Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

audit: update as of 2021-04-09 #1897

Merged
merged 1 commit into from
Apr 9, 2021
Merged

audit: update as of 2021-04-09 #1897

merged 1 commit into from
Apr 9, 2021

Conversation

cncf-ci
Copy link
Contributor

@cncf-ci cncf-ci commented Apr 9, 2021

Audit Updates wg-k8s-infra

@k8s-ci-robot k8s-ci-robot added cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Apr 9, 2021
@k8s-ci-robot
Copy link
Contributor

Hi @cncf-ci. Thanks for your PR.

I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot k8s-ci-robot requested review from dims and nikhita April 9, 2021 06:20
@k8s-ci-robot k8s-ci-robot added wg/k8s-infra size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Apr 9, 2021
spiffxp
spiffxp approved these changes Apr 9, 2021
View reviewed changes
Copy link
Member

@spiffxp spiffxp left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/approve
/lgtm
/ok-to-test

audit/projects/k8s-artifacts-prod/iam.json
"serviceAccount:service-388270116193@containerregistry.iam.gserviceaccount.com",
"user:justinsb@google.com"
"serviceAccount:service-388270116193@containerregistry.iam.gserviceaccount.com"
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This was me making a manual edit. @justinsb is a member of k8s-infra-artifact-admins so this binding should have been redundant

...-conform/service-accounts/service-cri-o@k8s-conform.iam.gserviceaccount.com/description.json
@@ -1,5 +1,5 @@
{
"displayName": "service-cri-o",
"displayName": "Grants write access to gs://k8s-conform-cri-o",
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Expected, k8s-conform service-account description changes are due to #1890 (comment)

audit/projects/k8s-conform/services/enabled.txt
Comment on lines -2 to -3
compute.googleapis.com Compute Engine API
oslogin.googleapis.com Cloud OS Login API
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Expected, service disables are due to #1890 (comment)

audit/projects/k8s-conform/services/compute/project-info.json
Comment on lines -9 to -10
"kind": "compute#project",
"name": "k8s-conform",
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Expected, compute service was disabled via #1890 (comment)

audit/projects/kubernetes-public/secrets/spiffxp-test/description.json
Comment on lines -1 to -7
{
"createTime": "2021-04-08T19:41:00.816372Z",
"name": "projects/127754664067/secrets/spiffxp-test",
"replication": {
"automatic": {}
}
}
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Expected, this was me removing a dummy secret I had manually created for testing

