audit: update as of 2021-10-14

audit/projects/k8s-cip-test-prod/services/logging/logs.json

@@ -1,3 +1 @@
-[
-  "projects/k8s-cip-test-prod/logs/cloudaudit.googleapis.com%2Fsystem_event"
-]
+[]

audit/projects/k8s-staging-ci-images/services/logging/logs.json

@@ -1,4 +1,3 @@
 [
-  "projects/k8s-staging-ci-images/logs/cloudaudit.googleapis.com%2Factivity",
-  "projects/k8s-staging-ci-images/logs/cloudaudit.googleapis.com%2Fsystem_event"
+  "projects/k8s-staging-ci-images/logs/cloudaudit.googleapis.com%2Factivity"
 ]

audit/projects/k8s-staging-cluster-api-gcp/services/logging/logs.json

@@ -1,7 +1,6 @@
 [
   "projects/k8s-staging-cluster-api-gcp/logs/cloudaudit.googleapis.com%2Factivity",
   "projects/k8s-staging-cluster-api-gcp/logs/cloudaudit.googleapis.com%2Fdata_access",
-  "projects/k8s-staging-cluster-api-gcp/logs/cloudaudit.googleapis.com%2Fsystem_event",
   "projects/k8s-staging-cluster-api-gcp/logs/cloudbuild",
   "projects/k8s-staging-cluster-api-gcp/logs/compute.googleapis.com%2Fshielded_vm_integrity"
 ]

audit/projects/kubernetes-public/buckets/k8s-infra-tf-gcp/iam.json

@@ -0,0 +1,29 @@
+{
+  "bindings": [
+    {
+      "members": [
+        "group:k8s-infra-gcp-org-admins@kubernetes.io"
+      ],
+      "role": "roles/storage.admin"
+    },
+    {
+      "members": [
+        "group:k8s-infra-gcp-org-admins@kubernetes.io",
+        "projectOwner:kubernetes-public"
+      ],
+      "role": "roles/storage.legacyBucketOwner"
+    },
+    {
+      "members": [
+        "projectViewer:kubernetes-public"
+      ],
+      "role": "roles/storage.legacyBucketReader"
+    },
+    {
+      "members": [
+        "group:k8s-infra-gcp-org-admins@kubernetes.io"
+      ],
+      "role": "roles/storage.objectAdmin"
+    }
+  ]
+}

audit/projects/kubernetes-public/buckets/k8s-infra-tf-gcp/metadata.txt

@@ -0,0 +1,20 @@
+gs://k8s-infra-tf-gcp/ :
+	Storage class:			STANDARD
+	Location type:			multi-region
+	Location constraint:		US
+	Versioning enabled:		None
+	Logging configuration:		None
+	Website configuration:		None
+	CORS configuration: 		None
+	Lifecycle configuration:	None
+	Requester Pays enabled:		None
+	Labels:				None
+	Default KMS key:		None
+	Time created:			Thu, 14 Oct 2021 16:46:11 GMT
+	Time updated:			Thu, 14 Oct 2021 16:46:32 GMT
+	Metageneration:			6
+	Bucket Policy Only enabled:	True
+	Public access prevention:	unspecified
+	RPO:				DEFAULT
+	ACL:				[]
+	Default ACL:			[]

audit/projects/kubernetes-public/buckets/k8s-infra-tf-monitoring/iam.json

@@ -0,0 +1,29 @@
+{
+  "bindings": [
+    {
+      "members": [
+        "group:k8s-infra-gcp-org-admins@kubernetes.io"
+      ],
+      "role": "roles/storage.admin"
+    },
+    {
+      "members": [
+        "group:k8s-infra-cluster-admins@kubernetes.io",
+        "projectOwner:kubernetes-public"
+      ],
+      "role": "roles/storage.legacyBucketOwner"
+    },
+    {
+      "members": [
+        "projectViewer:kubernetes-public"
+      ],
+      "role": "roles/storage.legacyBucketReader"
+    },
+    {
+      "members": [
+        "group:k8s-infra-cluster-admins@kubernetes.io"
+      ],
+      "role": "roles/storage.objectAdmin"
+    }
+  ]
+}

audit/projects/kubernetes-public/buckets/k8s-infra-tf-monitoring/metadata.txt

@@ -0,0 +1,20 @@
+gs://k8s-infra-tf-monitoring/ :
+	Storage class:			STANDARD
+	Location type:			multi-region
+	Location constraint:		US
+	Versioning enabled:		None
+	Logging configuration:		None
+	Website configuration:		None
+	CORS configuration: 		None
+	Lifecycle configuration:	None
+	Requester Pays enabled:		None
+	Labels:				None
+	Default KMS key:		None
+	Time created:			Thu, 14 Oct 2021 04:54:40 GMT
+	Time updated:			Thu, 14 Oct 2021 04:55:14 GMT
+	Metageneration:			6
+	Bucket Policy Only enabled:	True
+	Public access prevention:	unspecified
+	RPO:				DEFAULT
+	ACL:				[]
+	Default ACL:			[]

audit/projects/kubernetes-public/iam.json

@@ -117,6 +117,12 @@
       ],
       "role": "roles/logging.privateLogViewer"
     },
+    {
+      "members": [
+        "serviceAccount:tf-monitoring-deployer@kubernetes-public.iam.gserviceaccount.com"
+      ],
+      "role": "roles/monitoring.admin"
+    },
     {
       "members": [
         "serviceAccount:gke-nodes-aaa@kubernetes-public.iam.gserviceaccount.com"
@@ -161,6 +167,7 @@
         "group:k8s-infra-artifact-admins@kubernetes.io",
         "group:k8s-infra-aws-admins@kubernetes.io",
         "group:k8s-infra-cluster-admins@kubernetes.io",
+        "group:k8s-infra-gcp-org-admins@kubernetes.io",
         "group:k8s-infra-ii-coop@kubernetes.io",
         "group:k8s-infra-prow-oncall@kubernetes.io",
         "group:k8s-infra-sandbox-capg@kubernetes.io",

audit/projects/kubernetes-public/service-accounts/tf-monitoring-deployer@kubernetes-public.iam.gserviceaccount.com/description.json

@@ -0,0 +1,8 @@
+{
+  "displayName": "tf-monitoring-deployer",
+  "email": "tf-monitoring-deployer@kubernetes-public.iam.gserviceaccount.com",
+  "name": "projects/kubernetes-public/serviceAccounts/tf-monitoring-deployer@kubernetes-public.iam.gserviceaccount.com",
+  "oauth2ClientId": "105944484171419312033",
+  "projectId": "kubernetes-public",
+  "uniqueId": "105944484171419312033"
+}

audit/projects/kubernetes-public/service-accounts/tf-monitoring-deployer@kubernetes-public.iam.gserviceaccount.com/iam.json

@@ -0,0 +1,11 @@
+{
+  "bindings": [
+    {
+      "members": [
+        "serviceAccount:kubernetes-public.svc.id.goog[test-pods/tf-monitoring-deployer]"
+      ],
+      "role": "roles/iam.workloadIdentityUser"
+    }
+  ],
+  "version": 1
+}