audit: update as of 2021-04-08 #1874

cncf-ci · 2021-04-06T00:18:44Z

Audit Updates wg-k8s-infra

k8s-ci-robot · 2021-04-06T00:18:52Z

Hi @cncf-ci. Thanks for your PR.

I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

spiffxp · 2021-04-06T13:42:02Z

audit/projects/k8s-infra-e2e-boskos-001/services/compute/project-info.json

@@ -3,7 +3,7 @@
    "items": [
      {
        "key": "ssh-keys",
-        "value": "prow:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCmYxHh/wwcV0P1aChuFLpl28w6DFyc7G5Xrw1F8wH1Re9AdxyemM2bTZ/PhsP3u9VDnNbyOw3UN00VFdumkFLjLf1WQ7Q6rZDlPjlw7urBIvAMqUecY6ae1znqsZ0dMBxOuPXHznlnjLjM5b7O7q5WsQMCA9Szbmz6DsuSyCuX0It2osBTN+8P/Fa6BNh3W8AF60M7L8/aUzLfbXVS2LIQKAHHD8CWqvXhLPuTJ03iSwFvgtAK1/J2XJwUP+OzAFrxj6A9LW5ZZgk3R3kRKr0xT/L7hga41rB1qy8Uz+Xr/PTVMNGW+nmU4bPgFchCK0JBK7B12ZcdVVFUEdpaAiKZ prow\nprow:prow:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCmYxHh/wwcV0P1aChuFLpl28w6DFyc7G5Xrw1F8wH1Re9AdxyemM2bTZ/PhsP3u9VDnNbyOw3UN00VFdumkFLjLf1WQ7Q6rZDlPjlw7urBIvAMqUecY6ae1znqsZ0dMBxOuPXHznlnjLjM5b7O7q5WsQMCA9Szbmz6DsuSyCuX0It2osBTN+8P/Fa6BNh3W8AF60M7L8/aUzLfbXVS2LIQKAHHD8CWqvXhLPuTJ03iSwFvgtAK1/J2XJwUP+OzAFrxj6A9LW5ZZgk3R3kRKr0xT/L7hga41rB1qy8Uz+Xr/PTVMNGW+nmU4bPgFchCK0JBK7B12ZcdVVFUEdpaAiKZ prow\nkubetest2:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDNmod3WnxDQ9f7EJSzZwvclM5CCDYZZXdx5K9cUa6CW/XJIsA/zurPZbH1jHp3QLX1DMR49GR+P8ACm6tP91qbVtdLxDyTeeLlRmXQEri7Bis2uwUXK7QkxmLgiUKzq95QwkYFGUafEy+we+OR4+Rj2C4rrFOriwqfWEjbGVPPt6ihfUauaSWKBkoF+X6YjJ+1zTtrQGqAyBpbhqCEUkWTOnG7Y7Wycqf30lw9Bs6ngw8QPhUyc3Pbjxj2aPOpDQVMPT03TjFT5F8pn2nU9trQuFdbnsY1Bjyd4Q2/jqfSjg1bbFEaEjV1FPHo/OeZNsXRTAj0Hh3A4KapLubvdT2n root@5d02d822-da00-11ea-8c1c-d23af84fd26f\nkubetest2:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC/mk6vRaJfkpfIWG0Evihh/q0x5W5nz943WE69/mk+Q1hJOJpNj7GJc0y0moVsiVaXXVMXRAoC/wQDzB+XRf44Js2lojJmhABqG/kVEAwgwgLk/nEZATGbwyGbXFcq267f6jTGNOY9HbRrq6gMOyzdRy1uzX286Uav7gKBDY5IP3lBLOKX857D0XhIQx/ry9hmb5GzIKSSL1Zmv6O0iQqiubbVCglKdIZ1AQoIud5tvzmghb7fAACkPfQ9kqwrbLFVUh/nKRhIQxeOr2QF2Uv0/YQFiULb/iw70Z/QI8QDnUrnPq9MMIHR2YpkX0K3qZeguqNgToiuYu2d/1RXxhGF root@1c7dbf9d-e14f-11ea-8c67-968ff53f47c5\nkubetest2:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDIm/Z3K0oPSZa0eLXTydSTcJFy9Gj1bE5QdAJt61f6abW0SQqlcez+PScnQFyqU8AFFRtO4kXB0JyDcobF3qQSXTN3P/NvV2psw/lHBes7uScfVDvfm7nDK1ndEbb24wBzXdc4wdZeCW+NoDEa8btslsSoGgINsUeI/oyME872WalXQuSiIFy4R7P3XmCXSePb8b+4HUa7vd5IpB+2K18oTmf+F93ZSPRJxTk8ZCJME6LnN7LxJkHYpnO+hC9IMPbAzWc0LDWpCNDuu0LO2rtvP/y/opj4it6i8l+FUg6hAHPlUos6vd3DCjkf3ylBwCAMOdRJp27DJmLx8+U+jiRz root@1e8e278f-f707-11ea-ae6d-8ed64f3416c0\nkubetest2:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDpcmjugW/itfeCL7WeZnea2YOEfzZgxMPTsvuHk39woyTRxJdjq4v/zMLSOXNBrdZFyqdW+F2ySS2GxCpvR5O2QKxEiqCcGOPK3xdQNRIP5mHtELgoPvPc4i22u3+ipfB/CrdrjN/ELwpUZXHrah5bNxOivEbNwYvQ3bMq+WbduRRLdKr10fwdyErywnqex4PvolxR2bOAnNdhakoUH31pSSECBKOX6YUh+TOG2Hh4wpyAJxSwxg7o5IgglU+ok9i6lK8g42CSlq+NBRp2AmoXd82KzXBfqpbTMJd2A8EnZrtq/VKGXFpWE4BzlA6+H7y3jxfcvTDfxH7I7YTgRUvB