audit followup: restore k8s-infra-gcr-auditor service account #1730

Closed
spiffxp opened this issue Feb 26, 2021 · 9 comments
Labels: area/artifacts (Issues or PRs related to the hosting of release artifacts for subprojects), area/audit (Audit of project resources, audit followup issues, code in audit/), kind/bug (Categorizes issue or PR as related to a bug.), priority/important-soon (Must be staffed and worked on either currently, or very soon, ideally in time for the next release.), sig/release (Categorizes an issue or PR as relevant to SIG Release.)

Comments

spiffxp commented Feb 26, 2021

I accidentally the account, noticed in #1718 (comment)

We need to:

  • restore the account?
  • or create a new one and rotate service account keys wherever necessary
  • ensure everything that depended on this account is... back up? for whatever that looked like before?

/sig release
/release eng
/priority important-soon
AFAIK nobody has noticed this is down yet. I remember Tim mentioning something about silencing slack alerts a while back due to general noise level
/assign @spiffxp
I did the oops, I feel pretty responsible for addressing it. That said, this might be a good opportunity for someone from @kubernetes/release-engineering to refresh knowledge on how this is supposed to be wired up and why.

@spiffxp spiffxp added wg/k8s-infra area/artifacts Issues or PRs related to the hosting of release artifacts for subprojects area/audit Audit of project resources, audit followup issues, code in audit/ labels Feb 26, 2021
@k8s-ci-robot k8s-ci-robot added sig/release Categorizes an issue or PR as relevant to SIG Release. priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. labels Feb 26, 2021
spiffxp commented Mar 4, 2021

/kind bug

spiffxp commented May 4, 2021

This is blocking a merged PR from deploying properly, ref: #1966 (comment)

spiffxp commented May 4, 2021

What is supposed to create this?

  • The name but not the project is declared here:
    AUDITOR_SVCACCT="k8s-infra-gcr-auditor"
  • The account is created for a given project by empower_artifact_auditor(project) here:

    k8s.io/infra/gcp/lib.sh, lines 399 to 404 in 9216eda:

    if ! gcloud --project "${project}" iam service-accounts describe "${acct}" >/dev/null 2>&1; then
        gcloud --project "${project}" \
            iam service-accounts create \
            "${AUDITOR_SVCACCT}" \
            --display-name="k8s-infra container image auditor"
    fi

    • This block should be changed to a call to ensure_service_account(project, name, display_name) from lib_iam.sh
  • It looks like ensure-prod-storage.sh should be creating this account:
    empower_artifact_auditor "${PROD_PROJECT}"
    • But this script crashed right after "Empowering artifact-admins to release prod auditor", which is the line before
  • So it's probably a matter of swapping the order so empower_artifact_auditor is called before empower_group_to_admin_artifact_auditor
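As an added example (not the project's lib.sh or lib_iam.sh), the idempotent ensure_service_account helper the comment asks for, plus the corrected call order; the helper's signature follows the comment, while its body, the GCLOUD indirection and the role bound by empower_group_to_admin_artifact_auditor are assumptions made here.

```shell
#!/usr/bin/env bash
# Added example, not the project's lib.sh or lib_iam.sh: an idempotent
# ensure_service_account helper and the call order proposed in the comment.
set -eu

# gcloud is resolved through a variable so the logic can be exercised against
# a stub (assumption for this example; the real scripts call gcloud directly).
GCLOUD="${GCLOUD:-gcloud}"
AUDITOR_SVCACCT="k8s-infra-gcr-auditor"

# ensure_service_account <project> <name> <display_name>
# Creates the account only when `describe` fails, so re-running is a no-op; prints its email.
ensure_service_account() {
    local project="$1" name="$2" display_name="$3"
    local email="${name}@${project}.iam.gserviceaccount.com"
    if ! "${GCLOUD}" --project "${project}" iam service-accounts describe "${email}" >/dev/null 2>&1; then
        "${GCLOUD}" --project "${project}" iam service-accounts create "${name}" \
            --display-name="${display_name}" >/dev/null
    fi
    echo "${email}"
}

# empower_artifact_auditor <project>: the lib.sh block above, as a single call.
empower_artifact_auditor() {
    ensure_service_account "$1" "${AUDITOR_SVCACCT}" "k8s-infra container image auditor"
}

# empower_group_to_admin_artifact_auditor <project> <group>
# Hypothetical body: grants a group admin rights on the auditor account (the role
# is an assumption). It requires the account to exist, which is why calling it
# before empower_artifact_auditor crashed ensure-prod-storage.sh.
empower_group_to_admin_artifact_auditor() {
    local project="$1" group="$2"
    local email="${AUDITOR_SVCACCT}@${project}.iam.gserviceaccount.com"
    if ! "${GCLOUD}" --project "${project}" iam service-accounts describe "${email}" >/dev/null 2>&1; then
        echo "refusing to bind: ${email} does not exist yet" >&2
        return 1
    fi
    "${GCLOUD}" --project "${project}" iam service-accounts add-iam-policy-binding "${email}" \
        --member="group:${group}" --role="roles/iam.serviceAccountAdmin" >/dev/null
}

# ensure_prod_auditor <project> <group>: the corrected order, create then delegate.
ensure_prod_auditor() {
    empower_artifact_auditor "$1" >/dev/null
    empower_group_to_admin_artifact_auditor "$1" "$2"
}
# Invoked directly with a project and a group, this applies the sequence with real gcloud.
if [ "$#" -eq 2 ]; then ensure_prod_auditor "$1" "$2"; fi
```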

spiffxp commented May 4, 2021

Opened #1998 to hopefully get us as far as creating the service account in question

Rotating credentials and getting things up and running would be the remainder of the work here

spiffxp commented May 4, 2021

Deployed and the service account now exists again #1998 (comment)

spiffxp commented May 20, 2021

I think I started on the next step of restoring this by running infra/gcp/ensure-env-cip-auditor.sh while deploying #2016

$ ./ensure-env-cip-auditor.sh
Enabling services
https://cip-auditor-ertsmqqccq-uc.a.run.app
projects/k8s-artifacts-prod/topics/gcr
projects/k8s-artifacts-prod/subscriptions/cip-auditor-invoker

spiffxp commented Jul 16, 2021

/milestone v1.22

@k8s-ci-robot k8s-ci-robot added this to the v1.22 milestone Jul 16, 2021
spiffxp commented Aug 2, 2021

/close
The auditor has been back up and running for a bit now, long enough for us to discover and squash alerting noise from the auditor (h/t @listx @tylerferrara)

k8s-ci-robot commented:

@spiffxp: Closing this issue.

In response to this:

/close
The auditor has been back up and running for a bit now, long enough for us to discover and squash alerting noise from the auditor (h/t @listx @tylerferrara)