tektoncd / pipeline

A cloud-native Pipeline resource.
https://tekton.dev
Apache License 2.0

GKE Security Bulletin: RoleBindings using system:authenticated not recommended #7608

Open ottlngr opened 7 months ago

ottlngr commented 7 months ago

The latest GKE Security Bulletin recommends not using the group system:authenticated for RoleBindings.

Both tekton-pipelines and tekton-dashboard use this kind of RoleBinding in their latest release.yaml, claiming that

All system:authenticated users need to have access to the pipelines-info ConfigMap even if they don't have access to the other resources present in the installed namespace.

GKE will mark using the group system:authenticated as a security threat notifying their users by email notifications as well as their Security Command Center.

sbrawner commented 7 months ago

GKE will be disabling these RoleBindings as of 1.28. Interested to understand why these RoleBindings are configured like this and what we can do to resolve.

AlanGreene commented 7 months ago

Thanks for raising this @ottlngr. This is a pattern used across all Tekton projects that can be installed on the cluster, not just Pipelines and Dashboard.

It grants "get" permission on a ConfigMap named <project>-info in the install namespace (tekton-pipelines by default) containing the version number of the project. This is used by the Tekton CLI and others to retrieve the version info (e.g. for the tkn version command) without requiring permissions on any of the other resources (e.g. deployments) in the namespace.

This seems like a safe use and is covered under the guidance linked from the bulletin, see https://cloud.google.com/kubernetes-engine/docs/best-practices/rbac#detect-prevent-default

mark using the group system:authenticated as a security threat notifying their users by email notifications as well as their Security Command Center.

The rule that has been added (GKE_CONTROL_PLANE_CREATE_SENSITIVE_BINDING) is specifically related to binding to the cluster-admin role which is not used here. From the linked doc:

| Display name | API name | Log source types | Description |
| --- | --- | --- | --- |
| Privilege Escalation: Creation of sensitive Kubernetes bindings | GKE_CONTROL_PLANE_CREATE_SENSITIVE_BINDING | Cloud Audit Logs: IAM Admin Activity audit logs | To escalate privilege, a potentially malicious actor attempted to create a new RoleBinding or ClusterRoleBinding object for the cluster-admin role. |

@sbrawner These RoleBindings will not be disabled in 1.28. From the bulletin:

By default blocked new bindings of the highly privileged ClusterRole cluster-admin to User system:anonymous, Group system:authenticated, or Group system:unauthenticated in GKE version 1.28.

The cluster-admin ClusterRole is not referenced in these bindings, only the specific role granting "get" access on the relevant ConfigMap.
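
As an added example (not code from the Tekton project or from anyone in this thread), a small RBAC review helper that applies the distinction drawn above: it reports bindings matching the GKE rule (cluster-admin bound to system:authenticated, system:unauthenticated or system:anonymous) separately from narrow bindings like the `<project>-info` one, and lists what the narrow role actually grants. The manifests are constructed and given as already-parsed Python dicts; the Role name `tekton-pipelines-info` and the ConfigMap name are assumptions modelled on the pattern described, not copied from release.yaml.

```python
# Added example (not Tekton code): manifests are pre-parsed dicts, constructed to mirror the thread's pattern, so it runs without PyYAML or a cluster.
BROAD_SUBJECTS = {  # subjects the GKE bulletin singles out when bound to cluster-admin
    ("Group", "system:authenticated"),
    ("Group", "system:unauthenticated"),
    ("User", "system:anonymous"),
}

def classify_binding(binding, roles):
    """Return (severity, reason): 'sensitive' = cluster-admin bound to a broad subject
    (the GKE rule); 'review' = broad subject bound to another role, grants listed;
    'ok' = no broad subject involved."""
    broad = [s for s in binding.get("subjects", [])
             if (s.get("kind"), s.get("name")) in BROAD_SUBJECTS]
    if not broad:
        return "ok", "no broad subject"
    ref = binding["roleRef"]
    who = ", ".join(f"{s['kind']}/{s['name']}" for s in broad)
    if ref["kind"] == "ClusterRole" and ref["name"] == "cluster-admin":
        return "sensitive", f"cluster-admin bound to {who}"
    role = roles.get((ref["kind"], ref["name"]))
    if role is None:
        return "review", f"{ref['kind']}/{ref['name']} bound to {who}; role not in manifests"
    grants = "; ".join(  # e.g. "get on configmaps [pipelines-info]"
        f"{','.join(r.get('verbs', []))} on {','.join(r.get('resources', []))}"
        + (f" [{','.join(r['resourceNames'])}]" if r.get("resourceNames") else "")
        for r in role.get("rules", []))
    return "review", f"{ref['kind']}/{ref['name']} bound to {who}; grants {grants}"

def review(manifests):
    """Classify every binding in a manifest list; roles are looked up by (kind, name)."""
    roles = {(m["kind"], m["metadata"]["name"]): m
             for m in manifests if m["kind"] in ("Role", "ClusterRole")}
    return {m["metadata"]["name"]: classify_binding(m, roles)
            for m in manifests if m["kind"].endswith("Binding")}

# Constructed sample: a narrow Tekton-style binding (get on one ConfigMap) beside the cluster-admin binding the GKE rule targets.
SAMPLE = [
    {"kind": "Role", "metadata": {"name": "tekton-pipelines-info", "namespace": "tekton-pipelines"},
     "rules": [{"apiGroups": [""], "resources": ["configmaps"],
                "resourceNames": ["pipelines-info"], "verbs": ["get"]}]},
    {"kind": "RoleBinding", "metadata": {"name": "tekton-pipelines-info", "namespace": "tekton-pipelines"},
     "subjects": [{"kind": "Group", "name": "system:authenticated"}],
     "roleRef": {"kind": "Role", "name": "tekton-pipelines-info"}},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "everyone-cluster-admin"},
     "subjects": [{"kind": "Group", "name": "system:authenticated"}],
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"}},
]
if __name__ == "__main__":
    for name, (severity, reason) in review(SAMPLE).items():
        print(f"{severity:9} {name}: {reason}")
```

Running it prints one line per binding; only the cluster-admin binding comes out as `sensitive`, while the ConfigMap binding is listed for review with its single `get` grant.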

sbrawner commented 7 months ago

You're correct, apologies for the confusion.