Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

audit: update as of 2021-03-30 #1800

Merged
merged 1 commit into from
Mar 31, 2021
Merged

Conversation

cncf-ci
Copy link
Contributor

@cncf-ci cncf-ci commented Mar 17, 2021

Audit Updates wg-k8s-infra

@k8s-ci-robot k8s-ci-robot added the cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. label Mar 17, 2021
@k8s-ci-robot
Copy link
Contributor

Hi @cncf-ci. Thanks for your PR.

I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot k8s-ci-robot added needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. area/audit Audit of project resources, audit followup issues, code in audit/ labels Mar 17, 2021
@k8s-ci-robot k8s-ci-robot requested review from spiffxp and thockin March 17, 2021 04:57
@k8s-ci-robot k8s-ci-robot added wg/k8s-infra size/L Denotes a PR that changes 100-499 lines, ignoring generated files. needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. labels Mar 17, 2021
@k8s-ci-robot k8s-ci-robot added size/S Denotes a PR that changes 10-29 lines, ignoring generated files. and removed needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Mar 17, 2021
@k8s-ci-robot k8s-ci-robot added size/M Denotes a PR that changes 30-99 lines, ignoring generated files. and removed size/S Denotes a PR that changes 10-29 lines, ignoring generated files. labels Mar 17, 2021
Copy link
Member

@spiffxp spiffxp left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

One expected change, one unexpected

"serviceAccount:service-cri-o@k8s-conform.iam.gserviceaccount.com"
],
"role": "roles/storage.objectCreator"
"role": "roles/storage.objectAdmin"
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

???

did someone make this change manually?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

weird! (not me!)

cc @saschagrunert @mrunalp any clues?

Copy link
Member

@saschagrunert saschagrunert Mar 17, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Aww, yes I changed it manually. Big sorry for that, our token needs access to write a version marker to the bucket. :-/ We need to change that file for each commit. Can we request an additional bucket where we're able to edit/change files?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can I ask what the version marker is for? These buckets should just be result dumps, just trying to understand the use case here.

OTOH since we're giving humans admin access I can't think why we wouldn't give their serviceaccount the same level of acess. I would be open to a PR that makes this the default for all k8s-conform buckets, WDYT @BenTheElder ?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/cc @BenTheElder
to put the above question on your radar

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can I ask what the version marker is for? These buckets should just be result dumps, just trying to understand the use case here.

Yes sure, the main intention was to use this marker for being independent from the GitHub API. We publish a binary artifact for every successful run on the CRI-O master branch and update the version marker after that. This way we can easily query the latest build without having to use the rate limited GitHub Actions API. It's more or less the same like we do it in k8s.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Opened #1850 to track following up on this

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

FYI I mistakenly deleted this account when trying to delete the capi-openstack serviceaccount below. I believe I restored it, but let me know if you see problems on your end @saschagrunert

$ gcloud iam service-accounts delete service-cri-o@k8s-conform.iam.gserviceaccount.com
deleted service account [service-cri-o@k8s-conform.iam.gserviceaccount.com]
$ gcloud beta iam service-accounts undelete 118310596454734433596
restoredAccount:
  email: service-cri-o@k8s-conform.iam.gserviceaccount.com
  etag: MDEwMjE5MjA=
  name: projects/k8s-conform/serviceAccounts/service-cri-o@k8s-conform.iam.gserviceaccount.com
  oauth2ClientId: REDACTED
  projectId: k8s-conform
  uniqueId: '118310596454734433596'

@@ -517,15 +517,27 @@
"deploymentmanager.typeProviders.list",
"deploymentmanager.types.list",
"dialogflow.agents.list",
"dialogflow.answerrecords.list",
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

expected, came from: #1794 (comment)

