object Viewer role to allow only read-only access to GCR.
The Cluster Service Account does not require administrative access to GCR or AR, only requiring pull access to containers to deploy onto GKE. Restricting permissions follows the principles of least privilege and prevents credentials from being abused beyond the required role.
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.
Solution
For Images Hosted in AR:
Using Google Cloud Console:
- Go to Artifacts Browser by visiting
https://console.cloud.google.com/artifacts
- From the list of repositories, for each repository with Format Docker
- Under the Permissions tab, modify the permissions for GKE Service account and ensure that only the Artifact Registry Viewer role is set.
Using Command Line:
Add the artifactregistry.reader role:
gcloud artifacts repositories add-iam-policy-binding <repository> \
--location=<repository-location> \
--member='serviceAccount:<email-address>' \
--role='roles/artifactregistry.reader'
Remove any roles other than artifactregistry.reader:
gcloud artifacts repositories remove-iam-policy-binding <repository> \
--location <repository-location> \
--member='serviceAccount:<email-address>' \
--role='<role-name>'
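The following is an added example, not part of the benchmark or of Nessus: it audits the IAM policy of an AR repository, as printed by `gcloud artifacts repositories get-iam-policy <repository> --location=<repository-location> --format=json`, flags any role bound to the cluster service account other than roles/artifactregistry.reader, and emits the same add/remove commands listed above. The policy document, repository name, location and service account e-mails are constructed sample values.

```python
import json

# Constructed sample policy in the JSON shape gcloud prints for a repository
# IAM policy (bindings / role / members / etag / version). Account names are made up.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/artifactregistry.reader",
     "members": ["serviceAccount:gke-nodes@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/artifactregistry.admin",
     "members": ["serviceAccount:gke-nodes@example-project.iam.gserviceaccount.com",
                 "serviceAccount:ci-builder@example-project.iam.gserviceaccount.com"]}
  ],
  "etag": "BwXYZ",
  "version": 1
}
""")

# The only role the benchmark permits on the cluster service account.
ALLOWED_ROLES = {"roles/artifactregistry.reader"}

def roles_for_member(policy, member):
    """Return the set of roles bound directly to `member` in the repository policy."""
    return {b["role"] for b in policy.get("bindings", []) if member in b.get("members", [])}

def excess_roles(policy, member, allowed=ALLOWED_ROLES):
    """Roles the member holds beyond the read-only allow-list; an empty set means compliant."""
    return roles_for_member(policy, member) - allowed

def remediation_commands(policy, member, repository, location):
    """Build the gcloud commands from the benchmark that leave only the reader role bound."""
    cmds = []
    if "roles/artifactregistry.reader" not in roles_for_member(policy, member):
        cmds.append(f"gcloud artifacts repositories add-iam-policy-binding {repository} "
                    f"--location={location} --member='{member}' "
                    f"--role='roles/artifactregistry.reader'")
    for role in sorted(excess_roles(policy, member)):
        cmds.append(f"gcloud artifacts repositories remove-iam-policy-binding {repository} "
                    f"--location={location} --member='{member}' --role='{role}'")
    return cmds

if __name__ == "__main__":
    sa = "serviceAccount:gke-nodes@example-project.iam.gserviceaccount.com"
    print("excess roles:", sorted(excess_roles(SAMPLE_POLICY, sa)))
    for cmd in remediation_commands(SAMPLE_POLICY, sa, "my-repo", "us-central1"):
        print(cmd)
```

Only bindings set directly on the repository appear in this policy; roles the account inherits from the project must be checked against the project's own IAM policy.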
For Images Hosted in GCR:
Using Google Cloud Console:
For an account explicitly granted access to the bucket:
- Go to Storage Browser by visiting:
https://console.cloud.google.com/storage/browser
- From the list of storage buckets, select artifacts.<project_id>.appspot.com for the GCR bucket.
- Under the Permissions tab, modify permissions of the identified GKE Service Account via the drop-down role menu and change to the Role to Storage Object Viewer for read-only access.
For an account that inherits access to the bucket through Project level permissions:
- Go to IAM console by visiting:
https://console.cloud.google.com/iam-admin
- From the list of accounts, identify the required service account and select the corresponding pencil icon.
- Remove the Storage Admin / Storage Object Admin / Storage Object Creator roles.
- Add the Storage Object Viewer role - note with caution that this permits the account to view all objects stored in GCS for the project.
- Click SAVE
Using Command Line:
For an account explicitly granted access to the bucket:
First, add read access to the Kubernetes Service Account:
gsutil iam ch <type>:<email_address>:objectViewer gs://artifacts.<project_id>.appspot.com
where:
- <type> can be one of the following:
  - user if the <email_address> is a Google account.
  - serviceAccount if <email_address> specifies a Service account.
- <email_address> can be one of the following:
  - a Google account (for example, user@example.com).
  - a Cloud IAM service account.
Then remove the excessively privileged role (Storage Admin / Storage Object Admin / Storage Object Creator) using:
gsutil iam ch -d <type>:<email_address>:<role> gs://artifacts.<project_id>.appspot.com
For an account that inherits access to the GCR bucket through project-level permissions, modify the project's IAM policy file accordingly, then upload it using:
gcloud projects set-iam-policy <project_id> <policy_file>
Impact:
A separate dedicated service account may be required for use by build servers and other robot users pushing or managing container images.
Any account granted the Storage Object Viewer role at the project level can view all objects stored in GCS for the project.