Merge pull request #213 from ii/cncf-ci-audit

Initial Auditing Configuration and Usage of the kubernetes.io GCP Organization

audit/README.md

@@ -0,0 +1,53 @@
+# Auditing Configuration and Usage of Community Assets
+
+## Status
+
+WIP. Members of k8s-infra-gcp-auditors should be able to run this script to submit an audit PR. 
+Note this is an Audit of current configuration, not a request for change.
+
+## How to become an auditor
+
+Admin access is granted via
+[googlegroups](https://groups.google.com/forum/#!forum/k8s-infra-gcp-auditors).
+
+You must have a Google account that will let you access the Google Cloud
+Console.
+
+To volunteer for this effort, contact the main
+[k8s-infra-team](https://groups.google.com/forum/#!forum/k8s-infra-team).
+
+## Requesting a Audit PR for review
+
+The process for sumbitting an audit uses Github PRs.
+
+### audit.sh
+
+Run ./audit.sh to generate a current audit configuration dump.
+Submit a PR to this repo with any new or updated files.
+
+In the PR please review the following details:
+   * The reason for any updates.
+   * Discuss / link related PRs / issues.
+
+Once this PR is created, it should be acknowledged by a secondary auditor.
+
+### Performing an audit
+
+Note that this is an AUDIT, not a request for change.
+The audits can be used to generate discussion for reviewing the changes that have already occured.
+
+#### Update Pull Request
+First, the requesting auditor opens a PR with any updates applied to the appropriate YAML/JSON file.
+Next, the requesting auditor validates that the PR looks correct for their request and responds `/lgtm`
+
+The a secondary auditor merges the PR once it has been LGTM'd
+
+## TODO
+
+Administrative:
+  * Who should be in OWNERS file
+  * Audit report
+
+How to automate:
+  * How do we audit for iam changes as they happen, rather than polling
+  * iam change triggers PR to github, notifies / tags the user who made the change

audit/audit-gcp.sh

@@ -0,0 +1,100 @@
+#!/bin/bash
+# set -x -e
+CNCF_GCP_ORG=758905017065
+
+# gcloud organizations describe $CNCF_GCP_ORG 2>&1
+# ERROR: (gcloud.organizations.describe)
+# User [hh@ii.coop] does not have permission to access organization []
+
+format=json
+echo "# Auditing CNCF CGP Org: ${CNCF_GCP_ORG} #"
+gcloud iam roles list --organization=$CNCF_GCP_ORG --format=$format \
+       > cncf-org.roles.$format
+gcloud organizations get-iam-policy $CNCF_GCP_ORG --format=$format \
+       > cncf-org.policy.$format
+echo "## Iterating over Projects ##"
+gcloud projects list \
+       --filter "parent.id=$CNCF_GCP_ORG" \
+       --format "value(name, projectNumber)" \
+    | while read PROJECT NUM; do \
+    export CLOUDSDK_CORE_PROJECT=$PROJECT
+    echo "### Auditing Project: ${PROJECT} ###"
+    mkdir -p $PROJECT
+    gcloud projects get-iam-policy $PROJECT --format=$format > $PROJECT/policy.$format
+    gcloud iam roles list --project $PROJECT --format=$format > $PROJECT/roles.$format
+    mkdir -p $PROJECT/roles
+    for ROLE_PATH in `gcloud iam roles list --project $PROJECT --format="value(name)"`
+    do
+        ROLE=`basename $ROLE_PATH`
+        gcloud iam roles --project=$PROJECT describe $ROLE \
+               --format=json > $PROJECT/roles/$ROLE.json
+    done
+    echo "#### Iterating over ${PROJECT} Services: ####"
+    mkdir -p $PROJECT/services
+    gcloud services list --filter state:ENABLED --format=$format > $PROJECT/services/enabled.$format
+    for service in `gcloud services list --filter state:ENABLED --format=json \
+                    | jq -r .[].config.name | sed s:.googleapis.com::`
+    do
+        case $service in
+            compute)
+                echo TODO: $service Needs compute.projects.get
+                #### gcloud compute project-info describe
+                #### gcloud compute instances list --format=$format > $PROJECT/services/compute.instances.$format
+                #### gcloud compute disks list --format=$format > $PROJECT/services/compute.disks.$format
+                # I'm ensure why we see this when container.googleapis.com is DISABLED
+                gcloud container clusters list --format=$format > $PROJECT/services/clusters.$format
+                ;;
+            dns)
+                echo Processing: $service
+                mkdir -p dns
+                gcloud dns project-info describe $PROJECT --format=$format > $PROJECT/services/dns.info.$format
+                gcloud dns managed-zones list --format=$format > $PROJECT/services/dns.zones.$format
+                ;;
+            logging)
+                echo TODO: $service needs serviceusage.services.use
+                ##### gcloud logging logs list --format=$format > $PROJECT/services/logging.logs.$format
+                ##### gcloud logging metrics list --format=$format > $PROJECT/services/logging.metrics.$format
+                ##### gcloud logging sinks list --format=$format > $PROJECT/services/logging.sinks.$format
+                ;;
+            monitoring)
+                echo TODO: $service needs serviceusage.services.use
+                #### gcloud alpha monitoring policies list > $PROJECT/services/monitoring.policies.$format
+                #### gcloud alpha monitoring channels list > $PROJECT/services/monitoring.channels.$format
+                #### gcloud alpha monitoring channel-descriptors list > $PROJECT/services/monitoring.channel-descriptors.$format
+                ;;
+            oslogin)
+                echo TODO: Verify how OS Login is configured / audited
+                ;;
+            bigquery-json)
+                echo TODO: Verify how Big Query is configured / audited
+                ;;
+            storage-api)
+                echo TODO: $service needs storage.buckets.get for auditors
+                echo ...to kubernetes_public_billing and any newer buckets...
+                echo TODO: Ensure bucket-policy-only, for simplicity in Auditing
+                # https://cloud.google.com/storage/docs/bucket-policy-only
+                mkdir -p $PROJECT/buckets
+                for BUCKET in `gsutil ls -p $PROJECT | awk -F/ '{print $3}'`
+                do
+                    #### gsutil bucketpolicyonly get gs://$BUCKET/
+                    #### gsutil cors get gs://$BUCKET/
+                    #### gsutil logging get gs://$BUCKET/
+                    gsutil iam get gs://$BUCKET/ > $PROJECT/buckets/$BUCKET.iam.json
+                    gsutil ls -r gs://$BUCKET/ > $PROJECT/buckets/$BUCKET.txt
+                done
+                ;;
+            storage-component)
+                ;;
+            *)
+                echo "# Unhandled Service ${service} #"
+                ;;
+        esac
+    done
+done
+
+
+# TODO:
+# Dump iam for each GCS Bucket
+# Dump iam for Big Query
+# Iterate over enabled APIs per project
+# Identify each resource, then dump iam

