From 2c894d8dd41fa0e2f25308eb84af75513115cd2c Mon Sep 17 00:00:00 2001
From: CNCF CI Bot
Date: Thu, 6 May 2021 12:56:22 +0000
Subject: [PATCH] audit: update as of 2021-05-06

---
 audit/org_kubernetes.io/iam.json | 6 +
 .../org_kubernetes.io/roles/audit.viewer.json | 133 +++++++++++++++++-
 .../roles/organization.admin.json | 19 ++-
 .../k8s-infra-clusters-terraform/iam.json | 3 +-
 audit/projects/kubernetes-public/iam.json | 4 +
 5 files changed, 159 insertions(+), 6 deletions(-)

diff --git a/audit/org_kubernetes.io/iam.json b/audit/org_kubernetes.io/iam.json
index b8b435d1cdc..c04d8d81029 100644
--- a/audit/org_kubernetes.io/iam.json
+++ b/audit/org_kubernetes.io/iam.json
@@ -66,6 +66,12 @@
 ],
 "role": "roles/iam.securityReviewer"
 },
+ {
+ "members": [
+ "group:k8s-infra-gcp-org-admins@kubernetes.io"
+ ],
+ "role": "roles/orgpolicy.policyAdmin"
+ },
 {
 "members": [
 "group:k8s-infra-gcp-org-admins@kubernetes.io"
diff --git a/audit/org_kubernetes.io/roles/audit.viewer.json b/audit/org_kubernetes.io/roles/audit.viewer.json
index 58d0c987f41..dae7ce81343 100644
--- a/audit/org_kubernetes.io/roles/audit.viewer.json
+++ b/audit/org_kubernetes.io/roles/audit.viewer.json
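Review bot: roles/orgpolicy.policyAdmin on the organization node carries no recorded justification in this snapshot, and it is powerful enough to deserve one: whoever is in group:k8s-infra-gcp-org-admins@kubernetes.io can now relax or clear the organization-policy constraints that every folder and project under the org inherits (for example constraints that restrict domain sharing or service-account key creation, if those are in use). Because this is an audit export, it cannot show whether the binding was applied through the script that manages org-level bindings or granted by hand; it is worth confirming the source of truth declares it, since a binding that exists only here is exactly the drift this audit is meant to surface. The same group appears in the members of the next binding in the context lines, so the cumulative set of org-level roles it holds should be reviewed together rather than one grant at a time.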
@@ -145,6 +145,100 @@
 "binaryauthorization.policy.getIamPolicy",
 "clientauthconfig.brands.list",
 "clientauthconfig.clients.list",
+ "cloudasset.assets.analyzeIamPolicy",
+ "cloudasset.assets.exportAccessLevel",
+ "cloudasset.assets.exportAccessPolicy",
+ "cloudasset.assets.exportAllAccessPolicy",
+ "cloudasset.assets.exportAppengineApplications",
+ "cloudasset.assets.exportAppengineServices",
+ "cloudasset.assets.exportAppengineVersions",
+ "cloudasset.assets.exportBigqueryDatasets",
+ "cloudasset.assets.exportBigqueryTables",
+ "cloudasset.assets.exportBigtableCluster",
+ "cloudasset.assets.exportBigtableInstance",
+ "cloudasset.assets.exportBigtableTable",
+ "cloudasset.assets.exportCloudbillingBillingAccounts",
+ "cloudasset.assets.exportCloudkmsCryptoKeyVersions",
+ "cloudasset.assets.exportCloudkmsCryptoKeys",
+ "cloudasset.assets.exportCloudkmsImportJobs",
+ "cloudasset.assets.exportCloudkmsKeyRings",
+ "cloudasset.assets.exportCloudresourcemanagerFolders",
+ "cloudasset.assets.exportCloudresourcemanagerOrganizations",
+ "cloudasset.assets.exportCloudresourcemanagerProjects",
+ "cloudasset.assets.exportComputeAddress",
+ "cloudasset.assets.exportComputeAutoscalers",
+ "cloudasset.assets.exportComputeBackendBuckets",
+ "cloudasset.assets.exportComputeBackendServices",
+ "cloudasset.assets.exportComputeDisks",
+ "cloudasset.assets.exportComputeFirewalls",
+ "cloudasset.assets.exportComputeForwardingRules",
+ "cloudasset.assets.exportComputeGlobalAddress",
+ "cloudasset.assets.exportComputeGlobalForwardingRules",
+ "cloudasset.assets.exportComputeHealthChecks",
+ "cloudasset.assets.exportComputeHttpHealthChecks",
+ "cloudasset.assets.exportComputeHttpsHealthChecks",
+ "cloudasset.assets.exportComputeImages",
+ "cloudasset.assets.exportComputeInstanceGroupManagers",
+ "cloudasset.assets.exportComputeInstanceGroups",
+ "cloudasset.assets.exportComputeInstanceTemplates",
+ "cloudasset.assets.exportComputeInstances",
+ "cloudasset.assets.exportComputeInterconnect",
+ "cloudasset.assets.exportComputeInterconnectAttachment",
+ "cloudasset.assets.exportComputeLicenses",
+ "cloudasset.assets.exportComputeNetworks",
+ "cloudasset.assets.exportComputeProjects",
+ "cloudasset.assets.exportComputeRegionAutoscaler",
+ "cloudasset.assets.exportComputeRegionBackendServices",
+ "cloudasset.assets.exportComputeRegionDisk",
+ "cloudasset.assets.exportComputeRegionInstanceGroup",
+ "cloudasset.assets.exportComputeRegionInstanceGroupManager",
+ "cloudasset.assets.exportComputeRouters",
+ "cloudasset.assets.exportComputeRoutes",
+ "cloudasset.assets.exportComputeSecurityPolicy",
+ "cloudasset.assets.exportComputeSnapshots",
+ "cloudasset.assets.exportComputeSslCertificates",
+ "cloudasset.assets.exportComputeSubnetworks",
+ "cloudasset.assets.exportComputeTargetHttpProxies",
+ "cloudasset.assets.exportComputeTargetHttpsProxies",
+ "cloudasset.assets.exportComputeTargetInstances",
+ "cloudasset.assets.exportComputeTargetPools",
+ "cloudasset.assets.exportComputeTargetSslProxies",
+ "cloudasset.assets.exportComputeTargetTcpProxies",
+ "cloudasset.assets.exportComputeTargetVpnGateways",
+ "cloudasset.assets.exportComputeUrlMaps",
+ "cloudasset.assets.exportComputeVpnTunnels",
+ "cloudasset.assets.exportContainerClusterrole",
+ "cloudasset.assets.exportContainerClusterrolebinding",
+ "cloudasset.assets.exportContainerClusters",
+ "cloudasset.assets.exportContainerNamespace",
+ "cloudasset.assets.exportContainerNode",
+ "cloudasset.assets.exportContainerNodepool",
+ "cloudasset.assets.exportContainerPod",
+ "cloudasset.assets.exportContainerRole",
+ "cloudasset.assets.exportContainerRolebinding",
+ "cloudasset.assets.exportContainerregistryImage",
+ "cloudasset.assets.exportDatafusionInstance",
+ "cloudasset.assets.exportDataprocClusters",
+ "cloudasset.assets.exportDataprocJobs",
+ "cloudasset.assets.exportDnsManagedZones",
+ "cloudasset.assets.exportDnsPolicies",
+ "cloudasset.assets.exportIamPolicy",
+ "cloudasset.assets.exportIamRoles",
+ "cloudasset.assets.exportIamServiceAccountKeys",
+ "cloudasset.assets.exportIamServiceAccounts",
+ "cloudasset.assets.exportManagedidentitiesDomain",
+ "cloudasset.assets.exportOrgPolicy",
+ "cloudasset.assets.exportPubsubSubscriptions",
+ "cloudasset.assets.exportPubsubTopics",
+ "cloudasset.assets.exportResource",
+ "cloudasset.assets.exportServicePerimeter",
+ "cloudasset.assets.exportServicemanagementServices",
+ "cloudasset.assets.exportSpannerDatabases",
+ "cloudasset.assets.exportSpannerInstances",
+ "cloudasset.assets.exportSqladminInstances",
+ "cloudasset.assets.exportStorageBuckets",
+ "cloudasset.assets.searchAllIamPolicies",
+ "cloudasset.assets.searchAllResources",
 "cloudasset.feeds.list",
 "cloudbuild.builds.list",
 "clouddebugger.breakpoints.list",
@@ -666,8 +760,6 @@
 "iap.webServiceVersions.getIamPolicy",
 "iap.webServices.getIamPolicy",
 "iap.webTypes.getIamPolicy",
- "identityplatform.workloadPoolProviders.list",
- "identityplatform.workloadPools.list",
 "lifesciences.operations.list",
 "logging.buckets.list",
 "logging.exclusions.list",
@@ -678,6 +770,7 @@
 "logging.logServices.list",
 "logging.logs.list",
 "logging.notificationRules.list",
+ "logging.operations.list",
 "logging.privateLogEntries.list",
 "logging.queries.list",
 "logging.sinks.list",
@@ -717,6 +810,12 @@
 "monitoring.slos.list",
 "monitoring.timeSeries.list",
 "monitoring.uptimeCheckConfigs.list",
+ "networkconnectivity.hubs.getIamPolicy",
+ "networkconnectivity.hubs.list",
+ "networkconnectivity.locations.list",
+ "networkconnectivity.operations.list",
+ "networkconnectivity.spokes.getIamPolicy",
+ "networkconnectivity.spokes.list",
 "networkmanagement.connectivitytests.getIamPolicy",
 "networkmanagement.connectivitytests.list",
 "networkmanagement.locations.list",
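Review bot: The block of `cloudasset.assets.export*` permissions added to audit.viewer in the first hunk (together with `analyzeIamPolicy` and the two `searchAll*` entries) is a different kind of capability from the `*.list` / `*.getIamPolicy` entries that make up the rest of this role: as I understand Cloud Asset Inventory, an export runs a job that writes an org-wide snapshot (IAM policies, org policies, service perimeters, service-account key inventory, KMS key metadata, GKE RBAC objects) to a caller-chosen destination rather than returning it to a console, so a holder of this custom role gains a bulk-exfiltration path for security-relevant metadata even though no individual resource becomes readable. If the role's permission set is produced by a name-pattern filter — the later `.get` additions such as `recommender.cloudAssetInsights.get` and `resourcemanager.folders.get` suggest it matches more than list/getIamPolicy — the filter is worth tightening, or `cloudasset.assets.export*` carved out explicitly while keeping `searchAllIamPolicies` / `searchAllResources` for the auditors who need cross-org lookup. Whether the role is generated or hand-maintained is not visible from the audit file, so this should be confirmed against whatever defines it; the removal of the two `identityplatform.workloadPool*` permissions in the second hunk likewise looks like upstream renaming rather than an intentional narrowing, and should be checked for a replacement permission.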
@@ -745,19 +844,29 @@
 "notebooks.instances.list",
 "notebooks.locations.list",
 "notebooks.operations.list",
+ "notebooks.runtimes.getIamPolicy",
+ "notebooks.runtimes.list",
 "notebooks.schedules.getIamPolicy",
 "notebooks.schedules.list",
 "ondemandscanning.operations.list",
 "opsconfigmonitoring.resourceMetadata.list",
 "osconfig.guestPolicies.list",
+ "osconfig.instanceOSPoliciesCompliances.list",
+ "osconfig.inventories.list",
+ "osconfig.osPolicyAssignments.list",
 "osconfig.patchDeployments.list",
 "osconfig.patchJobs.list",
+ "osconfig.vulnerabilityReports.list",
 "policysimulator.replayResults.list",
 "policysimulator.replays.list",
+ "privateca.caPools.getIamPolicy",
+ "privateca.caPools.list",
 "privateca.certificateAuthorities.getIamPolicy",
 "privateca.certificateAuthorities.list",
 "privateca.certificateRevocationLists.getIamPolicy",
 "privateca.certificateRevocationLists.list",
+ "privateca.certificateTemplates.getIamPolicy",
+ "privateca.certificateTemplates.list",
 "privateca.certificates.getIamPolicy",
 "privateca.certificates.list",
 "privateca.locations.list",
@@ -780,6 +889,10 @@
 "pubsublite.subscriptions.list",
 "pubsublite.topics.list",
 "recaptchaenterprise.keys.list",
+ "recommender.cloudAssetInsights.get",
+ "recommender.cloudAssetInsights.list",
+ "recommender.cloudsqlInstanceDiskUsageTrendInsights.list",
+ "recommender.cloudsqlInstanceOutOfDiskRecommendations.list",
 "recommender.commitmentUtilizationInsights.list",
 "recommender.computeAddressIdleResourceInsights.list",
 "recommender.computeAddressIdleResourceRecommendations.list",
@@ -794,6 +907,7 @@
 "recommender.iamPolicyInsights.list",
 "recommender.iamPolicyRecommendations.list",
 "recommender.iamServiceAccountInsights.list",
+ "recommender.locations.get",
 "recommender.locations.list",
 "recommender.loggingProductSuggestionContainerInsights.list",
 "recommender.loggingProductSuggestionContainerRecommendations.list",
@@ -805,14 +919,15 @@
 "redis.operations.list",
 "remotebuildexecution.instances.list",
 "remotebuildexecution.workerpools.list",
+ "resourcemanager.folders.get",
 "resourcemanager.folders.getIamPolicy",
 "resourcemanager.folders.list",
+ "resourcemanager.hierarchyNodes.listTagBindings",
 "resourcemanager.organizations.get",
 "resourcemanager.organizations.getIamPolicy",
 "resourcemanager.projects.get",
 "resourcemanager.projects.getIamPolicy",
 "resourcemanager.projects.list",
- "resourcemanager.resourceTagBindings.list",
 "resourcemanager.tagKeys.getIamPolicy",
 "resourcemanager.tagKeys.list",
 "resourcemanager.tagValues.getIamPolicy",
@@ -884,6 +999,7 @@
 "storage.buckets.getIamPolicy",
 "storage.buckets.list",
 "storage.hmacKeys.list",
+ "storage.multipartUploads.list",
 "storage.objects.getIamPolicy",
 "storage.objects.list",
 "storagetransfer.jobs.list",
@@ -895,7 +1011,18 @@
 "tpu.tensorflowversions.list",
 "transcoder.jobTemplates.list",
 "transcoder.jobs.list",
+ "translationhub.portals.list",
+ "vmmigration.cloneJobs.list",
+ "vmmigration.cutoverJobs.list",
+ "vmmigration.datacenterConnectors.list",
 "vmmigration.deployments.list",
+ "vmmigration.groups.list",
+ "vmmigration.locations.list",
+ "vmmigration.migratingVms.list",
+ "vmmigration.operations.list",
+ "vmmigration.sources.list",
+ "vmmigration.targets.list",
+ "vmmigration.utilizationReports.list",
 "vpcaccess.connectors.list",
 "vpcaccess.locations.list",
 "vpcaccess.operations.list",
diff --git a/audit/org_kubernetes.io/roles/organization.admin.json b/audit/org_kubernetes.io/roles/organization.admin.json
index 8454061ce2d..38c211b5cf0 100644
--- a/audit/org_kubernetes.io/roles/organization.admin.json
+++ b/audit/org_kubernetes.io/roles/organization.admin.json
@@ -1,12 +1,22 @@
 {
 "description": "Access to administer all resources belonging to the organization",
 "includedPermissions": [
+ "billing.accounts.create",
 "billing.accounts.get",
 "billing.accounts.getIamPolicy",
+ "billing.accounts.getSpendingInformation",
+ "billing.accounts.getUsageExportSpec",
 "billing.accounts.list",
 "billing.accounts.redeemPromotion",
+ "billing.accounts.updateUsageExportSpec",
+ "billing.budgets.create",
+ "billing.budgets.delete",
+ "billing.budgets.get",
+ "billing.budgets.list",
+ "billing.budgets.update",
 "billing.credits.list",
 "billing.resourceAssociations.create",
+ "billing.resourceAssociations.list",
 "orgpolicy.policy.get",
 "resourcemanager.folders.create",
 "resourcemanager.folders.delete",
@@ -25,7 +35,14 @@
 "resourcemanager.projects.getIamPolicy",
 "resourcemanager.projects.list",
 "resourcemanager.projects.move",
- "resourcemanager.projects.setIamPolicy"
+ "resourcemanager.projects.setIamPolicy",
+ "storage.buckets.create",
+ "storage.buckets.delete",
+ "storage.buckets.get",
+ "storage.buckets.getIamPolicy",
+ "storage.buckets.list",
+ "storage.buckets.setIamPolicy",
+ "storage.buckets.update"
 ],
 "name": "organizations/758905017065/roles/organization.admin",
 "stage": "GA",
diff --git a/audit/projects/kubernetes-public/buckets/k8s-infra-clusters-terraform/iam.json b/audit/projects/kubernetes-public/buckets/k8s-infra-clusters-terraform/iam.json
index af83abe0e04..de375d736d4 100644
--- a/audit/projects/kubernetes-public/buckets/k8s-infra-clusters-terraform/iam.json
+++ b/audit/projects/kubernetes-public/buckets/k8s-infra-clusters-terraform/iam.json
@@ -2,8 +2,7 @@
 "bindings": [
 {
 "members": [
- "group:k8s-infra-gcp-org-admins@kubernetes.io",
- "user:spiffxp@google.com"
+ "group:k8s-infra-gcp-org-admins@kubernetes.io"
 ],
 "role": "roles/storage.admin"
 },
diff --git a/audit/projects/kubernetes-public/iam.json b/audit/projects/kubernetes-public/iam.json
index 7a3c27c4b5f..446bd888aca 100644
--- a/audit/projects/kubernetes-public/iam.json
+++ b/audit/projects/kubernetes-public/iam.json
@@ -147,6 +147,10 @@
 },
 {
 "members": [
+ "group:k8s-infra-aws-admins@kubernetes.io",
+ "group:k8s-infra-cluster-admins@kubernetes.io",
+ "group:k8s-infra-ii-coop@kubernetes.io",
+ "group:k8s-infra-prow-oncall@kubernetes.io",
 "serviceAccount:k8s-infra-gcp-auditor@kubernetes-public.iam.gserviceaccount.com"
 ],
 "role": "roles/viewer"
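Review bot: roles/viewer is a basic role that reads every current and future resource in kubernetes-public, and four human groups now share it with the auditor service account; at least group:k8s-infra-aws-admins@kubernetes.io has no obvious reason to need project-wide GCP read, and the cluster-admins and prow-oncall groups would more typically be served by scoped predefined roles (roles/container.clusterViewer plus the logging and monitoring viewer roles) if that is what they actually use. As far as I recall, basic Viewer also carries object read on buckets that rely on project-level IAM, so any bucket in this project holding non-public data becomes readable by every member of these groups — worth confirming none does before this lands. Since this is an audit export, the binding should also be checked against the project's provisioning config; a grant present only in the snapshot is precisely the drift this audit exists to surface.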