This repository contains onboarding instructions for clients of the Darkbit Managed CSP Service. The steps below enable the Darkbit team and/or managed service to collect the necessary data from your GCP environment and, optionally, your GKE clusters.

There are two main points of collection: the GCP Cloud Asset Inventory and the Kubernetes resources inside each GKE cluster. To collect the Cloud Asset Inventory, Darkbit will provide you with a dedicated service account (email) that you grant access at your organization level with a single IAM binding. Exporting resources from GKE clusters involves deploying a CronJob inside each cluster; the permissions it needs are granted via Workload Identity so that it can export the resources to a pre-provisioned GCS bucket provided by Darkbit.
## Prerequisites

- `resourcemanager.organization.setIamPolicy` at the org level
- `iam.serviceAccounts.create` and `iam.serviceAccounts.setIamPolicy` in each GKE project
- Each GKE cluster must be running Workload Identity.
- `roles/container.admin` or `cluster-admin` via RBAC in each GKE cluster
To get started, choose whether you want to follow the manual or the Terraform approach.

Skip these instructions if you plan to leverage the Terraform instructions below.

## Manual GCP Cloud Asset Inventory

1. Get your GCP Organization number:

   ```shell
   gcloud organizations list --format 'value(DISPLAY_NAME,ID)'
   ```

2. Set the `ORG_ID` env variable:

   ```shell
   export ORG_ID="111122223333"
   ```

3. Set the `COLLECTION_SA` env variable:

   ```shell
   export COLLECTION_SA="<collection SA email provided>"
   ```

4. Grant the provided GCP service account the `Cloud Asset Viewer` role at the Organization level:

   ```shell
   gcloud organizations add-iam-policy-binding "${ORG_ID}" \
     --member="serviceAccount:${COLLECTION_SA}" \
     --role="roles/cloudasset.viewer"
   ```
## Manual GKE Project

1. Set the `PROJECT_ID` env variable:

   ```shell
   export PROJECT_ID="my-project-id"
   ```

2. Ensure you are configured in the correct GKE Project:

   ```shell
   gcloud config set project "${PROJECT_ID}"
   ```

3. Create the GCP ServiceAccount:

   ```shell
   gcloud iam service-accounts create darkbit-gke-exporter \
     --description="Darkbit GKE Resource Exporter SA using Workload Identity" \
     --display-name="Darkbit GKE Exporter"
   ```

4. Bind the GCP SA to the Kubernetes ServiceAccount `darkbit/darkbit` for Workload Identity integration:

   ```shell
   gcloud iam service-accounts add-iam-policy-binding \
     "darkbit-gke-exporter@${PROJECT_ID}.iam.gserviceaccount.com" \
     --member="serviceAccount:${PROJECT_ID}.svc.id.goog[darkbit/darkbit]" \
     --role="roles/iam.workloadIdentityUser"
   ```

5. Print the GCP SA:

   ```shell
   echo "darkbit-gke-exporter@${PROJECT_ID}.iam.gserviceaccount.com"
   ```
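The two bindings above are the whole trust relationship between your organization and the collector, so it is worth re-checking them after onboarding (and periodically) to confirm nothing broader has crept in. The following is an added example, not part of this repository: it reviews the org-level policy and the exporter SA's policy for least privilege. The policy dicts, emails and project ID are constructed; they follow the `bindings`/`etag` shape that `gcloud organizations get-iam-policy` and `gcloud iam service-accounts get-iam-policy` return with `--format=json`.

```python
"""Least-privilege review of the IAM bindings created by the onboarding steps.
Added example, not part of the Darkbit repository; the policy dicts are constructed
to mirror `gcloud ... get-iam-policy --format=json` output (bindings + etag)."""

def roles_for_member(policy, member):
    """All roles that `member` holds anywhere in `policy`."""
    return {b["role"] for b in policy.get("bindings", []) if member in b.get("members", [])}

def check_collection_sa(org_policy, collection_sa):
    """The collection SA should hold roles/cloudasset.viewer at the org, and nothing else."""
    roles = roles_for_member(org_policy, f"serviceAccount:{collection_sa}")
    findings = [f"collection SA holds unexpected role {r}" for r in sorted(roles - {"roles/cloudasset.viewer"})]
    if "roles/cloudasset.viewer" not in roles:
        findings.append("collection SA is missing roles/cloudasset.viewer")
    return findings

def check_exporter_sa(sa_policy, project_id, namespace, ksa):
    """Only the named KSA may act as the exporter SA, and only through Workload Identity."""
    expected = f"serviceAccount:{project_id}.svc.id.goog[{namespace}/{ksa}]"
    findings, wi_members = [], set()
    for b in sa_policy.get("bindings", []):
        if b["role"] == "roles/iam.workloadIdentityUser":
            wi_members.update(b.get("members", []))
        else:  # e.g. serviceAccountTokenCreator would let other principals mint tokens for the SA
            findings.append(f"exporter SA has non-Workload-Identity binding {b['role']}")
    if expected not in wi_members:
        findings.append(f"missing workloadIdentityUser binding for {expected}")
    findings += [f"unexpected workloadIdentityUser member {m}" for m in sorted(wi_members - {expected})]
    return findings

# Constructed samples: the org policy is as the steps above leave it; the exporter
# SA policy has drifted (a second KSA and a token-creator grant were added later).
ORG_POLICY = {"bindings": [
    {"role": "roles/cloudasset.viewer",
     "members": ["serviceAccount:collector@example-darkbit.iam.gserviceaccount.com"]},
    {"role": "roles/resourcemanager.organizationAdmin", "members": ["user:admin@example.com"]},
], "etag": "BwXconstructed="}
EXPORTER_SA_POLICY = {"bindings": [
    {"role": "roles/iam.workloadIdentityUser", "members": [
        "serviceAccount:my-project-id.svc.id.goog[darkbit/darkbit]",
        "serviceAccount:my-project-id.svc.id.goog[default/default]"]},
    {"role": "roles/iam.serviceAccountTokenCreator", "members": ["user:dev@example.com"]},
], "etag": "BwXconstructed="}

if __name__ == "__main__":
    for f in (check_collection_sa(ORG_POLICY, "collector@example-darkbit.iam.gserviceaccount.com")
              + check_exporter_sa(EXPORTER_SA_POLICY, "my-project-id", "darkbit", "darkbit")):
        print("FINDING:", f)
```

Feed the script the real policies (`gcloud ... get-iam-policy --format=json | python -c ...` or a saved file) and treat any finding as a deviation from the runbook to investigate.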
Skip these instructions if you have performed the steps above manually.

## Terraform GCP Cloud Asset Inventory

Follow the instructions here to implement collection of the GCP Cloud Asset Inventory at the Organization level.

## Terraform GKE Project

Follow the instructions here in each GCP Project where GKE Clusters are present.
If you followed either the manual or Terraform instructions above, you now need to perform these steps:

- Ensure you are `cluster-admin` or have `roles/container.admin` (Kubernetes Engine Admin).
- Ensure you have a valid kubeconfig/context pointing at the desired GKE cluster.
- Follow the instructions here for each GKE cluster.
This repository is maintained by Darkbit.io, a cloud-native security assessment consulting firm based in the US that helps organizations understand the risks in their cloud and Kubernetes resource configurations. If you have found an issue, please file it using a GitHub issue.