Triage and Remediation
Remediation
Using Console
GCR has no access control of its own: images are stored as objects in a Cloud Storage bucket named artifacts.<your-project-id>.appspot.com (regional hosts such as us.gcr.io use us.artifacts.<your-project-id>.appspot.com), so what a cluster may do with its images is decided by the IAM policy of that bucket and the identity the nodes authenticate with, which is the service account configured on the node pools (the Compute Engine default service account unless you changed it). Kubernetes RBAC and the GKE cluster settings do not govern image pulls. If your images live in Artifact Registry instead, the equivalent read-only grant is the Artifact Registry Reader role on the repository; the steps below are for GCR. To minimize cluster access to read-only for GCR in GCP using the Console, follow these steps:
- Open the Google Cloud Console, go to Kubernetes Engine, select the cluster and note the service account used by each of its node pools.
- Go to Cloud Storage and open the artifacts.<your-project-id>.appspot.com bucket (and any regional artifacts bucket the cluster pulls from).
- Open the bucket's "Permissions" tab and locate the node service account.
- Remove every role that allows writes, for example Storage Object Admin, Storage Object Creator, Storage Admin, Storage Legacy Bucket Owner or Storage Legacy Bucket Writer. Storage Legacy Bucket Reader may stay; it only allows listing.
- If the node service account does not already hold Storage Object Viewer, click "Grant access" (labelled "Add" in older versions of the Console), enter the service account's email in the principals field, select "Storage Object Viewer" in the "Role" field and click "Save".
- Repeat the last three steps for each artifacts bucket the cluster pulls images from.
Using CLI
To minimize cluster access to read-only for GCR, you can follow these steps:
- Open the Cloud Shell in your GCP console.
- Identify the service account the cluster's nodes run as, for example with `gcloud container clusters describe <cluster-name> --zone <zone> --format="value(nodePools[].config.serviceAccount)"`. A value of `default` means the Compute Engine default service account, `<project-number>-compute@developer.gserviceaccount.com`. Creating a Kubernetes ClusterRole or ClusterRoleBinding does not help here: RBAC controls access to the Kubernetes API, not to the registry, which only sees the node service account's IAM permissions on the bucket.
- Inspect the current policy of the bucket that backs the registry with `gsutil iam get gs://artifacts.<your-project-id>.appspot.com` (use `us.artifacts.<your-project-id>.appspot.com` and similar for regional hosts). Replace `<your-project-id>` with your GCP project ID.
- Remove every write-capable role the node service account holds, for example `gsutil iam ch -d serviceAccount:<node-service-account>:objectAdmin gs://artifacts.<your-project-id>.appspot.com`, repeating the command for `objectCreator`, `admin`, `legacyBucketOwner` and `legacyBucketWriter` where they appear. Replace `<node-service-account>` with the email found in the previous step.
- Grant the node service account read-only access to the Google Container Registry with `gsutil iam ch serviceAccount:<node-service-account>:objectViewer gs://artifacts.<your-project-id>.appspot.com`.
- Verify the result by running `gsutil iam get` on the bucket again: the node service account should appear only under `roles/storage.objectViewer` (and possibly `roles/storage.legacyBucketReader`). Then confirm that pulls still work, for example by running `gcloud container images list --repository=gcr.io/<your-project-id> --impersonate-service-account=<node-service-account>`, which lists the images in your project's registry as the node service account. Listing images with your own user credentials, without impersonation, only proves that you can read the registry and says nothing about what the cluster can do.
Using Python
To minimize cluster access to read-only for GCR in GCP with Python, you can follow these steps:
- Open the Cloud Shell in your GCP console.
- Install the necessary Python library: the Cloud Storage client (the `google-cloud-storage` package), since GCR permissions are Cloud Storage bucket permissions.
- Create a Python script and import the library.
- Set up the credentials for your GCP account. In Cloud Shell, Application Default Credentials are already available; elsewhere, run `gcloud auth application-default login` or point `GOOGLE_APPLICATION_CREDENTIALS` at a service account key that is allowed to change the bucket's IAM policy.
- Create a storage client for your project using those credentials.
- Get the bucket that contains your GCR images, `artifacts.<your-project-id>.appspot.com` (or the regional variant such as `us.artifacts.<your-project-id>.appspot.com`).
- Set the bucket's IAM policy to allow read-only access for the cluster: fetch the current policy, remove the node service account from every binding whose role allows writes (`roles/storage.objectAdmin`, `roles/storage.objectCreator`, `roles/storage.admin` and the legacy owner and writer roles), make sure it is a member of a `roles/storage.objectViewer` binding, and write the policy back. Removing the write roles is the part that actually reduces access; adding Storage Object Viewer on its own changes nothing if the account already holds a broader role.
Note: Replace `<node-service-account>` with the service account of your cluster's node pools, written as `serviceAccount:<email>` in the policy.
- Save the Python script and run it with `python3`. Afterwards, confirm with `gsutil iam get` on the bucket that the node service account holds only the read-only role.
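The following is an added example, not code from the original page. It implements the policy change that the Console, CLI and Python procedures above all describe: given a bucket IAM policy in the dictionary shape returned by `gsutil iam get` and the Cloud Storage IAM API, it reports which write-capable roles the node service account holds, strips them, and ensures an unconditional `roles/storage.objectViewer` binding. The sample policy, the `NODE_SA` value and the other principal names are constructed for illustration; `gcr_bucket`, `excess_roles` and `restrict_to_read_only` are hypothetical helper names, and `apply_to_bucket` wires them to the `google-cloud-storage` client as an assumed call sequence that needs real credentials and is not exercised offline.

```python
"""Audit and tighten the IAM policy of a GCR backing bucket so that a GKE
node service account keeps only read access to images (added example)."""
import copy

# Predefined Cloud Storage roles that allow creating, overwriting or
# deleting objects, i.e. more than a cluster needs to pull images.
WRITE_ROLES = {
    "roles/storage.admin",
    "roles/storage.objectAdmin",
    "roles/storage.objectCreator",
    "roles/storage.objectUser",
    "roles/storage.legacyBucketOwner",
    "roles/storage.legacyBucketWriter",
    "roles/storage.legacyObjectOwner",
}
READ_ROLE = "roles/storage.objectViewer"


def gcr_bucket(project_id, host="gcr.io"):
    """Name of the Cloud Storage bucket that backs a GCR host for a project."""
    if host == "gcr.io":
        return f"artifacts.{project_id}.appspot.com"
    if not host.endswith(".gcr.io"):
        raise ValueError(f"not a Container Registry host: {host}")
    region = host[: -len(".gcr.io")]  # us, eu or asia
    return f"{region}.artifacts.{project_id}.appspot.com"


def excess_roles(policy, member):
    """Write-capable roles that `member` holds in `policy`, sorted."""
    return sorted(
        b["role"]
        for b in policy.get("bindings", [])
        if b["role"] in WRITE_ROLES and member in b.get("members", [])
    )


def restrict_to_read_only(policy, member):
    """Return a copy of `policy` in which `member` holds no write-capable role
    and holds roles/storage.objectViewer unconditionally. Other members are
    untouched; bindings left without members are dropped."""
    fixed = copy.deepcopy(policy)
    bindings = []
    has_read = False
    for binding in fixed.get("bindings", []):
        members = list(binding.get("members", []))
        if binding["role"] in WRITE_ROLES and member in members:
            members.remove(member)
        if binding["role"] == READ_ROLE and "condition" not in binding:
            if member not in members:
                members.append(member)
            has_read = True
        if members:  # drop bindings that no longer grant anything
            binding["members"] = members
            bindings.append(binding)
    if not has_read:
        bindings.append({"role": READ_ROLE, "members": [member]})
    fixed["bindings"] = bindings
    return fixed


def apply_to_bucket(project_id, member, host="gcr.io"):
    """Fetch, tighten and write back the bucket policy with google-cloud-storage.
    Assumed client call sequence; needs Application Default Credentials."""
    from google.api_core.iam import Policy
    from google.cloud import storage

    bucket = storage.Client(project=project_id).bucket(gcr_bucket(project_id, host))
    current = bucket.get_iam_policy(requested_policy_version=3).to_api_repr()
    fixed = restrict_to_read_only(current, member)
    if fixed["bindings"] != current.get("bindings", []):
        # The etag carried in the representation lets the API reject the write
        # if someone changed the policy in between.
        bucket.set_iam_policy(Policy.from_api_repr(fixed))
    return excess_roles(fixed, member)


# Constructed sample: the policy of artifacts.<project>.appspot.com as the
# Cloud Storage IAM API would return it; all principals are illustrative.
NODE_SA = "serviceAccount:123456789012-compute@developer.gserviceaccount.com"
SAMPLE_POLICY = {
    "version": 3,
    "etag": "CAE=",
    "bindings": [
        {"role": "roles/storage.legacyBucketReader", "members": [NODE_SA]},
        {"role": "roles/storage.objectAdmin",
         "members": [NODE_SA, "user:ci-admin@example.com"]},
        {"role": "roles/storage.objectCreator", "members": [NODE_SA]},
        {"role": "roles/storage.objectViewer",
         "members": ["serviceAccount:deploy@example-project.iam.gserviceaccount.com"]},
    ],
}

if __name__ == "__main__":
    print("bucket:", gcr_bucket("example-project"))
    print("before:", excess_roles(SAMPLE_POLICY, NODE_SA))
    fixed = restrict_to_read_only(SAMPLE_POLICY, NODE_SA)
    print("after: ", excess_roles(fixed, NODE_SA))
    for b in fixed["bindings"]:
        print(f"  {b['role']}: {', '.join(b['members'])}")
```

Run the script as-is to see the audit on the constructed policy; to change a real bucket, call `apply_to_bucket("<your-project-id>", "serviceAccount:<node-service-account>")` from Cloud Shell and compare its return value (the write-capable roles left, which should be an empty list) with `gsutil iam get` on the bucket. The function is idempotent, so it is safe to run from a scheduled compliance job, and it leaves every other principal's bindings alone.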