audit/buckets/kubernetes-public.kubernetes_public_billing.iam.json

@@ -0,0 +1,24 @@
+{
+  "bindings": [
+    {
+      "members": [
+        "projectEditor:kubernetes-public", 
+        "projectOwner:kubernetes-public"
+      ], 
+      "role": "roles/storage.legacyBucketOwner"
+    }, 
+    {
+      "members": [
+        "projectViewer:kubernetes-public"
+      ], 
+      "role": "roles/storage.legacyBucketReader"
+    }, 
+    {
+      "members": [
+        "serviceAccount:509219875288-kscf0cheafmf4f6tp1auij5me8qakbin@developer.gserviceaccount.com"
+      ], 
+      "role": "roles/storage.legacyBucketWriter"
+    }
+  ], 
+  "etag": "CAU="
+}

audit/buckets/kubernetes-public.kubernetes_public_billing.txt

@@ -0,0 +1,156 @@
+gs://kubernetes_public_billing/billing--2019-01-10.csv
+gs://kubernetes_public_billing/billing--2019-01-11.csv
+gs://kubernetes_public_billing/billing--2019-01-12.csv
+gs://kubernetes_public_billing/billing--2019-01-13.csv
+gs://kubernetes_public_billing/billing--2019-01-14.csv
+gs://kubernetes_public_billing/billing--2019-01-15.csv
+gs://kubernetes_public_billing/billing--2019-01-16.csv
+gs://kubernetes_public_billing/billing--2019-01-17.csv
+gs://kubernetes_public_billing/billing--2019-01-18.csv
+gs://kubernetes_public_billing/billing--2019-01-19.csv
+gs://kubernetes_public_billing/billing--2019-01-20.csv
+gs://kubernetes_public_billing/billing--2019-01-21.csv
+gs://kubernetes_public_billing/billing--2019-01-22.csv
+gs://kubernetes_public_billing/billing--2019-01-23.csv
+gs://kubernetes_public_billing/billing--2019-01-24.csv
+gs://kubernetes_public_billing/billing--2019-01-25.csv
+gs://kubernetes_public_billing/billing--2019-01-26.csv
+gs://kubernetes_public_billing/billing--2019-01-27.csv
+gs://kubernetes_public_billing/billing--2019-01-28.csv
+gs://kubernetes_public_billing/billing--2019-01-29.csv
+gs://kubernetes_public_billing/billing--2019-01-30.csv
+gs://kubernetes_public_billing/billing--2019-01-31.csv
+gs://kubernetes_public_billing/billing--2019-02-01.csv
+gs://kubernetes_public_billing/billing--2019-02-02.csv
+gs://kubernetes_public_billing/billing--2019-02-03.csv
+gs://kubernetes_public_billing/billing--2019-02-04.csv
+gs://kubernetes_public_billing/billing--2019-02-05.csv
+gs://kubernetes_public_billing/billing--2019-02-06.csv
+gs://kubernetes_public_billing/billing--2019-02-07.csv
+gs://kubernetes_public_billing/billing--2019-02-08.csv
+gs://kubernetes_public_billing/billing--2019-02-09.csv
+gs://kubernetes_public_billing/billing--2019-02-10.csv
+gs://kubernetes_public_billing/billing--2019-02-11.csv
+gs://kubernetes_public_billing/billing--2019-02-12.csv
+gs://kubernetes_public_billing/billing--2019-02-13.csv
+gs://kubernetes_public_billing/billing--2019-02-14.csv
+gs://kubernetes_public_billing/billing--2019-02-15.csv
+gs://kubernetes_public_billing/billing--2019-02-16.csv
+gs://kubernetes_public_billing/billing--2019-02-17.csv
+gs://kubernetes_public_billing/billing--2019-02-18.csv
+gs://kubernetes_public_billing/billing--2019-02-19.csv
+gs://kubernetes_public_billing/billing--2019-02-20.csv
+gs://kubernetes_public_billing/billing--2019-02-21.csv
