RFE: Make GCE and AWS EC2 images public #191
Comments
I can't easily/safely fix this using our automation workflows for GCE because it involves granting far too permissive IAM access to the service account. Since every PR potentially publishes new images, it's simply too large of an attack vector for me to open. AWS Images OTOH are much easier to make public, since all I need to do is remove some metadata we set with Packer. The AWS images are substantially identical to the GCP ones, at least for Fedora.
Fixes: containers#191

On at least two occasions I can remember, users outside the containers-team have requested access to our CI VM images. Unfortunately doing this for the GCE images has some security-interest conflicts with our build automation. However, making the AWS AMIs public is rather easy to do. In fact it's the default unless they are specifically locked down. Simply remove the private restrictions and allow access to `"all"` AWS groups.

Signed-off-by: Chris Evich <cevich@redhat.com>
Closing as "can't fix". Opening up the GCP images requires relaxing build-time security posture more than I'm willing. Opening up AWS images will swiftly run into their "max 5 public AMIs" limit.
There's no secret-sauce in our VM images. However, keeping them private excludes the community from utilizing the images for auxiliary purposes. For example, leveraging GCE `compute_engine_instance` in their own Cirrus-CI setup.

Making images public in GCE requires a `gcloud` command; it cannot be done in packer. OTOH, making our AWS EC2 images public is just a change to the packer templates.

Thanks to @n1hility for the suggestion and for pointing this out.