audit: update as of 2021-05-04 #1903
Conversation
k8s-ci-robot
added
the
needs-ok-to-test
|
Hi @cncf-ci. Thanks for your PR. I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
k8s-ci-robot
added
cncf-cla: yes
cncf-ci
changed the title
k8s-ci-robot
added
size/S
| @@ -1 +1 @@ | |||
| gs://asia.artifacts.k8s-artifacts-prod.appspot.com/ has no logging configuration. | |||
| {"logBucket": "k8s-artifacts-gcslogs", "logObjectPrefix": "asia.artifacts.k8s-artifacts-prod.appspot.com"} | |||
There was a problem hiding this comment.
uh @thockin I think we still need to sort out permissions on this bucket (if we even want to use this project to host this bucket), see #904 (comment)
There was a problem hiding this comment.
I'm still not sure I see code in infra/gcp that enabled this?
There was a problem hiding this comment.
Will track this under #904 (comment) as something to followup on
cncf-ci
force-pushed
the
autoaudit-prow
branch
2 times, most recently
from
a2d369e to
93460a0
Compare
cncf-ci
changed the title
cncf-ci
force-pushed
the
autoaudit-prow
branch
3 times, most recently
from
28d6bca to
c5f6ed6
Compare
k8s-ci-robot
added
size/XXL
k8s-ci-robot
added
size/S
cncf-ci
changed the title
cncf-ci
force-pushed
the
autoaudit-prow
branch
4 times, most recently
from
5751f9a to
7555b7a
Compare
cncf-ci
force-pushed
the
autoaudit-prow
branch
4 times, most recently
from
a68d819 to
2f18446
Compare
cncf-ci
force-pushed
the
autoaudit-prow
branch
4 times, most recently
from
ac3fff9 to
fe5e064
Compare
cncf-ci
force-pushed
the
autoaudit-prow
branch
4 times, most recently
from
00a6d1d to
4122342
Compare
cncf-ci
force-pushed
the
autoaudit-prow
branch
3 times, most recently
from
1b8cccd to
ca3fcf2
Compare
There was a problem hiding this comment.
/ok-to-test
/approve
/lgtm
This has been hanging out for nearly a month, we shouldn't let that happen. The poor hygiene on my part was commenting via periodic reviews but not taking the concerns out to followup issues quickly enough (or, conversely, rolling changes back if they were that concerning).
So, I have done that now, and will allow this to merge.
| @@ -1 +1 @@ | |||
| gs://asia.artifacts.k8s-artifacts-prod.appspot.com/ has no logging configuration. | |||
| {"logBucket": "k8s-artifacts-gcslogs", "logObjectPrefix": "asia.artifacts.k8s-artifacts-prod.appspot.com"} | |||
There was a problem hiding this comment.
Will track this under #904 (comment) as something to followup on
| @@ -9,7 +9,6 @@ cloudtrace.googleapis.com Cloud Trace API | |||
| compute.googleapis.com Compute Engine API | |||
| containeranalysis.googleapis.com Container Analysis API | |||
| containerregistry.googleapis.com Container Registry API | |||
| containerscanning.googleapis.com Container Scanning API | |||
There was a problem hiding this comment.
/cc @dims
was this done manually? I forget where I saw notification that we wanted to disable this now that free pricing is going away
I just re-run ensure-prod-storage.sh which still has this service enabled so I suspect it's going to come back
| { | ||
| "bindings": [ | ||
| { | ||
| "members": [ | ||
| "projectEditor:k8s-infra-e2e-boskos-scale-03", | ||
| "projectOwner:k8s-infra-e2e-boskos-scale-03" | ||
| ], | ||
| "role": "roles/storage.legacyBucketOwner" | ||
| }, | ||
| { | ||
| "members": [ | ||
| "projectViewer:k8s-infra-e2e-boskos-scale-03" | ||
| ], | ||
| "role": "roles/storage.legacyBucketReader" | ||
| } | ||
| ] | ||
| } |
There was a problem hiding this comment.
Opened #1999 to track this as a followup
| "projectEditor:k8s-staging-service-apis", | ||
| "projectOwner:k8s-staging-service-apis" | ||
| "projectEditor:k8s-staging-gateway-api", | ||
| "projectOwner:k8s-staging-gateway-api" |
There was a problem hiding this comment.
lots of files changing but these are expected:
- moves of
service-apis->gateway-api - additions of
gateway-apiresources - deletions of
service-apisresources
this was #1954 getting deployed
| "members": [ | ||
| "projectViewer:kubernetes-public" | ||
| ], | ||
| "role": "roles/storage.legacyBucketReader" |
There was a problem hiding this comment.
I take this back. The bucket itself can be read, but none of its contents.
I still plan on having a PR out that tightens access on these later, but can live with this permission in the meantime.
k8s-ci-robot
added
ok-to-test
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: cncf-ci, spiffxp The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
Audit Updates wg-k8s-infra