+gs://kubernetes_public_billing/billing--2019-02-22.csv
+gs://kubernetes_public_billing/billing--2019-02-23.csv
+gs://kubernetes_public_billing/billing--2019-02-24.csv
+gs://kubernetes_public_billing/billing--2019-02-25.csv
+gs://kubernetes_public_billing/billing--2019-02-26.csv
+gs://kubernetes_public_billing/billing--2019-02-27.csv
+gs://kubernetes_public_billing/billing--2019-02-28.csv
+gs://kubernetes_public_billing/billing--2019-03-01.csv
+gs://kubernetes_public_billing/billing--2019-03-02.csv
+gs://kubernetes_public_billing/billing--2019-03-03.csv
+gs://kubernetes_public_billing/billing--2019-03-04.csv
+gs://kubernetes_public_billing/billing--2019-03-05.csv
+gs://kubernetes_public_billing/billing--2019-03-06.csv
+gs://kubernetes_public_billing/billing--2019-03-07.csv
+gs://kubernetes_public_billing/billing--2019-03-08.csv
+gs://kubernetes_public_billing/billing--2019-03-09.csv
+gs://kubernetes_public_billing/billing--2019-03-10.csv
+gs://kubernetes_public_billing/billing--2019-03-11.csv
+gs://kubernetes_public_billing/billing--2019-03-12.csv
+gs://kubernetes_public_billing/billing--2019-03-13.csv
+gs://kubernetes_public_billing/billing--2019-03-14.csv
+gs://kubernetes_public_billing/billing--2019-03-15.csv
+gs://kubernetes_public_billing/billing--2019-03-16.csv
+gs://kubernetes_public_billing/billing--2019-03-17.csv
+gs://kubernetes_public_billing/billing--2019-03-18.csv
+gs://kubernetes_public_billing/billing--2019-03-19.csv
+gs://kubernetes_public_billing/billing--2019-03-20.csv
+gs://kubernetes_public_billing/billing--2019-03-21.csv
+gs://kubernetes_public_billing/billing--2019-03-22.csv
+gs://kubernetes_public_billing/billing--2019-03-23.csv
+gs://kubernetes_public_billing/billing--2019-03-24.csv
+gs://kubernetes_public_billing/billing--2019-03-25.csv
+gs://kubernetes_public_billing/billing--2019-03-26.csv
+gs://kubernetes_public_billing/billing--2019-03-27.csv
+gs://kubernetes_public_billing/billing--2019-03-28.csv
+gs://kubernetes_public_billing/billing--2019-03-29.csv
+gs://kubernetes_public_billing/billing--2019-03-30.csv
+gs://kubernetes_public_billing/billing--2019-03-31.csv
+gs://kubernetes_public_billing/billing--2019-04-01.csv
+gs://kubernetes_public_billing/billing--2019-04-02.csv
+gs://kubernetes_public_billing/billing--2019-04-03.csv
+gs://kubernetes_public_billing/billing--2019-04-04.csv
+gs://kubernetes_public_billing/billing--2019-04-05.csv
+gs://kubernetes_public_billing/billing--2019-04-06.csv
+gs://kubernetes_public_billing/billing--2019-04-07.csv
+gs://kubernetes_public_billing/billing--2019-04-08.csv
+gs://kubernetes_public_billing/billing--2019-04-09.csv
+gs://kubernetes_public_billing/billing--2019-04-10.csv
+gs://kubernetes_public_billing/billing--2019-04-11.csv
+gs://kubernetes_public_billing/billing--2019-04-12.csv
+gs://kubernetes_public_billing/billing--2019-04-13.csv
+gs://kubernetes_public_billing/billing--2019-04-14.csv
+gs://kubernetes_public_billing/billing--2019-04-15.csv
+gs://kubernetes_public_billing/billing--2019-04-16.csv
+gs://kubernetes_public_billing/billing--2019-04-17.csv
+gs://kubernetes_public_billing/billing--2019-04-18.csv
+gs://kubernetes_public_billing/billing--2019-04-19.csv
