Created attachment 1866436: GCP SA console

Description of problem:

Customer wants to have some explanation about the following fact. The security team is highly concerned about this and has been waiting for answers for a year now.

"On GCP, the installer Service Account has a lot of permissions, as requested in the documentation. This Service Account creates other service accounts for the registry, the machine operator, the masters, etc. Why are all of these less privileged service accounts created with the "Service Account User" role? This permission allows for privilege escalation (allowing them to use the highly privileged installer account) and defeats the purpose of having dedicated service accounts for privilege separation."

In this BZ I am focusing on the image registry operator. Here you can see the hard-coded role assigned to the service account:

https://github.com/openshift/cluster-image-registry-operator/blob/release-4.6/manifests/01-registry-credentials-request-gcs.yaml#L17

Could you please explain why the Service Account User role is necessary? Is it expected?

I attach a screenshot of the service accounts in the customer's GCP console.

Regards,
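The following audit script is an added example for this report, not code from the operator or from the reporter. It parses the JSON produced by `gcloud projects get-iam-policy` and flags service accounts that hold roles/iam.serviceAccountUser (or roles/iam.serviceAccountTokenCreator) at project scope, since a project-level grant lets that account act as every other service account in the project, including the highly privileged installer one. The policy document, account names and project id are constructed placeholders, and the assumption that the CredentialsRequest roles end up as project-level bindings is exactly what the report asks to have confirmed.

```python
import json

# Constructed sample of `gcloud projects get-iam-policy PROJECT --format=json`.
# Account names and project id are placeholders, not values from the bug.
SAMPLE_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/owner",
         "members": ["serviceAccount:installer@example-proj.iam.gserviceaccount.com"]},
        {"role": "roles/storage.admin",
         "members": ["serviceAccount:image-registry@example-proj.iam.gserviceaccount.com"]},
        {"role": "roles/iam.serviceAccountUser",
         "members": ["serviceAccount:image-registry@example-proj.iam.gserviceaccount.com",
                     "serviceAccount:machine-api@example-proj.iam.gserviceaccount.com"]},
        {"role": "roles/compute.admin",
         "members": ["serviceAccount:machine-api@example-proj.iam.gserviceaccount.com"]},
    ],
    "etag": "BwXyZ=", "version": 1,
})

# Roles that let a principal act as (or mint tokens for) other service accounts.
ACT_AS_ROLES = {"roles/iam.serviceAccountUser", "roles/iam.serviceAccountTokenCreator"}
# Roles that make the reachable account worth flagging as an escalation target.
HIGH_PRIV_ROLES = {"roles/owner", "roles/editor"}

def find_project_level_actas(policy_json):
    """Return {member: {"roles": [...], "can_act_as_privileged": [...]}} for every
    service account holding an act-as role on the whole project (assumed scope)."""
    policy = json.loads(policy_json)
    roles_by_member = {}
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            roles_by_member.setdefault(member, set()).add(binding["role"])
    sa_members = [m for m in roles_by_member if m.startswith("serviceAccount:")]
    findings = {}
    for member in sa_members:
        actas = roles_by_member[member] & ACT_AS_ROLES
        if not actas:
            continue
        # A project-level act-as grant covers every SA in the project, so any
        # other SA with owner/editor is a privilege-separation failure to report.
        targets = sorted(t for t in sa_members
                         if t != member and roles_by_member[t] & HIGH_PRIV_ROLES)
        findings[member] = {"roles": sorted(actas), "can_act_as_privileged": targets}
    return findings

if __name__ == "__main__":
    for member, finding in find_project_level_actas(SAMPLE_POLICY).items():
        print(f"{member}: {', '.join(finding['roles'])} -> {finding['can_act_as_privileged']}")
```

The remediation this check points at is scoping the act-as grant to the specific service account resource (an IAM binding on that service account) rather than the project, so that a registry or machine-operator account cannot reach the installer account.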
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Important: OpenShift Container Platform 4.13.0 security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2023:1326