root@d99b53dd-f8b6-11ea-926e-7e7ea190b727\nkubetest2:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDtu4A2VuzGX/fH0HUjKcVqBi/+Fdd/kigCvQMWF3Uw6k8Q71l7ewcDDtfs+WDk06bNg50JsdaA+OcetrpL0yLPuKBvtSg/vl8msn8uxPbhHAgQ/QaaTLWYnztioPEsX4GHj6IcskwLGWNR+mIlqxY+cximmQ1O7hj1IGPNLuePysM9ZdpMDT7xOVc73PXd/t5+kZPjnKEQlsz5Zd7FtQH6QJ7ptKLYfcS062ZQlQJNaQPVIPk/TA9xLAEHaTSw0u1eJHuyXvbSbqvj8e/69wWMR32QmN6mKus3hQZjPMm+DzmDIWq2wt96i1eickCGSvpfXG4j6TIYmTVu3yTDe+ER root@1d6a8847-0838-11eb-b895-6272783fc925\nkubetest2:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC5eYrnUmX0URxEg778N+rOLSPqYJk1nPe3ppy/X7zf6rs514UlmBpftsI+ZC5iFxJKIfI1+IECBydUmMtcMeDNq6TJ+QtPaQjonX0jp7Cm4fdOmTfiDnuY1qhepvdKN7oWmZeNT1xrdAe8qeeLIbup92zIlU8++nusMmrAyvmmSjPtl41YNufj3g+4MEryQ6lq43RdkXT35GfZPdWUD3ZUrsc2b568NzBCdCG0j+/RYWHUxnRWiReJzhcrZX+dFACNL7Br5UVz6vmWNV8hLfrVJAAjHNtqWP0m4VCUOX84dfvmTa5I1xOjrqMNMLdWhNCKbR8zOJfaM86lzh66+yQv root@91bc69a5-532d-11eb-b6a5-7e8b7adfd54c\nkubetest2:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC2cYpeZLD9y25W19mQbvRxg7slzivZIV8y+p8XCIT2xddSl1HQ7Fz1Ir1iUzq0cqniTzHnmM8+RC47XaMMOaXaZjjPcpyNiaFOczCn9c4M5E48ipAa105HP9vj1yewWfgCbPxRP6QSweR8BOVLZHUpZwebPen1XwXUYrUBC0rhPHcFKPUtla4hlUEqI9/ca1yiohCUWDSpO9y5wazA54rZhkN/AHxhPCE0v8xcjJKbcZoUdyFFjY7kMXsL6AOpNwqpFzmhi01+ei3BikcRyKQnWAK15n+F0N4d1tYW5FPEAeepx/BsUnAlX3pji6N11c+sPg3laspWOvVTFgBWrpDd root@12716507-5573-11eb-b690-769430c9414e\nkubetest2:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC1HW5T8W/GHe9ba3zZhCR59IjYskzVSoR9KQQF97qG37mPsgvp+HZaFN4czh5Nq5SL7EbCZsROj50cMaO4Q37wCKvIQoWQtaFnBZkzvcADqPAyvIkGjsVRP7+3bSW+2vFr1bqmE8X5lFvIrAdR6BFbgirfTdeOT4SZo6OzyXm4mznYFQMxz5MIqNA+64qMq7UKWKYULRI33YMn8kvUVi3/sATPjOt4v0lQAM8i0g6IKw9MYlLNBQ9G7nH3tYWBBXAMboOT5TsGKGSt8FooNhxKuygbSyJoQL9T5x24sDjxqOVMvtTLRk3NtigdIcigiFgbRxGSmoNXGg9OIIP5Bcyh root@df1a6954-82ae-11eb-b915-56a8d6cedae4\nkubetest2:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDfySXJDe/9NLf9ek6OEu5CKV4ugzXnI4I+Ealg9fqaB2+S0BCsSGnrCOGUjKH0PWy85VqwhIhd+rTPz3sZRsbWTVvtnTWgLzBFnC20TuJlhmj+EUIIJcigSrkQcOOpGJi2trDBr1eXAN6SY9ZqHQRicndDVsJ9oi9eXrTUYoSwM+gbIWxscrRdvnsT61m1wLSmxJOoEb9013ow66j+RhDRd1MtJrrF1qoKOIPo9FtVHoOJuZ8gV2mASemGGx1xiTZSboDubvkKVroGzhG+uVEXaTqh7GJsmdN8yvjw/9qfphU7ihDuqZCIpiFx3HNV4tYsA6h1DhD92E7mInGC7Zsn root@d594c422-84c1-11eb-b098-eeb808a18dc8\nkubetest2:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDhsM5onslgH0nRFnAumVOGK9oHjF1t3VduBnRW5e3XgBu/qxoP3eT7qHYozRGTFLOrHPWIJ1ScyOEfV8cTT9aVNVamk3/5+UR34yOxQR/L5mrDyOd9o8hBvQ3BJiM6S775zQ4sy+oKTL9MMoT3m8/tC8n+lS+SNHyVFQXQmFEOLdiMN+qKenkYt5cv+lIzqKXUxtiJ5GQOsK2mY2TC+JtyeDSeCEjv1e/bmiEkWmiG1e550VdPffBfD0DOp5DWgkGM0a72SW1mPxjaxUy4ttk7JEPA76WiuLwG/mc6t28R5fmklQOyYK1LppGX1NhhLSGtwJ/abN8rgyWJqDyny+43 