5.1.3 Minimize cluster access to read-only for Container Image repositories

Information

Note: GCR is now deprecated, see the references for more details.

Configure the Cluster Service Account with Artifact Registry Viewer Role to only allow read-only access to AR repositories. Configure the Cluster Service Account with Storage Object Viewer Role to only allow read-only access to GCR.

Rationale:

The Cluster Service Account does not require administrative access to GCR or AR; it only needs pull access to the container images it deploys onto GKE. Restricting permissions follows the principle of least privilege and prevents the credentials from being abused beyond the required role.

Impact:

A separate dedicated service account may be required for use by build servers and other robot users pushing or managing container images.

Any account granted the Storage Object Viewer role at the project level can view all objects stored in GCS for the project.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

For Images Hosted in AR:

Using Google Cloud Console:

Go to Artifacts Browser by visiting https://console.cloud.google.com/artifacts

From the list of repositories, for each repository with Format Docker

Under the Permissions tab, modify the permissions for GKE Service account and ensure that only the Artifact Registry Viewer role is set.

Using Command Line:
Add artifactregistry.reader role

gcloud artifacts repositories add-iam-policy-binding <repository> \
--location=<repository-location> \
--member='serviceAccount:<email-address>' \
--role='roles/artifactregistry.reader'

Remove any roles other than artifactregistry.reader

gcloud artifacts repositories remove-iam-policy-binding <repository> \
--location=<repository-location> \
--member='serviceAccount:<email-address>' \
--role='<role-name>'

For Images Hosted in GCR:

Using Google Cloud Console:
For an account explicitly granted access to the bucket:

Go to Storage Browser by visiting: https://console.cloud.google.com/storage/browser.

From the list of storage buckets, select artifacts.<project_id>.appspot.com for the GCR bucket.

Under the Permissions tab, modify the permissions of the identified GKE Service Account via the drop-down role menu and change the role to Storage Object Viewer for read-only access.

For an account that inherits access to the bucket through Project level permissions:

Go to IAM console by visiting: https://console.cloud.google.com/iam-admin.

From the list of accounts, identify the required service account and select the corresponding pencil icon.

Remove the Storage Admin / Storage Object Admin / Storage Object Creator roles.

Add the Storage Object Viewer role - note with caution that this permits the account to view all objects stored in GCS for the project.

Click SAVE.

Using Command Line:
For an account explicitly granted access to the bucket:
First, add read access for the Kubernetes Service Account:

gsutil iam ch <type>:<email_address>:objectViewer gs://artifacts.<project_id>.appspot.com

where:

<type> can be one of the following:

user, if the <email_address> is a Google account.

serviceAccount, if <email_address> specifies a Service account.

<email_address> can be one of the following:

a Google account (for example, [email protected]).

a Cloud IAM service account.

Then remove the excessively privileged role (Storage Admin / Storage Object Admin / Storage Object Creator) using:

gsutil iam ch -d <type>:<email_address>:<role> gs://artifacts.<project_id>.appspot.com

For an account that inherits access to the GCR bucket through project-level permissions, modify the project's IAM policy file accordingly, then upload it using:

gcloud projects set-iam-policy <project_id> <policy_file>
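The project-level procedure above (and the "remove any roles other than artifactregistry.reader" step for AR repositories) means editing an IAM policy document by hand. The following Python script is an added example, not part of the CIS benchmark or the Nessus plugin, that performs that edit on the JSON shape returned by `gcloud projects get-iam-policy <project_id> --format=json` or `gcloud artifacts repositories get-iam-policy <repository> --location=<repository-location> --format=json`. The service account email, project name, etag and the sample bindings are constructed placeholders; the resulting document is what you would pass to `gcloud projects set-iam-policy <project_id> <policy_file>`. It also reports which roles the account held before the change, which is the evidence an assessor wants when verifying this control.

```python
"""Minimize an IAM policy so a GKE node service account keeps only
read-only image-pull access (CIS GKE 5.1.3).

Added example; not part of the benchmark or Nessus. Input is the JSON
produced by `gcloud ... get-iam-policy --format=json`; output is a
document suitable for `gcloud projects set-iam-policy`.
"""
import copy
import json

# Constructed placeholder identity for the GKE node service account.
GKE_SA = "serviceAccount:gke-nodes@example-project.iam.gserviceaccount.com"

# Roles the benchmark names as excessive at project level for GCR buckets.
GCR_EXCESSIVE_ROLES = {
    "roles/storage.admin",
    "roles/storage.objectAdmin",
    "roles/storage.objectCreator",
}
GCR_READ_ONLY_ROLE = "roles/storage.objectViewer"   # note: project-wide GCS read
AR_READ_ONLY_ROLE = "roles/artifactregistry.reader"

# Constructed sample project policy in gcloud's JSON layout.
SAMPLE_PROJECT_POLICY = {
    "etag": "BwX-constructed-etag==",
    "version": 1,
    "bindings": [
        {"role": "roles/storage.admin",
         "members": [GKE_SA, "user:admin@example.com"]},
        {"role": "roles/storage.objectCreator", "members": [GKE_SA]},
        {"role": "roles/logging.logWriter", "members": [GKE_SA]},
    ],
}

# Constructed sample Artifact Registry repository policy.
SAMPLE_AR_POLICY = {
    "etag": "BwX-constructed-etag-ar==",
    "version": 1,
    "bindings": [
        {"role": "roles/artifactregistry.writer", "members": [GKE_SA]},
        {"role": "roles/artifactregistry.reader", "members": [GKE_SA]},
    ],
}


def audit_member(policy, member):
    """Return the sorted list of roles currently bound to `member`."""
    return sorted(b["role"] for b in policy.get("bindings", [])
                  if member in b.get("members", []))


def minimize_policy(policy, member, read_only_role, excessive_roles=None):
    """Return (new_policy, findings).

    If `excessive_roles` is None, every role other than `read_only_role`
    is removed for `member` (the AR guidance). Otherwise only the listed
    roles are removed (the GCR project-level guidance). The read-only role
    is added if it is missing. The etag is preserved so set-iam-policy can
    detect concurrent edits; conditional bindings are left untouched.
    """
    new = copy.deepcopy(policy)
    findings = []
    for binding in new.get("bindings", []):
        members = binding.get("members", [])
        role = binding["role"]
        if member not in members or role == read_only_role:
            continue
        if "condition" in binding:
            continue  # leave conditional grants for manual review
        if excessive_roles is None or role in excessive_roles:
            members.remove(member)
            findings.append(f"removed {role}")
    # Drop bindings that no longer have any members.
    new["bindings"] = [b for b in new.get("bindings", []) if b.get("members")]
    # Ensure the read-only role is present, reusing an unconditional binding.
    for binding in new["bindings"]:
        if binding["role"] == read_only_role and "condition" not in binding:
            if member not in binding["members"]:
                binding["members"].append(member)
                findings.append(f"added {read_only_role}")
            break
    else:
        new["bindings"].append({"role": read_only_role, "members": [member]})
        findings.append(f"added {read_only_role}")
    return new, findings


def render_policy_file(policy):
    """Serialize a policy as the file expected by `gcloud projects set-iam-policy`."""
    return json.dumps(policy, indent=2, sort_keys=True) + "\n"


if __name__ == "__main__":
    print("before (project):", audit_member(SAMPLE_PROJECT_POLICY, GKE_SA))
    fixed, notes = minimize_policy(SAMPLE_PROJECT_POLICY, GKE_SA,
                                   GCR_READ_ONLY_ROLE, GCR_EXCESSIVE_ROLES)
    print("changes:", notes)
    print(render_policy_file(fixed))
```

Run it against a real export with `gcloud projects get-iam-policy <project_id> --format=json > policy.json`, load that file instead of the constructed sample, write the rendered output to a new file and review the diff before uploading it. For an AR repository, call `minimize_policy(policy, member, AR_READ_ONLY_ROLE)` with no excessive-roles set so that every role other than reader is stripped.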

Default Value:

The default permissions for the cluster Service Account depend on the initial configuration and IAM policy.

See Also

https://workbench.cisecurity.org/benchmarks/13178

Item Details

Category: ACCESS CONTROL, MEDIA PROTECTION

References: 800-53|AC-3, 800-53|AC-5, 800-53|AC-6, 800-53|MP-2, CSCv7|3.2

Plugin: GCP

Control ID: 247d956c81a2741ed7685fbd89f05210100d2c96902f68e3078e1c727b5b4ae7