audit/projects/k8s-infra-e2e-boskos-001/services/compute/project-info.json
"value": "prow:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCmYxHh/wwcV0P1aChuFLpl28w6DFyc7G5Xrw1F8wH1Re9AdxyemM2bTZ/PhsP3u9VDnNbyOw3UN00VFdumkFLjLf1WQ7Q6rZDlPjlw7urBIvAMqUecY6ae1znqsZ0dMBxOuPXHznlnjLjM5b7O7q5WsQMCA9Szbmz6DsuSyCuX0It2osBTN+8P/Fa6BNh3W8AF60M7L8/aUzLfbXVS2LIQKAHHD8CWqvXhLPuTJ03iSwFvgtAK1/J2XJwUP+OzAFrxj6A9LW5ZZgk3R3kRKr0xT/L7hga41rB1qy8Uz+Xr/PTVMNGW+nmU4bPgFchCK0JBK7B12ZcdVVFUEdpaAiKZ prow\nprow:prow:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCmYxHh/wwcV0P1aChuFLpl28w6DFyc7G5Xrw1F8wH1Re9AdxyemM2bTZ/PhsP3u9VDnNbyOw3UN00VFdumkFLjLf1WQ7Q6rZDlPjlw7urBIvAMqUecY6ae1znqsZ0dMBxOuPXHznlnjLjM5b7O7q5WsQMCA9Szbmz6DsuSyCuX0It2osBTN+8P/Fa6BNh3W8AF60M7L8/aUzLfbXVS2LIQKAHHD8CWqvXhLPuTJ03iSwFvgtAK1/J2XJwUP+OzAFrxj6A9LW5ZZgk3R3kRKr0xT/L7hga41rB1qy8Uz+Xr/PTVMNGW+nmU4bPgFchCK0JBK7B12ZcdVVFUEdpaAiKZ prow\nkubetest2:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDNmod3WnxDQ9f7EJSzZwvclM5CCDYZZXdx5K9cUa6CW/XJIsA/zurPZbH1jHp3QLX1DMR49GR+P8ACm6tP91qbVtdLxDyTeeLlRmXQEri7Bis2uwUXK7QkxmLgiUKzq95QwkYFGUafEy+we+OR4+Rj2C4rrFOriwqfWEjbGVPPt6ihfUauaSWKBkoF+X6YjJ+1zTtrQGqAyBpbhqCEUkWTOnG7Y7Wycqf30lw9Bs6ngw8QPhUyc3Pbjxj2aPOpDQVMPT03TjFT5F8pn2nU9trQuFdbnsY1Bjyd4Q2/jqfSjg1bbFEaEjV1FPHo/OeZNsXRTAj0Hh3A4KapLubvdT2n root@5d02d822-da00-11ea-8c1c-d23af84fd26f\nkubetest2:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC/mk6vRaJfkpfIWG0Evihh/q0x5W5nz943WE69/mk+Q1hJOJpNj7GJc0y0moVsiVaXXVMXRAoC/wQDzB+XRf44Js2lojJmhABqG/kVEAwgwgLk/nEZATGbwyGbXFcq267f6jTGNOY9HbRrq6gMOyzdRy1uzX286Uav7gKBDY5IP3lBLOKX857D0XhIQx/ry9hmb5GzIKSSL1Zmv6O0iQqiubbVCglKdIZ1AQoIud5tvzmghb7fAACkPfQ9kqwrbLFVUh/nKRhIQxeOr2QF2Uv0/YQFiULb/iw70Z/QI8QDnUrnPq9MMIHR2YpkX0K3qZeguqNgToiuYu2d/1RXxhGF root@1c7dbf9d-e14f-11ea-8c67-968ff53f47c5\nkubetest2:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDIm/Z3K0oPSZa0eLXTydSTcJFy9Gj1bE5QdAJt61f6abW0SQqlcez+PScnQFyqU8AFFRtO4kXB0JyDcobF3qQSXTN3P/NvV2psw/lHBes7uScfVDvfm7nDK1ndEbb24wBzXdc4wdZeCW+NoDEa8btslsSoGgINsUeI/oyME872WalXQuSiIFy4R7P3XmCXSePb8b+4HUa7vd5IpB+2K18oTmf+F93ZSPRJxTk8ZCJME6LnN7LxJkHYpnO+hC9IMPbAzWc0LDWpCNDuu0LO2rtvP/y/opj4it6i8l+FUg6hAHPlUos6vd3DCjkf3ylBwCAMOdRJp27DJmLx8+U+jiRz root@1e8e278f-f707-11ea-ae6d-8ed64f3416c0\nkubetest2:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDpcmjugW/itfeCL7WeZnea2YOEfzZgxMPTsvuHk39woyTRxJdjq4v/zMLSOXNBrdZFyqdW+F2ySS2GxCpvR5O2QKxEiqCcGOPK3xdQNRIP5mHtELgoPvPc4i22u3+ipfB/CrdrjN/ELwpUZXHrah5bNxOivEbNwYvQ3bMq+WbduRRLdKr10fwdyErywnqex4PvolxR2bOAnNdhakoUH31pSSECBKOX6YUh+TOG2Hh4wpyAJxSwxg7o5IgglU+ok9i6lK8g42CSlq+NBRp2AmoXd82KzXBfqpbTMJd2A8EnZrtq/VKGXFpWE4BzlA6+H7y3jxfcvTDfxH7I7YTgRUvB