Minimize Cluster Access To Read-Only For GCR

More Info:

Configure the Cluster Service Account with Storage Object Viewer Role to only allow readonly access to GCR.

Risk Level

Medium

Address

Security, Reliability, Best Practice

Compliance Standards

CISGKE

Triage and Remediation

Remediation

Using Console

Using CLI

To minimize cluster access to read-only for GCR, you can follow these steps:

Open the Cloud Shell in your GCP console.

Run the following command to create a new Kubernetes cluster role:

kubectl create clusterrole read-only --verb=get,list,watch --resource=pods,endpoints,services,secrets

Run the following command to create a new Kubernetes cluster role binding:
```
kubectl create clusterrolebinding read-only-binding --clusterrole=read-only --user=<your-email-address>
```
Replace <your-email-address> with your GCP account email address.
Run the following command to grant the Kubernetes service account read-only access to the Google Container Registry:
```
gcloud projects add-iam-policy-binding <your-project-id> --member=serviceAccount:<your-project-id>@cloudbuild.gserviceaccount.com --role=roles/storage.objectViewer
```
Replace <your-project-id> with your GCP project ID.
Run the following command to verify that the Kubernetes service account has read-only access to the Google Container Registry:
```
gcloud auth activate-service-account --key-file=/var/run/secrets/kubernetes.io/serviceaccount/token
gcloud container images list
```
This will list all the images in your project’s Google Container Registry. If you can see the list of images, it means that the Kubernetes service account has read-only access to the Google Container Registry.

By following these steps, you have minimized cluster access to read-only for GCR in GCP using GCP CLI.

Using Python

To minimize cluster access to read-only for GCR in GCP, you can follow these steps:

Open the Cloud Shell in your GCP console.
Install the necessary Python libraries by running the following command:
```
pip install google-cloud-storage google-auth
```

Create a Python script and import the necessary libraries:

from google.cloud import storage
from google.oauth2 import service_account

Set up the credentials for your GCP account:

credentials = service_account.Credentials.from_service_account_file(
    '/path/to/your/credentials.json')

Create a storage client using the credentials:
```
client = storage.Client(credentials=credentials)
```
Get the bucket that contains your GCR images:
```
bucket = client.get_bucket('gcr.io')
```

Set the bucket’s IAM policy to allow read-only access for the cluster:

policy = bucket.get_iam_policy(requested_policy_version=3)
policy.bindings.append(
    {
        "role": "roles/storage.objectViewer",
        "members": {
            "serviceAccount:[email protected]"
        }
    }
)
bucket.set_iam_policy(policy)

Note: Replace [email protected] with the service account of your cluster.

Save the Python script and run it using the following command:
```
python <script_name>.py
```

This will minimize cluster access to read-only for GCR in GCP.

Additional Reading:

https://cloud.google.com/container-registry/docs/access-control

GCP Introduction

GCP Pricing

GCP Threats

GCP Misconfigurations

Resources

GCP Threats

Minimize Cluster Access To Read-Only For GCR

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading:

GCP Introduction

GCP Pricing

GCP Threats

GCP Misconfigurations

Resources

GCP Threats

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​Remediation

​Additional Reading:

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading: