From 56c5025d5649fe7346cd68e38f1192f7385099f1 Mon Sep 17 00:00:00 2001
From: Arnaud Meukam
Date: Thu, 22 Apr 2021 22:49:49 +0200
Subject: [PATCH] Read access to read access k8s-artifacts-gcslogs

Ref: https://github.com/kubernetes/k8s.io/issues/1945
Inital request: https://groups.google.com/g/kubernetes-wg-k8s-infra/c/Wkw0uyMKSXk/m/QLVIAMZzAAAJ.
Signed-off-by: Arnaud Meukam
---
 infra/gcp/ensure-prod-storage.sh | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/infra/gcp/ensure-prod-storage.sh b/infra/gcp/ensure-prod-storage.sh
index ea7bde4bcb3..d7d77fa2505 100755
--- a/infra/gcp/ensure-prod-storage.sh
+++ b/infra/gcp/ensure-prod-storage.sh
@@ -359,6 +359,12 @@ color 6 "Handling special cases"
 $(svc_acct_email "${GCR_BACKUP_TEST_PRODBAK_PROJECT}" "${PROMOTER_SVCACCT}")
 done
 
+ # Special case: empower k8s-infra-gcs-access-logs@kubernetes.io to read k8s-artifacts-gcslogs
+ # k8s-artifacts-gcslogs receive and store Cloud Audit logs for k8s-artificats-prod.
+ ensure_gcs_role_binding "gs://k8s-artifacts-gcslogs" \
+ "group:k8s-infra-gcs-access-logs@kubernetes.io" \
+ "objectViewer"
+
 color 6 "Ensuring prod promoter vuln scanning svcacct exists"
 ensure_service_account \
 "${PROD_PROJECT}" \
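Review bot: The two comment lines added above the `ensure_gcs_role_binding` call do not record why the group needs this access or where it was approved, and the second line misspells the source bucket as `k8s-artificats-prod`. The bucket and group names suggest GCS access logs while the comment says Cloud Audit logs; either kind normally carries requester IP addresses and user agents, so a bucket-wide `objectViewer` grant to a group should be described precisely enough to audit later. I would reword the comment to `# Special case: grant k8s-infra-gcs-access-logs@kubernetes.io read-only access to k8s-artifacts-gcslogs,` followed by `# which receives and stores the logs for k8s-artifacts-prod (ref: kubernetes/k8s.io#1945).`, naming the exact log type once confirmed. The "Handling special cases" section this sits in starts before the hunk, and the `ensure_service_account` call at the end continues past it.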