lacework-global-760

Minimize cluster access to read-only for Google Container Registry (GCR) (Manual)

Description

Configure the Cluster Service Account with Storage Object Viewer Role to only allow read-only access to GCR.

Remediation

Note: GCR is now deprecated, see the references for more details.

Using Google Cloud Console:

For an account explicitly granted access to the bucket:

  1. Go to Storage Browser by visiting: https://console.cloud.google.com/storage/browser.
  2. From the list of storage buckets, select artifacts.<project_id>.appspot.com for the GCR bucket.
  3. Under the Permissions tab, modify the permissions of the identified Google Kubernetes Engine (GKE) Service Account via the drop-down role menu and change the Role to Storage Object Viewer for read-only access.

For an account that inherits access to the bucket through Project level permissions:

  1. Go to Identity and Access Management (IAM) console by visiting: https://console.cloud.google.com/iam-admin.
  2. From the list of accounts, identify the required service account and select the corresponding pencil icon.
  3. Remove the Storage Admin / Storage Object Admin / Storage Object Creator roles.
  4. Add the Storage Object Viewer role. Note that, granted at project level, this permits the account to view all objects stored in Google Cloud Storage (GCS) for the project, not only the GCR bucket.
  5. Click Save.

Using Command Line:

For an account explicitly granted access to the bucket:

Firstly add read access to the Kubernetes Service Account:

gsutil iam ch <type>:<email_address>:objectViewer gs://artifacts.<project_id>.appspot.com

where:

  • <type> can be one of the following:
    • user, if the <email_address> is a Google Account.
    • serviceAccount, if <email_address> specifies a Service account.
  • <email_address> can be one of the following:
    • a Google Account (for example, someone@example.com).
    • a Cloud IAM service account.

Then remove the excessively privileged role (Storage Admin / Storage Object Admin / Storage Object Creator) using:

gsutil iam ch -d <type>:<email_address>:<role> gs://artifacts.<project_id>.appspot.com

For an account that inherits access to the GCR bucket through Project level permissions, modify the project's IAM policy file accordingly, then upload it using:

gcloud projects set-iam-policy <project_id> <policy_file>
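The step above leaves the actual editing of the policy file to the operator. The following Python script is an added example (not Lacework's or Google's code) that performs that edit on the JSON form of the policy, as printed by `gcloud projects get-iam-policy <project_id> --format=json` or `gsutil iam get gs://<bucket>`: it reports which of the excessive storage roles a given member holds, then produces a rewritten policy in which that member keeps only Storage Object Viewer while every other member and role is left untouched and the etag is preserved for the subsequent `set-iam-policy` upload. The policy, project name and service-account address embedded in it are constructed sample values, not real identifiers.

```python
"""Audit a GCP IAM policy for a GKE service account that holds more than
read-only access to storage, and rewrite it to Storage Object Viewer only.

Added example for this page; not part of Lacework's or Google's tooling.
Input is the dict form of `gcloud projects get-iam-policy <project_id>
--format=json` (project-level case) or `gsutil iam get gs://<bucket>`
(bucket-level case); both share the same bindings/etag layout.
"""
import copy
import json

# Roles this check treats as excessive for a cluster that only pulls images.
EXCESSIVE_ROLES = {
    "roles/storage.admin",
    "roles/storage.objectAdmin",
    "roles/storage.objectCreator",
}
READ_ONLY_ROLE = "roles/storage.objectViewer"

# Constructed sample policy: the GKE node service account has been granted
# Storage Admin and Storage Object Creator at project level. The etag is a
# placeholder, not a value from any real project.
GKE_SA = "serviceAccount:gke-nodes@example-project.iam.gserviceaccount.com"
SAMPLE_POLICY = {
    "etag": "BwXexampleEtag=",
    "version": 1,
    "bindings": [
        {"role": "roles/storage.admin",
         "members": [GKE_SA, "user:admin@example.com"]},
        {"role": "roles/storage.objectCreator",
         "members": [GKE_SA]},
        {"role": "roles/container.nodeServiceAccount",
         "members": [GKE_SA]},
    ],
}


def roles_of(policy, member):
    """All roles `member` holds in `policy`, sorted for stable comparison."""
    return sorted(b["role"] for b in policy.get("bindings", [])
                  if member in b.get("members", []))


def find_excessive_bindings(policy, member):
    """Storage roles held by `member` that exceed read-only access to GCR."""
    return sorted(r for r in roles_of(policy, member) if r in EXCESSIVE_ROLES)


def downgrade_to_read_only(policy, member):
    """Return a copy of `policy` in which `member` loses every excessive
    storage role and gains roles/storage.objectViewer instead.

    Other members keep their roles, bindings left with no members are
    dropped, and the etag is kept so `gcloud projects set-iam-policy`
    can still detect a concurrent change to the live policy.
    """
    new_policy = copy.deepcopy(policy)
    bindings = new_policy.setdefault("bindings", [])
    for binding in bindings:
        if binding["role"] in EXCESSIVE_ROLES and member in binding.get("members", []):
            binding["members"].remove(member)
    bindings = [b for b in bindings if b.get("members")]

    # Reuse an existing unconditional objectViewer binding if there is one.
    viewer = next((b for b in bindings
                   if b["role"] == READ_ONLY_ROLE and "condition" not in b), None)
    if viewer is None:
        viewer = {"role": READ_ONLY_ROLE, "members": []}
        bindings.append(viewer)
    if member not in viewer["members"]:
        viewer["members"].append(member)

    new_policy["bindings"] = bindings
    return new_policy


def bucket_remediation_commands(project_id, member):
    """The gsutil commands from this page for the bucket-level case, with the
    placeholders filled in. Role names use gsutil's short form."""
    bucket = f"gs://artifacts.{project_id}.appspot.com"
    cmds = [f"gsutil iam ch {member}:objectViewer {bucket}"]
    cmds += [f"gsutil iam ch -d {member}:{short} {bucket}"
             for short in ("admin", "objectAdmin", "objectCreator")]
    return cmds


if __name__ == "__main__":
    print("excessive roles:", find_excessive_bindings(SAMPLE_POLICY, GKE_SA))
    # Write the rewritten policy to the file passed to set-iam-policy.
    print(json.dumps(downgrade_to_read_only(SAMPLE_POLICY, GKE_SA), indent=2))
    print("\n".join(bucket_remediation_commands("example-project", GKE_SA)))
```

In practice the script is run against the output of `gcloud projects get-iam-policy`, the rewritten JSON is saved to a file, and that file is what `gcloud projects set-iam-policy <project_id> <policy_file>` uploads; review the diff before uploading, since the rewritten policy replaces the whole project policy rather than a single binding.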

References

https://cloud.google.com/container-registry/docs/
https://cloud.google.com/kubernetes-engine/docs/how-to/service-accounts
https://cloud.google.com/kubernetes-engine/docs/how-to/iam