GCP Introduction
GCP Pricing
GCP Threats
GCP Misconfigurations
- Getting Started with GCP Audit
- CloudSql Audit
- Cloud Tasks Monitoring
- Dataflow Monitoring
- Function Monitoring
- Monitoring Compliance
- PubSubLite Monitoring
- Spanner Monitoring
- NoSQL Monitoring
- Compute Audit
- IAM Audit
- BigQuery Monitoring
- CDN Monitoring
- DNS Monitoring
- KMS Monitoring
- Kubernetes Audit
- Load Balancer Monitoring
- Log Monitoring
- Storage Audit
- Pub/Sub Monitoring
- VPC Audit
- IAM Deep Dive
GCP Threats
Minimize Cluster Access To Read-Only For GCR
More Info:
Configure the Cluster Service Account with Storage Object Viewer Role to only allow readonly access to GCR.
Risk Level
Medium
Address
Security, Reliability, Best Practice
Compliance Standards
CISGKE
Triage and Remediation
Remediation
To minimize cluster access to read-only for GCR in GCP, you can follow the below steps:
-
Open the Google Cloud Console and select the GKE cluster for which you want to minimize the access.
-
Click on the “Edit” button for the cluster.
-
Scroll down to the “Security” section and click on “Add item” under the “Container Registry” subsection.
-
In the “Add members” field, enter the email addresses of the users or service accounts that you want to grant read-only access to.
-
In the “Role” field, select “Storage Object Viewer” from the dropdown menu.
-
Click on the “Save” button to save the changes.
-
Repeat steps 4-6 for each user or service account that you want to grant read-only access to.
-
Once you have added all the users or service accounts, click on the “Save” button to save the changes to the cluster.
By following these steps, you will be able to minimize the cluster access to read-only for GCR in GCP using the GCP console.
To minimize cluster access to read-only for GCR, you can follow these steps:
-
Open the Cloud Shell in your GCP console.
-
Run the following command to create a new Kubernetes cluster role:
kubectl create clusterrole read-only --verb=get,list,watch --resource=pods,endpoints,services,secrets -
Run the following command to create a new Kubernetes cluster role binding:
kubectl create clusterrolebinding read-only-binding --clusterrole=read-only --user=<your-email-address>Replace
<your-email-address>with your GCP account email address. -
Run the following command to grant the Kubernetes service account read-only access to the Google Container Registry:
gcloud projects add-iam-policy-binding <your-project-id> --member=serviceAccount:<your-project-id>@cloudbuild.gserviceaccount.com --role=roles/storage.objectViewerReplace
<your-project-id>with your GCP project ID. -
Run the following command to verify that the Kubernetes service account has read-only access to the Google Container Registry:
gcloud auth activate-service-account --key-file=/var/run/secrets/kubernetes.io/serviceaccount/token gcloud container images listThis will list all the images in your project’s Google Container Registry. If you can see the list of images, it means that the Kubernetes service account has read-only access to the Google Container Registry.
By following these steps, you have minimized cluster access to read-only for GCR in GCP using GCP CLI.
To minimize cluster access to read-only for GCR in GCP, you can follow these steps:
-
Open the Cloud Shell in your GCP console.
-
Install the necessary Python libraries by running the following command:
pip install google-cloud-storage google-auth -
Create a Python script and import the necessary libraries:
from google.cloud import storage from google.oauth2 import service_account -
Set up the credentials for your GCP account:
credentials = service_account.Credentials.from_service_account_file( '/path/to/your/credentials.json') -
Create a storage client using the credentials:
client = storage.Client(credentials=credentials) -
Get the bucket that contains your GCR images:
bucket = client.get_bucket('gcr.io') -
Set the bucket’s IAM policy to allow read-only access for the cluster:
policy = bucket.get_iam_policy(requested_policy_version=3) policy.bindings.append( { "role": "roles/storage.objectViewer", "members": { "serviceAccount:[email protected]" } } ) bucket.set_iam_policy(policy)Note: Replace
[email protected]with the service account of your cluster. -
Save the Python script and run it using the following command:
python <script_name>.py
This will minimize cluster access to read-only for GCR in GCP.