
Bug 2065166

Summary: GCP - Less privileged service accounts are created with Service Account User role
Product: OpenShift Container Platform
Reporter: alegros
Component: Image Registry
Assignee: Oleg Bulatov <obulatov>
Status: CLOSED ERRATA
QA Contact: XiuJuan Wang <xiuwang>
Severity: medium
Priority: medium
Version: 4.6
CC: aos-bugs
Target Release: 4.13.0
Hardware: Unspecified
OS: Unspecified
Last Closed: 2023-05-17 22:46:32 UTC
Type: Bug
Attachments: GCP SA console

Description alegros 2022-03-17 12:45:24 UTC
Created attachment 1866436: GCP SA console

Description of problem:

Customer wants to have some explanation about the following fact. The security team is highly concerned about this and has been waiting for answers for a year now.

"On GCP, the installer Service Account has a lot of permissions, as requested in the documentation. This Service Account creates other service accounts for the registry, the machine operator, the masters, etc.

Why are all of these less privileged service accounts created with the "Service Account User" role? This permission allows for privilege escalation (allowing them to use the highly privileged installer account) and defeats the purpose of having dedicated service accounts for privilege separation."

In this BZ I am focusing on the image registry operator. Here you can see the hard-coded role assigned to the service account: https://github.com/openshift/cluster-image-registry-operator/blob/release-4.6/manifests/01-registry-credentials-request-gcs.yaml#L17

Could you please explain why the Service Account User role is necessary? Is it expected?

I attach a screenshot of the service accounts in the customer's GCP console.

Regards,
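As an added example (not part of the bug report or the operator's code), the check a reviewer would run to confirm the concern above: walk a project IAM policy and pair every service account holding roles/iam.serviceAccountUser (the GCP identifier for the "Service Account User" role the reporter refers to) with the more privileged service accounts it can act as. The policy below is a constructed stand-in for `gcloud projects get-iam-policy PROJECT --format=json`; the project id and e-mail addresses are placeholders.

```python
import json

SA_USER_ROLE = "roles/iam.serviceAccountUser"
# Roles treated as "highly privileged" for this audit; extend to match the installer's grants.
PRIVILEGED_ROLES = {"roles/owner", "roles/editor"}

# Constructed sample policy (placeholder project and e-mails, not real values).
SAMPLE_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/owner",
         "members": ["serviceAccount:installer@example-project.iam.gserviceaccount.com"]},
        {"role": "roles/storage.admin",
         "members": ["serviceAccount:registry@example-project.iam.gserviceaccount.com"]},
        {"role": SA_USER_ROLE,
         "members": ["serviceAccount:registry@example-project.iam.gserviceaccount.com",
                     "serviceAccount:machine-api@example-project.iam.gserviceaccount.com",
                     "user:admin@example.com"]},
    ]
})


def _service_accounts(binding):
    """Service-account e-mails in one binding; users and groups are ignored."""
    return {m.split(":", 1)[1] for m in binding.get("members", [])
            if m.startswith("serviceAccount:")}


def service_accounts_with_sa_user(policy_json):
    """Service accounts granted Service Account User at project level.

    A project-level grant of this role allows the member to act as every
    service account in the project, not just the ones it was created for.
    """
    policy = json.loads(policy_json)
    found = set()
    for binding in policy.get("bindings", []):
        if binding.get("role") == SA_USER_ROLE:
            found |= _service_accounts(binding)
    return sorted(found)


def escalation_paths(policy_json):
    """(lower-privileged SA, privileged SA) pairs where the first can act as the second."""
    policy = json.loads(policy_json)
    sa_users, privileged = set(), set()
    for binding in policy.get("bindings", []):
        if binding.get("role") == SA_USER_ROLE:
            sa_users |= _service_accounts(binding)
        elif binding.get("role") in PRIVILEGED_ROLES:
            privileged |= _service_accounts(binding)
    return sorted((low, high) for low in sa_users for high in privileged if low != high)
```

An empty result from `escalation_paths` is the state the reporter asks for: each operator's service account keeps only the roles it needs, and none of them can act as the installer account.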

Comment 6 errata-xmlrpc 2023-05-17 22:46:32 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Important: OpenShift Container Platform 4.13.0 security update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2023:1326