Restricting openshift-image-registry IAM User Permissions in AWS for OCP 4.x

Solution Unverified

Issue

The default inline policy attached to the openshift-image-registry IAM user, shown below, is more permissive than the registry needs once the cluster is installed.

The policy:

  • Grants every S3 action on Resource "*" (any bucket in the account) when, once the registry bucket has been created during installation, most of those actions could be scoped to that bucket and its objects instead
  • Includes actions that are only needed while the cluster is being installed and could be removed afterwards

This is a security concern because it does not follow the principle of least privilege: with Resource "*", the registry credentials can list, read, write and delete objects in any bucket in the account, not only the registry bucket.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:CreateBucket",
                "s3:DeleteBucket",
                "s3:PutBucketTagging",
                "s3:GetBucketTagging",
                "s3:PutBucketPublicAccessBlock",
                "s3:GetBucketPublicAccessBlock",
                "s3:PutEncryptionConfiguration",
                "s3:GetEncryptionConfiguration",
                "s3:PutLifecycleConfiguration",
                "s3:GetLifecycleConfiguration",
                "s3:GetBucketLocation",
                "s3:ListBucket",
                "s3:HeadBucket",
                "s3:GetObject",
                "s3:PutObject",
                "s3:DeleteObject",
                "s3:ListBucketMultipartUploads",
                "s3:AbortMultipartUpload"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:GetUser"
            ],
            "Resource": "<registry-user-arn>"
        }
    ]
}

Caveat

The policy attached to the openshift-image-registry IAM user is managed by the openshift-image-registry cluster operator.

This is important to note because:

  1. The policy cannot be changed through the operator: doing so requires setting the operator to Unmanaged, which is an unsupported configuration.

  2. The policy must not be edited directly in AWS either, because the operator will either revert the change or behave in unexpected and undesired ways.
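The Issue section above draws a distinction between actions that authorise against the bucket ARN and actions that authorise against object ARNs, and between install-time and steady-state actions. The script below, an added illustration that is not Red Hat code or part of this article, makes that distinction concrete: it audits the default policy for statements on Resource "*" and derives the bucket-scoped equivalent for comparison. The bucket name "my-registry-bucket" is a placeholder, the choice to drop s3:CreateBucket is an assumption the article does not make (it only says some actions could be removed), and the bucket-level / object-level split follows the S3 service authorization reference, with s3:HeadBucket treated as bucket-level. Given the Caveat above, the derived policy is for review and comparison, not for attaching in place of the operator-managed one.

```python
"""Audit the openshift-image-registry inline policy for wildcard resources and
derive a bucket-scoped equivalent.  Added illustration, not Red Hat code."""
import copy
import json

# The default inline policy as reproduced in the article.
DEFAULT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:CreateBucket", "s3:DeleteBucket",
                "s3:PutBucketTagging", "s3:GetBucketTagging",
                "s3:PutBucketPublicAccessBlock", "s3:GetBucketPublicAccessBlock",
                "s3:PutEncryptionConfiguration", "s3:GetEncryptionConfiguration",
                "s3:PutLifecycleConfiguration", "s3:GetLifecycleConfiguration",
                "s3:GetBucketLocation", "s3:ListBucket", "s3:HeadBucket",
                "s3:GetObject", "s3:PutObject", "s3:DeleteObject",
                "s3:ListBucketMultipartUploads", "s3:AbortMultipartUpload",
            ],
            "Resource": "*",
        },
        {"Effect": "Allow", "Action": ["iam:GetUser"], "Resource": "<registry-user-arn>"},
    ],
}

# Actions that authorise against arn:aws:s3:::<bucket> versus arn:aws:s3:::<bucket>/*
# (per the S3 service authorization reference; s3:HeadBucket treated as bucket-level).
BUCKET_LEVEL = {
    "s3:CreateBucket", "s3:DeleteBucket", "s3:PutBucketTagging", "s3:GetBucketTagging",
    "s3:PutBucketPublicAccessBlock", "s3:GetBucketPublicAccessBlock",
    "s3:PutEncryptionConfiguration", "s3:GetEncryptionConfiguration",
    "s3:PutLifecycleConfiguration", "s3:GetLifecycleConfiguration",
    "s3:GetBucketLocation", "s3:ListBucket", "s3:HeadBucket", "s3:ListBucketMultipartUploads",
}
OBJECT_LEVEL = {"s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:AbortMultipartUpload"}


def _as_list(value):
    # IAM allows a single string or a list for Action and Resource.
    return value if isinstance(value, list) else [value]


def wildcard_statements(policy):
    """Return the Allow statements whose Resource is the unscoped wildcard "*"."""
    return [s for s in policy["Statement"]
            if s.get("Effect") == "Allow" and "*" in _as_list(s.get("Resource", []))]


def scope_to_bucket(policy, bucket, drop_actions=frozenset()):
    """Rewrite every all-S3 Allow statement on "*" into two statements, one on the
    bucket ARN and one on the objects ARN.  Other statements are copied unchanged.
    Actions in drop_actions are removed everywhere; an S3 action whose resource
    level is not known raises instead of being silently left on "*"."""
    scoped = {"Version": policy["Version"], "Statement": []}
    for stmt in policy["Statement"]:
        actions = [a for a in _as_list(stmt["Action"]) if a not in drop_actions]
        is_s3_wildcard = (stmt.get("Effect") == "Allow"
                          and "*" in _as_list(stmt["Resource"])
                          and all(a.startswith("s3:") for a in actions))
        if not is_s3_wildcard:
            kept = copy.deepcopy(stmt)
            kept["Action"] = actions
            scoped["Statement"].append(kept)
            continue
        unknown = [a for a in actions if a not in BUCKET_LEVEL | OBJECT_LEVEL]
        if unknown:
            raise ValueError(f"cannot scope S3 actions of unknown resource level: {unknown}")
        bucket_actions = [a for a in actions if a in BUCKET_LEVEL]
        object_actions = [a for a in actions if a in OBJECT_LEVEL]
        if bucket_actions:
            scoped["Statement"].append({"Effect": "Allow", "Action": bucket_actions,
                                        "Resource": f"arn:aws:s3:::{bucket}"})
        if object_actions:
            scoped["Statement"].append({"Effect": "Allow", "Action": object_actions,
                                        "Resource": f"arn:aws:s3:::{bucket}/*"})
    return scoped


if __name__ == "__main__":
    print(f"statements on Resource '*': {len(wildcard_statements(DEFAULT_POLICY))}")
    # Placeholder bucket name; dropping s3:CreateBucket is an assumption, not from the article.
    tightened = scope_to_bucket(DEFAULT_POLICY, "my-registry-bucket",
                                drop_actions={"s3:CreateBucket"})
    print(json.dumps(tightened, indent=2))
```

Run it with the real bucket name from the registry operator's config (`oc get configs.imageregistry.operator.openshift.io cluster -o yaml`, under spec.storage.s3.bucket) to see how far the default policy exceeds what the registry actually touches; the deliberate ValueError on an unrecognised S3 action stops the rewrite from quietly leaving a new action on "*".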

Environment

Red Hat OpenShift Container Platform (OCP) 4.2
Red Hat OpenShift Container Platform (OCP) 4.3
AWS (Amazon Web Services)