root@ad4d54b9-8af8-11eb-8155-227e2855667f\nkubetest2:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDIciYtiBpbHldYdy3OXDuSRbR4SgnK/kzx3fVYKb6+HCyiPBFEPON6xuxBTgb2i5vwuWH4tq7zA25+8we95Y81DSUaPs3kOMS+m03Nwg76LmYZxZTF7HTCp72QMSFZFPp0hu+IZertWcJ21CrnA9nxOd/XfCS+ZgtbCDZW4MrUP4Dx/Gs1dUyqqla/0GvU7StQjwGHGs7j+59w5W2oYrK75pW1VETikPNISAKorNE9U6yOGmQHk9Iw4qkY3UpGYSB2wKLuNAH6dVPBxEkW+PqL8jiyaXsKWA8WGnxSZtm2LUuXbEJ7Va16AVkzz0NLecBaCtR3q+CL1fOoDO0wlqlr root@3c8b1b38-8c41-11eb-b692-3a35d43432cb\nkubetest2:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDFpnDgq2z7HFkMOm5cFxWC/ygaQZz6WIr/ADtBlkGNdfhXfQXOwPx6I9CuaUApj+6EmSUMWOHFJ+2vBqL7n06OEmua1zhNjYJxjyI9Fovektew6idwcXYntUmWoYusoVyitI8JLIh9qwuOp7JHDzIw3e28o6k+z8VliVNoe2k+O516x3CTlaYFpnJfxXi1YmCAPuq0i1YYNqJ6AvA1axHUeq0YYw3ruNriNsENlgwVUO3HP+JjxI5PIYZHFv/ZYvYgcXBfDMrT29BiC1CTM5dVtT9OstMxtSSOR2JB5PTN/FukNigdne2APgG00p/QZcNIDvVCoDgNI+mTrDdAMVfd root@3599990f-8e54-11eb-adda-5eb174036857\nkubetest2:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDGwOPOG1FFup69yB/68lDCeIz1/outPDVIpyhaPZhxpy11w3wp/XFbaS807TNUKRs0vD43vxX3U2OS+hl4g+8p+uRdT9bVoFm5+PqxsDuSVLI3Ch5/itCo+Ux37wLLda9eBPqHC7fvgNyFqly00MeviZr1mooxgdxDOgLb4UHtKI9ke9QXlcxBkkEcWFZe6KLM5spcau5N9mhMWJryoUfwBHY6L/zcdIC0+YtUCT4Gz94J3YHv/ADDYfo73r5IfDJHXFqEXfZo++4nGIjFsW32emLJW9+S99GkDrnQEjUpwiybhhDklsiFe98/+oX7iDJcvzsirhGtZnMnj6FoCJEV root@a9e3680e-914c-11eb-827a-4615317e4d96"
+        "value": "prow:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCmYxHh/wwcV0P1aChuFLpl28w6DFyc7G5Xrw1F8wH1Re9AdxyemM2bTZ/PhsP3u9VDnNbyOw3UN00VFdumkFLjLf1WQ7Q6rZDlPjlw7urBIvAMqUecY6ae1znqsZ0dMBxOuPXHznlnjLjM5b7O7q5WsQMCA9Szbmz6DsuSyCuX0It2osBTN+8P/Fa6BNh3W8AF60M7L8/aUzLfbXVS2LIQKAHHD8CWqvXhLPuTJ03iSwFvgtAK1/J2XJwUP+OzAFrxj6A9LW5ZZgk3R3kRKr0xT/L7hga41rB1qy8Uz+Xr/PTVMNGW+nmU4bPgFchCK0JBK7B12ZcdVVFUEdpaAiKZ prow\nprow:prow:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCmYxHh/wwcV0P1aChuFLpl28w6DFyc7G5Xrw1F8wH1Re9AdxyemM2bTZ/PhsP3u9VDnNbyOw3UN00VFdumkFLjLf1WQ7Q6rZDlPjlw7urBIvAMqUecY6ae1znqsZ0dMBxOuPXHznlnjLjM5b7O7q5WsQMCA9Szbmz6DsuSyCuX0It2osBTN+8P/Fa6BNh3W8AF60M7L8/aUzLfbXVS2LIQKAHHD8CWqvXhLPuTJ03iSwFvgtAK1/J2XJwUP+OzAFrxj6A9LW5ZZgk3R3kRKr0xT/L7hga41rB1qy8Uz+Xr/PTVMNGW+nmU4bPgFchCK0JBK7B12ZcdVVFUEdpaAiKZ prow\nkubetest2:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDNmod3WnxDQ9f7EJSzZwvclM5CCDYZZXdx5K9cUa6CW/XJIsA/zurPZbH1jHp3QLX1DMR49GR+P8ACm6tP91qbVtdLxDyTeeLlRmXQEri7Bis2uwUXK7QkxmLgiUKzq95QwkYFGUafEy+we+OR4+Rj2C4rrFOriwqfWEjbGVPPt6ihfUauaSWKBkoF+X6YjJ+1zTtrQGqAyBpbhqCEUkWTOnG7Y7Wycqf30lw9Bs6ngw8QPhUyc3Pbjxj2aPOpDQVMPT03TjFT5F8pn2nU9trQuFdbnsY1Bjyd4Q2/jqfSjg1bbFEaEjV1FPHo/OeZNsXRTAj0Hh3A4KapLubvdT2n