root@d99b53dd-f8b6-11ea-926e-7e7ea190b727\nkubetest2:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDtu4A2VuzGX/fH0HUjKcVqBi/+Fdd/kigCvQMWF3Uw6k8Q71l7ewcDDtfs+WDk06bNg50JsdaA+OcetrpL0yLPuKBvtSg/vl8msn8uxPbhHAgQ/QaaTLWYnztioPEsX4GHj6IcskwLGWNR+mIlqxY+cximmQ1O7hj1IGPNLuePysM9ZdpMDT7xOVc73PXd/t5+kZPjnKEQlsz5Zd7FtQH6QJ7ptKLYfcS062ZQlQJNaQPVIPk/TA9xLAEHaTSw0u1eJHuyXvbSbqvj8e/69wWMR32QmN6mKus3hQZjPMm+DzmDIWq2wt96i1eickCGSvpfXG4j6TIYmTVu3yTDe+ER root@1d6a8847-0838-11eb-b895-6272783fc925\nkubetest2:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC5eYrnUmX0URxEg778N+rOLSPqYJk1nPe3ppy/X7zf6rs514UlmBpftsI+ZC5iFxJKIfI1+IECBydUmMtcMeDNq6TJ+QtPaQjonX0jp7Cm4fdOmTfiDnuY1qhepvdKN7oWmZeNT1xrdAe8qeeLIbup92zIlU8++nusMmrAyvmmSjPtl41YNufj3g+4MEryQ6lq43RdkXT35GfZPdWUD3ZUrsc2b568NzBCdCG0j+/RYWHUxnRWiReJzhcrZX+dFACNL7Br5UVz6vmWNV8hLfrVJAAjHNtqWP0m4VCUOX84dfvmTa5I1xOjrqMNMLdWhNCKbR8zOJfaM86lzh66+yQv root@91bc69a5-532d-11eb-b6a5-7e8b7adfd54c\nkubetest2:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC2cYpeZLD9y25W19mQbvRxg7slzivZIV8y+p8XCIT2xddSl1HQ7Fz1Ir1iUzq0cqniTzHnmM8+RC47XaMMOaXaZjjPcpyNiaFOczCn9c4M5E48ipAa105HP9vj1yewWfgCbPxRP6QSweR8BOVLZHUpZwebPen1XwXUYrUBC0rhPHcFKPUtla4hlUEqI9/ca1yiohCUWDSpO9y5wazA54rZhkN/AHxhPCE0v8xcjJKbcZoUdyFFjY7kMXsL6AOpNwqpFzmhi01+ei3BikcRyKQnWAK15n+F0N4d1tYW5FPEAeepx/BsUnAlX3pji6N11c+sPg3laspWOvVTFgBWrpDd root@12716507-5573-11eb-b690-769430c9414e\nkubetest2:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC1HW5T8W/GHe9ba3zZhCR59IjYskzVSoR9KQQF97qG37mPsgvp+HZaFN4czh5Nq5SL7EbCZsROj50cMaO4Q37wCKvIQoWQtaFnBZkzvcADqPAyvIkGjsVRP7+3bSW+2vFr1bqmE8X5lFvIrAdR6BFbgirfTdeOT4SZo6OzyXm4mznYFQMxz5MIqNA+64qMq7UKWKYULRI33YMn8kvUVi3/sATPjOt4v0lQAM8i0g6IKw9MYlLNBQ9G7nH3tYWBBXAMboOT5TsGKGSt8FooNhxKuygbSyJoQL9T5x24sDjxqOVMvtTLRk3NtigdIcigiFgbRxGSmoNXGg9OIIP5Bcyh root@df1a6954-82ae-11eb-b915-56a8d6cedae4\nkubetest2:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDfySXJDe/9NLf9ek6OEu5CKV4ugzXnI4I+Ealg9fqaB2+S0BCsSGnrCOGUjKH0PWy85VqwhIhd+rTPz3sZRsbWTVvtnTWgLzBFnC20TuJlhmj+EUIIJcigSrkQcOOpGJi2trDBr1eXAN6SY9ZqHQRicndDVsJ9oi9eXrTUYoSwM+gbIWxscrRdvnsT61m1wLSmxJOoEb9013ow66j+RhDRd1MtJrrF1qoKOIPo9FtVHoOJuZ8gV2mASemGGx1xiTZSboDubvkKVroGzhG+uVEXaTqh7GJsmdN8yvjw/9qfphU7ihDuqZCIpiFx3HNV4tYsA6h1DhD92E7mInGC7Zsn root@d594c422-84c1-11eb-b098-eeb808a18dc8\nkubetest2:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDhsM5onslgH0nRFnAumVOGK9oHjF1t3VduBnRW5e3XgBu/qxoP3eT7qHYozRGTFLOrHPWIJ1ScyOEfV8cTT9aVNVamk3/5+UR34yOxQR/L5mrDyOd9o8hBvQ3BJiM6S775zQ4sy+oKTL9MMoT3m8/tC8n+lS+SNHyVFQXQmFEOLdiMN+qKenkYt5cv+lIzqKXUxtiJ5GQOsK2mY2TC+JtyeDSeCEjv1e/bmiEkWmiG1e550VdPffBfD0DOp5DWgkGM0a72SW1mPxjaxUy4ttk7JEPA76WiuLwG/mc6t28R5fmklQOyYK1LppGX1NhhLSGtwJ/abN8rgyWJqDyny+43 