Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Restricting kms permissions #16741

Open
lumoVWGS opened this issue Aug 7, 2024 · 2 comments
Open

Restricting kms permissions #16741

lumoVWGS opened this issue Aug 7, 2024 · 2 comments

Comments

@lumoVWGS
Copy link

lumoVWGS commented Aug 7, 2024
edited
Loading

1. Describe IN DETAIL the feature/behavior/change you would like to see.

          As discussed @chrislovecnm
  1. kms should be locked down to the relevant resource (ideally use the cluster names resource).
  2. route53 changesets not required for nodes only masters.
  3. s3:* should be avoided and have explicit rules.
  4. use sids so we can reference sections and indicate the statements use.
  5. master missing elasticloadbalancing:AddTags + elasticloadbalancing:DescribeTags, elasticloadbalancing:RemoveTags

Originally posted by @ajohnstone in #1873 (comment)

This has been discussed quite some time ago. Ressource wildcard permissions are given for kms:Decrypt and other kms transactions in the masters iam role (see link below), as well as in the ebs role, that is set up if awsEBSCSIDriver is enabled (policy for the service account the ebs-csi-controller is using):

kops/pkg/model/iam/tests/iam_builder_master_strict_ecr.json

Line 149 in 26963dd

"Resource": "*"

This is generating a lot of alerts on security scanners, as the current settings allow the decrypt action with every kms key available in the account.

As the kms keys for ebs, s3 etc. can be referenced by an alias arn as well (for example: arn:aws:kms:::alias/aws/s3), maybe it is possible to restrict the policy to the kms-keys for the according services needed?

2. Feel free to provide a design supporting your feature request.

Example:
{
"Action": [
"kms:CreateGrant",
"kms:Decrypt",
"kms:DescribeKey",
"kms:Encrypt",
"kms:GenerateDataKey*",
"kms:GenerateRandom",
"kms:ReEncrypt*"
],
"Effect": "Allow",
"Resource": [
"arn:aws:kms:::alias/aws/s3",
"arn:aws:kms:::alias/aws/ebs"
]
@k8s-triage-robot
Copy link

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue as fresh with /remove-lifecycle stale
  • Close this issue with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Nov 5, 2024
@lumoVWGS
Copy link
Author

lumoVWGS commented Nov 8, 2024

/remove-lifecycle stale

@k8s-ci-robot k8s-ci-robot removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Nov 8, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@k8s-ci-robot @k8s-triage-robot @lumoVWGS