root@5d02d822-da00-11ea-8c1c-d23af84fd26f\nkubetest2:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC/mk6vRaJfkpfIWG0Evihh/q0x5W5nz943WE69/mk+Q1hJOJpNj7GJc0y0moVsiVaXXVMXRAoC/wQDzB+XRf44Js2lojJmhABqG/kVEAwgwgLk/nEZATGbwyGbXFcq267f6jTGNOY9HbRrq6gMOyzdRy1uzX286Uav7gKBDY5IP3lBLOKX857D0XhIQx/ry9hmb5GzIKSSL1Zmv6O0iQqiubbVCglKdIZ1AQoIud5tvzmghb7fAACkPfQ9kqwrbLFVUh/nKRhIQxeOr2QF2Uv0/YQFiULb/iw70Z/QI8QDnUrnPq9MMIHR2YpkX0K3qZeguqNgToiuYu2d/1RXxhGF root@1c7dbf9d-e14f-11ea-8c67-968ff53f47c5\nkubetest2:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDIm/Z3K0oPSZa0eLXTydSTcJFy9Gj1bE5QdAJt61f6abW0SQqlcez+PScnQFyqU8AFFRtO4kXB0JyDcobF3qQSXTN3P/NvV2psw/lHBes7uScfVDvfm7nDK1ndEbb24wBzXdc4wdZeCW+NoDEa8btslsSoGgINsUeI/oyME872WalXQuSiIFy4R7P3XmCXSePb8b+4HUa7vd5IpB+2K18oTmf+F93ZSPRJxTk8ZCJME6LnN7LxJkHYpnO+hC9IMPbAzWc0LDWpCNDuu0LO2rtvP/y/opj4it6i8l+FUg6hAHPlUos6vd3DCjkf3ylBwCAMOdRJp27DJmLx8+U+jiRz root@1e8e278f-f707-11ea-ae6d-8ed64f3416c0\nkubetest2:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDpcmjugW/itfeCL7WeZnea2YOEfzZgxMPTsvuHk39woyTRxJdjq4v/zMLSOXNBrdZFyqdW+F2ySS2GxCpvR5O2QKxEiqCcGOPK3xdQNRIP5mHtELgoPvPc4i22u3+ipfB/CrdrjN/ELwpUZXHrah5bNxOivEbNwYvQ3bMq+WbduRRLdKr10fwdyErywnqex4PvolxR2bOAnNdhakoUH31pSSECBKOX6YUh+TOG2Hh4wpyAJxSwxg7o5IgglU+ok9i6lK8g42CSlq+NBRp2AmoXd82KzXBfqpbTMJd2A8EnZrtq/VKGXFpWE4BzlA6+H7y3jxfcvTDfxH7I7YTgRUvB root@d99b53dd-f8b6-11ea-926e-7e7ea190b727\nkubetest2:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDtu4A2VuzGX/fH0HUjKcVqBi/+Fdd/kigCvQMWF3Uw6k8Q71l7ewcDDtfs+WDk06bNg50JsdaA+OcetrpL0yLPuKBvtSg/vl8msn8uxPbhHAgQ/QaaTLWYnztioPEsX4GHj6IcskwLGWNR+mIlqxY+cximmQ1O7hj1IGPNLuePysM9ZdpMDT7xOVc73PXd/t5+kZPjnKEQlsz5Zd7FtQH6QJ7ptKLYfcS062ZQlQJNaQPVIPk/TA9xLAEHaTSw0u1eJHuyXvbSbqvj8e/69wWMR32QmN6mKus3hQZjPMm+DzmDIWq2wt96i1eickCGSvpfXG4j6TIYmTVu3yTDe+ER root@1d6a8847-0838-11eb-b895-6272783fc925\nkubetest2:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC5eYrnUmX0URxEg778N+rOLSPqYJk1nPe3ppy/X7zf6rs514UlmBpftsI+ZC5iFxJKIfI1+IECBydUmMtcMeDNq6TJ+QtPaQjonX0jp7Cm4fdOmTfiDnuY1qhepvdKN7oWmZeNT1xrdAe8qeeLIbup92zIlU8++nusMmrAyvmmSjPtl41YNufj3g+4MEryQ6lq43RdkXT35GfZPdWUD3ZUrsc2b568NzBCdCG0j+/RYWHUxnRWiReJzhcrZX+dFACNL7Br5UVz6vmWNV8hLfrVJAAjHNtqWP0m4VCUOX84dfvmTa5I1xOjrqMNMLdWhNCKbR8zOJfaM86lzh66+yQv root@91bc69a5-532d-11eb-b6a5-7e8b7adfd54c\nkubetest2:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC2cYpeZLD9y25W19mQbvRxg7slzivZIV8y+p8XCIT2xddSl1HQ7Fz1Ir1iUzq0cqniTzHnmM8+RC47XaMMOaXaZjjPcpyNiaFOczCn9c4M5E48ipAa105HP9vj1yewWfgCbPxRP6QSweR8BOVLZHUpZwebPen1XwXUYrUBC0rhPHcFKPUtla4hlUEqI9/ca1yiohCUWDSpO9y5wazA54rZhkN/AHxhPCE0v8xcjJKbcZoUdyFFjY7kMXsL6AOpNwqpFzmhi01+ei3BikcRyKQnWAK15n+F0N4d1tYW5FPEAeepx/BsUnAlX3pji6N11c+sPg3laspWOvVTFgBWrpDd root@12716507-5573-11eb-b690-769430c9414e\nkubetest2:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC1HW5T8W/GHe9ba3zZhCR59IjYskzVSoR9KQQF97qG37mPsgvp+HZaFN4czh5Nq5SL7EbCZsROj50cMaO4Q37wCKvIQoWQtaFnBZkzvcADqPAyvIkGjsVRP7+3bSW+2vFr1bqmE8X5lFvIrAdR6BFbgirfTdeOT4SZo6OzyXm4mznYFQMxz5MIqNA+64qMq7UKWKYULRI33YMn8kvUVi3/sATPjOt4v0lQAM8i0g6IKw9MYlLNBQ9G7nH3tYWBBXAMboOT5TsGKGSt8FooNhxKuygbSyJoQL9T5x24sDjxqOVMvtTLRk3NtigdIcigiFgbRxGSmoNXGg9OIIP5Bcyh