@cncf-ci cncf-ci changed the title audit: update as of 2021-03-17 audit: update as of 2021-03-18 Mar 18, 2021
@cncf-ci cncf-ci force-pushed the autoaudit-prow branch 3 times, most recently from e21ce65 to 669d0b3 Compare March 18, 2021 17:01
@cncf-ci cncf-ci changed the title audit: update as of 2021-03-18 audit: update as of 2021-03-19 Mar 19, 2021
@cncf-ci cncf-ci force-pushed the autoaudit-prow branch 4 times, most recently from 01767b4 to 66916db Compare March 19, 2021 22:56
@k8s-ci-robot k8s-ci-robot removed the size/M Denotes a PR that changes 30-99 lines, ignoring generated files. label Mar 19, 2021
@cncf-ci cncf-ci force-pushed the autoaudit-prow branch 2 times, most recently from 0aa5a69 to 1d42984 Compare March 27, 2021 23:25
@cncf-ci cncf-ci changed the title audit: update as of 2021-03-27 audit: update as of 2021-03-28 Mar 28, 2021
@cncf-ci cncf-ci force-pushed the autoaudit-prow branch 2 times, most recently from 3c037c9 to ece5881 Compare March 28, 2021 11:28
@k8s-ci-robot k8s-ci-robot added size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. and removed size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Mar 28, 2021
@k8s-ci-robot k8s-ci-robot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. labels Mar 28, 2021
@cncf-ci cncf-ci changed the title audit: update as of 2021-03-28 audit: update as of 2021-03-29 Mar 29, 2021
@cncf-ci cncf-ci force-pushed the autoaudit-prow branch 4 times, most recently from 3589904 to 6a68661 Compare March 29, 2021 23:37
@cncf-ci cncf-ci changed the title audit: update as of 2021-03-29 audit: update as of 2021-03-30 Mar 30, 2021
@cncf-ci cncf-ci force-pushed the autoaudit-prow branch 3 times, most recently from fefd764 to 0fc358f Compare March 30, 2021 17:37
Copy link
Member

@spiffxp spiffxp left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/approve
/lgtm
/hold cancel
kubernetes-sigs/kubetest2#117 has landed which should hopefully mean no new random ssh keys being added. So I'm merging this to see if that proves true.

I've dropped comments / opened up followup issues for anything else in here that needs resolving.

If it does, I'll PR up something to either one-time nuke the e2e project ssh-keys, or reset the ssh-keys to what we expect every time ensure-e2e-projects.sh is run

Comment on lines -32 to -33
"group:k8s-infra-prow-oncall@kubernetes.io",
"user:spiffxp@google.com"
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I have a pending PR that modifies ensure_project to automatically remove user:* bindings for roles/owner, this was me testing it

@@ -1,6 +1,5 @@
NAME TITLE
bigquery.googleapis.com BigQuery API
bigquery.googleapis.com BigQuery API
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not sure why we had a dupe entry here to begin with, not sure what caused it to get removed

"serviceAccount:service-cri-o@k8s-conform.iam.gserviceaccount.com"
],
"role": "roles/storage.objectCreator"
"role": "roles/storage.objectAdmin"
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Opened #1850 to track following up on this

Comment on lines +1 to +8
{
"displayName": "service-capi-openstack",
"email": "service-capi-openstack@k8s-conform.iam.gserviceaccount.com",
"name": "projects/k8s-conform/serviceAccounts/service-capi-openstack@k8s-conform.iam.gserviceaccount.com",
"oauth2ClientId": "115191210752954465501",
"projectId": "k8s-conform",
"uniqueId": "115191210752954465501"
}
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this should be manually deleted per #1807

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

$ gcloud iam service-accounts delete service-capi-openstack@k8s-conform.iam.gserviceaccount.com
deleted service account [service-capi-openstack@k8s-conform.iam.gserviceaccount.com]

@@ -0,0 +1 @@
{}
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this should be manually deleted per #1807

Comment on lines +2 to +4
"createTime": "2021-03-24T18:14:58.836Z",
"lifecycleState": "ACTIVE",
"name": "k8s-staging-kubetest2",
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

All files under projects/k8s-staging-kubetest2 are expected, a result of #1819 merging

@@ -4,7 +4,13 @@
"members": [
"group:k8s-infra-cluster-admins@kubernetes.io"
],
"role": "projects/kubernetes-public/roles/ServiceAccountLister"
"role": "organizations/758905017065/roles/iam.serviceAccountLister"
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is expected, a result of #1737

Comment on lines +10 to +13
"members": [
"group:k8s-infra-rbac-slack-infra@kubernetes.io"
],
"role": "organizations/758905017065/roles/secretmanager.secretLister"
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This was me manually trialing #1731 (comment) to help land #1696

It did not solve the problem, so I'll manually remove this binding

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

$ gcloud projects remove-iam-policy-binding kubernetes-public --member="group:k8s-infra-rbac-slack-infra@kubernetes.io" --role="organizations/758905017065/roles/secretmanager.secretLister"

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Mar 31, 2021
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: cncf-ci, spiffxp

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Mar 31, 2021
@k8s-ci-robot k8s-ci-robot merged commit 9c5e53a into kubernetes:main Mar 31, 2021
@k8s-ci-robot k8s-ci-robot added this to the v1.21 milestone Mar 31, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. area/audit Audit of project resources, audit followup issues, code in audit/ cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. lgtm "Looks good to me", indicates that a PR is ready to be merged. needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

6 participants