+gs://kubernetes_public_billing/billing--2019-04-20.csv
+gs://kubernetes_public_billing/billing--2019-04-21.csv
+gs://kubernetes_public_billing/billing--2019-04-22.csv
+gs://kubernetes_public_billing/billing--2019-04-23.csv
+gs://kubernetes_public_billing/billing--2019-04-24.csv
+gs://kubernetes_public_billing/billing--2019-04-25.csv
+gs://kubernetes_public_billing/billing--2019-04-26.csv
+gs://kubernetes_public_billing/billing--2019-04-27.csv
+gs://kubernetes_public_billing/billing--2019-04-28.csv
+gs://kubernetes_public_billing/billing--2019-04-29.csv
+gs://kubernetes_public_billing/billing--2019-04-30.csv
+gs://kubernetes_public_billing/billing--2019-05-01.csv
+gs://kubernetes_public_billing/billing--2019-05-02.csv
+gs://kubernetes_public_billing/billing--2019-05-03.csv
+gs://kubernetes_public_billing/billing--2019-05-04.csv
+gs://kubernetes_public_billing/billing--2019-05-05.csv
+gs://kubernetes_public_billing/billing--2019-05-06.csv
+gs://kubernetes_public_billing/billing--2019-05-07.csv
+gs://kubernetes_public_billing/billing--2019-05-08.csv
+gs://kubernetes_public_billing/billing--2019-05-09.csv
+gs://kubernetes_public_billing/billing--2019-05-10.csv
+gs://kubernetes_public_billing/billing--2019-05-11.csv
+gs://kubernetes_public_billing/billing--2019-05-12.csv
+gs://kubernetes_public_billing/billing--2019-05-13.csv
+gs://kubernetes_public_billing/billing--2019-05-14.csv
+gs://kubernetes_public_billing/billing--2019-05-15.csv
+gs://kubernetes_public_billing/billing--2019-05-16.csv
+gs://kubernetes_public_billing/billing--2019-05-17.csv
+gs://kubernetes_public_billing/billing--2019-05-18.csv
+gs://kubernetes_public_billing/billing--2019-05-19.csv
+gs://kubernetes_public_billing/billing--2019-05-20.csv
+gs://kubernetes_public_billing/billing--2019-05-21.csv
+gs://kubernetes_public_billing/billing--2019-05-22.csv
+gs://kubernetes_public_billing/billing--2019-05-23.csv
+gs://kubernetes_public_billing/billing--2019-05-24.csv
+gs://kubernetes_public_billing/billing--2019-05-25.csv
+gs://kubernetes_public_billing/billing--2019-05-26.csv
+gs://kubernetes_public_billing/billing--2019-05-27.csv
+gs://kubernetes_public_billing/billing--2019-05-28.csv
+gs://kubernetes_public_billing/billing--2019-05-29.csv
+gs://kubernetes_public_billing/billing--2019-05-30.csv
+gs://kubernetes_public_billing/billing--2019-05-31.csv
+gs://kubernetes_public_billing/billing--2019-06-01.csv
+gs://kubernetes_public_billing/billing--2019-06-02.csv
+gs://kubernetes_public_billing/billing--2019-06-03.csv
+gs://kubernetes_public_billing/billing--2019-06-04.csv
+gs://kubernetes_public_billing/billing--2019-06-05.csv
+gs://kubernetes_public_billing/billing--2019-06-06.csv
+gs://kubernetes_public_billing/billing--2019-06-07.csv
+gs://kubernetes_public_billing/billing--2019-06-08.csv
+gs://kubernetes_public_billing/billing--2019-06-09.csv
+gs://kubernetes_public_billing/billing--2019-06-10.csv
+gs://kubernetes_public_billing/billing--2019-06-11.csv
+gs://kubernetes_public_billing/billing--2019-06-12.csv
+gs://kubernetes_public_billing/billing--2019-06-13.csv
+gs://kubernetes_public_billing/billing--2019-06-14.csv