audit: update as of 2021-05-05 #2001
Conversation
k8s-ci-robot
added
the
cncf-cla: yes
|
Hi @cncf-ci. Thanks for your PR. I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
k8s-ci-robot
added
needs-ok-to-test
k8s-ci-robot
added
wg/k8s-infra
size/L
cncf-ci
force-pushed
the
autoaudit-prow
branch
2 times, most recently
from
5adeebf to
49c66c9
Compare
| }, | ||
| { | ||
| "members": [ | ||
| "group:k8s-infra-gcs-access-logs@kubernetes.io" |
There was a problem hiding this comment.
Expected, this was #1966 being deployed
| { | ||
| "displayName": "k8s-infra container image auditor", | ||
| "email": "k8s-infra-gcr-auditor@k8s-artifacts-prod.iam.gserviceaccount.com", | ||
| "name": "projects/k8s-artifacts-prod/serviceAccounts/k8s-infra-gcr-auditor@k8s-artifacts-prod.iam.gserviceaccount.com", | ||
| "oauth2ClientId": "113024649066440988760", | ||
| "projectId": "k8s-artifacts-prod", | ||
| "uniqueId": "113024649066440988760" | ||
| } |
| @@ -9,6 +9,7 @@ cloudtrace.googleapis.com Cloud Trace API | |||
| compute.googleapis.com Compute Engine API | |||
| containeranalysis.googleapis.com Container Analysis API | |||
| containerregistry.googleapis.com Container Registry API | |||
| containerscanning.googleapis.com Container Scanning API | |||
There was a problem hiding this comment.
Yeah this popped back up. #1963 is the followup issue to remove this from our code
| "role": "projects/k8s-infra-prow-build-trusted/roles/ServiceAccountLister" | ||
| "role": "organizations/758905017065/roles/iam.serviceAccountLister" |
There was a problem hiding this comment.
Expected (though surprising at the time it happened) this is the last part of #1737 being deployed
This happened while deploying #1952 (comment), so apparently I forget to run terraform apply for the appropriate clusters after merging #1737
| "group:k8s-infra-prow-viewers@kubernetes.io" | ||
| "group:k8s-infra-cluster-admins@kubernetes.io" |
There was a problem hiding this comment.
This is a weird way of diffing it, but same expected change as above (this time for k8s-infra-prow-build instead of k8s-infra-prow-build-trusted)
| ], | ||
| "role": "roles/storage.admin" | ||
| }, | ||
| { | ||
| "members": [ | ||
| "group:k8s-infra-cluster-admins@kubernetes.io", | ||
| "projectEditor:kubernetes-public", |
There was a problem hiding this comment.
These are expected, this is #1974 being deployed, specifically the part that's dropping projectEditor bindings
| @@ -116,6 +116,7 @@ | |||
| { | |||
| "members": [ | |||
| "group:gke-security-groups@kubernetes.io", | |||
| "serviceAccount:gke-nodes-aaa@kubernetes-public.iam.gserviceaccount.com", | |||
There was a problem hiding this comment.
This is the result of running terraform apply for clusters/projects/kubernetes-public/aaa using the last commit of #1974. There was an authoritative google_iam_policy terraform resource that kept overwriting other non-authoritative add-iam-policy-binding equivalents in terraform or bash.
I opted to move the project level bindings for accounts/groups not managed by terraform over to ensure-main-project.sh, and re-ran terraform apply... these are all of the bindings that should be present
| "members": [ | ||
| "serviceAccount:k8s-infra-gcp-auditor@kubernetes-public.iam.gserviceaccount.com" | ||
| ], | ||
| "role": "roles/viewer" |
There was a problem hiding this comment.
Also expected from #1974
It's redundant, given a binding to custom org role audit.viewer at the org level, but ensure-main-project.sh as written needs to give the service account some kind of role at the project level, and it seemed best to avoid tangling with the org for bootstrapping purposes
| @@ -1,5 +1,5 @@ | |||
| { | |||
| "displayName": "k8s-infra dns updater", | |||
| "displayName": "k8s-infra-dns-updater", | |||
There was a problem hiding this comment.
Expected from #1974
The displayName seemed mostly unused, so to reduce the number of parameters to pass during provisioning, I opted to make it the same as name (the part before the @ in the service accounts e-mail address). More easily searchable within our source code.
| @@ -2,8 +2,7 @@ | |||
| "bindings": [ | |||
| { | |||
| "members": [ | |||
| "serviceAccount:k8s-infra-prow-build-trusted.svc.id.goog[test-pods/k8s-infra-gcp-auditor]", | |||
| "serviceAccount:kubernetes-public.svc.id.goog[test-pods/k8s-infra-gcp-auditor]" | |||
There was a problem hiding this comment.
Expected from #1974
This should have been removed ages ago, this was over a year ago when I was testing out a prow build cluster in the kubernetes-public project, and had noodled on getting k8s-infra-gcp-auditor sufficient privileges to run the audit scripts.
k8s-ci-robot
added
ok-to-test
k8s-ci-robot
added
the
lgtm
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: cncf-ci, spiffxp The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
Audit Updates wg-k8s-infra