GoogleCloudPlatform / inspec-gke-cis-benchmark

GKE CIS 1.1.0 Benchmark InSpec Profile
Apache License 2.0

Document permissions required for the benchmark #6

Closed dinvlad closed 4 years ago

dinvlad commented 4 years ago

These are the permissions we've found as necessary to run the GKE benchmark, by looking through Cloud Audit logs and also spot-checking the code for the controls.

Technically, storage.buckets.get and storage.buckets.getIamPolicy are only needed for GCR buckets, but it's probably easier to start with these being granted at the project level.

KonradSchieban commented 4 years ago

@dinvlad is the list of permissions necessary and sufficient? /gcbrun

dinvlad commented 4 years ago

From my tests, and looking at the code, yes.

KonradSchieban commented 4 years ago

Thank you for your contribution @dinvlad!