These are the permissions we've found to be necessary to run the GKE benchmark, by looking through Cloud Audit logs and also spot-checking the code for the controls.
Technically, storage.buckets.get and storage.buckets.getIamPolicy are only needed for GCR buckets, but it's probably easier to start with these being granted at the project level.