audit followup: organization resources should be managed by script

[thockin]

For example, there's a Role "prow.viewer" that is not set up anywhere.

[justaugustus]

@thockin -- I'm working on infra bring up for another project, which included some crude copy/pasting of what's in k/k8s.io.

As part of that, I have a WIP refactor of the groups/** logic (working title: ggreconcile): uwu-tools/ggreconcile#1

Want me to see how far I can take that?

[thockin]

Always interested in refactor, though groups is a bit different from the org-roles?

[justaugustus]

Yep, yep, but I did have to end up copying in snippets of the infra scripts, so replacing some portion of them is on my list too for that other project. 🙃

Longer term --> https://twitter.com/stephenaugustus/status/1361686269823225859

[spiffxp]

@thockin that role is created here: https://github.com/kubernetes/k8s.io/blob/main/infra/gcp/prow/ensure-e2e-projects.sh#L35-L40

I was going to shuffle things around so k8s-infra-prow-oncall@ had /approve rights to scripts they had permissions to run, I can undo if you'd rather leave everything in a flat namespace until we sort out how to organize

[spiffxp]

#1656 - help wanted, script creation of the custom role definition from primitive roles

[spiffxp]

/assign
#1679 is a start

[spiffxp]

There are individuals assigned roles at the org level that I'm less inclined to script.

The TODO's I dropped in that PR are what I consider sufficient to close this out

[spiffxp]

/sig testing
/sig release
/area access
/priority important-longterm
/milestone v1.21

[spiffxp]

/retitle audit followup: organization resources should be managed by script

[spiffxp]

#1726 addresses the majority of this, one more PR for cleanup after that merges

[spiffxp]

/reopen
not quite done

[k8s-ci-robot]

@spiffxp: Reopened this issue.

In response to this:

/reopen
not quite done

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[spiffxp]

#1859 contains changes to ensure-main-project.sh that remove the project-level ServiceAccountLister role in favor of the org-level ServiceAccountLister role. Change was deployed per #1859 (comment)

[spiffxp]

/close
At this point infra/gcp/ensure-organization.sh does the following:

• add (most) IAM bindings
• add custom roles
• remove hardcoded IAM bindings
• remove hardcoded custom roles

I think there is still some manual noise at the IAM level, but audit PR's over the past few months have shown very few surprises. I'm comfortable calling this done and opening audit followup issues for whatever further tightening or resource support (folders, org policies) we deem necessary.

[k8s-ci-robot]

@spiffxp: Closing this issue.

In response to this:

/close
At this point infra/gcp/ensure-organization.sh does the following:

• add (most) IAM bindings
• add custom roles
• remove hardcoded IAM bindings
• remove hardcoded custom roles

I think there is still some manual noise at the IAM level, but audit PR's over the past few months have shown very few surprises. I'm comfortable calling this done and opening audit followup issues for whatever further tightening or resource support (folders, org policies) we deem necessary.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[spiffxp]

/milestone v1.22