root@df1a6954-82ae-11eb-b915-56a8d6cedae4\nkubetest2:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDfySXJDe/9NLf9ek6OEu5CKV4ugzXnI4I+Ealg9fqaB2+S0BCsSGnrCOGUjKH0PWy85VqwhIhd+rTPz3sZRsbWTVvtnTWgLzBFnC20TuJlhmj+EUIIJcigSrkQcOOpGJi2trDBr1eXAN6SY9ZqHQRicndDVsJ9oi9eXrTUYoSwM+gbIWxscrRdvnsT61m1wLSmxJOoEb9013ow66j+RhDRd1MtJrrF1qoKOIPo9FtVHoOJuZ8gV2mASemGGx1xiTZSboDubvkKVroGzhG+uVEXaTqh7GJsmdN8yvjw/9qfphU7ihDuqZCIpiFx3HNV4tYsA6h1DhD92E7mInGC7Zsn root@d594c422-84c1-11eb-b098-eeb808a18dc8\nkubetest2:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDhsM5onslgH0nRFnAumVOGK9oHjF1t3VduBnRW5e3XgBu/qxoP3eT7qHYozRGTFLOrHPWIJ1ScyOEfV8cTT9aVNVamk3/5+UR34yOxQR/L5mrDyOd9o8hBvQ3BJiM6S775zQ4sy+oKTL9MMoT3m8/tC8n+lS+SNHyVFQXQmFEOLdiMN+qKenkYt5cv+lIzqKXUxtiJ5GQOsK2mY2TC+JtyeDSeCEjv1e/bmiEkWmiG1e550VdPffBfD0DOp5DWgkGM0a72SW1mPxjaxUy4ttk7JEPA76WiuLwG/mc6t28R5fmklQOyYK1LppGX1NhhLSGtwJ/abN8rgyWJqDyny+43 root@ad4d54b9-8af8-11eb-8155-227e2855667f\nkubetest2:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDIciYtiBpbHldYdy3OXDuSRbR4SgnK/kzx3fVYKb6+HCyiPBFEPON6xuxBTgb2i5vwuWH4tq7zA25+8we95Y81DSUaPs3kOMS+m03Nwg76LmYZxZTF7HTCp72QMSFZFPp0hu+IZertWcJ21CrnA9nxOd/XfCS+ZgtbCDZW4MrUP4Dx/Gs1dUyqqla/0GvU7StQjwGHGs7j+59w5W2oYrK75pW1VETikPNISAKorNE9U6yOGmQHk9Iw4qkY3UpGYSB2wKLuNAH6dVPBxEkW+PqL8jiyaXsKWA8WGnxSZtm2LUuXbEJ7Va16AVkzz0NLecBaCtR3q+CL1fOoDO0wlqlr root@3c8b1b38-8c41-11eb-b692-3a35d43432cb\nkubetest2:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDFpnDgq2z7HFkMOm5cFxWC/ygaQZz6WIr/ADtBlkGNdfhXfQXOwPx6I9CuaUApj+6EmSUMWOHFJ+2vBqL7n06OEmua1zhNjYJxjyI9Fovektew6idwcXYntUmWoYusoVyitI8JLIh9qwuOp7JHDzIw3e28o6k+z8VliVNoe2k+O516x3CTlaYFpnJfxXi1YmCAPuq0i1YYNqJ6AvA1axHUeq0YYw3ruNriNsENlgwVUO3HP+JjxI5PIYZHFv/ZYvYgcXBfDMrT29BiC1CTM5dVtT9OstMxtSSOR2JB5PTN/FukNigdne2APgG00p/QZcNIDvVCoDgNI+mTrDdAMVfd root@3599990f-8e54-11eb-adda-5eb174036857\nkubetest2:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDGwOPOG1FFup69yB/68lDCeIz1/outPDVIpyhaPZhxpy11w3wp/XFbaS807TNUKRs0vD43vxX3U2OS+hl4g+8p+uRdT9bVoFm5+PqxsDuSVLI3Ch5/itCo+Ux37wLLda9eBPqHC7fvgNyFqly00MeviZr1mooxgdxDOgLb4UHtKI9ke9QXlcxBkkEcWFZe6KLM5spcau5N9mhMWJryoUfwBHY6L/zcdIC0+YtUCT4Gz94J3YHv/ADDYfo73r5IfDJHXFqEXfZo++4nGIjFsW32emLJW9+S99GkDrnQEjUpwiybhhDklsiFe98/+oX7iDJcvzsirhGtZnMnj6FoCJEV root@a9e3680e-914c-11eb-827a-4615317e4d96\nkubetest2:prow:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCmYxHh/wwcV0P1aChuFLpl28w6DFyc7G5Xrw1F8wH1Re9AdxyemM2bTZ/PhsP3u9VDnNbyOw3UN00VFdumkFLjLf1WQ7Q6rZDlPjlw7urBIvAMqUecY6ae1znqsZ0dMBxOuPXHznlnjLjM5b7O7q5WsQMCA9Szbmz6DsuSyCuX0It2osBTN+8P/Fa6BNh3W8AF60M7L8/aUzLfbXVS2LIQKAHHD8CWqvXhLPuTJ03iSwFvgtAK1/J2XJwUP+OzAFrxj6A9LW5ZZgk3R3kRKr0xT/L7hga41rB1qy8Uz+Xr/PTVMNGW+nmU4bPgFchCK0JBK7B12ZcdVVFUEdpaAiKZ prow"


