-
Notifications
You must be signed in to change notification settings - Fork 832
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
audit-followup: deal with project ssh-keys growing #1751
Comments
@spiffxp: The label(s) In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
/assign @amwat |
so i think both of those are generated by kube-up for the same reasons, except they have a different $USER |
if that's the case I guess I would expect to see a lot more spurious keys with not-kubetest2 at the end of them wonder what it is that kube-up is doing differently on its own? regardless, I'm feeling like some possible paths forward could be:
|
I think Just to elaborate on the "why they are all the same": we add which mounts a pair of existing keys (as secrets in the prow cluster) to each job. which This will propagate once for every time it encounters a new project, after that the keys will already exist (so makes it faster). Whereas by default, gcloud will just create a new pair of keys (currently what's happening for kubetest2) Depending on what's more important (time saving with static keys/ clean runs) |
That assumed key the preset adds is already prepopulated in all projects by ensure-e2e-projects.sh We should figure out why it's not being detected |
New key per run and cleaning up afterward would be a good followup and reduce impact of the assumed key needing to be rotated, but let's cut the noise down first |
/priority important-soon |
kubernetes-sigs/kubetest2#109 - support for reusing ssh keys At this point I'm inclined to try a one-shot that nukes the ssh-keys and resets to known default. I will try to take a look at currently running jobs (look at boskos resources on relevant build clusters) to see if it's worth avoiding potential disruption caused by wiping keys. |
Latest audit PR's don't show keys randomly getting added anymore. Opened #1894 to stage a manual edit so I can edit keys more quickly, will run |
OK, so I think we're at a steady state,
But I don't grok why
Honestly, as long as keys aren't getting constantly added and blowing up audit PRs, I'm happy to leave this as is. If I can't figure this out after 30min, I'm going to open a followup issue for this bug, and just make the "steady state" the expected set of ssh-keys |
/milestone v1.21 |
Followup from #1748
over time k8s-infra-e2e-* projects are accumulating entries in
project.commonInstanceMetadata["ssh-keys"]
(eg: https://github.com/kubernetes/k8s.io/pull/1748/files#diff-358508c57e9216cf9e24c719a001712286b35054ea2618b4c7904db2290e8337R6)briefly:
prow\nprow:prow:ssh-rsa
(this is intended, same across all projects and managed by scripts in this repo)prow\nkubetest2:ssh-rsa
(not sure if this is actively used / the same key everywhere)root@6e6f003c-7933-11eb-a603-2218f636630c\nkubetest2:ssh-rsa
concerns:
/kind bug
/wg k8s-infra
/sig testing
/area prow
/area infra-mgmt
/area access
/area infra/auditing
/priority important-longerm
The text was updated successfully, but these errors were encountered: