Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Remove org-level role/binding cleanup, improve lib_iam output #1794

Merged
merged 4 commits into from
Mar 17, 2021
Merged

Remove org-level role/binding cleanup, improve lib_iam output #1794

merged 4 commits into from
Mar 17, 2021

Conversation

spiffxp
Copy link
Member

@spiffxp spiffxp commented Mar 16, 2021
edited
Loading

Part of umbrella issue to manage organization-level IAM assets (ref: #1659)

Followup to previous PRs:

See individual commit messages for details.

The first two commits are hopefully going to dramatically reduce output from IAM changes, such that unexpected additions or removals are more likely to stand out. A bunch of infra/gcp scripts could be updated to use lib_iam.sh instead of calling gcloud directly.

spiffxp added 4 commits March 16, 2021 10:07
@spiffxp
infra/gcp: add diff_colorized to lib_util
2fe1cf9
@spiffxp
infra/gcp: improve lib_iam output
856c002 
gcloud iam functions have noisy output, trim down to relevent info

- no error if role already removed
- no "policy updated" is policy didn't need to be updated
- diff before/after of policy changes in flat/concise format
@spiffxp
infra/gcp: remove cleanup of removed bindings/roles
623bb00 
they have been removed, cleanup no longer necessary
@spiffxp
roles: refresh audit.viewer
1a2a8b5
@k8s-ci-robot k8s-ci-robot added cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. wg/k8s-infra labels Mar 16, 2021
@k8s-ci-robot k8s-ci-robot requested review from bartsmykla and dims March 16, 2021 14:14
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: spiffxp

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. approved Indicates a PR has been approved by an approver from all required OWNERS files. labels Mar 16, 2021
@spiffxp
Copy link
Member Author

spiffxp commented Mar 16, 2021

/uncc @bartsmykla
/cc @ameukam @thockin

@k8s-ci-robot k8s-ci-robot requested review from ameukam and thockin and removed request for bartsmykla March 16, 2021 17:50
@ameukam
Copy link
Member

ameukam commented Mar 16, 2021

/lgtm
/hold
In case thockin has something to say.

@k8s-ci-robot k8s-ci-robot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Mar 16, 2021
@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Mar 16, 2021
@spiffxp
Copy link
Member Author

spiffxp commented Mar 17, 2021

/hold cancel
If @thockin has time, can comment on this post-merge

@k8s-ci-robot k8s-ci-robot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Mar 17, 2021
@k8s-ci-robot k8s-ci-robot merged commit ed4e5eb into kubernetes:main Mar 17, 2021
@k8s-ci-robot k8s-ci-robot added this to the v1.21 milestone Mar 17, 2021
@spiffxp spiffxp deleted the ensure-organization-followup-pt2 branch March 17, 2021 14:18
@spiffxp
Copy link
Member Author

spiffxp commented Mar 17, 2021 

Ensuring organization custom roles exist
  Ensuring organization custom role prow.viewer
  Ensuring organization custom role audit.viewer
  @@ -516,15 +516,27 @@ includedPermissions:
     - deploymentmanager.typeProviders.list
     - deploymentmanager.types.list
     - dialogflow.agents.list
  +  - dialogflow.answerrecords.list
  +  - dialogflow.callMatchers.list
     - dialogflow.contexts.list
  +  - dialogflow.conversationDatasets.list
  +  - dialogflow.conversationModels.list
  +  - dialogflow.conversationProfiles.list
  +  - dialogflow.conversations.list
     - dialogflow.documents.list
     - dialogflow.entityTypes.list
     - dialogflow.environments.list
     - dialogflow.flows.list
     - dialogflow.intents.list
     - dialogflow.knowledgeBases.list
  +  - dialogflow.messages.list
  +  - dialogflow.modelEvaluations.list
     - dialogflow.pages.list
  +  - dialogflow.participants.list
  +  - dialogflow.phoneNumberOrders.list
  +  - dialogflow.phoneNumbers.list
     - dialogflow.sessionEntityTypes.list
  +  - dialogflow.smartMessagingEntries.list
     - dialogflow.transitionRouteGroups.list
     - dialogflow.versions.list
     - dialogflow.webhooks.list
  Ensuring organization custom role secretmanager.secretLister
  Ensuring organization custom role organization.admin
  Ensuring organization custom role CustomRole
  Ensuring organization custom role iam.serviceAccountLister
Ensuring organization IAM bindings exist
Ensuring removed organization IAM bindings do not exist
  No bindings to remove
Ensuring removed organization custom roles do not exist
All done!

@spiffxp spiffxp mentioned this pull request Mar 17, 2021
Merged
@spiffxp
Copy link
Member Author

spiffxp commented Mar 17, 2021

The above output is a bit sanitized, the first time I ran the script, it halted after updating audit.viewer

Opened #1801 to address

@spiffxp spiffxp mentioned this pull request Mar 17, 2021
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@dims dims Awaiting requested review from dims

@ameukam ameukam Awaiting requested review from ameukam

@thockin thockin Awaiting requested review from thockin

Assignees

@ameukam ameukam

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. lgtm "Looks good to me", indicates that a PR is ready to be merged. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.
Projects
None yet
Milestone
v1.21
Development

Successfully merging this pull request may close these issues.
3 participants
@spiffxp @k8s-ci-robot @ameukam