The first and last entries in here look identical. Which makes me think kubetest2 is starting to reuse keys. But I'm not clear why it didn't pick up the first entry.

audit/projects/k8s-infra-e2e-boskos-013/iam.json

spiffxp · 2021-04-06T19:04:49Z

audit/projects/k8s-staging-e2e-test-images/services/enabled.txt

-NAME                                 TITLE
-bigquery.googleapis.com              BigQuery API
-bigquerystorage.googleapis.com       BigQuery Storage API
-cloudbuild.googleapis.com            Cloud Build API
-cloudkms.googleapis.com              Cloud Key Management Service (KMS) API
-compute.googleapis.com               Compute Engine API
-container.googleapis.com             Kubernetes Engine API
-containeranalysis.googleapis.com     Container Analysis API
-containerregistry.googleapis.com     Container Registry API
-containerscanning.googleapis.com     Container Scanning API
-iam.googleapis.com                   Identity and Access Management (IAM) API
-iamcredentials.googleapis.com        IAM Service Account Credentials API
-logging.googleapis.com               Cloud Logging API
-monitoring.googleapis.com            Cloud Monitoring API
-oslogin.googleapis.com               Cloud OS Login API
-policytroubleshooter.googleapis.com  Policy Troubleshooter API
-pubsub.googleapis.com                Cloud Pub/Sub API
-secretmanager.googleapis.com         Secret Manager API
-storage-api.googleapis.com           Google Cloud Storage JSON API
-storage-component.googleapis.com     Cloud Storage
+NAME                              TITLE
+cloudbuild.googleapis.com         Cloud Build API
+cloudkms.googleapis.com           Cloud Key Management Service (KMS) API
+containeranalysis.googleapis.com  Container Analysis API
+containerregistry.googleapis.com  Container Registry API
+containerscanning.googleapis.com  Container Scanning API
+logging.googleapis.com            Cloud Logging API
+pubsub.googleapis.com             Cloud Pub/Sub API
+secretmanager.googleapis.com      Secret Manager API
+storage-api.googleapis.com        Google Cloud Storage JSON API
+storage-component.googleapis.com  Cloud Storage


This is expected, due to #1859 (comment)

Also explains the file deletions above related to bigquery and clusters

EDIT: ignore the comment I made about kubernetes-public here...

spiffxp · 2021-04-06T19:05:11Z

audit/projects/k8s-staging-e2e-test-images/services/compute/project-info.json

-  "defaultServiceAccount": "456067983721-compute@developer.gserviceaccount.com",
-  "id": "2870902180273058730",
-  "kind": "compute#project",
-  "name": "k8s-staging-e2e-test-images",


This is expected, compute was disabled via #1859 (comment)

spiffxp · 2021-04-06T19:09:46Z

audit/projects/kubernetes-public/iam.json

-    {
-      "members": [
-        "user:domain-admin-lf@kubernetes.io",
-        "user:ihor@cncf.io",
-        "user:psharma@linuxfoundation.org",
-        "user:thockin@google.com"
-      ],
-      "role": "roles/owner"
-    },


This was expected, due to #1859 (comment)

The ensure_project function now automatically removes any user:* binding to roles/owner on projects.

These bindings were redundant; everyone removed here is bound to a role at the organization level (either directly or through a group) that effectively grants roles/owner for everything (including this specific project)

spiffxp · 2021-04-06T19:10:08Z

audit/projects/kubernetes-public/roles/ServiceAccountLister.json

-{
-  "description": "Can list ServiceAccounts.",
-  "includedPermissions": [
-    "iam.serviceAccounts.list"
-  ],
-  "name": "projects/kubernetes-public/roles/ServiceAccountLister",
-  "stage": "GA",
-  "title": "Service Account Lister"
-}


This was expected, due to #1859 (comment)

spiffxp

Latest commit picked up changes from script runs I did as part of #1859

Nothing too surprising, and good confirmation that I cleaned up what I thought I did.

