lacework-global-760
Minimize cluster access to read-only for Google Container Registry (GCR) (Manual)
Description
Configure the cluster service account with the Storage Object Viewer role so that it has only read-only access to GCR.
Remediation
Note: GCR is now deprecated, see the references for more details.
Using Google Cloud Console:
For an account explicitly granted access to the bucket:
- Go to Storage Browser by visiting: https://console.cloud.google.com/storage/browser.
- From the list of storage buckets, select artifacts.<project_id>.appspot.com for the GCR bucket.
- Under the Permissions tab, modify the permissions of the identified Google Kubernetes Engine (GKE) Service Account via the drop-down role menu and change the Role to Storage Object Viewer for read-only access.
For an account that inherits access to the bucket through Project level permissions:
- Go to Identity and Access Management (IAM) console by visiting: https://console.cloud.google.com/iam-admin.
- From the list of accounts, identify the required service account and select the corresponding pencil icon.
- Remove the Storage Admin / Storage Object Admin / Storage Object Creator roles.
- Add the Storage Object Viewer role. Note with caution that this permits the account to view all objects stored in Google Cloud Storage (GCS) for the project.
- Click Save.
Using Command Line:
For an account explicitly granted access to the bucket:
First, add read access for the Kubernetes Service Account:
gsutil iam ch <type>:<email_address>:objectViewer gs://artifacts.<project_id>.appspot.com
where:
- <type> can be one of the following:
  - user, if the <email_address> is a Google Account.
  - serviceAccount, if <email_address> specifies a service account.
- <email_address> can be one of the following:
  - a Google Account (for example, someone@example.com).
  - a Cloud IAM service account.
Then remove the excessively privileged role (Storage Admin / Storage Object Admin / Storage Object Creator) using:
gsutil iam ch -d <type>:<email_address>:<role> gs://artifacts.<project_id>.appspot.com
For an account that inherits access to the GCR bucket through project-level permissions, modify the project's IAM policy file accordingly, then upload it using:
gcloud projects set-iam-policy <project_id> <policy_file>
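The role swap described in both the console and command-line procedures above (drop Storage Admin / Storage Object Admin / Storage Object Creator, keep only Storage Object Viewer) is the same edit whether it is applied to a bucket policy or to a project policy file before `gcloud projects set-iam-policy`. The following Python script is an added example, not Lacework's or Google's code: it audits an IAM policy document in the JSON shape returned by `gsutil iam get` or `gcloud projects get-iam-policy --format=json` and produces the minimized policy for one service account. The service-account e-mail, the other members and the etag in the sample policy are constructed.

```python
"""Audit and minimize a Cloud IAM policy so that a GKE node service account
keeps only read-only (objectViewer) access to the GCR bucket.

Added example for this policy page; not Lacework's or Google's code.
SAMPLE_MEMBER and SAMPLE_POLICY are constructed test data."""
import copy
import json

# Roles the remediation removes (write/admin) and the single role it keeps.
EXCESSIVE_ROLES = {
    "roles/storage.admin",
    "roles/storage.objectAdmin",
    "roles/storage.objectCreator",
}
READ_ONLY_ROLE = "roles/storage.objectViewer"

# Constructed sample: a GKE node SA that holds two write roles at bucket level.
SAMPLE_MEMBER = "serviceAccount:gke-nodes@example-project.iam.gserviceaccount.com"
SAMPLE_POLICY = {
    "bindings": [
        {
            "role": "roles/storage.objectAdmin",
            "members": [
                SAMPLE_MEMBER,
                "serviceAccount:ci-builder@example-project.iam.gserviceaccount.com",
            ],
        },
        {"role": "roles/storage.admin", "members": [SAMPLE_MEMBER]},
        {"role": "roles/storage.objectViewer", "members": ["user:alice@example.com"]},
    ],
    "etag": "CAE=",
}


def find_excessive_bindings(policy, member):
    """Return the sorted list of excessive roles currently granted to `member`.
    An empty list means the account already satisfies the control."""
    return sorted(
        b["role"]
        for b in policy.get("bindings", [])
        if b["role"] in EXCESSIVE_ROLES and member in b.get("members", [])
    )


def minimize_gcr_access(policy, member):
    """Return a new policy in which `member` holds objectViewer and none of the
    excessive roles. Other members and bindings are left untouched, and the
    etag is preserved so the upload fails if the policy changed in between."""
    new_policy = copy.deepcopy(policy)  # never mutate the caller's document
    bindings = new_policy.setdefault("bindings", [])
    for binding in bindings:
        if binding["role"] in EXCESSIVE_ROLES:
            binding["members"] = [m for m in binding.get("members", []) if m != member]
    # Drop any binding the removal emptied, so no role is left with zero members.
    new_policy["bindings"] = [b for b in bindings if b.get("members")]
    viewer = next((b for b in new_policy["bindings"] if b["role"] == READ_ONLY_ROLE), None)
    if viewer is None:
        viewer = {"role": READ_ONLY_ROLE, "members": []}
        new_policy["bindings"].append(viewer)
    if member not in viewer["members"]:
        viewer["members"].append(member)
    return new_policy


if __name__ == "__main__":
    print("excessive roles:", find_excessive_bindings(SAMPLE_POLICY, SAMPLE_MEMBER))
    # The output is the <policy_file> you would pass to set-iam-policy (or
    # `gsutil iam set` for a bucket) after reviewing the diff.
    print(json.dumps(minimize_gcr_access(SAMPLE_POLICY, SAMPLE_MEMBER), indent=2))
```

Running the audit before and after the rewrite gives a simple pass/fail check for the control; the function is idempotent, so re-running it on an already minimized policy changes nothing.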
References
https://cloud.google.com/container-registry/docs/
https://cloud.google.com/kubernetes-engine/docs/how-to/service-accounts
https://cloud.google.com/kubernetes-engine/docs/how-to/iam