
Security Concerns: GKE_RUN_AS_NONROOT and GKE_PRIVILEGE_ESCALATION Findings in Google Composer Manag

We have received two findings in the Security Command Center (SCC) for our Google Composer environment, which is managed by Google. Since we do not have control over the deployment manifests, we are unable to modify configurations to address these security findings. The details are as follows:

1. GKE_RUN_AS_NONROOT:

* Description: Containers are configured to allow root user access. Running containers as root increases the risk of container escape.

* Affected Components: Airflow components in Composer, including airflow-worker, airflow-scheduler, airflow-triggerer, airflow-webserver, and airflow-database-init-job.

* Recommended Next Steps from SCC: Modify manifests to set runAsNonRoot to true.

2. GKE_PRIVILEGE_ESCALATION:

* Description: Certain containers allow privilege escalation, which can increase the risk of unauthorized access or control.

* Affected Components: The same Composer-managed Airflow components.

* Recommended Next Steps from SCC: Modify manifests to set allowPrivilegeEscalation to false.

Request for Assistance:

Since these deployments are managed, we would like guidance on how to address these security concerns. Please advise if Google has a mitigation plan or can provide alternative recommendations for managed Composer environments.
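The two findings in the question map to two fields of the Kubernetes pod `securityContext`: `runAsNonRoot` (settable at pod or container level, with the container value overriding) and `allowPrivilegeEscalation` (container level only). The script below is an added example, not SCC's checker and not Composer code: it reads a pod list in the JSON shape `kubectl get pods -o json` produces, reports each container that lacks `runAsNonRoot: true` or `allowPrivilegeEscalation: false` (the exact remediation text in the findings), and shows what the hardened `securityContext` looks like. The pod and container names, namespace and image references are constructed placeholders, not values from a real Composer environment.

```python
"""Audit pod specs for the settings behind the SCC findings
GKE_RUN_AS_NONROOT and GKE_PRIVILEGE_ESCALATION.

Added example: this models the remediation text of the two findings
(runAsNonRoot must be true, allowPrivilegeEscalation must be false);
it is not SCC's own evaluation logic. Sample data below is constructed.
"""
import copy
import json

# Constructed sample in the shape of `kubectl get pods -o json`.
# Names and images are placeholders, not real Composer objects.
SAMPLE_PODS_JSON = r'''
{
  "items": [
    {
      "metadata": {"name": "airflow-worker-abc12", "namespace": "composer-placeholder"},
      "spec": {
        "containers": [
          {"name": "airflow-worker", "image": "placeholder/airflow:example"}
        ]
      }
    },
    {
      "metadata": {"name": "airflow-scheduler-def34", "namespace": "composer-placeholder"},
      "spec": {
        "securityContext": {"runAsNonRoot": true},
        "containers": [
          {"name": "airflow-scheduler",
           "image": "placeholder/airflow:example",
           "securityContext": {"allowPrivilegeEscalation": false}},
          {"name": "sidecar",
           "image": "placeholder/sidecar:example",
           "securityContext": {"runAsNonRoot": false, "allowPrivilegeEscalation": true}}
        ]
      }
    }
  ]
}
'''


def load_sample_pods():
    """Parse the constructed pod list (stands in for real kubectl output)."""
    return json.loads(SAMPLE_PODS_JSON)


def effective_run_as_nonroot(pod_spec, container):
    """Container-level runAsNonRoot overrides the pod-level value.

    Returns True, False, or None when neither level sets it. Note that a
    non-zero runAsUser alone is not treated as equivalent here: only
    runAsNonRoot=true makes the kubelet refuse to start a root container.
    """
    container_ctx = container.get("securityContext") or {}
    if "runAsNonRoot" in container_ctx:
        return container_ctx["runAsNonRoot"]
    pod_ctx = pod_spec.get("securityContext") or {}
    return pod_ctx.get("runAsNonRoot")


def audit_pod_list(pod_list):
    """Return (pod, container, finding) tuples for every container that
    fails either check. Init containers are included because the
    airflow-database-init-job in the question runs as one-off pods too."""
    findings = []
    for pod in pod_list.get("items", []):
        pod_name = pod["metadata"]["name"]
        spec = pod["spec"]
        for container in spec.get("containers", []) + spec.get("initContainers", []):
            if effective_run_as_nonroot(spec, container) is not True:
                findings.append((pod_name, container["name"], "GKE_RUN_AS_NONROOT"))
            # allowPrivilegeEscalation exists only at container level.
            container_ctx = container.get("securityContext") or {}
            if container_ctx.get("allowPrivilegeEscalation") is not False:
                findings.append((pod_name, container["name"], "GKE_PRIVILEGE_ESCALATION"))
    return findings


def harden_pod_list(pod_list):
    """Return a deep copy where every container carries the two explicit
    settings the SCC findings recommend. This is what a manifest owner
    would apply; on managed Composer the manifests are Google's, so the
    function only illustrates the target state."""
    hardened = copy.deepcopy(pod_list)
    for pod in hardened.get("items", []):
        spec = pod["spec"]
        for container in spec.get("containers", []) + spec.get("initContainers", []):
            ctx = container.setdefault("securityContext", {})
            ctx["runAsNonRoot"] = True
            ctx["allowPrivilegeEscalation"] = False
    return hardened


if __name__ == "__main__":
    pods = load_sample_pods()
    for pod_name, container_name, finding in audit_pod_list(pods):
        print(f"{finding}: pod={pod_name} container={container_name}")
    print("after hardening:", audit_pod_list(harden_pod_list(pods)))
```

Run against real data by replacing `load_sample_pods()` with `json.load(open("pods.json"))`, where `pods.json` is the output of `kubectl get pods --all-namespaces -o json` from a cluster you have read access to. The audit is useful even when you cannot change the manifests: it gives you an independent inventory of which containers SCC will keep flagging, so the support ticket can list them precisely and you can confirm when a Composer update clears them.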

1 ACCEPTED SOLUTION

Hi @karol_ursa,

Welcome to Google Cloud Community!

Given that Google Composer is a fully managed service, addressing these findings directly within your environment isn’t feasible. Here are some recommendations to move forward:

  1. Contact Google Cloud Support: Since you can’t modify the manifests yourself, reaching out to Google Cloud Support is your best option. They can provide guidance on Composer’s security roadmap and confirm if updates are planned to address these findings.
  2. Enable Workload Identity (if not already enabled): This improves security by allowing Composer workloads to use service accounts securely. You may need Google Support to help set it up.
  3. Limit Network Access: Set firewall rules or use private service access for Composer to reduce exposure.
  4. Review SCC and IAM Policies: Ensure Composer roles follow least-privilege principles by auditing and limiting permissions to only what's essential.

Implementing these security measures may reduce some risk factors while awaiting Google’s action on these findings in their managed Composer environment.

I hope the above information is helpful.

Thank you @greb! I will proceed as you recommended.