I'll hold open for one more round of changes

spiffxp · 2021-04-07T04:34:56Z

audit/projects/k8s-infra-e2e-boskos-002/iam.json

-        "group:k8s-infra-prow-oncall@kubernetes.io",
-        "user:spiffxp@google.com"
+        "group:k8s-infra-prow-oncall@kubernetes.io"


This change is expected for all k8s-infra-e2e-* projects due to #1859 (comment)

This addresses #299 for all k8s-infra-e2e-* projects

spiffxp · 2021-04-07T04:37:03Z

audit/projects/k8s-staging-addon-manager/iam.json

-    {
-      "members": [
-        "user:spiffxp@google.com"
-      ],
-      "role": "roles/owner"
-    },


This change is expected due to #1859 (comment)

This addresses #299 for all k8s-staging-* projects

spiffxp · 2021-04-07T04:37:52Z

audit/projects/k8s-staging-artifact-promoter/services/compute/project-info.json

-  "defaultNetworkTier": "PREMIUM",
-  "defaultServiceAccount": "675573440409-compute@developer.gserviceaccount.com",
-  "id": "1279192389912504869",
-  "kind": "compute#project",


Removal of compute project-info is expected due to disablement of the compute service (see other review comments); this service should not have been enabled in the first place

spiffxp · 2021-04-07T04:38:55Z

audit/projects/k8s-staging-artifact-promoter/services/enabled.txt

@@ -1,12 +1,10 @@
 NAME                              TITLE
 cloudbuild.googleapis.com         Cloud Build API
 cloudkms.googleapis.com           Cloud Key Management Service (KMS) API
-compute.googleapis.com            Compute Engine API


Service changes in k8s-staging projects are expected due to #1859 (comment)

This addresses #1675

spiffxp · 2021-04-07T04:41:05Z

audit/projects/k8s-staging-capi-docker/services/dns/info.json

@@ -1,53 +0,0 @@
-{
-  "id": "k8s-staging-capi-docker",
-  "kind": "dns#project",


Removal of dns info is expected due to disablement of the dns service (see other review comments); this service should not have been enabled in the first place

spiffxp · 2021-04-07T04:46:10Z

...s/k8s-staging-k8s-gsm-tools/buckets/artifacts.k8s-staging-k8s-gsm-tools.appspot.com/iam.json

-        "group:k8s-infra-artifact-admins@kubernetes.io"
+        "group:k8s-infra-staging-k8s-gsm-tools@kubernetes.io"
+      ],
+      "role": "roles/storage.legacyBucketWriter"
+    },
+    {
+      "members": [
+        "group:k8s-infra-artifact-admins@kubernetes.io",
+        "group:k8s-infra-staging-k8s-gsm-tools@kubernetes.io"


These GCS bucket IAM changes for k8s-staging-gsm-tools are a little surprising to me.

I mean, I know this was a result of running ./ensure-staging-storage.sh to ensure all staging projects were consistent. I'm just surprised these weren't here in the first place.

TBH I would like to get rid of the legacy bindings if possible

spiffxp · 2021-04-07T04:52:59Z

audit/projects/k8s-staging-sig-storage/iam.json

+        "serviceAccount:272675062337-compute@developer.gserviceaccount.com",
        "serviceAccount:272675062337@cloudservices.gserviceaccount.com",
-        "serviceAccount:service-272675062337@containerregistry.iam.gserviceaccount.com",
-        "serviceAccount:272675062337-compute@developer.gserviceaccount.com"
+        "serviceAccount:service-272675062337@containerregistry.iam.gserviceaccount.com"


I'm mildly surprised these weren't alpha-sorted before.

It looks like the compute service account binding sticks around even after the compute service is disabled.

I'll bucket this under another thing to check out as part of #1665

spiffxp · 2021-04-08T17:24:38Z

/ok-to-test

spiffxp

/approve
/lgtm
/hold cancel
I opened one followup issue. Everything else here basically reflects #1859 being run

spiffxp · 2021-04-08T17:26:36Z

audit/org_kubernetes.io/roles/CustomRole.json

@@ -1,6 +1,7 @@
 {
  "description": "View access to billing info",
  "includedPermissions": [
+    "billing.accounts.getPricing",


Org level role changes are expected. There were a result of running ./infra/gcp/ensure-organization.sh after having refreshed roles, ref: #1859 (comment)

spiffxp · 2021-04-08T17:27:50Z

audit/projects/k8s-artifacts-prod-bak/iam.json

-    {
-      "members": [
-        "user:thockin@google.com"
-      ],
-      "role": "roles/owner"
-    },


Expected, a result of running ./infra/gcp/ensure-prod-storage.sh, ref: #1859 (comment)

Closes out #299 for k8s-artifacts-* projects

spiffxp · 2021-04-08T17:28:23Z

audit/projects/k8s-conform/iam.json

-    {
-      "members": [
-        "user:thockin@google.com"
-      ],
-      "role": "roles/owner"
-    },


Expected, a result of running ./infra/gcp/ensure-conformance-storage.sh, ref: #1859 (comment)

Closes out #299 for k8s-conform

spiffxp · 2021-04-08T17:28:55Z

audit/projects/k8s-gsuite/iam.json

@@ -2,7 +2,6 @@
  "bindings": [
    {
      "members": [
-        "user:thockin@google.com",


Expected, a result of running ./infra/gcp/ensure-gsuite.sh, ref: #1859 (comment)

Closes out #299 for k8s-gsuite project

spiffxp · 2021-04-08T17:30:09Z

audit/projects/k8s-gsuite/secrets/gsuite-groups-manager_key/iam.json

@@ -2,6 +2,7 @@
  "bindings": [
    {
      "members": [
+        "group:k8s-infra-group-admins@kubernetes.io",


A result of running ./infra/gcp/ensure-gsuite.sh, ref: #1859 (comment)

I'm surprised this binding wasn't here already, guessing someone didn't run this script after making a change (and it was probably me)

spiffxp · 2021-04-08T17:35:29Z

audit/projects/k8s-release/iam.json

+      "members": [
+        "serviceAccount:service-304687256732@gcp-sa-containerscanning.iam.gserviceaccount.com"
+      ],
+      "role": "roles/containerscanning.ServiceAgent"


To fix as followup.