root@ad4d54b9-8af8-11eb-8155-227e2855667f\nkubetest2:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDIciYtiBpbHldYdy3OXDuSRbR4SgnK/kzx3fVYKb6+HCyiPBFEPON6xuxBTgb2i5vwuWH4tq7zA25+8we95Y81DSUaPs3kOMS+m03Nwg76LmYZxZTF7HTCp72QMSFZFPp0hu+IZertWcJ21CrnA9nxOd/XfCS+ZgtbCDZW4MrUP4Dx/Gs1dUyqqla/0GvU7StQjwGHGs7j+59w5W2oYrK75pW1VETikPNISAKorNE9U6yOGmQHk9Iw4qkY3UpGYSB2wKLuNAH6dVPBxEkW+PqL8jiyaXsKWA8WGnxSZtm2LUuXbEJ7Va16AVkzz0NLecBaCtR3q+CL1fOoDO0wlqlr root@3c8b1b38-8c41-11eb-b692-3a35d43432cb\nkubetest2:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDFpnDgq2z7HFkMOm5cFxWC/ygaQZz6WIr/ADtBlkGNdfhXfQXOwPx6I9CuaUApj+6EmSUMWOHFJ+2vBqL7n06OEmua1zhNjYJxjyI9Fovektew6idwcXYntUmWoYusoVyitI8JLIh9qwuOp7JHDzIw3e28o6k+z8VliVNoe2k+O516x3CTlaYFpnJfxXi1YmCAPuq0i1YYNqJ6AvA1axHUeq0YYw3ruNriNsENlgwVUO3HP+JjxI5PIYZHFv/ZYvYgcXBfDMrT29BiC1CTM5dVtT9OstMxtSSOR2JB5PTN/FukNigdne2APgG00p/QZcNIDvVCoDgNI+mTrDdAMVfd root@3599990f-8e54-11eb-adda-5eb174036857\nkubetest2:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDGwOPOG1FFup69yB/68lDCeIz1/outPDVIpyhaPZhxpy11w3wp/XFbaS807TNUKRs0vD43vxX3U2OS+hl4g+8p+uRdT9bVoFm5+PqxsDuSVLI3Ch5/itCo+Ux37wLLda9eBPqHC7fvgNyFqly00MeviZr1mooxgdxDOgLb4UHtKI9ke9QXlcxBkkEcWFZe6KLM5spcau5N9mhMWJryoUfwBHY6L/zcdIC0+YtUCT4Gz94J3YHv/ADDYfo73r5IfDJHXFqEXfZo++4nGIjFsW32emLJW9+S99GkDrnQEjUpwiybhhDklsiFe98/+oX7iDJcvzsirhGtZnMnj6FoCJEV root@a9e3680e-914c-11eb-827a-4615317e4d96\nkubetest2:prow:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCmYxHh/wwcV0P1aChuFLpl28w6DFyc7G5Xrw1F8wH1Re9AdxyemM2bTZ/PhsP3u9VDnNbyOw3UN00VFdumkFLjLf1WQ7Q6rZDlPjlw7urBIvAMqUecY6ae1znqsZ0dMBxOuPXHznlnjLjM5b7O7q5WsQMCA9Szbmz6DsuSyCuX0It2osBTN+8P/Fa6BNh3W8AF60M7L8/aUzLfbXVS2LIQKAHHD8CWqvXhLPuTJ03iSwFvgtAK1/J2XJwUP+OzAFrxj6A9LW5ZZgk3R3kRKr0xT/L7hga41rB1qy8Uz+Xr/PTVMNGW+nmU4bPgFchCK0JBK7B12ZcdVVFUEdpaAiKZ prow"
"value": "prow:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCmYxHh/wwcV0P1aChuFLpl28w6DFyc7G5Xrw1F8wH1Re9AdxyemM2bTZ/PhsP3u9VDnNbyOw3UN00VFdumkFLjLf1WQ7Q6rZDlPjlw7urBIvAMqUecY6ae1znqsZ0dMBxOuPXHznlnjLjM5b7O7q5WsQMCA9Szbmz6DsuSyCuX0It2osBTN+8P/Fa6BNh3W8AF60M7L8/aUzLfbXVS2LIQKAHHD8CWqvXhLPuTJ03iSwFvgtAK1/J2XJwUP+OzAFrxj6A9LW5ZZgk3R3kRKr0xT/L7hga41rB1qy8Uz+Xr/PTVMNGW+nmU4bPgFchCK0JBK7B12ZcdVVFUEdpaAiKZ prow\nprow:prow:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCmYxHh/wwcV0P1aChuFLpl28w6DFyc7G5Xrw1F8wH1Re9AdxyemM2bTZ/PhsP3u9VDnNbyOw3UN00VFdumkFLjLf1WQ7Q6rZDlPjlw7urBIvAMqUecY6ae1znqsZ0dMBxOuPXHznlnjLjM5b7O7q5WsQMCA9Szbmz6DsuSyCuX0It2osBTN+8P/Fa6BNh3W8AF60M7L8/aUzLfbXVS2LIQKAHHD8CWqvXhLPuTJ03iSwFvgtAK1/J2XJwUP+OzAFrxj6A9LW5ZZgk3R3kRKr0xT/L7hga41rB1qy8Uz+Xr/PTVMNGW+nmU4bPgFchCK0JBK7B12ZcdVVFUEdpaAiKZ prow"
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Expected, k8s-infra-e2e-* project changes are ssh-keys getting reset to known default via #1894 (comment)

