audit: strip etags from json output, fix bq access dump #2089

Merged
merged 4 commits into from
May 24, 2021
63 changes: 34 additions & 29 deletions audit/audit-gcp.sh
Original file line number Diff line number Diff line change
Expand Up @@ -20,6 +20,11 @@ set -o pipefail

CNCF_GCP_ORG=758905017065

function format_gcloud_json() {
# recursively delete any fields named "etag"
jq 'delpaths([path(..|.etag?|select(.))])'
}

echo "# Removing existing audit files"
rm -rf org_kubernetes.io
rm -rf projects
Expand All @@ -34,14 +39,12 @@ gcloud \
ROLE=$(basename "${ROLE_PATH}")
gcloud iam roles describe "${ROLE}" \
--organization="${CNCF_GCP_ORG}" \
--format=json \
| jq 'del(.etag)' \
--format=json | format_gcloud_json \
> "org_kubernetes.io/roles/${ROLE}.json"
done
gcloud \
organizations get-iam-policy "${CNCF_GCP_ORG}" \
--format=json \
| jq 'del(.etag)' \
--format=json | format_gcloud_json \
> "org_kubernetes.io/iam.json"

echo "## Iterating over Projects"
Expand All @@ -55,16 +58,16 @@ gcloud \

echo "### Auditing Project ${PROJECT}"
mkdir -p "projects/${PROJECT}"

gcloud \
projects describe "${PROJECT}" \
--format=json \
--format=json | format_gcloud_json \
> "projects/${PROJECT}/description.json"

echo "#### ${PROJECT} IAM"
gcloud \
projects get-iam-policy "${PROJECT}" \
--format=json \
| jq 'del(.etag)' \
--format=json | format_gcloud_json \
> "projects/${PROJECT}/iam.json"

echo "#### ${PROJECT} ServiceAccounts"
Expand All @@ -77,14 +80,12 @@ gcloud \
gcloud \
iam service-accounts describe "${SVCACCT}" \
--project="${PROJECT}" \
--format=json \
| jq 'del(.etag)' \
--format=json | format_gcloud_json \
> "projects/${PROJECT}/service-accounts/${SVCACCT}/description.json"
gcloud \
iam service-accounts get-iam-policy "${SVCACCT}" \
--project="${PROJECT}" \
--format=json \
| jq 'del(.etag)' \
--format=json | format_gcloud_json \
> "projects/${PROJECT}/service-accounts/${SVCACCT}/iam.json"
done

Expand All @@ -99,8 +100,7 @@ gcloud \
gcloud \
iam roles describe "${ROLE}" \
--project="${PROJECT}" \
--format=json \
| jq 'del(.etag)' \
--format=json | format_gcloud_json \
> "projects/${PROJECT}/roles/${ROLE}.json"
done

Expand All @@ -116,22 +116,32 @@ gcloud \
--format="value(config.name)" \
| sed 's/.googleapis.com//' \
| while read -r SVC; do
echo "##### projects/${PROJECT}/services/${SVC}"
case "${SVC}" in
bigquery)
mkdir -p "projects/${PROJECT}/services/${SVC}"
bq \
--format=prettyjson --project_id=$PROJECT ls
ls \
--project_id="${PROJECT}" \
--format=json | format_gcloud_json \
> "projects/${PROJECT}/services/${SVC}/bigquery.datasets.json"
# Only run if there are any datasets
if [ -s "projects/${PROJECT}/services/${SVC}/bigquery.datasets.json" ]
then
bq \
--project_id="{$PROJECT}" --format=json ls \
ls \
--project_id="${PROJECT}" \
--format=json | format_gcloud_json \
| jq -r '.[] | .datasetReference["datasetId"]' \
| while read -r DATASET; do
bq \
--project_id="${PROJECT}" --format=json show "${PROJECT}:${DATASET}" \
| jq .access > "projects/${PROJECT}/services/${SVC}/bigquery.datasets.${DATASET}.access.json"
show \
--project_id="${PROJECT}" \
--format=json \
"${PROJECT}:${DATASET}" \
| format_gcloud_json \
| jq .access \
> "projects/${PROJECT}/services/${SVC}/bigquery.datasets.${DATASET}.access.json"
done
fi
;;
Expand All @@ -140,7 +150,7 @@ gcloud \
gcloud \
compute project-info describe \
--project="${PROJECT}" \
--format=json \
--format=json | format_gcloud_json \
| jq 'del(.quotas[].usage, .commonInstanceMetadata.fingerprint)' \
> "projects/${PROJECT}/services/${SVC}/project-info.json"
;;
Expand All @@ -157,11 +167,11 @@ gcloud \
mkdir -p "projects/${PROJECT}/services/${SVC}"
gcloud \
dns project-info describe "${PROJECT}" \
--format=json \
--format=json | format_gcloud_json \
> "projects/${PROJECT}/services/${SVC}/info.json"
gcloud \
dns managed-zones list \
--format=json \
--format=json | format_gcloud_json \
> "projects/${PROJECT}/services/${SVC}/zones.json"
;;
logging)
Expand All @@ -187,7 +197,7 @@ gcloud \
gcloud \
secrets describe "${SECRET}" \
--project="${PROJECT}" \
--format=json \
--format=json | format_gcloud_json \
> "${path}/description.json"
gcloud \
secrets versions list "${SECRET}" \
Expand All @@ -197,8 +207,7 @@ gcloud \
gcloud \
secrets get-iam-policy "${SECRET}" \
--project="${PROJECT}" \
--format=json \
| jq 'del(.etag)' \
--format=json | format_gcloud_json \
> "${path}/iam.json"
done
;;
Expand All @@ -214,12 +223,12 @@ gcloud \
gsutil logging get "gs://${BUCKET}/" \
> "projects/${PROJECT}/buckets/${BUCKET}/logging.txt"
gsutil iam get "gs://${BUCKET}/" \
| jq 'del(.etag)' \
| format_gcloud_json \
> "projects/${PROJECT}/buckets/${BUCKET}/iam.json"
done
;;
*)
echo "##### Unhandled Service ${SVC}"
echo "WARN: Unaudited service enabled in project ${PROJECT}: ${SVC}"
# (these were all enabled for kubernetes-public)
# TODO: handle (or ignore) bigquerystorage
# TODO: handle (or ignore) clouderrorreporting
Expand All @@ -239,7 +248,3 @@ gcloud \
esac
done
done


# TODO:
# Dump iam for Big Query
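Review bot: The `if [ -s … ]` branch in the bigquery case re-runs `bq ls` to obtain the dataset ids even though the identical listing was just written to `bigquery.datasets.json`; reading that file instead avoids a second API call and guarantees the per-dataset access dumps correspond exactly to the datasets recorded in the listing. Replace the second `bq ls … --format=json | format_gcloud_json \` pipeline with `jq -r '.[] | .datasetReference["datasetId"]' "projects/${PROJECT}/services/${SVC}/bigquery.datasets.json" \`. Separately, `bq ls` appears to apply a default `--max_results` cap (50, if I recall the tool correctly), so a project with more datasets than that would be silently under-audited; passing an explicit large `--max_results` or noting the cap in a comment would make the limit visible to whoever reads the audit. The enclosing `while read -r SVC` / `case` block continues past this hunk, with its `esac` and `done` in a later hunk.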
Original file line number Diff line number Diff line change
@@ -0,0 +1,18 @@
[
{
"role": "WRITER",
"specialGroup": "projectWriters"
},
{
"role": "OWNER",
"specialGroup": "projectOwners"
},
{
"role": "OWNER",
"userByEmail": "justinsb@google.com"
},
{
"role": "READER",
"specialGroup": "projectReaders"
}
]
Original file line number Diff line number Diff line change
@@ -0,0 +1,14 @@
[
{
"role": "WRITER",
"userByEmail": "p388270116193-330742@gcp-sa-logging.iam.gserviceaccount.com"
},
{
"role": "OWNER",
"specialGroup": "projectWriters"
},
{
"role": "OWNER",
"userByEmail": "justinsb@google.com"
}
]
Original file line number Diff line number Diff line change
@@ -0,0 +1,20 @@
[
{
"kind": "bigquery#dataset",
"id": "k8s-artifacts-prod:gcs_logs",
"datasetReference": {
"datasetId": "gcs_logs",
"projectId": "k8s-artifacts-prod"
},
"location": "US"
},
{
"kind": "bigquery#dataset",
"id": "k8s-artifacts-prod:http_lb_logs",
"datasetReference": {
"datasetId": "http_lb_logs",
"projectId": "k8s-artifacts-prod"
},
"location": "US"
}
]
Original file line number Diff line number Diff line change
@@ -1,6 +1,5 @@
{
"createTime": "2021-04-08T20:32:11.215176Z",
"etag": "\"15bf7bf125b148\"",
"name": "projects/228988630781/secrets/service-cri-o-key",
"replication": {
"automatic": {}
Expand Down
Original file line number Diff line number Diff line change
@@ -1,6 +1,5 @@
{
"createTime": "2021-04-08T20:43:10.411934Z",
"etag": "\"15bf7c18703c9e\"",
"name": "projects/228988630781/secrets/service-huaweicloud-key",
"replication": {
"automatic": {}
Expand Down
Original file line number Diff line number Diff line change
@@ -1,6 +1,5 @@
{
"createTime": "2021-02-23T06:37:04.961097Z",
"etag": "\"15bbfb25906e49\"",
"name": "projects/228988630781/secrets/service-inspur-key",
"replication": {
"automatic": {}
Expand Down
Original file line number Diff line number Diff line change
@@ -1,6 +1,5 @@
{
"createTime": "2021-02-15T15:18:08.840992Z",
"etag": "\"15bb617e4e6120\"",
"name": "projects/228988630781/secrets/service-provider-openstack-key",
"replication": {
"automatic": {}
Expand Down
Original file line number Diff line number Diff line change
@@ -1,6 +1,5 @@
{
"createTime": "2020-09-23T21:18:11.941957Z",
"etag": "\"15b3ed7a94947b\"",
"name": "projects/228988630781/secrets/service-s390x-k8s-key",
"replication": {
"automatic": {}
Expand Down
Original file line number Diff line number Diff line change
@@ -1,6 +1,5 @@
{
"createTime": "2020-04-30T04:24:22.976608Z",
"etag": "\"15b3ed7c79f8c0\"",
"name": "projects/91610859379/secrets/gsuite-groups-manager_key",
"replication": {
"automatic": {}
Expand Down
Original file line number Diff line number Diff line change
@@ -1,6 +1,5 @@
{
"createTime": "2020-05-11T16:52:59.141275Z",
"etag": "\"15b3ed7b29f480\"",
"name": "projects/91610859379/secrets/wg-k8s-infra-billing_pw",
"replication": {
"automatic": {}
Expand Down
Original file line number Diff line number Diff line change
@@ -0,0 +1,18 @@
[
{
"role": "WRITER",
"specialGroup": "projectWriters"
},
{
"role": "OWNER",
"specialGroup": "projectOwners"
},
{
"role": "OWNER",
"userByEmail": "hh@ii.coop"
},
{
"role": "READER",
"specialGroup": "projectReaders"
}
]
Original file line number Diff line number Diff line change
@@ -0,0 +1,41 @@
[
{
"kind": "bigquery#dataset",
"id": "k8s-infra-ii-sandbox:hh",
"datasetReference": {
"datasetId": "hh",
"projectId": "k8s-infra-ii-sandbox"
},
"location": "US"
},
{
"kind": "bigquery#dataset",
"id": "k8s-infra-ii-sandbox:k8s_artifacts_dataset_bb_test",
"datasetReference": {
"datasetId": "k8s_artifacts_dataset_bb_test",
"projectId": "k8s-infra-ii-sandbox"
},
"labels": {
"managed-by-cnrm": "true"
},
"location": "US"
},
{
"kind": "bigquery#dataset",
"id": "k8s-infra-ii-sandbox:k8s_artifacts_gcslogs_appspot",
"datasetReference": {
"datasetId": "k8s_artifacts_gcslogs_appspot",
"projectId": "k8s-infra-ii-sandbox"
},
"location": "US"
},
{
"kind": "bigquery#dataset",
"id": "k8s-infra-ii-sandbox:kubernetes_public_logs",
"datasetReference": {
"datasetId": "kubernetes_public_logs",
"projectId": "k8s-infra-ii-sandbox"
},
"location": "US"
}
]
Original file line number Diff line number Diff line change
@@ -0,0 +1,18 @@
[
{
"role": "WRITER",
"specialGroup": "projectWriters"
},
{
"role": "OWNER",
"specialGroup": "projectOwners"
},
{
"role": "OWNER",
"userByEmail": "bb@ii.coop"
},
{
"role": "READER",
"specialGroup": "projectReaders"
}
]
Original file line number Diff line number Diff line change
@@ -0,0 +1,18 @@
[
{
"role": "WRITER",
"specialGroup": "projectWriters"
},
{
"role": "OWNER",
"specialGroup": "projectOwners"
},
{
"role": "OWNER",
"userByEmail": "bb@ii.coop"
},
{
"role": "READER",
"specialGroup": "projectReaders"
}
]
Original file line number Diff line number Diff line change
@@ -0,0 +1,18 @@
[
{
"role": "WRITER",
"specialGroup": "projectWriters"
},
{
"role": "OWNER",
"specialGroup": "projectOwners"
},
{
"role": "OWNER",
"userByEmail": "caleb@ii.coop"
},
{
"role": "READER",
"specialGroup": "projectReaders"
}
]