results of running audit script as of 2021-01-13 #1534
specifically:
- one for each "special" pool of projects
- ingress, gpu, scale
- intended to match equivalent k8s-infra-e2e-boskos projects

changes reflected in here include:
- add k8s-infra-prow-viewers@
- add k8s-infra-prow-oncall@
- quotas updated out of band
- add ssh-keys (added by kubetest2)

specifically:
- enable secretmanager
- enable serviceusage
- reflect quota updates done out of band
- reflect automated cluster changes done out of band

specifically:
- windows-remote-docker_ca-pem
- windows-remote-docker_cert-pem
- windows-remote-docker_key-pem

specifically:
- create the service account
- bind to trusted prow via workload identity
- empower SA to deploy to prow build clusters

also drop permissions given to related kubernetes.io group

specifically:
- k8s-staging-addon-manager
- k8s-staging-bootkube
- k8s-staging-boskos
- k8s-staging-ci-images
- k8s-staging-cloud-provider-gcp
- k8s-staging-cluster-addons
- k8s-staging-cri-tools
- k8s-staging-etcdadm
- k8s-staging-examples
- k8s-staging-git-sync
- k8s-staging-ingress-nginx
- k8s-staging-ingressconformance
- k8s-staging-gsm-tools
- k8s-staging-kustomize
- k8s-staging-mirror
- k8s-staging-networking
- k8s-staging-provider-aws
- k8s-staging-scheduler-plugins
- k8s-staging-sig-docs
- k8s-staging-sig-storage
- k8s-staging-sp-operator
- k8s-staging-storage-migrate

specifically:
- enable containeranalysis
- enable containerscanning
- enable secretmanager
- give k8s-infra-gcr-vuln-scanning SA containeranalysis viewer role

specifically:
- add k8s-conform-s390x-k8s bucket, SA for write, key in secretmanager
- add k8s-conform-inspur

specifically:
- restrict access to gsuite-groups-manager_key to serviceaccount
- allow k8s-infra-prow-build-trusted to run as SA via workload identity
@spiffxp I will take a look at this over the weekend
/uncc @justaugustus
}, | ||
{ | ||
"members": [ | ||
"user:davanum@gmail.com" |
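Review bot: `"user:davanum@gmail.com"` is a bare user principal added to a members list whose role is outside the visible context; where an individual rather than a group is bound, the commit message or a comment in the file should say why, the way the other hunks in this PR rely on `group:` principals such as `group:k8s-infra-gcp-org-admins@kubernetes.io`, so the next audit run can tell intentional bindings from drift.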
All LGTM I think. It took some time to go over all the related files, but I did not see anything that calls my attention.
Just one comment: in several iam.json files we only see one "roles/owner".
Is it not better to have at least one more for backup in case it is needed? Or is this expected? (Asking because it might have been discussed before to be like this.)
Whoever runs the script that creates a project gets assigned as owner (we have a bug open about this #299). Org owners implicitly get owner on projects within the org, so we're available for fallback.
I believe the thinking goes: don't give owner access to projects, thereby requiring a gitops workflow for things like changing iam permissions. It's just unfortunate that the execution part of our gitops model is currently "humans run scripts" vs. bots.
thanks for the clarification Aaron
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: cpanato, spiffxp The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
/assign @thockin
This is now N weeks out of date. I'd like to re-run audit and add some more commits to this, or merge this as-is and do a followup PR. @hh is making progress on an automated CI job (kubernetes/test-infra#20742) but I'd like to get us to a smaller more digestible delta before we accept PRs from that job. If we close this PR and wait for that job to work, we're going to land something larger than this PR, but with one commit. I don't want to review that.
I am re-running audit.sh and will add commits to this. I'm thinking maybe it's best to leave the questionable changes listed in
I asked the same set of questions you did. I filed some issues on other weirdnesses that are not as urgent feeling.
Mostly LGTM
@@ -72,6 +72,8 @@ | |||
"group:k8s-infra-gcp-org-admins@kubernetes.io", | |||
"user:domain-admin-lf@kubernetes.io", | |||
"user:ihor@cncf.io", | |||
"user:spiffxp@google.com", |
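Review bot: `"user:spiffxp@google.com"` and the other `user:` entries in this hunk are redundant with `"group:k8s-infra-gcp-org-admins@kubernetes.io"` two lines above, since group membership already grants the same role; if they are kept on purpose as a break-glass fallback, record that intent in the file or the commit message so a future audit diff does not read them as unexplained extra owners.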
We shouldn't need these (since we have group:k8s-infra-gcp-org-admins@kubernetes.io). But they are OK as a "safety".
Yup, "safety" is why they're explicitly defined here, is there someplace we should doc this?
], | ||
"name": "organizations/758905017065/roles/prow.viewer", | ||
"stage": "ALPHA", | ||
"title": "Prow Viewer" |
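Review bot: the custom role `organizations/758905017065/roles/prow.viewer` is checked in at `"stage": "ALPHA"` and nothing in this PR shows the script or config that creates it; add the role definition to the provisioning tooling (the infra scripts or Terraform) so the committed audit output is reproducible from the repo instead of reflecting a change made by hand at the org level.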
I find nothing in our repo setting this up. Aaron, your fingerprint is in the access log. We should set up a script or terraform to sync the org.
@@ -0,0 +1,11 @@ | |||
{ |
I wrote a quick script to diff all 30 of these.
06-30 have higher quotas than 01-05.
Not enough to abort this audit, but worth noting. Issue filed
@@ -0,0 +1,11 @@ | |||
{ |
I ran a script to diff these and it was clean.
@@ -0,0 +1,11 @@ | |||
{ |
I ran a script to diff these against 001.
41+ are missing the IAM binding:

```json
{
  "members": [
    "group:k8s-infra-prow-viewers@kubernetes.io"
  ],
  "role": "roles/viewer"
}
```
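The kind of diff described in the comment above, as an added example that is not part of this PR or of the k8s.io repo: it flattens GCP IAM policy JSON (the `{"bindings": [{"members": [...], "role": "..."}]}` shape the audit checks in) into (role, member) pairs and reports what each project lacks relative to a baseline project. The project names and policies are constructed sample data, and the `report()` helper is hypothetical.

```python
"""Report IAM bindings present in a baseline project's policy but missing elsewhere."""
import json
from typing import Dict, List, Set, Tuple

Binding = Tuple[str, str]  # (role, member)


def flatten(policy: dict) -> Set[Binding]:
    """Turn a policy into a set of (role, member) pairs so list order is irrelevant."""
    pairs = set()
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            pairs.add((binding["role"], member))
    return pairs


def missing_bindings(baseline: dict, others: Dict[str, dict]) -> Dict[str, List[Binding]]:
    """Return {project: sorted (role, member) pairs in baseline but absent from project}."""
    base = flatten(baseline)
    return {name: sorted(base - flatten(policy)) for name, policy in others.items()}


# Constructed sample policies in the shape of audit/projects/<project>/iam.json.
BASELINE = json.loads("""{"bindings": [
  {"members": ["group:k8s-infra-prow-viewers@kubernetes.io"], "role": "roles/viewer"},
  {"members": ["user:someone@example.com"], "role": "roles/owner"}]}""")
OTHERS = {
    "k8s-infra-e2e-boskos-002": json.loads("""{"bindings": [
      {"members": ["user:someone@example.com"], "role": "roles/owner"},
      {"members": ["group:k8s-infra-prow-viewers@kubernetes.io"], "role": "roles/viewer"}]}"""),
    "k8s-infra-e2e-boskos-041": json.loads("""{"bindings": [
      {"members": ["user:someone@example.com"], "role": "roles/owner"}]}"""),
}


def report(baseline: dict = BASELINE, others: Dict[str, dict] = OTHERS) -> List[str]:
    """One human-readable line per missing binding, sorted by project."""
    lines = []
    for project, missing in sorted(missing_bindings(baseline, others).items()):
        for role, member in missing:
            lines.append(f"{project}: missing {role} for {member}")
    return lines


if __name__ == "__main__":
    print("\n".join(report()) or "all projects match the baseline")
```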
@@ -22,6 +22,32 @@ | |||
}, | |||
{ | |||
"members": [ | |||
"serviceAccount:service-675573440409@compute-system.iam.gserviceaccount.com" |
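Review bot: `serviceAccount:service-675573440409@compute-system.iam.gserviceaccount.com` is the Compute Engine service agent, which only appears in a project's policy once the compute API has been enabled there; since this hunk adds the binding, confirm the project actually needs compute and, if not, have the provisioning script disable the API so the binding does not reappear on the next audit run.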
Almost certainly what happened was that you or I or someone with "enough" privs clicked on the "compute" tab while in this project (that's my default tab) and it "helpfully" enables the service. Sigh. We should just go and disable it in the script, so it will get cleaned up on every run.
opened #1675
opened #1675
@@ -20,6 +20,24 @@ | |||
], | |||
"role": "roles/cloudbuild.serviceAgent" | |||
}, | |||
{ |
See comment on compute. I suspect the same, but I have less evidence. We should nuke it.
added to #1675
@@ -20,10 +20,42 @@ | |||
], | |||
"role": "roles/cloudbuild.serviceAgent" | |||
}, | |||
{ |
agree - should be disabled.
given your explanation for "I clicked on console and this happens automatically" this is almost undoubtedly my fault, I navigate these services all the time on a number of projects
added to #1675
@@ -0,0 +1,8 @@ | |||
{ | |||
"displayName": "App Engine default service account", |
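Review bot: a new file carrying `"displayName": "App Engine default service account"` means the App Engine API was enabled in this project and its default service account was created; if nothing deploys to App Engine here, disable the API in the provisioning script rather than checking the account in, so the unused identity (and the API it belongs to) is removed instead of recorded as expected state.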
Maybe something to do with promoter? Can't think of a reason
I have been in app engine before (looking at gubernator), it's possible this is the same deal as everything else in #1675
I'm surprised clicking around on console auto-activates services. Is it because our accounts are over-privileged? I'd rather see a "nope, you can't use this because the API isn't enabled for this project"
@@ -18,6 +18,12 @@ | |||
], | |||
"role": "roles/bigquery.jobUser" | |||
}, | |||
{ |
Maybe related to promoter? @listx may know.
Yes, it's because people like you can do anything. :(
On Wed, Feb 17, 2021 at 4:04 PM Aaron Crickenberger wrote:
> I'm surprised clicking around on console auto-activates services. Is it because our accounts are over-privileged? I'd rather see a "nope, you can't use this because the API isn't enabled for this project"
Forget what I said in #1534 (comment). I did re-run audit, but I'd rather save those for another PR. And since we've opened a bunch of followup issues for the So... looking for lgtm?
/lgtm (I checked all the previous comments... no, I did not go through 38k lines!)
It's been way too long since this was last run and the results checked in. Last commit to `audit/` is dated 2020-05-06. So this is ~7mo of changes.

I tried to group changes into logical commits, but I won't be able to exhaustively tie each commit back to the issues/PRs that spawned it.

This is WIP because I want to either resolve or open up followup issues for commits that have `QQ` or `TODO` in their messages.

I really, really, really want us to get this running and automatically PR'ed by prow (ref: #244). Current state of affairs is broken.