Hopefully this is the last we see of random key changes in audit PRs

@k8s-ci-robot k8s-ci-robot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Apr 9, 2021
@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Apr 9, 2021
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: cncf-ci, spiffxp

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Apr 9, 2021
@spiffxp
Copy link
Member

spiffxp commented Apr 9, 2021

/cc @ameukam
/assign @thockin
if either of you want to take a look post-merge

@k8s-ci-robot k8s-ci-robot merged commit 20bdf60 into kubernetes:main Apr 9, 2021
@k8s-ci-robot k8s-ci-robot requested a review from ameukam April 9, 2021 15:25
@k8s-ci-robot k8s-ci-robot added this to the v1.22 milestone Apr 9, 2021
This was referenced Apr 9, 2021
Merged
Merged
thockin
thockin reviewed Apr 9, 2021
View reviewed changes
Copy link
Member

@thockin thockin left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for pounding on this

/lgtm

@spiffxp spiffxp mentioned this pull request Apr 9, 2021
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@thockin thockin thockin left review comments

@spiffxp spiffxp spiffxp approved these changes

@dims dims Awaiting requested review from dims

@nikhita nikhita Awaiting requested review from nikhita

@ameukam ameukam Awaiting requested review from ameukam

Assignees

@spiffxp spiffxp

@thockin thockin

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. area/audit Audit of project resources, audit followup issues, code in audit/ cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. lgtm "Looks good to me", indicates that a PR is ready to be merged. ok-to-test Indicates a non-member PR verified by an org member that is safe to test. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.
Projects
None yet
Milestone
v1.22
Development

Successfully merging this pull request may close these issues.
4 participants
@cncf-ci @k8s-ci-robot @spiffxp @thockin