Setup a job to automatically run and PR the results of audit/audit-gcp.sh #244
Comments
creating the cluster ref: #243
CronJob would open a PR (akin to how prow maintains a bump PR?)
Depends on script in this PR: #213
Issues go stale after 90d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
@hh is this issue still relevant? If so, it seems like there should be a CronJob that periodically checks that a specified cluster has the required IAM policies and when it doesn't open a PR in this repo to fix? Let me know if I'm missing anything.
/remove-lifecycle stale I think it is. I think the point is to run this regularly and then output the details
Issues go stale after 90d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
Stale issues rot after 30d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/remove-lifecycle rotten
I am noodling on something over in https://github.com/bashfire/prow-config/blob/master/config/jobs/bashfire/k8s-io.yaml The job will output the diff at the end. What I'd like to do next is create a PR if there are any changes, and continue to update that PR until it's been merged
/assign @spiffxp @bartsmykla
/lifecycle active
Chatted with @hh about this
/uncc @bartsmykla
/assign @hh
I didn't get a chance to dive deep into this, but we have a somewhat working similar script that does currently create or update a PR when changes have occurred in conformance data underpinning apisnoop.cncf.io : https://github.com/cncf/apisnoop/blob/gcb-snoodb-pr-gater/cloudbuild.yaml
For this job I would suggest using the working pr-creator from the yaml hh posted above, cp -r coverage/[artifact] path/to/repo/[artifact]
Currently we use gcb for our build which means our credentials/secrets are in the gcb project.
/remove-help Discussed in meetings but to close the loop here:
/reopen
@spiffxp: Reopened this issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
#1648 - auditor account didn't have access to secretmanager, add a one-off script for this for now Sample audit PR's manually opened by @hh
I have /held these PRs because I would like to merge the PR I opened last month that annotated many of the changes that have happened in the past 7 months commit by commit. I am in the midst of updating it right now, and suggest I leave out some of the questionable changes I can't account for, for the automation to PR instead (#1534 (comment))
We now have a set of partial-audit PRs created via a prow job. It was created by using a gist of a slightly modified audit-gcp.sh over a few runs, using a different branch each time. The changes to the job are here: And the resulting list of 10 PRs:
Copy-pasting from #1676 (comment) The partial-audit PR's opened by cncf-ci caught almost everything. I reviewed and approved them, but I can't do anything further to merge them until the account has signed the CLA. Use
The outstanding changes I didn't see covered in them are:
/close I think we can call this done now:
I have some quality of life suggestions for improvements, but I will make those elsewhere.
@spiffxp: Closing this issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
/assign @hh
/wg k8s-infra
EDIT: redoing description entirely, things have changed since this issue was created
We want a prowjob that does the following:
I am super open to suggestions about whether there are better or more-actionable ways to do auditing. But we need to start with something.
I sketched out what such a job would look like here: https://github.com/bashfire/prow-config/blob/435a8039bc9cf496690ad572884a72e9608ebb4e/config/jobs/bashfire/k8s-io.yaml
This is one of the first things we want to setup on a freshly created k8s-infra cluster to be sure we actually have the cluster and all of the IAM policies / roles created properly
First run as Job, next run as CronJob