I copy-pasted the same set of services used by ensure-staging-storage.sh to ensure-release-storage.sh and ran it

Then I realized containerscanning.googleapis.com wasn't previously enabled here

I edited ensure-release-storage.sh to remove the service, and re-ran

But... I didn't set the obnoxiously long env var to actually disable services

#1887 for followup

k8s-ci-robot · 2021-04-08T18:41:14Z

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: cncf-ci, spiffxp

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

~~OWNERS~~ [spiffxp]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

spiffxp · 2021-04-08T18:41:33Z

/assign @thockin
if you want to review post-merge

k8s-ci-robot added the needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. label Apr 6, 2021

k8s-ci-robot added cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. area/audit Audit of project resources, audit followup issues, code in audit/ wg/k8s-infra size/S Denotes a PR that changes 10-29 lines, ignoring generated files. labels Apr 6, 2021

k8s-ci-robot requested review from spiffxp and thockin April 6, 2021 00:18

cncf-ci force-pushed the autoaudit-prow branch 2 times, most recently from 37abf75 to 1294ef9 Compare April 6, 2021 12:09

spiffxp reviewed Apr 6, 2021

View reviewed changes

cncf-ci force-pushed the autoaudit-prow branch from 1294ef9 to 15072c4 Compare April 6, 2021 18:12

k8s-ci-robot added size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. and removed size/S Denotes a PR that changes 10-29 lines, ignoring generated files. labels Apr 6, 2021

spiffxp reviewed Apr 6, 2021

View reviewed changes

cncf-ci changed the title ~~audit: update as of 2021-04-06~~ audit: update as of 2021-04-07 Apr 7, 2021

cncf-ci force-pushed the autoaudit-prow branch from 15072c4 to 9b47ff3 Compare April 7, 2021 00:12

k8s-ci-robot added size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. and removed size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. labels Apr 7, 2021

spiffxp reviewed Apr 7, 2021

View reviewed changes

cncf-ci force-pushed the autoaudit-prow branch 3 times, most recently from ca139dd to 54743ef Compare April 7, 2021 18:14

cncf-ci changed the title ~~audit: update as of 2021-04-07~~ audit: update as of 2021-04-08 Apr 8, 2021

cncf-ci force-pushed the autoaudit-prow branch 3 times, most recently from 428dc18 to cd17c1f Compare April 8, 2021 12:19

k8s-ci-robot added the ok-to-test Indicates a non-member PR verified by an org member that is safe to test. label Apr 8, 2021

k8s-ci-robot removed the needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. label Apr 8, 2021

spiffxp mentioned this pull request Apr 8, 2021

Refresh infra scripts to address audit followups, reduce output noise #1859

Merged

audit: update as of 2021-04-08

1c65b6e

cncf-ci force-pushed the autoaudit-prow branch from cd17c1f to 1c65b6e Compare April 8, 2021 18:17

spiffxp approved these changes Apr 8, 2021

View reviewed changes

k8s-ci-robot assigned spiffxp Apr 8, 2021

k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Apr 8, 2021

k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Apr 8, 2021

k8s-ci-robot assigned thockin Apr 8, 2021

k8s-ci-robot merged commit c943934 into kubernetes:main Apr 8, 2021

k8s-ci-robot added this to the v1.21 milestone Apr 8, 2021

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

audit: update as of 2021-04-08 #1874

audit: update as of 2021-04-08 #1874

cncf-ci commented Apr 6, 2021

k8s-ci-robot commented Apr 6, 2021

spiffxp Apr 6, 2021

spiffxp Apr 6, 2021

spiffxp Apr 6, 2021 •

edited

Loading

spiffxp Apr 6, 2021

spiffxp Apr 6, 2021

spiffxp Apr 6, 2021

spiffxp left a comment

spiffxp Apr 7, 2021

spiffxp Apr 7, 2021

spiffxp Apr 7, 2021

spiffxp Apr 7, 2021

spiffxp Apr 7, 2021

spiffxp Apr 7, 2021

spiffxp Apr 7, 2021

spiffxp commented Apr 8, 2021

spiffxp left a comment

spiffxp Apr 8, 2021

spiffxp Apr 8, 2021

spiffxp Apr 8, 2021

spiffxp Apr 8, 2021

spiffxp Apr 8, 2021

spiffxp Apr 8, 2021

spiffxp Apr 8, 2021

k8s-ci-robot commented Apr 8, 2021

spiffxp commented Apr 8, 2021

audit: update as of 2021-04-08 #1874

audit: update as of 2021-04-08 #1874

Conversation

cncf-ci commented Apr 6, 2021

k8s-ci-robot commented Apr 6, 2021

Choose a reason for hiding this comment

Choose a reason for hiding this comment

spiffxp Apr 6, 2021 • edited Loading

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

spiffxp left a comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

spiffxp commented Apr 8, 2021

spiffxp left a comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

k8s-ci-robot commented Apr 8, 2021

spiffxp commented Apr 8, 2021

spiffxp Apr 6, 2021 •

edited

Loading