Open ottlngr opened 7 months ago
GKE will be disabling these RoleBindings as of 1.28. Interested to understand why these RoleBindings are configured like this and what we can do to resolve.
Thanks for raising this @ottlngr. This is a pattern used across all Tekton projects that can be installed on the cluster, not just Pipelines and Dashboard.
It grants "get" permission on a ConfigMap named `<project>-info` in the install namespace (`tekton-pipelines` by default) containing the version number of the project. This is used by the Tekton CLI and others to retrieve the version info (e.g. for the `tkn version` command) without requiring permissions on any of the other resources (e.g. deployments) in the namespace.
This seems like a safe use and is covered under the guidance linked from the bulletin, see https://cloud.google.com/kubernetes-engine/docs/best-practices/rbac#detect-prevent-default
> GKE will mark using the group `system:authenticated` as a security threat notifying their users by email notifications as well as their Security Command Center.

The rule that has been added (`GKE_CONTROL_PLANE_CREATE_SENSITIVE_BINDING`) is specifically related to binding to the `cluster-admin` role which is not used here. From the linked doc:
Display name | API name | Log source types | Description |
---|---|---|---|
Privilege Escalation: Creation of sensitive Kubernetes bindings | GKE_CONTROL_PLANE_CREATE_SENSITIVE_BINDING | Cloud Audit Logs:IAM Admin Activity audit logs | To escalate privilege, a potentially malicious actor attempted to create a new RoleBinding or ClusterRoleBinding object for the cluster-admin role. |
@sbrawner These RoleBindings will not be disabled in 1.28. From the bulletin:
> By default blocked new bindings of the highly privileged ClusterRole cluster-admin to User system:anonymous, Group system:authenticated, or Group system:unauthenticated in GKE version 1.28.

The `cluster-admin` ClusterRole is not referenced in these bindings, only the specific role granting "get" access on the relevant ConfigMap.
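As an added example (not code from this thread or from the Tekton projects), a small audit over the JSON that `kubectl get rolebindings,clusterrolebindings -A -o json` produces, separating bindings of broad subjects like `system:authenticated` to `cluster-admin` (what the GKE rule is about) from narrow ones like the Tekton info Role; the sample input is constructed and the `pipelines-info` binding and Role names are assumptions.

```python
import json

# Constructed sample in the shape of a trimmed
# `kubectl get rolebindings,clusterrolebindings -A -o json`. Item 1 mirrors
# the Tekton pattern from the thread (binding/Role names are assumptions);
# item 2 is the case the GKE bulletin is actually about.
SAMPLE_BINDINGS = json.dumps({"items": [
    {"kind": "RoleBinding",
     "metadata": {"name": "pipelines-info", "namespace": "tekton-pipelines"},
     "roleRef": {"kind": "Role", "name": "pipelines-info"},
     "subjects": [{"kind": "Group", "name": "system:authenticated"}]},
    {"kind": "ClusterRoleBinding",
     "metadata": {"name": "everyone-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "system:authenticated"}]},
    {"kind": "RoleBinding", "metadata": {"name": "app-reader", "namespace": "default"},
     "roleRef": {"kind": "Role", "name": "reader"},
     "subjects": [{"kind": "ServiceAccount", "name": "app"}]},
]})

# The subjects the GKE bulletin calls out.
BROAD_SUBJECTS = {
    ("User", "system:anonymous"),
    ("Group", "system:authenticated"),
    ("Group", "system:unauthenticated"),
}

def audit_bindings(raw_json):
    """Return (binding, severity) for each binding with a broad subject.
    'critical': bound to the cluster-admin ClusterRole (the case
    GKE_CONTROL_PLANE_CREATE_SENSITIVE_BINDING is about); 'review': any
    other broad binding, so inspect the Role's rules by hand (the Tekton
    one only grants get on a single ConfigMap).
    """
    findings = []
    for item in json.loads(raw_json)["items"]:
        subjects = item.get("subjects") or []
        if not any((s.get("kind"), s.get("name")) in BROAD_SUBJECTS
                   for s in subjects):
            continue
        ref = item["roleRef"]
        ns = item["metadata"].get("namespace", "<cluster>")
        binding = f'{item["kind"]}/{ns}/{item["metadata"]["name"]}'
        admin = ref["kind"] == "ClusterRole" and ref["name"] == "cluster-admin"
        findings.append((binding, "critical" if admin else "review"))
    return findings

if __name__ == "__main__":
    for binding, severity in audit_bindings(SAMPLE_BINDINGS):
        print(f"{severity:8} {binding}")
```

Pipe real `kubectl ... -o json` output into `audit_bindings` to get the same two-tier report for a live cluster; the ServiceAccount-only binding in the sample produces no finding.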
You're correct, apologies for the confusion.
The latest GKE Security Bulletin recommends to not use the group `system:authenticated` for RoleBindings. Both `tekton-pipelines` and `tekton-dashboard` use this kind of RoleBinding in their latest release.yaml, claiming that GKE will mark using the group `system:authenticated` as a security threat notifying their users by email notifications as well as their Security Command Center.