- Access Secrets Stored Outside GKE Clusters
To move sensitive data out of in-cluster storage, ensure that your Google Kubernetes Engine (GKE) clusters can access secrets stored outside GKE, in Google Cloud Secret Manager.
Pods and services running in Google Kubernetes Engine (GKE) clusters often need secrets such as database passwords or API keys. Kubernetes has a built-in Secret object, but it is only a base64-encoded value held in the cluster's etcd store, and any principal with get or list permission on Secrets in a namespace can read it in plaintext. Many organizations therefore keep the secrets used by their GKE workloads in Secret Manager instead, where access is controlled by an IAM policy on each secret, values are versioned and encrypted at rest, and each read can be recorded in Cloud Audit Logs once Data Access logging is enabled for the service. Keeping secrets outside the cluster's own storage limits what an attacker who compromises a node or obtains cluster RBAC can read.
Audit
To determine if your GKE clusters can access secrets stored within Secret Manager, perform the following operations. The steps check the IAM bindings of the cluster's node service account, which is the identity pods use by default when they call Google Cloud APIs; if Workload Identity Federation for GKE is enabled, pods authenticate as their own IAM principal instead, and the same bindings must be checked for that principal.
Using GCP Console
01 Sign in to the Google Cloud Management Console.
02 Select the GCP project that you want to examine from the console top navigation bar.
03 Navigate to Kubernetes Engine console available at https://console.cloud.google.com/kubernetes.
04 In the navigation panel, under Overview, select Clusters to access the list with the GKE clusters provisioned within the selected GCP project.
05 Click on the name (link) of the GKE cluster that you want to examine.
06 Select the DETAILS tab to view the configuration information available for the selected cluster.
07 In the Security section, copy the email address listed as the value of the Service account attribute. This is the service account the cluster's nodes run as, and applications on the cluster use it to call Google Cloud APIs. If the value is default, the nodes use the Compute Engine default service account (PROJECT_NUMBER-compute@developer.gserviceaccount.com). Node pools can override the cluster default, so check the service account of each node pool as well.
08 Navigate to Secret Manager console at https://console.cloud.google.com/security/secret-manager and select the SECRETS tab to access the Secret Manager secrets created for the selected project.
09 Click on the name (link) of the secret that you want to examine, select the PERMISSIONS tab, click inside the Filter box, and perform all the instructions listed below. Repeat this step for each Secret Manager secrets available in the selected project:
- Select Type and choose Service account.
- Select Principal, paste the email address copied at step no. 7, and press Enter.
- Select Role, type Secret Manager Secret Accessor, and press Enter.
- Select Role, type Secret Manager Secret Version Adder, and press Enter.
10 If the filtering performed at the previous step returns no results, the service account associated with your GKE cluster has no binding on the secret, so workloads running as that service account cannot read it (unless the same role was granted higher up, at the project, folder or organization level, which the secret's PERMISSIONS tab does not show).
11 Repeat steps no. 5 – 10 for each GKE cluster created for the selected GCP project.
12 Repeat steps no. 2 – 11 for each project deployed within your Google Cloud account.
Using GCP CLI
01 Run projects list command (Windows/macOS/Linux) with a custom output format to list the ID of each project available in your Google Cloud account:
gcloud projects list --format="table(projectId)"
02 The command output should return the requested GCP project ID(s):
PROJECT_ID
cc-project5-123123
cc-ai-project-112233
03 Run container clusters list command (Windows/macOS/Linux) using the ID of the GCP project that you want to examine as the identifier parameter and a custom output format to list the name and the location of each GKE cluster provisioned for the selected project:
gcloud container clusters list --project cc-project5-123123 --format="table(name,location)"
04 The command output should return the requested cluster names and their locations:
NAME LOCATION
cc-gke-backend-cluster us-central1
cc-gke-frontend-cluster us-central1
05 Run container clusters describe command (Windows/macOS/Linux) using the name and location of the GKE cluster that you want to examine as the identifier parameters and a custom output format to return the service account configured for the cluster's nodes. The nodeConfig.serviceAccount value is the cluster-level default; each node pool listed under nodePools in the same describe output carries its own config.serviceAccount, which can differ, so check those too:
gcloud container clusters describe cc-gke-backend-cluster --region=us-central1 --project cc-project5-123123 --format="value(nodeConfig.serviceAccount)"
06 The command output should return the service account email address (the literal value default means the Compute Engine default service account, PROJECT_NUMBER-compute@developer.gserviceaccount.com):
cc-backend-cluster-sa@cc-project5-123123.iam.gserviceaccount.com
07 Run secrets list command (Windows/macOS/Linux) to describe the name of each Secret Manager secret created for the selected GCP project:
gcloud secrets list --project cc-project5-123123 --format="table(name)"
08 The command output should return the name(s) of the secret(s) available within the selected GCP project:
NAME
cc-project5-app-secret
cc-project5-db-password
09 Run secrets get-iam-policy command (Windows/macOS/Linux) with the name of the Secret Manager secret that you want to examine as the identifier parameter, to describe the IAM policy configured for the selected secret. Repeat this step for each Secret Manager secret available in the selected project:
gcloud secrets get-iam-policy cc-project5-app-secret --project cc-project5-123123 --format=json | jq '.bindings[]'
10 The command output should return the IAM policy bindings defined for the secret:
{
  "members": [
    "serviceAccount:123456789012@cloudservices.gserviceaccount.com"
  ],
  "role": "roles/secretmanager.admin"
}
{
  "members": [
    "serviceAccount:secret-manager-sa@cc-project5-123123.iam.gserviceaccount.com"
  ],
  "role": "roles/editor"
}
11 Search each IAM policy returned at the previous step for the service account identified at step 6. If the service account is not listed, or is listed without a "roles/secretmanager.secretAccessor" binding, workloads running as that service account cannot read the secret payload. The "roles/secretmanager.secretVersionAdder" binding is needed only when workloads on the cluster must also write new versions of the secret; a read-only workload should not hold it. Two caveats apply when reading the policy: a binding granted at the project, folder or organization level (visible with gcloud projects get-iam-policy, not in the secret's own policy) also applies to every secret beneath it, and a binding that carries a condition grants access only while that condition evaluates to true.
12 Repeat steps no. 5 - 11 for each GKE cluster available within the selected GCP project.
13 Repeat steps no. 3 – 12 for each GCP project deployed in your Google Cloud account.
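The following script automates the CLI audit above. It is an added example, not code from the original page or from Google. The pure functions take the JSON that gcloud prints with --format=json and run offline against constructed sample policies embedded below; only the wrappers at the bottom call gcloud and need a logged-in session. Beyond the page's steps it also resolves the literal "default" node service account, checks every node pool, looks at project-level bindings the secret policy does not show, and treats conditional bindings separately. The project, cluster and secret names are assumptions carried over from the page's sample output.

```python
"""Audit which Secret Manager secrets a GKE cluster's node service account can read or write.
Added example; the pure functions accept gcloud --format=json output, the wrappers call gcloud."""
import json
import subprocess
from typing import Dict, List, Set

ACCESSOR = "roles/secretmanager.secretAccessor"
VERSION_ADDER = "roles/secretmanager.secretVersionAdder"
# Broader roles whose permissions include secretmanager.versions.access / .add;
# a binding to any of them grants the capability even if it is not the narrow role.
READ_ROLES: Set[str] = {ACCESSOR, "roles/secretmanager.admin", "roles/owner"}
WRITE_ROLES: Set[str] = {VERSION_ADDER, "roles/secretmanager.admin", "roles/owner"}


def resolve_node_service_account(node_config_sa: str, project_number: str) -> str:
    """gcloud prints the literal "default" when a node pool runs as the Compute
    Engine default service account; expand it to the real email address."""
    if node_config_sa == "default":
        return f"{project_number}-compute@developer.gserviceaccount.com"
    return node_config_sa


def roles_for_member(policy: dict, member: str) -> Dict[str, bool]:
    """Map role -> whether the binding carries an IAM condition, for every
    binding in an IAM policy (gcloud JSON shape) that lists `member`."""
    granted: Dict[str, bool] = {}
    for binding in policy.get("bindings", []):
        if member in binding.get("members", []):
            granted[binding["role"]] = "condition" in binding
    return granted


def audit_secret(secret: str, secret_policy: dict, project_policy: dict, member: str) -> dict:
    """Decide whether `member` can read or add versions to `secret`, using both the
    secret's own policy and the project policy it inherits from."""
    by_level = {"secret": roles_for_member(secret_policy, member),
                "project": roles_for_member(project_policy, member)}

    def unconditional(roles: Set[str]) -> bool:
        return any(role in roles and not conditional
                   for granted in by_level.values() for role, conditional in granted.items())

    return {
        "secret": secret,
        "can_read": unconditional(READ_ROLES),
        "can_add_versions": unconditional(WRITE_ROLES),
        # A conditional binding applies only while its condition holds, so it is
        # listed for follow-up instead of being counted as access.
        "conditional_roles": sorted(role for granted in by_level.values()
                                    for role, conditional in granted.items() if conditional),
        # Inherited grants never appear in `gcloud secrets get-iam-policy`.
        "inherited_from_project": sorted(role for role, conditional in by_level["project"].items()
                                         if not conditional),
    }


def audit_secrets(secret_policies: Dict[str, dict], project_policy: dict, member: str) -> List[dict]:
    return [audit_secret(name, policy, project_policy, member)
            for name, policy in sorted(secret_policies.items())]


# Constructed sample policies (not real data) mirroring the page's sample output.
CLUSTER_SA = "cc-backend-cluster-sa@cc-project5-123123.iam.gserviceaccount.com"
MEMBER = f"serviceAccount:{CLUSTER_SA}"
SAMPLE_SECRET_POLICIES = {
    # Cluster service account absent from the policy: no access.
    "cc-project5-app-secret": {"bindings": [
        {"members": ["serviceAccount:123456789012@cloudservices.gserviceaccount.com"],
         "role": "roles/secretmanager.admin"}]},
    # Accessor granted, but only under an IAM condition.
    "cc-project5-db-password": {"bindings": [
        {"members": [MEMBER], "role": ACCESSOR,
         "condition": {"title": "temporary",
                       "expression": 'request.time < timestamp("2024-01-01T00:00:00Z")'}}]},
    # Read and write roles granted directly, as the remediation section does.
    "cc-readwrite-key": {"bindings": [
        {"members": [MEMBER], "role": ACCESSOR},
        {"members": [MEMBER], "role": VERSION_ADDER}]},
}
SAMPLE_PROJECT_POLICY = {"bindings": [{"members": ["user:admin@example.com"], "role": "roles/owner"}]}


def gcloud_json(*args: str):
    """Run `gcloud <args> --format=json` and parse the output (needs gcloud and credentials)."""
    done = subprocess.run(["gcloud", *args, "--format=json"], check=True, capture_output=True, text=True)
    return json.loads(done.stdout)


def audit_cluster_live(project_id: str, cluster: str, location: str) -> List[dict]:
    """The page's CLI steps 3 to 11 for one cluster, covering every node pool's service account."""
    project_number = gcloud_json("projects", "describe", project_id)["projectNumber"]
    info = gcloud_json("container", "clusters", "describe", cluster, "--location", location, "--project", project_id)
    members = {"serviceAccount:" + resolve_node_service_account(pool["config"].get("serviceAccount", "default"),
                                                                project_number) for pool in info["nodePools"]}
    project_policy = gcloud_json("projects", "get-iam-policy", project_id)
    secret_policies = {}
    for item in gcloud_json("secrets", "list", "--project", project_id):
        short_name = item["name"].rsplit("/", 1)[-1]  # name is projects/NUMBER/secrets/NAME
        secret_policies[short_name] = gcloud_json("secrets", "get-iam-policy", short_name, "--project", project_id)
    return [finding for member in sorted(members)
            for finding in audit_secrets(secret_policies, project_policy, member)]


if __name__ == "__main__":
    for finding in audit_secrets(SAMPLE_SECRET_POLICIES, SAMPLE_PROJECT_POLICY, MEMBER):
        print(json.dumps(finding))
```

Run it as-is to see the three constructed findings; call audit_cluster_live("cc-project5-123123", "cc-gke-backend-cluster", "us-central1") from a shell that is authenticated to gcloud to audit a real cluster. A finding with can_read false but a non-empty conditional_roles list is the case to investigate by hand, since whether the workload can actually read the secret depends on the condition expression.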
Remediation / Resolution
To ensure that your Google Kubernetes Engine (GKE) clusters can access and use Secret Manager secrets, perform the following operations:
Using GCP Console
01 Sign in to the Google Cloud Management Console.
02 Select the GCP project that you want to examine from the console top navigation bar.
03 Navigate to Secret Manager console available at https://console.cloud.google.com/security/secret-manager.
04 Choose CREATE SECRET to create a Secret Manager secret to be used with your GKE cluster.
05 On the Create secret setup page, provide the secret name, the secret value, configure the secret encryption, replication policy, set the secret rotation and expiration based on your application requirements, then choose CREATE SECRET to deploy your new Secret Manager secret.
06 On the secret details page, select the PERMISSIONS tab, choose VIEW BY PRINCIPALS, and select GRANT ACCESS.
07 On the Grant access panel for the new secret, perform the following actions:
- Paste the identifier (email address) of the service account associated with your GKE cluster in the New principals box.
- For Assign roles, choose the Secret Manager Secret Accessor role, which allows reading the secret payload. Add the Secret Manager Secret Version Adder role, which allows adding new versions to the existing secret, only if workloads on the cluster must write to the secret; read-only workloads should not hold it.
- Choose SAVE to apply the permission changes. Your Google Kubernetes Engine (GKE) cluster can now access the new Secret Manager secret.
08 Repeat steps no. 4 – 7 for each GKE cluster that you want to configure, created for the selected GCP project.
09 Repeat steps no. 2 – 8 for each GCP project available in your Google Cloud account.
Using GCP CLI
01 Run secrets create command (Windows/macOS/Linux) to create the Secret Manager secret to be used with your Google Kubernetes Engine (GKE) cluster. The --data-file flag reads the payload from a file (or from standard input with --data-file=-), so the secret value never appears in the command line or in shell history; delete the local file once the secret has been created:
gcloud secrets create cc-readwrite-key --project cc-project5-123123 --data-file=tmp/readwrite-key
02 The command output should return the name and the version number of the secret:
Created version [1] of the secret [cc-readwrite-key].
03 Run secrets add-iam-policy-binding command (Windows/macOS/Linux) to add an IAM policy binding to your new Secret Manager secret. This binding will assign the Secret Manager Secret Accessor role to the service account associated with your GKE cluster. The Secret Manager Secret Accessor role will allow the cluster to access the secret payload:
gcloud secrets add-iam-policy-binding cc-readwrite-key --member='serviceAccount:cc-backend-cluster-sa@cc-project5-123123.iam.gserviceaccount.com' --role='roles/secretmanager.secretAccessor'
04 The command output should return the secret IAM policy (YAML format):
Updated IAM policy for secret [cc-readwrite-key].
bindings:
- members:
  - serviceAccount:cc-backend-cluster-sa@cc-project5-123123.iam.gserviceaccount.com
  role: roles/secretmanager.secretAccessor
etag: abcd1234abcd
version: 1
05 If workloads on the cluster must also write new versions of the secret (for example, a rotation job), run secrets add-iam-policy-binding command (Windows/macOS/Linux) to add a second IAM policy binding to your secret. This binding will assign the Secret Manager Secret Version Adder role to the service account associated with your GKE cluster, which allows the cluster to add new versions to your secret. Skip this step for read-only workloads so that the service account keeps only the privilege it needs:
gcloud secrets add-iam-policy-binding cc-readwrite-key --member='serviceAccount:cc-backend-cluster-sa@cc-project5-123123.iam.gserviceaccount.com' --role='roles/secretmanager.secretVersionAdder'
06 The command output should return the updated IAM policy (YAML format):
Updated IAM policy for secret [cc-readwrite-key].
bindings:
- members:
  - serviceAccount:cc-backend-cluster-sa@cc-project5-123123.iam.gserviceaccount.com
  role: roles/secretmanager.secretAccessor
- members:
  - serviceAccount:cc-backend-cluster-sa@cc-project5-123123.iam.gserviceaccount.com
  role: roles/secretmanager.secretVersionAdder
etag: 1234abcd1234
version: 1
07 Repeat steps no. 1 – 6 for each GKE cluster that you want to configure, created for the selected GCP project.
08 Repeat steps no. 1 – 7 for each GCP project deployed in your Google Cloud account.
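Once the binding is in place, the workload side looks like the following. This is an added example, not code from the original page or from Google. It assumes the google-cloud-secret-manager package (pip install google-cloud-secret-manager) and that the identity the pod runs as, the node service account or a Workload Identity principal, holds roles/secretmanager.secretAccessor on the secret; inside GKE the client picks that identity up through Application Default Credentials, so no key file is mounted into the pod. The project and secret names are the page's sample values, and a constructed in-memory client is included so the logic runs offline. The checksum verification is the step a practitioner would add on top of the page's procedure: Secret Manager returns a CRC-32C of the payload, and comparing it catches a value corrupted in transit.

```python
"""Read a Secret Manager secret from a GKE pod and verify its checksum.
Added example; assumes google-cloud-secret-manager and a pod identity with secretAccessor."""
import os
from types import SimpleNamespace

try:
    from google.cloud import secretmanager  # real client, used only when installed
except ImportError:  # keep the example importable where the library is absent
    secretmanager = None


def crc32c(data: bytes) -> int:
    """CRC-32C (Castagnoli), the checksum Secret Manager returns as data_crc32c."""
    crc = 0xFFFFFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ (0x82F63B78 if crc & 1 else 0)
    return crc ^ 0xFFFFFFFF


def version_name(project: str, secret: str, version: str = "latest") -> str:
    """Full resource name of a secret version. Pin a numeric version for reproducible
    deploys; "latest" follows rotation automatically but changes under you."""
    return f"projects/{project}/secrets/{secret}/versions/{version}"


def access_secret(client, project: str, secret: str, version: str = "latest") -> bytes:
    """Fetch one secret version through `client` (a SecretManagerServiceClient or the
    offline stand-in below) and refuse a payload whose checksum does not match."""
    name = version_name(project, secret, version)
    response = client.access_secret_version(request={"name": name})
    payload = response.payload
    if payload.data_crc32c != crc32c(payload.data):
        raise ValueError(f"checksum mismatch for {name}; refusing corrupted payload")
    return payload.data


class FakeSecretManagerClient:
    """Constructed offline stand-in exposing the one method access_secret uses.
    The real client raises google.api_core.exceptions.PermissionDenied when the
    caller lacks secretmanager.versions.access on the secret."""

    def __init__(self, secrets: dict, corrupt: bool = False):
        self._secrets = secrets  # {resource name: payload bytes}
        self._corrupt = corrupt  # report a wrong checksum to simulate corruption

    def access_secret_version(self, request: dict):
        name = request["name"]
        if name not in self._secrets:
            raise PermissionError(f"no access to {name}")
        data = self._secrets[name]
        checksum = crc32c(data) ^ (1 if self._corrupt else 0)
        return SimpleNamespace(payload=SimpleNamespace(data=data, data_crc32c=checksum))


def new_client():
    """Real client when the library is installed, otherwise the offline stand-in
    seeded with the page's sample secret name and a constructed value."""
    if secretmanager is not None:
        return secretmanager.SecretManagerServiceClient()
    return FakeSecretManagerClient({
        version_name("cc-project5-123123", "cc-readwrite-key"): b"constructed-sample-value",
    })


if __name__ == "__main__":
    project = os.environ.get("GOOGLE_CLOUD_PROJECT", "cc-project5-123123")
    value = access_secret(new_client(), project, "cc-readwrite-key")
    print(f"fetched {len(value)} bytes")  # log the length, never the value itself
```

Without the library installed the script prints the length of the constructed sample; with it installed and running on a node (or under Workload Identity) whose identity holds the accessor role, the same call returns the real payload. Keep the returned bytes out of logs and environment dumps; the point of moving the secret to Secret Manager is lost if the workload copies it somewhere less protected.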