gke/ERR/2021_001 & gke/ERR/2021_002 are using old recommendations

[m3adow]

gke/ERR/2021_001 is checking if GKE node service accounts have a role binding for roles/logging.logWriter, gke/ERR/2021_002 is doing the same for roles/monitoring.metricWriter. The referenced hardening guide used the roles/container.defaultNodeServiceAccount role which is sufficient.

In my opinion the rules should either check for the specific permissions or they should be consolidated into one rule checking for the permissions of the roles/container.defaultNodeServiceAccount role.

I would be willing to work on the changes, just need a hint which direction to go.

[ebenezergraham]

Thank you for highlighting this enhancement. Please implement a new rule to merge gke/ERR/2021_001 & gke/ERR/2021_002 we can deprecate gke/ERR/2021_001 & gke/ERR/2021_002 in later releases if required.

The new rule should verify that the GKE node's service account possesses permissions present in roles/container.defaultNodeServiceAccount

This approach should cover cases where service has roles such as roles/logging.logWriter, roles/monitoring.metricWriter, roles/container.defaultNodeServiceAccount, custom roles etc with equivalent recommended permissions.