audit-followup: use organization.admin for org-admins
add two individual users to the redundant role bindings just
in case this ends up locking out the group
spiffxp committed Feb 26, 2021
1 parent 112b539 commit e2bdb69
Showing 1 changed file with 20 additions and 2 deletions.
22 changes: 20 additions & 2 deletions infra/gcp/ensure-organization.sh
Expand Up @@ -82,7 +82,25 @@ color 6 "Ensuring org-level IAM bindings exist"
exit 0

# k8s-infra-org-admins@
# TODO: there are more granular roles also bound, they seem redundant given
# this role
# roles/owner has too many permissions to aggregate into a custom role,
# and some services (e.g. storage) add bindings based on membership in it
ensure_org_role_binding "group:k8s-infra-gcp-org-admins@kubernetes.io" "roles/owner"
# everything org admins need beyond roles/owner to manage the org
ensure_org_role_binding "group:k8s-infra-gcp-org-admins@kubernetes.io" "$(custom_org_role_name "organization.admin")"
# TODO(https://github.com/kubernetes/k8s.io/issues/1659): obviated by organization.admin, remove when bindings gone
old_org_admin_roles=(
roles/billing.user
roles/iam.organizationRoleAdmin
roles/resourcemanager.organizationAdmin
roles/resourcemanager.projectCreator
roles/resourcemanager.projectDeleter
roles/servicemanagement.quotaAdmin
)
for role in "${old_audit_roles[@]}"; do
# TODO(spiffxp): remove the extra super duper paranoia once we verify
# I haven't locked myself out via group membership
ensure_org_role_binding "user:thockin@google.com" "${role}"
ensure_org_role_binding "user:davanum@gmail.com" "${role}"
ensure_removed_org_role_binding "group:k8s-infra-gcp-org-admins@kubernetes.io" "${role}"
done
) 2>&1 | indent
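Review bot: The loop `for role in "${old_audit_roles[@]}"; do` iterates `old_audit_roles`, but the array defined directly above it is `old_org_admin_roles`; unless `old_audit_roles` is still set elsewhere in the script, the expansion is empty (or aborts under `set -u`), so none of the `ensure_org_role_binding` / `ensure_removed_org_role_binding` calls run, the redundant group bindings are never removed, and the intended lock-out safety net for the two users is never created. Change it to `for role in "${old_org_admin_roles[@]}"; do`. Separately, the `user:thockin@google.com` and `user:davanum@gmail.com` bindings are org-level grants to individual accounts that the TODO(spiffxp) comment describes as temporary; track their removal in the issue already referenced (https://github.com/kubernetes/k8s.io/issues/1659) so they do not outlive the migration to `organization.admin`.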
