
Add project for gcs audits logs #2031

Merged
merged 2 commits into from
Jun 14, 2021

Conversation

ameukam
Member

@ameukam ameukam commented May 10, 2021

  • Dedicated GCP project for PII
  • BigQuery dataset for PII analysis
  • Bucket for GCR container registries audit logs

Signed-off-by: Arnaud Meukam ameukam@gmail.com

@k8s-ci-robot k8s-ci-robot added do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. labels May 10, 2021
@k8s-ci-robot k8s-ci-robot requested review from dims and spiffxp May 10, 2021 23:13
@k8s-ci-robot k8s-ci-robot added approved Indicates a PR has been approved by an approver from all required OWNERS files. area/terraform Terraform modules, testing them, writing more of them, code in infra/gcp/clusters/ wg/k8s-infra size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels May 10, 2021
Review thread on infra/gcp/clusters/projects/k8s-infra-public-pii/main.tf (outdated, resolved):
}

// Create a sink for the organization
resource "google_logging_organization_sink" "gcs-logs-org-sink" {
Member


Not familiar with this so no opinion

Member Author


I was looking at Aggregated sinks but I realized I don't need this.
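The project-scoped alternative the author settled on, written out as an added example (this is not the PR's own main.tf): a sink that exports this one project's Cloud Storage data-access audit records to a BigQuery dataset, with the sink's writer identity granted only on that dataset. `project_id`, the dataset and sink names are assumptions; GCR keeps image layers in a per-project GCS bucket, which is why the filter selects `storage.googleapis.com`.

```hcl
# Added example, not the PR's main.tf. Assumes a variable `project_id` naming
# the dedicated project and a google provider already configured for it.
variable "project_id" {
  type = string
}

# Data Access audit logs for Cloud Storage are off by default. GCR stores image
# layers in a GCS bucket, so pulls and pushes only become visible once these are on.
resource "google_project_iam_audit_config" "gcs_data_access" {
  project = var.project_id
  service = "storage.googleapis.com"

  audit_log_config {
    log_type = "DATA_READ"
  }
  audit_log_config {
    log_type = "DATA_WRITE"
  }
}

# Dataset that receives the exported audit entries for analysis.
resource "google_bigquery_dataset" "gcr_audit" {
  project    = var.project_id
  dataset_id = "gcr_audit_logs" # constructed name
  location   = "US"
}

# Project-level sink (not an aggregated organization sink): only this project's
# Cloud Storage data-access audit records, written to day-partitioned tables so
# retention can be managed per partition.
resource "google_logging_project_sink" "gcr_audit" {
  project     = var.project_id
  name        = "gcr-data-access-to-bigquery" # constructed name
  destination = "bigquery.googleapis.com/projects/${var.project_id}/datasets/${google_bigquery_dataset.gcr_audit.dataset_id}"
  filter      = <<-EOT
    logName="projects/${var.project_id}/logs/cloudaudit.googleapis.com%2Fdata_access"
    AND protoPayload.serviceName="storage.googleapis.com"
  EOT

  # A dedicated service account per sink, so the grant below is scoped to it alone.
  unique_writer_identity = true

  bigquery_options {
    use_partitioned_tables = true
  }
}

# The sink writes as its own service account; grant it data-editor on the one
# dataset rather than a project-wide BigQuery role.
resource "google_bigquery_dataset_iam_member" "sink_writer" {
  project    = var.project_id
  dataset_id = google_bigquery_dataset.gcr_audit.dataset_id
  role       = "roles/bigquery.dataEditor"
  member     = google_logging_project_sink.gcr_audit.writer_identity
}
```

The audit-config resource is what most people forget: without it the sink is valid but the dataset stays empty, because Cloud Storage emits no data-access entries by default.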

Review thread on infra/gcp/clusters/projects/k8s-infra-public-pii/main.tf (outdated, resolved).
Review thread on infra/gcp/clusters/projects/k8s-infra-public-pii/main.tf (outdated, resolved):
terraform {

backend "gcs" {
bucket = "k8s-infra-tf-public-ii"
Member


Or maybe I'm misunderstanding the intent here. I assumed this was about PII, not about the ii folks having a dedicated project in public.

Suggested change
bucket = "k8s-infra-tf-public-ii"
bucket = "k8s-infra-tf-public-pii"

Member Author


Fixed

Review thread on infra/gcp/ensure-main-project.sh (outdated, resolved).
Review thread on infra/gcp/clusters/projects/k8s-infra-public-pii/main.tf (outdated, resolved).
ameukam added 2 commits June 11, 2021 00:39
- Dedicated GCP project for PII
- BigQuery dataset for PII analysis
- Bucket for GCR container registries audit logs

Signed-off-by: Arnaud Meukam <ameukam@gmail.com>
Signed-off-by: Arnaud Meukam <ameukam@gmail.com>
@ameukam ameukam force-pushed the audit-pii-project-tf branch from 022fbb1 to 344e2dc June 10, 2021 22:50
@ameukam ameukam changed the title [WIP] Add project for gcs audits logs Add project for gcs audits logs Jun 10, 2021
@k8s-ci-robot k8s-ci-robot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jun 10, 2021
@spiffxp spiffxp mentioned this pull request Jun 11, 2021
Member

@spiffxp spiffxp left a comment


/approve
/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Jun 14, 2021
@k8s-ci-robot
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: ameukam, spiffxp

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot merged commit 3877257 into kubernetes:main Jun 14, 2021
@k8s-ci-robot k8s-ci-robot added this to the v1.22 milestone Jun 14, 2021
@ameukam
Member Author

ameukam commented Jun 14, 2021

Running ./ensure-main-project.sh

@spiffxp
Member

spiffxp commented Jun 14, 2021

Ensuring 'gs://k8s-infra-tf-public-pii' exists as private with owners 'k8s-infra-cluster-admins@kubernetes.io'

Didn't catch this during review... this is too broad a group. I will open a followup to move this to org-admins once this has been deployed

@spiffxp
Member

spiffxp commented Jun 14, 2021

@ameukam I was going to run terraform apply but I'm going to hold off if you're taking on deployment

@ameukam
Member Author

ameukam commented Jun 14, 2021

Got this during the deployment:

Error: Error setting IAM policy for storage bucket "b/k8s-infra-artifacts-gcslogs": googleapi: Error 409: The metadata for object "null" was edited during the operation. Please try again., conflict

  on main.tf line 114, in resource "google_storage_bucket_iam_policy" "analytics_legacybucketwriter_policy":
 114: resource "google_storage_bucket_iam_policy" "analytics_legacybucketwriter_policy" {

I think the bindings with cloud-storage-analytics@google.com as member are in conflict.
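An added example that ties together the two follow-ups raised in this thread, the over-broad owners group and the IAM policy conflict; it is not the PR's main.tf, and `project_id`, `logs_bucket_admins` and the bucket names are assumptions. Cloud Storage usage logs are delivered by Google's `cloud-storage-analytics@google.com` group, which needs write access on the destination bucket. The google provider documents `google_storage_bucket_iam_policy` as authoritative and not to be combined with `google_storage_bucket_iam_member` or `_binding` on the same bucket, so the example manages the whole policy in one resource:

```hcl
# Added example, not the PR's main.tf. Assumes `project_id` and an admin-group
# variable; bucket names are constructed placeholders.
variable "project_id" {
  type = string
}

variable "logs_bucket_admins" {
  type        = string
  description = "IAM member (e.g. group:...) that administers the logs bucket; keep this group small"
}

# Destination for Cloud Storage usage/access logs. Logs are kept a year, then dropped.
resource "google_storage_bucket" "gcs_logs" {
  project                     = var.project_id
  name                        = "example-gcs-access-logs" # constructed placeholder
  location                    = "US"
  uniform_bucket_level_access = true

  lifecycle_rule {
    action {
      type = "Delete"
    }
    condition {
      age = 365
    }
  }
}

# The complete IAM policy of the logs bucket in one place. Google's log-delivery
# group gets legacyBucketWriter to drop log objects; the admin group gets rights
# on this bucket only, instead of project-wide ownership by a large group.
data "google_iam_policy" "gcs_logs" {
  binding {
    role    = "roles/storage.legacyBucketWriter"
    members = ["group:cloud-storage-analytics@google.com"]
  }
  binding {
    role    = "roles/storage.admin"
    members = [var.logs_bucket_admins]
  }
}

# Authoritative: replaces whatever policy is on the bucket, so it must be the
# only resource that manages this bucket's IAM. A sibling such as
#
#   resource "google_storage_bucket_iam_member" "extra" {
#     bucket = google_storage_bucket.gcs_logs.name
#     role   = "roles/storage.legacyBucketWriter"
#     member = "group:cloud-storage-analytics@google.com"
#   }
#
# would read-modify-write the same policy concurrently and trigger the kind of
# 409 "metadata ... was edited during the operation" conflict quoted above.
resource "google_storage_bucket_iam_policy" "gcs_logs" {
  bucket      = google_storage_bucket.gcs_logs.name
  policy_data = data.google_iam_policy.gcs_logs.policy_data
}

# A bucket whose object accesses should be logged, e.g. a registry artifact bucket.
resource "google_storage_bucket" "audited" {
  project                     = var.project_id
  name                        = "example-audited-bucket" # constructed placeholder
  location                    = "US"
  uniform_bucket_level_access = true

  logging {
    log_bucket        = google_storage_bucket.gcs_logs.name
    log_object_prefix = "audited"
  }
}
```

If a second binding on the logs bucket is genuinely needed, add it as another `binding` block in the `google_iam_policy` data source rather than as a separate `_member` resource; a `terraform plan` then shows the full resulting policy, which also makes the membership review spiffxp asked for a one-file read.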
