diff --git a/audit/projects/k8s-artifacts-prod/buckets/k8s-artifacts-gcslogs/iam.json b/audit/projects/k8s-artifacts-prod/buckets/k8s-artifacts-gcslogs/iam.json
index 1de2c23f86d..ca100d93c6e 100644
--- a/audit/projects/k8s-artifacts-prod/buckets/k8s-artifacts-gcslogs/iam.json
+++ b/audit/projects/k8s-artifacts-prod/buckets/k8s-artifacts-gcslogs/iam.json
@@ -39,6 +39,12 @@
 "group:k8s-infra-artifact-admins@kubernetes.io"
 ],
 "role": "roles/storage.objectAdmin"
+ },
+ {
+ "members": [
+ "group:k8s-infra-gcs-access-logs@kubernetes.io"
+ ],
+ "role": "roles/storage.objectViewer"
 }
 ]
 }
diff --git a/audit/projects/k8s-artifacts-prod/iam.json b/audit/projects/k8s-artifacts-prod/iam.json
index a3e956027ac..896a4e01039 100644
--- a/audit/projects/k8s-artifacts-prod/iam.json
+++ b/audit/projects/k8s-artifacts-prod/iam.json
@@ -39,12 +39,24 @@
 ],
 "role": "roles/errorreporting.user"
 },
+ {
+ "members": [
+ "serviceAccount:k8s-infra-gcr-auditor@k8s-artifacts-prod.iam.gserviceaccount.com"
+ ],
+ "role": "roles/errorreporting.writer"
+ },
 {
 "members": [
 "serviceAccount:service-388270116193@gcp-sa-pubsub.iam.gserviceaccount.com"
 ],
 "role": "roles/iam.serviceAccountTokenCreator"
 },
+ {
+ "members": [
+ "serviceAccount:k8s-infra-gcr-auditor@k8s-artifacts-prod.iam.gserviceaccount.com"
+ ],
+ "role": "roles/logging.logWriter"
+ },
 {
 "members": [
 "group:k8s-infra-artifact-admins@kubernetes.io"
diff --git a/audit/projects/k8s-artifacts-prod/service-accounts/k8s-infra-gcr-auditor@k8s-artifacts-prod.iam.gserviceaccount.com/description.json b/audit/projects/k8s-artifacts-prod/service-accounts/k8s-infra-gcr-auditor@k8s-artifacts-prod.iam.gserviceaccount.com/description.json
new file mode 100644
index 00000000000..fc757ae1113
--- /dev/null
+++ b/audit/projects/k8s-artifacts-prod/service-accounts/k8s-infra-gcr-auditor@k8s-artifacts-prod.iam.gserviceaccount.com/description.json
@@ -0,0 +1,8 @@
+{
+ "displayName": "k8s-infra container image auditor",
+ "email": "k8s-infra-gcr-auditor@k8s-artifacts-prod.iam.gserviceaccount.com",
+ "name": "projects/k8s-artifacts-prod/serviceAccounts/k8s-infra-gcr-auditor@k8s-artifacts-prod.iam.gserviceaccount.com",
+ "oauth2ClientId": "113024649066440988760",
+ "projectId": "k8s-artifacts-prod",
+ "uniqueId": "113024649066440988760"
+}
diff --git a/audit/projects/k8s-artifacts-prod/service-accounts/k8s-infra-gcr-auditor@k8s-artifacts-prod.iam.gserviceaccount.com/iam.json b/audit/projects/k8s-artifacts-prod/service-accounts/k8s-infra-gcr-auditor@k8s-artifacts-prod.iam.gserviceaccount.com/iam.json
new file mode 100644
index 00000000000..cbc2f350095
--- /dev/null
+++ b/audit/projects/k8s-artifacts-prod/service-accounts/k8s-infra-gcr-auditor@k8s-artifacts-prod.iam.gserviceaccount.com/iam.json
@@ -0,0 +1,11 @@
+{
+ "bindings": [
+ {
+ "members": [
+ "group:k8s-infra-artifact-admins@kubernetes.io"
+ ],
+ "role": "roles/iam.serviceAccountUser"
+ }
+ ],
+ "version": 1
+}
diff --git a/audit/projects/k8s-artifacts-prod/services/enabled.txt b/audit/projects/k8s-artifacts-prod/services/enabled.txt
index f2d2bfe53e5..7c8d574d15d 100644
--- a/audit/projects/k8s-artifacts-prod/services/enabled.txt
+++ b/audit/projects/k8s-artifacts-prod/services/enabled.txt
@@ -9,6 +9,7 @@ cloudtrace.googleapis.com Cloud Trace API
 compute.googleapis.com Compute Engine API
 containeranalysis.googleapis.com Container Analysis API
 containerregistry.googleapis.com Container Registry API
+containerscanning.googleapis.com Container Scanning API
 datastore.googleapis.com Cloud Datastore API
 logging.googleapis.com Cloud Logging API
 monitoring.googleapis.com Cloud Monitoring API
diff --git a/audit/projects/k8s-infra-prow-build-trusted/iam.json b/audit/projects/k8s-infra-prow-build-trusted/iam.json
index 36ec27a7718..8f862edf9e8 100644
--- a/audit/projects/k8s-infra-prow-build-trusted/iam.json
+++ b/audit/projects/k8s-infra-prow-build-trusted/iam.json
@@ -4,7 +4,7 @@
 "members": [
 "group:k8s-infra-cluster-admins@kubernetes.io"
 ],
- "role": "projects/k8s-infra-prow-build-trusted/roles/ServiceAccountLister"
+ "role": "organizations/758905017065/roles/iam.serviceAccountLister"
 },
 {
 "members": [
diff --git a/audit/projects/k8s-infra-prow-build-trusted/roles/ServiceAccountLister.json b/audit/projects/k8s-infra-prow-build-trusted/roles/ServiceAccountLister.json
deleted file mode 100644
index 16888cdb33f..00000000000
--- a/audit/projects/k8s-infra-prow-build-trusted/roles/ServiceAccountLister.json
+++ /dev/null
@@ -1,9 +0,0 @@
-{
- "description": "Can list ServiceAccounts.",
- "includedPermissions": [
- "iam.serviceAccounts.list"
- ],
- "name": "projects/k8s-infra-prow-build-trusted/roles/ServiceAccountLister",
- "stage": "GA",
- "title": "Service Account Lister"
-}
diff --git a/audit/projects/k8s-infra-prow-build/iam.json b/audit/projects/k8s-infra-prow-build/iam.json
index f7febb55455..fe760968b51 100644
--- a/audit/projects/k8s-infra-prow-build/iam.json
+++ b/audit/projects/k8s-infra-prow-build/iam.json
@@ -2,15 +2,15 @@
 "bindings": [
 {
 "members": [
- "group:k8s-infra-prow-viewers@kubernetes.io"
+ "group:k8s-infra-cluster-admins@kubernetes.io"
 ],
- "role": "organizations/758905017065/roles/prow.viewer"
+ "role": "organizations/758905017065/roles/iam.serviceAccountLister"
 },
 {
 "members": [
- "group:k8s-infra-cluster-admins@kubernetes.io"
+ "group:k8s-infra-prow-viewers@kubernetes.io"
 ],
- "role": "projects/k8s-infra-prow-build/roles/ServiceAccountLister"
+ "role": "organizations/758905017065/roles/prow.viewer"
 },
 {
 "members": [
diff --git a/audit/projects/k8s-infra-prow-build/roles/ServiceAccountLister.json b/audit/projects/k8s-infra-prow-build/roles/ServiceAccountLister.json
deleted file mode 100644
index a8de264731c..00000000000
--- a/audit/projects/k8s-infra-prow-build/roles/ServiceAccountLister.json
+++ /dev/null
@@ -1,9 +0,0 @@
-{
- "description": "Can list ServiceAccounts.",
- "includedPermissions": [
- "iam.serviceAccounts.list"
- ],
- "name": "projects/k8s-infra-prow-build/roles/ServiceAccountLister",
- "stage": "GA",
- "title": "Service Account Lister"
-}
diff --git a/audit/projects/k8s-staging-test-infra/buckets/artifacts.k8s-staging-test-infra.appspot.com/bucketpolicyonly.txt b/audit/projects/k8s-staging-test-infra/buckets/artifacts.k8s-staging-test-infra.appspot.com/bucketpolicyonly.txt
new file mode 100644
index 00000000000..64f2f758049
--- /dev/null
+++ b/audit/projects/k8s-staging-test-infra/buckets/artifacts.k8s-staging-test-infra.appspot.com/bucketpolicyonly.txt
@@ -0,0 +1,4 @@
+Bucket Policy Only setting for gs://artifacts.k8s-staging-test-infra.appspot.com:
+ Enabled: True
+ LockedTime: 2021-08-02 20:28:08.351000+00:00
+
diff --git a/audit/projects/k8s-staging-test-infra/buckets/artifacts.k8s-staging-test-infra.appspot.com/cors.txt b/audit/projects/k8s-staging-test-infra/buckets/artifacts.k8s-staging-test-infra.appspot.com/cors.txt
new file mode 100644
index 00000000000..78c1078836c
--- /dev/null
+++ b/audit/projects/k8s-staging-test-infra/buckets/artifacts.k8s-staging-test-infra.appspot.com/cors.txt
@@ -0,0 +1 @@
+gs://artifacts.k8s-staging-test-infra.appspot.com/ has no CORS configuration.
diff --git a/audit/projects/k8s-staging-test-infra/buckets/artifacts.k8s-staging-test-infra.appspot.com/iam.json b/audit/projects/k8s-staging-test-infra/buckets/artifacts.k8s-staging-test-infra.appspot.com/iam.json
new file mode 100644
index 00000000000..704b80d1469
--- /dev/null
+++ b/audit/projects/k8s-staging-test-infra/buckets/artifacts.k8s-staging-test-infra.appspot.com/iam.json
@@ -0,0 +1,37 @@
+{
+ "bindings": [
+ {
+ "members": [
+ "group:k8s-infra-artifact-admins@kubernetes.io",
+ "projectEditor:k8s-staging-test-infra",
+ "projectOwner:k8s-staging-test-infra"
+ ],
+ "role": "roles/storage.legacyBucketOwner"
+ },
+ {
+ "members": [
+ "projectViewer:k8s-staging-test-infra"
+ ],
+ "role": "roles/storage.legacyBucketReader"
+ },
+ {
+ "members": [
+ "group:k8s-infra-staging-test-infra@kubernetes.io"
+ ],
+ "role": "roles/storage.legacyBucketWriter"
+ },
+ {
+ "members": [
+ "group:k8s-infra-artifact-admins@kubernetes.io",
+ "group:k8s-infra-staging-test-infra@kubernetes.io"
+ ],
+ "role": "roles/storage.objectAdmin"
+ },
+ {
+ "members": [
+ "allUsers"
+ ],
+ "role": "roles/storage.objectViewer"
+ }
+ ]
+}
diff --git a/audit/projects/k8s-staging-test-infra/buckets/artifacts.k8s-staging-test-infra.appspot.com/logging.txt b/audit/projects/k8s-staging-test-infra/buckets/artifacts.k8s-staging-test-infra.appspot.com/logging.txt
new file mode 100644
index 00000000000..50aee2d2f77
--- /dev/null
+++ b/audit/projects/k8s-staging-test-infra/buckets/artifacts.k8s-staging-test-infra.appspot.com/logging.txt
@@ -0,0 +1 @@
+gs://artifacts.k8s-staging-test-infra.appspot.com/ has no logging configuration.
diff --git a/audit/projects/k8s-staging-test-infra/buckets/k8s-staging-test-infra-gcb/bucketpolicyonly.txt b/audit/projects/k8s-staging-test-infra/buckets/k8s-staging-test-infra-gcb/bucketpolicyonly.txt
new file mode 100644
index 00000000000..336d05359fe
--- /dev/null
+++ b/audit/projects/k8s-staging-test-infra/buckets/k8s-staging-test-infra-gcb/bucketpolicyonly.txt
@@ -0,0 +1,4 @@
+Bucket Policy Only setting for gs://k8s-staging-test-infra-gcb:
+ Enabled: True
+ LockedTime: 2021-08-02 20:29:19.330000+00:00
+
diff --git a/audit/projects/k8s-staging-test-infra/buckets/k8s-staging-test-infra-gcb/cors.txt b/audit/projects/k8s-staging-test-infra/buckets/k8s-staging-test-infra-gcb/cors.txt
new file mode 100644
index 00000000000..f1a7b1b78f6
--- /dev/null
+++ b/audit/projects/k8s-staging-test-infra/buckets/k8s-staging-test-infra-gcb/cors.txt
@@ -0,0 +1 @@
+gs://k8s-staging-test-infra-gcb/ has no CORS configuration.
diff --git a/audit/projects/k8s-staging-test-infra/buckets/k8s-staging-test-infra-gcb/iam.json b/audit/projects/k8s-staging-test-infra/buckets/k8s-staging-test-infra-gcb/iam.json
new file mode 100644
index 00000000000..e24020c3b6f
--- /dev/null
+++ b/audit/projects/k8s-staging-test-infra/buckets/k8s-staging-test-infra-gcb/iam.json
@@ -0,0 +1,46 @@
+{
+ "bindings": [
+ {
+ "members": [
+ "group:k8s-infra-artifact-admins@kubernetes.io",
+ "projectEditor:k8s-staging-test-infra",
+ "projectOwner:k8s-staging-test-infra"
+ ],
+ "role": "roles/storage.legacyBucketOwner"
+ },
+ {
+ "members": [
+ "projectViewer:k8s-staging-test-infra"
+ ],
+ "role": "roles/storage.legacyBucketReader"
+ },
+ {
+ "members": [
+ "group:k8s-infra-staging-test-infra@kubernetes.io"
+ ],
+ "role": "roles/storage.legacyBucketWriter"
+ },
+ {
+ "members": [
+ "group:k8s-infra-artifact-admins@kubernetes.io",
+ "group:k8s-infra-staging-test-infra@kubernetes.io"
+ ],
+ "role": "roles/storage.objectAdmin"
+ },
+ {
+ "members": [
+ "serviceAccount:deployer@k8s-prow.iam.gserviceaccount.com",
+ "serviceAccount:gcb-builder@k8s-infra-prow-build-trusted.iam.gserviceaccount.com"
+ ],
+ "role": "roles/storage.objectCreator"
+ },
+ {
+ "members": [
+ "allUsers",
+ "serviceAccount:deployer@k8s-prow.iam.gserviceaccount.com",
+ "serviceAccount:gcb-builder@k8s-infra-prow-build-trusted.iam.gserviceaccount.com"
+ ],
+ "role": "roles/storage.objectViewer"
+ }
+ ]
+}
diff --git a/audit/projects/k8s-staging-test-infra/buckets/k8s-staging-test-infra-gcb/logging.txt b/audit/projects/k8s-staging-test-infra/buckets/k8s-staging-test-infra-gcb/logging.txt
new file mode 100644
index 00000000000..f62781fbdf9
--- /dev/null
+++ b/audit/projects/k8s-staging-test-infra/buckets/k8s-staging-test-infra-gcb/logging.txt
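Review bot: In the new k8s-staging-test-infra-gcb bucket policy, `allUsers` receives `roles/storage.objectViewer` in the same document that gives `deployer@k8s-prow` and `gcb-builder@k8s-infra-prow-build-trusted` `roles/storage.objectCreator`, so everything those build service accounts upload is world-readable as soon as it lands. The `-gcb` suffix suggests this bucket holds Cloud Build source uploads rather than finished artifacts (not shown here), and the sibling logging.txt records that the bucket has no access logging, so an accidental upload of a working-tree credential or key file would be public and undetectable from the bucket side. If public-read matches the other staging projects it is by design, but it is worth confirming that the source-upload tooling excludes secret-bearing files and recording that expectation next to the binding.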
@@ -0,0 +1 @@
+gs://k8s-staging-test-infra-gcb/ has no logging configuration.
diff --git a/audit/projects/k8s-staging-test-infra/buckets/k8s-staging-test-infra/bucketpolicyonly.txt b/audit/projects/k8s-staging-test-infra/buckets/k8s-staging-test-infra/bucketpolicyonly.txt
new file mode 100644
index 00000000000..85cd164d5a4
--- /dev/null
+++ b/audit/projects/k8s-staging-test-infra/buckets/k8s-staging-test-infra/bucketpolicyonly.txt
@@ -0,0 +1,4 @@
+Bucket Policy Only setting for gs://k8s-staging-test-infra:
+ Enabled: True
+ LockedTime: 2021-08-02 20:28:41.006000+00:00
+
diff --git a/audit/projects/k8s-staging-test-infra/buckets/k8s-staging-test-infra/cors.txt b/audit/projects/k8s-staging-test-infra/buckets/k8s-staging-test-infra/cors.txt
new file mode 100644
index 00000000000..20035db8f0d
--- /dev/null
+++ b/audit/projects/k8s-staging-test-infra/buckets/k8s-staging-test-infra/cors.txt
@@ -0,0 +1 @@
+gs://k8s-staging-test-infra/ has no CORS configuration.
diff --git a/audit/projects/k8s-staging-test-infra/buckets/k8s-staging-test-infra/iam.json b/audit/projects/k8s-staging-test-infra/buckets/k8s-staging-test-infra/iam.json
new file mode 100644
index 00000000000..704b80d1469
--- /dev/null
+++ b/audit/projects/k8s-staging-test-infra/buckets/k8s-staging-test-infra/iam.json
@@ -0,0 +1,37 @@
+{
+ "bindings": [
+ {
+ "members": [
+ "group:k8s-infra-artifact-admins@kubernetes.io",
+ "projectEditor:k8s-staging-test-infra",
+ "projectOwner:k8s-staging-test-infra"
+ ],
+ "role": "roles/storage.legacyBucketOwner"
+ },
+ {
+ "members": [
+ "projectViewer:k8s-staging-test-infra"
+ ],
+ "role": "roles/storage.legacyBucketReader"
+ },
+ {
+ "members": [
+ "group:k8s-infra-staging-test-infra@kubernetes.io"
+ ],
+ "role": "roles/storage.legacyBucketWriter"
+ },
+ {
+ "members": [
+ "group:k8s-infra-artifact-admins@kubernetes.io",
+ "group:k8s-infra-staging-test-infra@kubernetes.io"
+ ],
+ "role": "roles/storage.objectAdmin"
+ },
+ {
+ "members": [
+ "allUsers"
+ ],
+ "role": "roles/storage.objectViewer"
+ }
+ ]
+}
diff --git a/audit/projects/k8s-staging-test-infra/buckets/k8s-staging-test-infra/logging.txt b/audit/projects/k8s-staging-test-infra/buckets/k8s-staging-test-infra/logging.txt
new file mode 100644
index 00000000000..3d223481fb0
--- /dev/null
+++ b/audit/projects/k8s-staging-test-infra/buckets/k8s-staging-test-infra/logging.txt
@@ -0,0 +1 @@
+gs://k8s-staging-test-infra/ has no logging configuration.
diff --git a/audit/projects/k8s-staging-test-infra/description.json b/audit/projects/k8s-staging-test-infra/description.json
new file mode 100644
index 00000000000..342d4d20ca7
--- /dev/null
+++ b/audit/projects/k8s-staging-test-infra/description.json
@@ -0,0 +1,11 @@
+{
+ "createTime": "2021-05-04T20:26:34.947Z",
+ "lifecycleState": "ACTIVE",
+ "name": "k8s-staging-test-infra",
+ "parent": {
+ "id": "758905017065",
+ "type": "organization"
+ },
+ "projectId": "k8s-staging-test-infra",
+ "projectNumber": "958928310150"
+}
diff --git a/audit/projects/k8s-staging-test-infra/iam.json b/audit/projects/k8s-staging-test-infra/iam.json
new file mode 100644
index 00000000000..14303ace7d2
--- /dev/null
+++ b/audit/projects/k8s-staging-test-infra/iam.json
@@ -0,0 +1,68 @@
+{
+ "bindings": [
+ {
+ "members": [
+ "serviceAccount:958928310150@cloudbuild.gserviceaccount.com",
+ "serviceAccount:deployer@k8s-prow.iam.gserviceaccount.com",
+ "serviceAccount:gcb-builder@k8s-infra-prow-build-trusted.iam.gserviceaccount.com"
+ ],
+ "role": "roles/cloudbuild.builds.builder"
+ },
+ {
+ "members": [
+ "group:k8s-infra-staging-test-infra@kubernetes.io"
+ ],
+ "role": "roles/cloudbuild.builds.editor"
+ },
+ {
+ "members": [
+ "serviceAccount:service-958928310150@gcp-sa-cloudbuild.iam.gserviceaccount.com"
+ ],
+ "role": "roles/cloudbuild.serviceAgent"
+ },
+ {
+ "members": [
+ "serviceAccount:service-958928310150@container-analysis.iam.gserviceaccount.com"
+ ],
+ "role": "roles/containeranalysis.ServiceAgent"
+ },
+ {
+ "members": [
+ "serviceAccount:k8s-infra-gcr-vuln-scanning@k8s-artifacts-prod.iam.gserviceaccount.com"
+ ],
+ "role": "roles/containeranalysis.occurrences.viewer"
+ },
+ {
+ "members": [
+ "serviceAccount:service-958928310150@containerregistry.iam.gserviceaccount.com"
+ ],
+ "role": "roles/containerregistry.ServiceAgent"
+ },
+ {
+ "members": [
+ "serviceAccount:service-958928310150@gcp-sa-containerscanning.iam.gserviceaccount.com"
+ ],
+ "role": "roles/containerscanning.ServiceAgent"
+ },
+ {
+ "members": [
+ "serviceAccount:service-958928310150@gcp-sa-pubsub.iam.gserviceaccount.com"
+ ],
+ "role": "roles/pubsub.serviceAgent"
+ },
+ {
+ "members": [
+ "group:k8s-infra-staging-test-infra@kubernetes.io"
+ ],
+ "role": "roles/serviceusage.serviceUsageConsumer"
+ },
+ {
+ "members": [
+ "group:k8s-infra-artifact-admins@kubernetes.io",
+ "group:k8s-infra-staging-test-infra@kubernetes.io"
+ ],
+ "role": "roles/viewer"
+ }
+ ],
+ "version": 1
+}
diff --git a/audit/projects/k8s-staging-test-infra/services/enabled.txt b/audit/projects/k8s-staging-test-infra/services/enabled.txt
new file mode 100644
index 00000000000..30cdd842f18
--- /dev/null
+++ b/audit/projects/k8s-staging-test-infra/services/enabled.txt
@@ -0,0 +1,11 @@
+NAME TITLE
+cloudbuild.googleapis.com Cloud Build API
+cloudkms.googleapis.com Cloud Key Management Service (KMS) API
+containeranalysis.googleapis.com Container Analysis API
+containerregistry.googleapis.com Container Registry API
+containerscanning.googleapis.com Container Scanning API
+logging.googleapis.com Cloud Logging API
+pubsub.googleapis.com Cloud Pub/Sub API
+secretmanager.googleapis.com Secret Manager API
+storage-api.googleapis.com Google Cloud Storage JSON API
+storage-component.googleapis.com Cloud Storage
diff --git a/audit/projects/kubernetes-public/buckets/k8s-infra-clusters-terraform/iam.json b/audit/projects/kubernetes-public/buckets/k8s-infra-clusters-terraform/iam.json
index e7a8b50cc54..af83abe0e04 100644
--- a/audit/projects/kubernetes-public/buckets/k8s-infra-clusters-terraform/iam.json
+++ b/audit/projects/kubernetes-public/buckets/k8s-infra-clusters-terraform/iam.json
@@ -2,14 +2,14 @@
 "bindings": [
 {
 "members": [
- "group:k8s-infra-gcp-org-admins@kubernetes.io"
+ "group:k8s-infra-gcp-org-admins@kubernetes.io",
+ "user:spiffxp@google.com"
 ],
 "role": "roles/storage.admin"
 },
 {
 "members": [
 "group:k8s-infra-cluster-admins@kubernetes.io",
- "projectEditor:kubernetes-public",
 "projectOwner:kubernetes-public"
 ],
 "role": "roles/storage.legacyBucketOwner"
diff --git a/audit/projects/kubernetes-public/buckets/k8s-infra-tf-aws/iam.json b/audit/projects/kubernetes-public/buckets/k8s-infra-tf-aws/iam.json
index ea3a2fe8d8f..579dfa0f210 100644
--- a/audit/projects/kubernetes-public/buckets/k8s-infra-tf-aws/iam.json
+++ b/audit/projects/kubernetes-public/buckets/k8s-infra-tf-aws/iam.json
@@ -9,7 +9,6 @@
 {
 "members": [
 "group:k8s-infra-aws-admins@kubernetes.io",
- "projectEditor:kubernetes-public",
 "projectOwner:kubernetes-public"
 ],
 "role": "roles/storage.legacyBucketOwner"
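Review bot: `user:spiffxp@google.com` is added directly to `roles/storage.admin` on the k8s-infra-clusters-terraform bucket, while every other principal in these bucket policies is a group or a service account; a direct user binding on a Terraform state bucket sits outside the group-membership review trail and tends to outlive the need that created it. If the access is meant to be short-lived, granting it through the existing `group:k8s-infra-gcp-org-admins@kubernetes.io` membership, or attaching an expiry condition to the binding, keeps the audit files free of one-off user grants; otherwise a comment in the source config that explains why this user needs standalone admin on state files would help the next reviewer. The removal of `projectEditor:kubernetes-public` from `roles/storage.legacyBucketOwner` here, and in the k8s-infra-tf-aws, k8s-infra-tf-prow-clusters, k8s-infra-tf-public-clusters and k8s-infra-tf-sandbox-ii hunks that follow, is a welcome tightening.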
diff --git a/audit/projects/kubernetes-public/buckets/k8s-infra-tf-prow-clusters/iam.json b/audit/projects/kubernetes-public/buckets/k8s-infra-tf-prow-clusters/iam.json
index 12a86c118fe..bfbb68a19a3 100644
--- a/audit/projects/kubernetes-public/buckets/k8s-infra-tf-prow-clusters/iam.json
+++ b/audit/projects/kubernetes-public/buckets/k8s-infra-tf-prow-clusters/iam.json
@@ -9,7 +9,6 @@
 {
 "members": [
 "group:k8s-infra-prow-oncall@kubernetes.io",
- "projectEditor:kubernetes-public",
 "projectOwner:kubernetes-public"
 ],
 "role": "roles/storage.legacyBucketOwner"
diff --git a/audit/projects/kubernetes-public/buckets/k8s-infra-tf-public-clusters/iam.json b/audit/projects/kubernetes-public/buckets/k8s-infra-tf-public-clusters/iam.json
index e7a8b50cc54..de375d736d4 100644
--- a/audit/projects/kubernetes-public/buckets/k8s-infra-tf-public-clusters/iam.json
+++ b/audit/projects/kubernetes-public/buckets/k8s-infra-tf-public-clusters/iam.json
@@ -9,7 +9,6 @@
 {
 "members": [
 "group:k8s-infra-cluster-admins@kubernetes.io",
- "projectEditor:kubernetes-public",
 "projectOwner:kubernetes-public"
 ],
 "role": "roles/storage.legacyBucketOwner"
diff --git a/audit/projects/kubernetes-public/buckets/k8s-infra-tf-sandbox-ii/iam.json b/audit/projects/kubernetes-public/buckets/k8s-infra-tf-sandbox-ii/iam.json
index 4b342bd9c8c..eb8b2f632e8 100644
--- a/audit/projects/kubernetes-public/buckets/k8s-infra-tf-sandbox-ii/iam.json
+++ b/audit/projects/kubernetes-public/buckets/k8s-infra-tf-sandbox-ii/iam.json
@@ -9,7 +9,6 @@
 {
 "members": [
 "group:k8s-infra-ii-coop@kubernetes.io",
- "projectEditor:kubernetes-public",
 "projectOwner:kubernetes-public"
 ],
 "role": "roles/storage.legacyBucketOwner"
diff --git a/audit/projects/kubernetes-public/iam.json b/audit/projects/kubernetes-public/iam.json
index 1a17bda12a3..7a3c27c4b5f 100644
--- a/audit/projects/kubernetes-public/iam.json
+++ b/audit/projects/kubernetes-public/iam.json
@@ -116,6 +116,7 @@
 {
 "members": [
 "group:gke-security-groups@kubernetes.io",
+ "serviceAccount:gke-nodes-aaa@kubernetes-public.iam.gserviceaccount.com",
 "serviceAccount:k8s-infra-monitoring-viewer@kubernetes-public.iam.gserviceaccount.com"
 ],
 "role": "roles/monitoring.viewer"
@@ -143,6 +144,12 @@
 "group:k8s-infra-cluster-admins@kubernetes.io"
 ],
 "role": "roles/stackdriver.accounts.viewer"
+ },
+ {
+ "members": [
+ "serviceAccount:k8s-infra-gcp-auditor@kubernetes-public.iam.gserviceaccount.com"
+ ],
+ "role": "roles/viewer"
 }
 ],
 "version": 1
diff --git a/audit/projects/kubernetes-public/service-accounts/k8s-infra-dns-updater@kubernetes-public.iam.gserviceaccount.com/description.json b/audit/projects/kubernetes-public/service-accounts/k8s-infra-dns-updater@kubernetes-public.iam.gserviceaccount.com/description.json
index d1d2ce0501e..6874244f3f0 100644
--- a/audit/projects/kubernetes-public/service-accounts/k8s-infra-dns-updater@kubernetes-public.iam.gserviceaccount.com/description.json
+++ b/audit/projects/kubernetes-public/service-accounts/k8s-infra-dns-updater@kubernetes-public.iam.gserviceaccount.com/description.json
@@ -1,5 +1,5 @@
 {
- "displayName": "k8s-infra dns updater",
+ "displayName": "k8s-infra-dns-updater",
 "email": "k8s-infra-dns-updater@kubernetes-public.iam.gserviceaccount.com",
 "name": "projects/kubernetes-public/serviceAccounts/k8s-infra-dns-updater@kubernetes-public.iam.gserviceaccount.com",
 "oauth2ClientId": "103924646831481972185",
diff --git a/audit/projects/kubernetes-public/service-accounts/k8s-infra-gcp-auditor@kubernetes-public.iam.gserviceaccount.com/description.json b/audit/projects/kubernetes-public/service-accounts/k8s-infra-gcp-auditor@kubernetes-public.iam.gserviceaccount.com/description.json
index 498e656e689..2fdea8a941a 100644
--- a/audit/projects/kubernetes-public/service-accounts/k8s-infra-gcp-auditor@kubernetes-public.iam.gserviceaccount.com/description.json
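Review bot: `serviceAccount:gke-nodes-aaa@kubernetes-public.iam.gserviceaccount.com` is added to the project-wide `roles/monitoring.viewer` binding in the first hunk; the name suggests a GKE node service account (not confirmed here), and any grant to a node SA is reachable by every pod on those nodes through the metadata server unless Workload Identity or metadata concealment is enforced, so this is effectively a cluster-wide read grant rather than a per-workload one. If a specific workload needs monitoring read access, a dedicated SA bound through `roles/iam.workloadIdentityUser`, as this same commit does for k8s-infra-gcp-auditor, keeps the blast radius to that namespace. The second hunk's `roles/viewer` for the auditor SA is read-only but broad across the whole project, which is reasonable for an auditor; the binding object that the first hunk opens is closed outside the hunk.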
+++ b/audit/projects/kubernetes-public/service-accounts/k8s-infra-gcp-auditor@kubernetes-public.iam.gserviceaccount.com/description.json
@@ -1,5 +1,5 @@
 {
- "displayName": "Grants readonly access to org resources",
+ "displayName": "k8s-infra-gcp-auditor",
 "email": "k8s-infra-gcp-auditor@kubernetes-public.iam.gserviceaccount.com",
 "name": "projects/kubernetes-public/serviceAccounts/k8s-infra-gcp-auditor@kubernetes-public.iam.gserviceaccount.com",
 "oauth2ClientId": "114307448815736377866",
diff --git a/audit/projects/kubernetes-public/service-accounts/k8s-infra-gcp-auditor@kubernetes-public.iam.gserviceaccount.com/iam.json b/audit/projects/kubernetes-public/service-accounts/k8s-infra-gcp-auditor@kubernetes-public.iam.gserviceaccount.com/iam.json
index 06b09be5633..762f06cb018 100644
--- a/audit/projects/kubernetes-public/service-accounts/k8s-infra-gcp-auditor@kubernetes-public.iam.gserviceaccount.com/iam.json
+++ b/audit/projects/kubernetes-public/service-accounts/k8s-infra-gcp-auditor@kubernetes-public.iam.gserviceaccount.com/iam.json
@@ -2,8 +2,7 @@
 "bindings": [
 {
 "members": [
- "serviceAccount:k8s-infra-prow-build-trusted.svc.id.goog[test-pods/k8s-infra-gcp-auditor]",
- "serviceAccount:kubernetes-public.svc.id.goog[test-pods/k8s-infra-gcp-auditor]"
+ "serviceAccount:k8s-infra-prow-build-trusted.svc.id.goog[test-pods/k8s-infra-gcp-auditor]"
 ],
 "role": "roles/iam.workloadIdentityUser"
 }
diff --git a/audit/projects/kubernetes-public/service-accounts/k8s-infra-monitoring-viewer@kubernetes-public.iam.gserviceaccount.com/description.json b/audit/projects/kubernetes-public/service-accounts/k8s-infra-monitoring-viewer@kubernetes-public.iam.gserviceaccount.com/description.json
index d00f34e95b6..3651abde308 100644
--- a/audit/projects/kubernetes-public/service-accounts/k8s-infra-monitoring-viewer@kubernetes-public.iam.gserviceaccount.com/description.json
+++ b/audit/projects/kubernetes-public/service-accounts/k8s-infra-monitoring-viewer@kubernetes-public.iam.gserviceaccount.com/description.json
@@ -1,5 +1,5 @@
 {
- "displayName": "k8s-infra monitoring viewer",
+ "displayName": "k8s-infra-monitoring-viewer",
 "email": "k8s-infra-monitoring-viewer@kubernetes-public.iam.gserviceaccount.com",
 "name": "projects/kubernetes-public/serviceAccounts/k8s-infra-monitoring-viewer@kubernetes-public.iam.gserviceaccount.com",
 "oauth2ClientId": "109438172956774474706",
diff --git a/audit/projects/kubernetes-public/service-accounts/kubernetes-external-secrets@kubernetes-public.iam.gserviceaccount.com/description.json b/audit/projects/kubernetes-public/service-accounts/kubernetes-external-secrets@kubernetes-public.iam.gserviceaccount.com/description.json
index 40d90557281..16dd42e0450 100644
--- a/audit/projects/kubernetes-public/service-accounts/kubernetes-external-secrets@kubernetes-public.iam.gserviceaccount.com/description.json
+++ b/audit/projects/kubernetes-public/service-accounts/kubernetes-external-secrets@kubernetes-public.iam.gserviceaccount.com/description.json
@@ -1,5 +1,5 @@
 {
- "displayName": "Kubernetes External Secrets Service Account",
+ "displayName": "kubernetes-external-secrets",
 "email": "kubernetes-external-secrets@kubernetes-public.iam.gserviceaccount.com",
 "name": "projects/kubernetes-public/serviceAccounts/kubernetes-external-secrets@kubernetes-public.iam.gserviceaccount.com",
 "oauth2ClientId": "101774440407211070893",