
Regression: core-landing-zone v0.3.2 has an IAMPartialPolicy:security-log-bucket-writer-permissions has an unmet LoggingLogSink dependency #586

Open
obriensystems opened this issue Oct 21, 2023 · 2 comments
Labels: developer-experience, documentation (Improvements or additions to documentation), fortinet, regression

Comments

@obriensystems (Collaborator)

obriensystems commented Oct 21, 2023

No direct changes to the package since it last worked 60 days ago - revisiting values.yaml edits
Reference #446
https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/blob/main/solutions/core-landing-zone/org/org-sink.yaml#L18
https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/blob/main/solutions/core-landing-zone/lz-folder/audits/logging-project/project-iam.yaml#L20

related to #584
automation: https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/blob/gh446-hub/solutions/setup.sh#L236

before
root_@cloudshell:~/kcc-kls/lz-20230803 (kcc-kls-cluster3)$ kubectl get gcp -n projects
NAME                                                                              AGE   READY   STATUS     STATUS AGE
iamauditconfig.iam.cnrm.cloud.google.com/logging-project-data-access-log-config   67d   True    UpToDate   67d

NAME                                                                                                                   AGE   READY   STATUS     STATUS AGE
iampartialpolicy.iam.cnrm.cloud.google.com/mgmt-project-cluster-platform-and-component-log-bucket-writer-permissions   67d   True    UpToDate   67d
iampartialpolicy.iam.cnrm.cloud.google.com/platform-and-component-services-infra-log-bucket-writer-permissions         67d   True    UpToDate   67d
iampartialpolicy.iam.cnrm.cloud.google.com/platform-and-component-services-log-bucket-writer-permissions               67d   True    UpToDate   67d
iampartialpolicy.iam.cnrm.cloud.google.com/security-log-bucket-writer-permissions                                      67d   True    UpToDate   67d

NAME                                                                AGE   READY   STATUS     STATUS AGE
project.resourcemanager.cnrm.cloud.google.com/logging-project-kls   68d   True    UpToDate   17h

latest 0.3.2
michael@cloudshell:~/kcc-oi/kpt (kcc-oi-629)$ kubectl get gcp -n projects
NAME                                                                              AGE     READY   STATUS     STATUS AGE
iamauditconfig.iam.cnrm.cloud.google.com/logging-project-data-access-log-config   5h32m   True    UpToDate   5h32m

NAME                                                                                                                   AGE     READY   STATUS               STATUS AGE
iampartialpolicy.iam.cnrm.cloud.google.com/mgmt-project-cluster-platform-and-component-log-bucket-writer-permissions   5h32m   False   DependencyNotFound   5h32m
iampartialpolicy.iam.cnrm.cloud.google.com/platform-and-component-services-infra-log-bucket-writer-permissions         5h32m   False   DependencyNotFound   5h32m
iampartialpolicy.iam.cnrm.cloud.google.com/platform-and-component-services-log-bucket-writer-permissions               5h32m   False   DependencyNotFound   5h32m
iampartialpolicy.iam.cnrm.cloud.google.com/security-log-bucket-writer-permissions                                      5h32m   False   DependencyNotFound   5h32m

NAME                                                               AGE     READY   STATUS     STATUS AGE
project.resourcemanager.cnrm.cloud.google.com/dns-project-oi       5h32m   True    UpToDate   5h31m
project.resourcemanager.cnrm.cloud.google.com/logging-project-oi   5h34m   True    UpToDate   5h32m

michael@cloudshell:~/kcc-oi/kpt (kcc-oi-629)$ kubectl describe iampartialpolicy.iam.cnrm.cloud.google.com/security-log-bucket-writer-permissions -n projects
Name:         security-log-bucket-writer-permissions
Namespace:    projects
Labels:       <none>
Annotations:  cnrm.cloud.google.com/blueprint: kpt-pkg-fn-live
              config.k8s.io/owning-inventory: 19949defd55b6056ef347db3476403624fa08e71-1697900104974084255
              config.kubernetes.io/depends-on: resourcemanager.cnrm.cloud.google.com/namespaces/projects/Project/logging-project-oi
              internal.kpt.dev/upstream-identifier: iam.cnrm.cloud.google.com|IAMPartialPolicy|projects|security-log-bucket-writer-permissions
API Version:  iam.cnrm.cloud.google.com/v1beta1
Kind:         IAMPartialPolicy
Metadata:
  Creation Timestamp:  2023-10-21T14:58:10Z
  Generation:          1
  Resource Version:    61577
  UID:                 b4c6e982-c0b2-48d5-8699-bc62ce249673
Spec:
  Bindings:
    Members:
      Member From:
        Log Sink Ref:
          Name:       logging-project-oi-security-sink
          Namespace:  logging
    Role:             roles/logging.bucketWriter
  Resource Ref:
    API Version:  resourcemanager.cnrm.cloud.google.com/v1beta1
    Kind:         Project
    Name:         logging-project-oi
    Namespace:    projects
Status:
  Conditions:
    Last Transition Time:  2023-10-21T14:58:11Z
    Message:               reference LoggingLogSink logging/logging-project-oi-security-sink is not found
    Reason:                DependencyNotFound
    Status:                False
    Type:                  Ready
  Observed Generation:     1
Events:
  Type     Reason              Age                   From                         Message
  ----     ------              ----                  ----                         -------
  Warning  DependencyNotFound  71s (x35 over 5h35m)  iampartialpolicy-controller  reference LoggingLogSink logging/logging-project-oi-security-sink is not found
the sink is there though
@obriensystems (Collaborator, Author) commented

reran a clean install on a clean org using the script in
this is v0.3.2 not main
https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/blob/gh446-hub/solutions/setup.sh
#446
generated setters version
#446 (comment)
results

root_@cloudshell:~/pdt-ls/obriensystems/pubsec-declarative-toolkit/solutions (kcc-boot-ls-8704)$ kubens config-control
Context "gke_kcc-boot-ls-8704_northamerica-northeast1_krmapihost-kcc-oi4" modified.
Active namespace is "config-control".
root_@cloudshell:~/pdt-ls/obriensystems/pubsec-declarative-toolkit/solutions (kcc-boot-ls-8704)$ kubectl get gcp
NAME                                                                AGE   READY   STATUS     STATUS AGE
iamcustomrole.iam.cnrm.cloud.google.com/gke-firewall-admin          31m   True    UpToDate   31m
iamcustomrole.iam.cnrm.cloud.google.com/tier2-dnsrecord-admin       31m   True    UpToDate   31m
iamcustomrole.iam.cnrm.cloud.google.com/tier2-vpcpeering-admin      31m   True    UpToDate   31m
iamcustomrole.iam.cnrm.cloud.google.com/tier3-dnsrecord-admin       31m   True    UpToDate   31m
iamcustomrole.iam.cnrm.cloud.google.com/tier3-firewallrule-admin    31m   True    UpToDate   31m
iamcustomrole.iam.cnrm.cloud.google.com/tier3-subnetwork-admin      31m   True    UpToDate   31m
iamcustomrole.iam.cnrm.cloud.google.com/tier3-vpcsc-admin           31m   True    UpToDate   31m
iamcustomrole.iam.cnrm.cloud.google.com/tier4-secretmanager-admin   31m   True    UpToDate   31m

NAME                                                                                       AGE   READY   STATUS     STATUS AGE
iampartialpolicy.iam.cnrm.cloud.google.com/gatekeeper-admin-sa-workload-identity-binding   31m   True    UpToDate   31m
iampartialpolicy.iam.cnrm.cloud.google.com/hierarchy-sa-workload-identity-binding          31m   True    UpToDate   31m
iampartialpolicy.iam.cnrm.cloud.google.com/logging-sa-workload-identity-binding            31m   True    UpToDate   31m
iampartialpolicy.iam.cnrm.cloud.google.com/networking-sa-workload-identity-binding         31m   True    UpToDate   31m
iampartialpolicy.iam.cnrm.cloud.google.com/policies-sa-workload-identity-binding           31m   True    UpToDate   31m
iampartialpolicy.iam.cnrm.cloud.google.com/projects-sa-workload-identity-binding           31m   True    UpToDate   30m

NAME                                                                                                             AGE   READY   STATUS     STATUS AGE
iampolicymember.iam.cnrm.cloud.google.com/config-control-sa-management-project-editor-permissions                31m   True    UpToDate   31m
iampolicymember.iam.cnrm.cloud.google.com/config-control-sa-management-project-serviceaccountadmin-permissions   31m   True    UpToDate   31m
iampolicymember.iam.cnrm.cloud.google.com/config-control-sa-orgroleadmin-permissions                             31m   True    UpToDate   31m
iampolicymember.iam.cnrm.cloud.google.com/gatekeeper-admin-sa-metric-writer-permissions                          31m   True    UpToDate   31m
iampolicymember.iam.cnrm.cloud.google.com/hierarchy-sa-folderadmin-permissions                                   31m   True    UpToDate   30m
iampolicymember.iam.cnrm.cloud.google.com/logging-sa-bigqueryadmin-permissions                                   31m   True    UpToDate   30m
iampolicymember.iam.cnrm.cloud.google.com/logging-sa-logadmin-permissions                                        31m   True    UpToDate   31m
iampolicymember.iam.cnrm.cloud.google.com/networking-sa-dns-permissions                                          31m   True    UpToDate   31m
iampolicymember.iam.cnrm.cloud.google.com/networking-sa-networkadmin-permissions                                 31m   True    UpToDate   31m
iampolicymember.iam.cnrm.cloud.google.com/networking-sa-security-permissions                                     31m   True    UpToDate   31m
iampolicymember.iam.cnrm.cloud.google.com/networking-sa-service-control-org-permissions                          31m   True    UpToDate   31m
iampolicymember.iam.cnrm.cloud.google.com/networking-sa-servicedirectoryeditor-permissions                       31m   True    UpToDate   31m
iampolicymember.iam.cnrm.cloud.google.com/networking-sa-xpnadmin-permissions                                     31m   True    UpToDate   31m
iampolicymember.iam.cnrm.cloud.google.com/policies-sa-orgpolicyadmin-permissions                                 31m   True    UpToDate   31m
iampolicymember.iam.cnrm.cloud.google.com/projects-sa-billinguser-permissions                                    31m   True    UpToDate   30m
iampolicymember.iam.cnrm.cloud.google.com/projects-sa-projectcreator-permissions                                 31m   True    UpToDate   29m
iampolicymember.iam.cnrm.cloud.google.com/projects-sa-projectdeleter-permissions                                 31m   True    UpToDate   29m
iampolicymember.iam.cnrm.cloud.google.com/projects-sa-projectiamadmin-permissions                                31m   True    UpToDate   29m
iampolicymember.iam.cnrm.cloud.google.com/projects-sa-projectmover-permissions                                   31m   True    UpToDate   29m
iampolicymember.iam.cnrm.cloud.google.com/projects-sa-serviceusageadmin-permissions                              31m   True    UpToDate   29m

NAME                                                              AGE   READY   STATUS     STATUS AGE
iamserviceaccount.iam.cnrm.cloud.google.com/gatekeeper-admin-sa   31m   True    UpToDate   31m
iamserviceaccount.iam.cnrm.cloud.google.com/hierarchy-sa          31m   True    UpToDate   31m
iamserviceaccount.iam.cnrm.cloud.google.com/logging-sa            31m   True    UpToDate   31m
iamserviceaccount.iam.cnrm.cloud.google.com/networking-sa         31m   True    UpToDate   31m
iamserviceaccount.iam.cnrm.cloud.google.com/policies-sa           31m   True    UpToDate   31m
iamserviceaccount.iam.cnrm.cloud.google.com/projects-sa           31m   True    UpToDate   30m

NAME                                                                               AGE   READY   STATUS     STATUS AGE
service.serviceusage.cnrm.cloud.google.com/kcc-boot-ls-8704-accesscontextmanager   31m   True    UpToDate   31m
service.serviceusage.cnrm.cloud.google.com/kcc-boot-ls-8704-cloudbilling           31m   True    UpToDate   31m
service.serviceusage.cnrm.cloud.google.com/kcc-boot-ls-8704-cloudresourcemanager   31m   True    UpToDate   31m
service.serviceusage.cnrm.cloud.google.com/kcc-boot-ls-8704-serviceusage           31m   True    UpToDate   31m
root_@cloudshell:~/pdt-ls/obriensystems/pubsec-declarative-toolkit/solutions (kcc-boot-ls-8704)$ kubectl get projects
No resources found in config-control namespace.
root_@cloudshell:~/pdt-ls/obriensystems/pubsec-declarative-toolkit/solutions (kcc-boot-ls-8704)$ kubectl get gcp -n projects
NAME                                                                              AGE   READY   STATUS     STATUS AGE
iamauditconfig.iam.cnrm.cloud.google.com/logging-project-data-access-log-config   24m   True    UpToDate   24m

NAME                                                                                                                   AGE   READY   STATUS               STATUS AGE
iampartialpolicy.iam.cnrm.cloud.google.com/mgmt-project-cluster-platform-and-component-log-bucket-writer-permissions   24m   False   DependencyNotFound   24m
iampartialpolicy.iam.cnrm.cloud.google.com/platform-and-component-services-infra-log-bucket-writer-permissions         24m   False   DependencyNotFound   24m
iampartialpolicy.iam.cnrm.cloud.google.com/platform-and-component-services-log-bucket-writer-permissions               24m   False   DependencyNotFound   24m
iampartialpolicy.iam.cnrm.cloud.google.com/security-log-bucket-writer-permissions                                      24m   False   DependencyNotFound   24m

NAME                                                                AGE   READY   STATUS     STATUS AGE
project.resourcemanager.cnrm.cloud.google.com/dns-project-ls4       24m   True    UpToDate   21m
project.resourcemanager.cnrm.cloud.google.com/logging-project-ls4   30m   True    UpToDate   24m
root_@cloudshell:~/pdt-ls/obriensystems/pubsec-declarative-toolkit/solutions (kcc-boot-ls-8704)$ kubectl get gcp -n hierarchy
NAME                                                                   AGE   READY   STATUS     STATUS AGE
folder.resourcemanager.cnrm.cloud.google.com/audits                    31m   True    UpToDate   28m
folder.resourcemanager.cnrm.cloud.google.com/clients                   31m   True    UpToDate   28m
folder.resourcemanager.cnrm.cloud.google.com/services                  31m   True    UpToDate   28m
folder.resourcemanager.cnrm.cloud.google.com/services-infrastructure   31m   True    UpToDate   28m
root_@cloudshell:~/pdt-ls/obriensystems/pubsec-declarative-toolkit/solutions (kcc-boot-ls-8704)$ kubectl get gcp -n logging
NAME                                                                                   AGE   READY   STATUS     STATUS AGE
logginglogbucket.logging.cnrm.cloud.google.com/platform-and-component-log-bucket-ls4   25m   True    UpToDate   25m
logginglogbucket.logging.cnrm.cloud.google.com/security-log-bucket-ls4                 25m   True    UpToDate   25m

NAME                                                                                       AGE   READY   STATUS     STATUS AGE
logginglogsink.logging.cnrm.cloud.google.com/mgmt-project-cluster-disable-default-bucket   25m   True    UpToDate   25m
root_@cloudshell:~/pdt-ls/obriensystems/pubsec-declarative-toolkit/solutions (kcc-boot-ls-8704)$ kubectl get gcp -n networking
No resources found in networking namespace.
root_@cloudshell:~/pdt-ls/obriensystems/pubsec-declarative-toolkit/solutions (kcc-boot-ls-8704)$ kubectl get namespaces
NAME                              STATUS   AGE
cnrm-system                       Active   53m
config-control                    Active   53m
config-management-monitoring      Active   54m
config-management-system          Active   54m
configconnector-operator-system   Active   54m
default                           Active   60m
gatekeeper-system                 Active   52m
gke-gmp-system                    Active   59m
gke-managed-filestorecsi          Active   59m
gmp-public                        Active   59m
hierarchy                         Active   33m
krmapihosting-monitoring          Active   54m
krmapihosting-system              Active   57m
kube-node-lease                   Active   60m
kube-public                       Active   60m
kube-system                       Active   60m
logging                           Active   33m
networking                        Active   33m
policies                          Active   33m
projects                          Active   33m
resource-group-system             Active   52m
root_@cloudshell:~/pdt-ls/obriensystems/pubsec-declarative-toolkit/solutions (kcc-boot-ls-8704)$ kubectl get gcp -n policies
NAME                                                                                                         AGE   READY   STATUS     STATUS AGE
resourcemanagerpolicy.resourcemanager.cnrm.cloud.google.com/compute-require-shielded-vm-except-mgt-project   32m   True    UpToDate   30m
root_@cloudshell:~/pdt-ls/obriensystems/pubsec-declarative-toolkit/solutions (kcc-boot-ls-8704)$ 


root_@cloudshell:~/pdt-ls/obriensystems/pubsec-declarative-toolkit/solutions (kcc-boot-ls-8704)$ kubectl describe iampartialpolicy.iam.cnrm.cloud.google.com/mgmt-project-cluster-platform-and-component-log-bucket-writer-permissions -n projects
Name:         mgmt-project-cluster-platform-and-component-log-bucket-writer-permissions
Namespace:    projects
Labels:       <none>
Annotations:  cnrm.cloud.google.com/blueprint: kpt-pkg-fn-live
              config.k8s.io/owning-inventory: aa4fc298b6221cdddd79610cf49717502ca36ce7-1697985197779920990
              config.kubernetes.io/depends-on: resourcemanager.cnrm.cloud.google.com/namespaces/projects/Project/logging-project-ls4
              internal.kpt.dev/upstream-identifier:
                iam.cnrm.cloud.google.com|IAMPartialPolicy|projects|mgmt-project-cluster-platform-and-component-log-bucket-writer-permissions
API Version:  iam.cnrm.cloud.google.com/v1beta1
Kind:         IAMPartialPolicy
Metadata:
  Creation Timestamp:  2023-10-22T14:40:40Z
  Generation:          1
  Resource Version:    33727
  UID:                 fbc7777f-bea5-4cfa-a2a5-fa5ee016be01
Spec:
  Bindings:
    Members:
      Member From:
        Log Sink Ref:
          Name:       mgmt-project-cluster-platform-and-component-log-sink
          Namespace:  logging
    Role:             roles/logging.bucketWriter
  Resource Ref:
    API Version:  resourcemanager.cnrm.cloud.google.com/v1beta1
    Kind:         Project
    Name:         logging-project-ls4
    Namespace:    projects
Status:
  Conditions:
    Last Transition Time:  2023-10-22T14:40:40Z
    Message:               reference LoggingLogSink logging/mgmt-project-cluster-platform-and-component-log-sink is not found
    Reason:                DependencyNotFound
    Status:                False
    Type:                  Ready
  Observed Generation:     1
Events:
  Type     Reason              Age                  From                         Message
  ----     ------              ----                 ----                         -------
  Warning  DependencyNotFound  2m42s (x4 over 28m)  iampartialpolicy-controller  reference LoggingLogSink logging/mgmt-project-cluster-platform-and-component-log-sink is not found
root_@cloudshell:~/pdt-ls/obriensystems/pubsec-declarative-toolkit/solutions (kcc-boot-ls-8704)$ 

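The two describe outputs above show the same shape of failure: an IAMPartialPolicy whose binding member comes from memberFrom.logSinkRef, while the LoggingLogSink it names does not exist in the logging namespace, and whose kpt depends-on annotation declares only the Project. The following preflight check is an added example, not code from the pubsec-declarative-toolkit; it walks IAMPartialPolicy objects (the dict shape of `kubectl get -o json`), resolves every logSinkRef against the set of LoggingLogSink objects actually present, flags refs that the depends-on annotation does not declare, and parses the unmet reference out of a Ready=False/DependencyNotFound condition. The sample policies and sink set are constructed from the listings on this page; that a sink ref without a namespace resolves to the policy's own namespace, and that an undeclared sink in depends-on is worth reviewing, are assumptions of the example.

```python
"""Preflight check for Config Connector IAMPartialPolicy resources that bind a member
via memberFrom.logSinkRef. Added example, not toolkit code."""
import re
from typing import Dict, Iterable, List, Optional, Set, Tuple

DEPENDS_ON = "config.kubernetes.io/depends-on"   # kpt apply-ordering annotation
LOGSINK_GROUP = "logging.cnrm.cloud.google.com"  # API group of LoggingLogSink
# Controller condition message shape: "reference <Kind> <namespace>/<name> is not found"
NOT_FOUND_RE = re.compile(r"reference (\w+) ([^/\s]+)/(\S+) is not found")

SinkRef = Tuple[str, str]  # (namespace, name)


def sink_refs(policy: dict) -> List[SinkRef]:
    """Return (namespace, name) for every memberFrom.logSinkRef in spec.bindings.
    Assumption: a ref with no namespace resolves to the policy's own namespace."""
    own_ns = policy["metadata"].get("namespace", "default")
    refs: List[SinkRef] = []
    for binding in policy.get("spec", {}).get("bindings", []):
        for member in binding.get("members", []):
            sink = member.get("memberFrom", {}).get("logSinkRef")
            if sink:
                refs.append((sink.get("namespace", own_ns), sink["name"]))
    return refs


def depends_on_refs(policy: dict) -> Set[Tuple[str, str, str, str]]:
    """Parse the depends-on annotation into (group, namespace, kind, name) tuples.
    Namespaced entries look like <group>/namespaces/<namespace>/<Kind>/<name>, comma-separated."""
    raw = policy["metadata"].get("annotations", {}).get(DEPENDS_ON, "")
    found = set()
    for entry in (e.strip() for e in raw.split(",") if e.strip()):
        parts = entry.split("/")
        if len(parts) == 5 and parts[1] == "namespaces":
            found.add((parts[0], parts[2], parts[3], parts[4]))
    return found


def sink_depends_on_entry(namespace: str, name: str) -> str:
    """The depends-on entry that would declare a LoggingLogSink as a prerequisite."""
    return f"{LOGSINK_GROUP}/namespaces/{namespace}/LoggingLogSink/{name}"


def existing_sinks(sink_items: Iterable[dict]) -> Set[SinkRef]:
    """Set of present sinks from LoggingLogSink objects (the `items` of
    `kubectl get logginglogsink -A -o json`)."""
    return {(s["metadata"]["namespace"], s["metadata"]["name"]) for s in sink_items}


def check_policy(policy: dict, present: Set[SinkRef]) -> Dict[str, List[str]]:
    """Report sink refs that do not exist and sink refs not declared in depends-on."""
    declared = depends_on_refs(policy)
    missing, undeclared = [], []
    for ns, name in sink_refs(policy):
        if (ns, name) not in present:
            missing.append(f"{ns}/{name}")
        if (LOGSINK_GROUP, ns, "LoggingLogSink", name) not in declared:
            undeclared.append(f"{ns}/{name}")
    return {"missing_sinks": missing, "undeclared_dependencies": undeclared}


def unmet_reference(policy: dict) -> Optional[Tuple[str, str, str]]:
    """Extract (kind, namespace, name) from a Ready=False DependencyNotFound condition."""
    for cond in policy.get("status", {}).get("conditions", []):
        if (cond.get("type"), cond.get("status"), cond.get("reason")) == \
                ("Ready", "False", "DependencyNotFound"):
            m = NOT_FOUND_RE.search(cond.get("message", ""))
            if m:
                return m.group(1), m.group(2), m.group(3)
    return None


def make_sample_policy(name: str, sink: str, project: str,
                       extra_depends: Iterable[str] = ()) -> dict:
    """Constructed IAMPartialPolicy mirroring the shape of the kubectl describe output."""
    depends = [f"resourcemanager.cnrm.cloud.google.com/namespaces/projects/Project/{project}",
               *extra_depends]
    return {
        "apiVersion": "iam.cnrm.cloud.google.com/v1beta1",
        "kind": "IAMPartialPolicy",
        "metadata": {"name": name, "namespace": "projects",
                     "annotations": {DEPENDS_ON: ",".join(depends)}},
        "spec": {
            "bindings": [{"role": "roles/logging.bucketWriter",
                          "members": [{"memberFrom": {
                              "logSinkRef": {"name": sink, "namespace": "logging"}}}]}],
            "resourceRef": {"kind": "Project", "name": project, "namespace": "projects"},
        },
        "status": {"conditions": [{"type": "Ready", "status": "False",
                                   "reason": "DependencyNotFound",
                                   "message": f"reference LoggingLogSink logging/{sink} is not found"}]},
    }


# Constructed sample: the two failing policies from the describe outputs, and the only
# sink the clean install's logging namespace actually contained.
SAMPLE_POLICIES = [
    make_sample_policy("security-log-bucket-writer-permissions",
                       "logging-project-oi-security-sink", "logging-project-oi"),
    make_sample_policy("mgmt-project-cluster-platform-and-component-log-bucket-writer-permissions",
                       "mgmt-project-cluster-platform-and-component-log-sink", "logging-project-ls4"),
]
SAMPLE_SINKS = existing_sinks([{"metadata": {"namespace": "logging",
                                             "name": "mgmt-project-cluster-disable-default-bucket"}}])

if __name__ == "__main__":
    for p in SAMPLE_POLICIES:
        print(p["metadata"]["name"], check_policy(p, SAMPLE_SINKS), unmet_reference(p))
```

Run against a live cluster by feeding `check_policy` the `items` of `kubectl get iampartialpolicy -A -o json` and `existing_sinks` the `items` of `kubectl get logginglogsink -A -o json`; a non-empty `missing_sinks` list before `kpt live apply` is the same condition the controller later reports as DependencyNotFound, and `unmet_reference` gives the missing sink's kind, namespace and name directly from the status so it can be matched against what the logging package actually rendered.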
@obriensystems (Collaborator, Author) commented

[Screenshot 2023-10-22 at 11 15 24]
