search

kubernetes-sigs / gcp-compute-persistent-disk-csi-driver

The Google Compute Engine Persistent Disk (GCE PD) Container Storage Interface (CSI) Storage Plugin.
Apache License 2.0
163 stars 143 forks source link

Remove iam.serviceAccountUser role requirement #1700

Open bertinatto opened 5 months ago

bertinatto commented 5 months ago

Currently, GCP PD CSI driver requires a Service Account that has the iam.serviceAccountUser role:

https://github.com/kubernetes-sigs/gcp-compute-persistent-disk-csi-driver/blob/eead51bd9029e92e6b6789813ff345f12a04c1a7/docs/kubernetes/user-guides/driver-install.md?plain=1#L21

However, that goes agains Google's Security Health Analytics recommendation:

https://cloud.google.com/security-command-center/docs/how-to-remediate-security-health-analytics-findings#over_privileged_service_account_user

Is it possible to remove this role from the driver's requirements? What would it take to do that?

I looked around this repository but couldn't find the reason this role is required, only this comment that references it: https://github.com/kubernetes-sigs/gcp-compute-persistent-disk-csi-driver/pull/134#issuecomment-431612007

bertinatto commented 5 months ago

CC @msau42 @mattcary

mattcary commented 5 months ago

I'm not sure. It may not be necessary. If we run through the e2e without it, it's probably ok --- one would have to set up an external (non-gke) deployment and a service account without the role and see if it works.

On Mon, May 6, 2024 at 12:33 PM Fabio Bertinatto @.***> wrote:

CC @msau42 https://github.com/msau42 @mattcary https://github.com/mattcary

— Reply to this email directly, view it on GitHub https://github.com/kubernetes-sigs/gcp-compute-persistent-disk-csi-driver/issues/1700#issuecomment-2096762647, or unsubscribe https://github.com/notifications/unsubscribe-auth/AIJCBADCEB6VOLZPPSGLQJDZA7LKLAVCNFSM6AAAAABHJSYEBGVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDAOJWG43DENRUG4 . You are receiving this because you were mentioned.Message ID: <kubernetes-sigs/gcp-compute-persistent-disk-csi-driver/issues/1700/ 2096762647 @.***>

bertinatto commented 4 months ago

I'm not sure. It may not be necessary. If we run through the e2e without it, it's probably ok --- one would have to set up an external (non-gke) deployment and a service account without the role and see if it works. On Mon, May 6, 2024 at 12:33 PM Fabio Bertinatto @.> wrote: CC @msau42 https://github.com/msau42 @mattcary https://github.com/mattcary — Reply to this email directly, view it on GitHub <#1700 (comment)>, or unsubscribe https://github.com/notifications/unsubscribe-auth/AIJCBADCEB6VOLZPPSGLQJDZA7LKLAVCNFSM6AAAAABHJSYEBGVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDAOJWG43DENRUG4 . You are receiving this because you were mentioned.Message ID: <kubernetes-sigs/gcp-compute-persistent-disk-csi-driver/issues/1700/ 2096762647 @.>

Thanks, @mattcary.

I tried that in our CI, but without the iam.serviceAccountUser role the driver was unable to attach volumes:

E0507 13:03:06.933158       1 utils.go:402] Failed to Attach: failed when waiting for zonal op: rpc error: code = Internal desc = operation operation-1715086983149-617dcce63b8a7-4c592a11-e0d4bf73 failed (SERVICE_ACCOUNT_ACCESS_DENIED): The user does not have access to service account 'ci-op-2vymnqnc-b8c57-bhqzt-w@openshift-gce-devel-ci.iam.gserviceaccount.com'.  User: 'ci-op-2vymnq-openshift-g-b9qcf@openshift-gce-devel-ci.iam.gserviceaccount.com'.  Ask a project owner to grant you the iam.serviceAccountUser role on the service account
I0507 13:03:06.934176       1 controller.go:540] For node projects/openshift-gce-devel-ci/zones/us-central1-c/instances/ci-op-2vymnqnc-b8c57-bhqzt-worker-c-ksqj9 adding backoff due to error for volume projects/openshift-gce-devel-ci/zones/us-central1-c/disks/pvc-d4e1847b-6eeb-4771-aa73-d6d1c2961c56: rpc error: code = Internal desc = Failed to Attach: failed when waiting for zonal op: rpc error: code = Internal desc = operation operation-1715086983149-617dcce63b8a7-4c592a11-e0d4bf73 failed (SERVICE_ACCOUNT_ACCESS_DENIED): The user does not have access to service account 'ci-op-2vymnqnc-b8c57-bhqzt-w@openshift-gce-devel-ci.iam.gserviceaccount.com'.  User: 'ci-op-2vymnq-openshift-g-b9qcf@openshift-gce-devel-ci.iam.gserviceaccount.com'.  Ask a project owner to grant you the iam.serviceAccountUser role on the service account

Is there a more granular permission we could use instead? Is there a safe way for the driver to comply with Google's Security Health Analytics recommendation?

mattcary commented 4 months ago

I guess the service account get associated with the disk or instance when an attach happens.

Digging more deeply into the docs link, it appears the analytics error isn't due to the role in general, but for it being scoped too high.

Maybe instead of adding it as a project scoped role, it needs to be added to the service account (gcloud iam service-accounts add-iam-policy-binding "${IAM_NAME}" --member serviceAccount:"${IAM_NAME}" --role roles/iam.serviceAccountuser).

Can you try that out and see if it works?

bertinatto commented 4 months ago

gcloud iam service-accounts add-iam-policy-binding "${IAM_NAME}" --member serviceAccount:"${IAM_NAME}" --role roles/iam.serviceAccountuser

Unfortunately, I got this:

ERROR: (gcloud.iam.service-accounts.add-iam-policy-binding) PERMISSION_DENIED: Permission 'iam.serviceAccounts.setIamPolicy' denied on resource (or it may not exist).
- '@type': type.googleapis.com/google.rpc.ErrorInfo
  domain: iam.googleapis.com
  metadata:
    permission: iam.serviceAccounts.setIamPolicy
  reason: IAM_PERMISSION_DENIED
mattcary commented 4 months ago

Hmm, I don't know if that's a problem with your project permissions or because you can't put that role on a service account. If you try to do it through the UI (console.cloud.google.com) what happens?

bertinatto commented 3 months ago

Hmm, I don't know if that's a problem with your project permissions or because you can't put that role on a service account. If you try to do it through the UI (console.cloud.google.com) what happens?

I'm not sure if this is the right place, but I went to:

IAM & Admin > Service Accounts > View By Roles > Grant Access

And I see this message in a tooltip:

Required permission(s):
my-sa
iam.serviceAccounts.setIamPolicy
mattcary commented 2 months ago

Ah, this must be an issue with project setup. Can you talk with whoever is the admin for your org or project to see if your project can be given roles/iam.serviceAccountAdmin?

bertinatto commented 2 months ago

@mattcary I just checked and I'm a member of the roles/iam.serviceAccountAdmin role in my project. Could you please try with your account to see if you encounter the same issue? I'm not familiar with GCP IAM roles, but I don't think I'm not lacking any permissions.