Skip to content

Kubernetes engine cluster nodes have default service account for project access

Description

Create and use minimally privileged Service accounts to run GKE cluster nodes instead of using the Compute Engine default Service account. Unnecessary permissions could be abused in the case of a node compromise.
A GCP service account (as distinct from a Kubernetes ServiceAccount) is an identity that an instance or an application can use to run GCP API requests on your behalf. This identity is used to identify virtual machine instances to other Google Cloud Platform services. By default, Kubernetes Engine nodes use the Compute Engine default service account. This account has broad access by default, as defined by access scopes, making it useful to a wide variety of applications on the VM, but it has more permissions than are required to run your Kubernetes Engine cluster.
You should create and use a minimally privileged service account to run your Kubernetes Engine cluster instead of using the Compute Engine default service account, and create separate service accounts for each Kubernetes Workload (See Recommendation 6.2.2).
Kubernetes Engine requires, at a minimum, the node service account to have the monitoring.viewer, monitoring.metricWriter, and logging.logWriter roles. Additional roles may need to be added for the nodes to pull images from GCR.

Fix - Buildtime

Terraform

  • Resource: google_container_node_pool / google_container_cluster
  • Argument: google_project_default_service_accounts
resource "google_project_default_service_accounts" "not_ok" {
  project = "my-project-id"
  action = "DELETE"
  id="1234"
}

resource "google_container_node_pool" "primary_A_not_ok" {
  name       = "my-node-pool"
  ...

  -   service_account = google_project_default_service_accounts.not_ok.id
    oauth_scopes    = [
      "https://www.googleapis.com/auth/cloud-platform"
    ]
  }
}

resource "google_container_cluster" "primary_B_not_ok" {

  ...
  node_config {
-   service_account = google_project_default_service_accounts.not_ok.id
    oauth_scopes = [
      "https://www.googleapis.com/auth/cloud-platform"
    ]
  }
}