Initial Auditing Configuration and Usage of the kubernetes.io GCP Organization

[hh]

As an community security auditor
I want to retrieve the iam policies and permissions for the kubernetes.io GCP organisation
In order to  provide transparency into who can access and configure community maintained resources

Given an gcloud account within the k8s-infra-gcp-auditors google group
When ./audit.sh is run and a PR created with the resulting policy changes
Then iam configuration can be peered reviewed / audited

[k8s-ci-robot]

Thanks for your pull request. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

📝 Please follow instructions at https://git.k8s.io/community/CLA.md#the-contributor-license-agreement to sign the CLA.

It may take a couple minutes for the CLA signature to be fully registered; after that, please reply here with a new comment and we'll verify. Thanks.

---

• If you've already signed a CLA, it's possible we don't have your GitHub username or you're using a different email address. Check your existing CLA data and verify that your email is set on your git commits.
• If you signed the CLA as a corporation, please sign in with your organization's credentials at https://identity.linuxfoundation.org/projects/cncf to be authorized.
• If you have done the above and are still having issues with the CLA being reported as unsigned, please email the CNCF helpdesk: [email protected]

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[hh]

Initial audit of a policy change: https://kubernetes.slack.com/messages/CCK68P2Q2/convo/C09QZ4DQB-1554150053.006600/

[thockin]

Great starting point

[thockin]

We could (once this is working as we want and once we have our cluster up) run this as a CronJob daily or even hourly, posting any deltas to slack or something

[thockin]

Rather than "kubernetes-public" shouldn't we be doing a loop over all projects?

e.g.

gcloud projects list \
    --filter "parent.id=758905017065" \
    --format "value(name, projectNumber)" \
    | while read NAME NUM; do \
        gcloud projects get-iam-policy $NAME --format=$format > $NAME.policy.$format
        gcloud iam roles list --project=$NAME --format=$format > $NAME.roles.$format
    done

[thockin]

Also, I vote for JSON - much easier to visually verify

[hh]

Currently doing json and yaml, I can remove yaml if you like.

[thockin]

Do we need to audit the contents of buckets, or just permissions? This will trigger a lot of updates -- e.g. billing is dumped at least daily.

[hh]

Just permissions are fine, I think there are object/file/folder specific permissions that can be set.
We may need a way to capture these or set a remove the ability to set per file perms and only have bucket level.
Thoughts?

[thockin]

Ping on this. As we start expanding scope, the fully formed version of this would make me feel better...

[spiffxp]

@thockin to take a final pass on this

[hh]

@thockin Can we add 'gcloud.organizations.describe' to the k8s-infra-gcp-auditors?

[thockin]

That's not the permission name. I added 'Organization Viewer' which seems to have the right permissions. Try it and let me know?

[thockin]

did you try this again?

[hh]

Note that the dev-cluster-turnup has a many more services enabled than our primary one.

[hh]

We do a bit of iterating over the services. How far do we want to dig into the configuration of each.

[thockin]

I am less concerned about service configs than IAM and access.

[hh]

Understood. Dumping the entire config is a bit out of scope, but I added it the documentation/TODO completeness later.

[spiffxp]

/cc

[thockin]

Can we get a form of this committed soon, so we can use it as we turn more things on? Then iterate..

[spiffxp]

this has grown quite a lot, do we need to open up a new PR?

[spiffxp]

@thockin @hh WDYT about merging this as-is and iterating from there?

[hh]

Since adding a few new projects the case statement iterating over services has more unhandled services.

cat log.mkd | grep Unhandled | sort | uniq
# Unhandled Service admin #
# Unhandled Service bigtable #
# Unhandled Service bigtableadmin #
# Unhandled Service cloudapis #
# Unhandled Service cloudbuild #
# Unhandled Service clouddebugger #
# Unhandled Service cloudresourcemanager #
# Unhandled Service cloudscheduler #
# Unhandled Service cloudtrace #
# Unhandled Service container #
# Unhandled Service containeranalysis #
# Unhandled Service containerregistry #
# Unhandled Service containerscanning #
# Unhandled Service datastore #
# Unhandled Service groupssettings #
# Unhandled Service iam #
# Unhandled Service iamcredentials #
# Unhandled Service pubsub #
# Unhandled Service servicemanagement #
# Unhandled Service serviceusage #
# Unhandled Service sql-component #
# Unhandled Service stackdriver #

[hh]

These are the new perms and the commands are commented out in audit-gcp under each TODO:

TODO: compute Needs compute.projects.get
TODO: Ensure bucket-policy-only, for simplicity in Auditing
TODO: logging needs serviceusage.services.use
TODO: monitoring needs serviceusage.services.use
TODO: storage-api needs storage.buckets.get for auditors
TODO: Verify how Big Query is configured / audited
TODO: Verify how OS Login is configured / audited

[hh]

I'm keen with merging as is and evolving.

[spiffxp]

/approve
/lgtm
/hold
I'm going to leave the /hold cancel to @thockin

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: spiffxp

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [spiffxp]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[thockin]

Mostly very minor comments - would love to get this in and then do a group review of the data.

[thockin]

You could source infra/gcp/lib.sh if there are any more utilities to re-use. This is unlikely to change :)

[thockin]

did you try this again?

[thockin]

need copyright header

[thockin]

Since this assumes CWD is the script's root, maybe we should check that and print a warning if it is not?

[thockin]

We do set bucketpolicyonly now. We do not set logging and we do not set cors. Should we?

[thockin]

We probably should not be dumping bucket contents or VM names or anything that is likely to be constantly changing. Unlikely that any 2 audits could produce the same data for this.

[thockin]

We should not do this - it will be always changing

[thockin]

we should not list VMs - they will change as clusters get upgraded

[thockin]

disks are somewhat dubiously useful, too. Clusters seems OK

[thockin]

same as above - audit should catch metadata, not data

[thockin]

graveyard is going away, so we can nuke all these files

[dims]

/assign @hh

[spiffxp]

merge and iterate

[thockin]

Ping - I think it's back in your court, @hh

[hh]

/hold

[hh]

/hold cancel

[hh]

/retest