Create least privilege default service account

Open jawnsy opened this issue 3 years ago • 2 comments

TL;DR

safer-cluster previously used GKE's recommendations for a minimal service account, but a new "Kubernetes Engine Node Service Account" role has since been introduced and it may be preferable to use that instead.

Terraform Resources

No response

Detailed design

Change the created service account to use the single roles/container.nodeServiceAccount role, rather than the four roles we are currently using (roles/logging.logWriter, roles/monitoring.metricWriter, roles/monitoring.viewer, roles/stackdriver.resourceMetadata.writer): https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/blob/92d7c67bc656e1caddb9a5f3771fab54e84e1ee5/modules/beta-private-cluster-update-variant/sa.tf#L46-L71

Additional information

Changing the defaults would technically be a breaking change, but breaking changes that improve security are usually excluded from compatibility guidelines. If users want to preserve the existing behavior, they can grant the service account the necessary permissions. Most clusters should not need to use the node service account for anything, instead relying on workload identity for individual service-scoped permissions.

jawnsy avatar Oct 01 '22 19:10 jawnsy
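The change proposed in the issue, as an added example (not the module's own sa.tf): a dedicated node service account with the legacy four-role grant and the single roles/container.nodeServiceAccount grant side by side, selected by an assumed variable. The variable, resource and account names, and the google_container_cluster.primary reference, are assumptions.

```hcl
# Added example, not the module's sa.tf. Assumes var.project_id and a
# google_container_cluster.primary resource defined elsewhere.
variable "project_id" { type = string }

# true  -> single Kubernetes Engine Node Service Account role
# false -> the four roles the module grants today
variable "use_node_sa_role" {
  type    = bool
  default = true
}

locals {
  legacy_node_roles = [
    "roles/logging.logWriter",
    "roles/monitoring.metricWriter",
    "roles/monitoring.viewer",
    "roles/stackdriver.resourceMetadata.writer",
  ]
  node_roles = var.use_node_sa_role ? ["roles/container.nodeServiceAccount"] : local.legacy_node_roles
}

# Dedicated node SA instead of the Compute Engine default SA, which is
# granted roles/editor on the project unless that default is disabled.
resource "google_service_account" "gke_nodes" {
  project      = var.project_id
  account_id   = "gke-nodes"
  display_name = "GKE node service account (least privilege)"
}

# One binding per role; for_each keys on the role name so switching the
# role set adds/removes individual bindings rather than rewriting a policy.
resource "google_project_iam_member" "gke_nodes" {
  for_each = toset(local.node_roles)

  project = var.project_id
  role    = each.value
  member  = "serviceAccount:${google_service_account.gke_nodes.email}"
}

# Attach the SA to the node pool. Workloads get their own permissions via
# Workload Identity, so nothing beyond node_roles is granted here.
resource "google_container_node_pool" "primary" {
  name    = "primary"
  cluster = google_container_cluster.primary.id
  node_config {
    service_account = google_service_account.gke_nodes.email
    oauth_scopes    = ["https://www.googleapis.com/auth/cloud-platform"]
  }
}
```

After applying, `gcloud projects get-iam-policy PROJECT_ID --flatten="bindings[].members" --filter="bindings.members:gke-nodes@"` should list only the roles in `local.node_roles` for the account.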

Thanks for the suggestion. This is definitely something we can add and it would help maintainability too as we don't need to keep track of newer roles as the product evolves.

bharathkkb avatar Oct 06 '22 18:10 bharathkkb

@bharathkkb I'm happy to open a PR for this - are you okay with the approach of a "breaking" change of removing the now-unnecessary roles?

jawnsy avatar Oct 08 '22 20:10 jawnsy