More Info:

Configure the Cluster Service Account with Storage Object Viewer Role to only allow readonly access to GCR.

Risk Level

Medium

Address

Security, Reliability, Best Practice

Compliance Standards

CISGKE

Triage and Remediation

Remediation

Using Console

To minimize cluster access to read-only for GCR in GCP, you can follow the below steps:
  1. Open the Google Cloud Console and select the GKE cluster for which you want to minimize the access.
  2. Click on the “Edit” button for the cluster.
  3. Scroll down to the “Security” section and click on “Add item” under the “Container Registry” subsection.
  4. In the “Add members” field, enter the email addresses of the users or service accounts that you want to grant read-only access to.
  5. In the “Role” field, select “Storage Object Viewer” from the dropdown menu.
  6. Click on the “Save” button to save the changes.
  7. Repeat steps 4-6 for each user or service account that you want to grant read-only access to.
  8. Once you have added all the users or service accounts, click on the “Save” button to save the changes to the cluster.
By following these steps, you will be able to minimize the cluster access to read-only for GCR in GCP using the GCP console.

To minimize cluster access to read-only for GCR, you can follow these steps:
  1. Open the Cloud Shell in your GCP console.
  2. Run the following command to create a new Kubernetes cluster role:
    kubectl create clusterrole read-only --verb=get,list,watch --resource=pods,endpoints,services,secrets
    
  3. Run the following command to create a new Kubernetes cluster role binding:
    kubectl create clusterrolebinding read-only-binding --clusterrole=read-only --user=<your-email-address>
    
    Replace <your-email-address> with your GCP account email address.
  4. Run the following command to grant the Kubernetes service account read-only access to the Google Container Registry:
    gcloud projects add-iam-policy-binding <your-project-id> --member=serviceAccount:<your-project-id>@cloudbuild.gserviceaccount.com --role=roles/storage.objectViewer
    
    Replace <your-project-id> with your GCP project ID.
  5. Run the following command to verify that the Kubernetes service account has read-only access to the Google Container Registry:
    gcloud auth activate-service-account --key-file=/var/run/secrets/kubernetes.io/serviceaccount/token
    gcloud container images list
    
    This will list all the images in your project’s Google Container Registry. If you can see the list of images, it means that the Kubernetes service account has read-only access to the Google Container Registry.
By following these steps, you have minimized cluster access to read-only for GCR in GCP using GCP CLI.
To minimize cluster access to read-only for GCR in GCP, you can follow these steps:
  1. Open the Cloud Shell in your GCP console.
  2. Install the necessary Python libraries by running the following command:
    pip install google-cloud-storage google-auth
    
  3. Create a Python script and import the necessary libraries:
    from google.cloud import storage
    from google.oauth2 import service_account
    
  4. Set up the credentials for your GCP account:
    credentials = service_account.Credentials.from_service_account_file(
        '/path/to/your/credentials.json')
    
  5. Create a storage client using the credentials:
    client = storage.Client(credentials=credentials)
    
  6. Get the bucket that contains your GCR images:
    bucket = client.get_bucket('gcr.io')
    
  7. Set the bucket’s IAM policy to allow read-only access for the cluster:
    policy = bucket.get_iam_policy(requested_policy_version=3)
    policy.bindings.append(
        {
            "role": "roles/storage.objectViewer",
            "members": {
                "serviceAccount:[email protected]"
            }
        }
    )
    bucket.set_iam_policy(policy)
    
    Note: Replace [email protected] with the service account of your cluster.
  8. Save the Python script and run it using the following command:
    python <script_name>.py
    
This will minimize cluster access to read-only for GCR in GCP.

Additional Reading: