GKE default compute engine service account #2025

Closed
aumohr opened this issue Jan 30, 2024 · 0 comments · Fixed by #2036
Comments

aumohr (Collaborator) commented Jan 30, 2024

Describe the bug
In stage 3-gke-multitenant, the default compute engine service account is used in GKE clusters. This is against GCP security best practices.

Rationale
The Project Editor role is assigned to the Compute Engine default service account, which grants access to all the Google Cloud resources in the project; this includes service accounts in the project which can be used for privilege escalation. If the Compute Engine default service account is assigned to a compute instance, anyone with access to the compute instance (e.g., using SSH/RDP) will have access to the attached service account, thus having access to all resources in the project. This also applies to other products that use VMs as building blocks, including GKE, Dataflow, Datalab, Cloud Composer, etc.

Expected behavior
Create a custom service account for GKE deployment and assign the minimum set of required privileges to it.
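As an added example (not part of the issue or of the project's own code), a defender-side check over the JSON that `gcloud container clusters describe CLUSTER --format=json` returns, flagging node pools that still run as the Compute Engine default service account; the cluster document below is constructed, and the project number and service account names in it are placeholders.

```python
import json
import re
from typing import Optional

# The Compute Engine default service account appears in node pool config either
# as the literal "default" or as <project-number>-compute@developer.gserviceaccount.com.
DEFAULT_COMPUTE_SA = re.compile(r"^\d+-compute@developer\.gserviceaccount\.com$")


def is_default_compute_sa(sa: Optional[str]) -> bool:
    """True if a node pool's serviceAccount resolves to the Compute Engine default SA."""
    # An absent serviceAccount field also means GKE falls back to the default SA.
    if not sa or sa == "default":
        return True
    return bool(DEFAULT_COMPUTE_SA.match(sa))


def find_default_sa_node_pools(cluster: dict) -> list:
    """Return the names of node pools in a describe document that use the default SA."""
    findings = []
    for pool in cluster.get("nodePools", []):
        sa = pool.get("config", {}).get("serviceAccount")
        if is_default_compute_sa(sa):
            findings.append(pool["name"])
    return findings


# Constructed sample, shaped like `gcloud container clusters describe --format=json`.
SAMPLE_CLUSTER = json.loads("""
{
  "name": "multitenant-cluster",
  "nodePools": [
    {"name": "default-pool", "config": {"serviceAccount": "default"}},
    {"name": "batch-pool",
     "config": {"serviceAccount": "123456789012-compute@developer.gserviceaccount.com"}},
    {"name": "apps-pool",
     "config": {"serviceAccount": "gke-node-sa@example-project.iam.gserviceaccount.com"}}
  ]
}
""")

if __name__ == "__main__":
    for name in find_default_sa_node_pools(SAMPLE_CLUSTER):
        print(f"node pool {name!r} runs as the Compute Engine default service account")
```

Node pools that are flagged should be moved to a dedicated service account holding only the node roles the workload needs, which is what the expected behavior above asks for.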
