-
Notifications
You must be signed in to change notification settings - Fork 827
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Read access to read access k8s-artifacts-gcslogs #1966
Read access to read access k8s-artifacts-gcslogs #1966
Conversation
Thanks @ameukam |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
One nit otherwise LGTM
I still feel like moving the bucket to its own project might better accomplish the access rules laid out in #904 (comment) but if this gets us started for now so be it |
0d26e6c
to
dd7ea6a
Compare
Ref: kubernetes#1945 Inital request: https://groups.google.com/g/kubernetes-wg-k8s-infra/c/Wkw0uyMKSXk/m/QLVIAMZzAAAJ. Signed-off-by: Arnaud Meukam <ameukam@gmail.com>
dd7ea6a
to
56c5025
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
No objections to this alone, but I suspect it will just be the start
@ii will need bq.
…On Fri, 23 Apr 2021, 5:49 pm Arnaud M., ***@***.***> wrote:
***@***.**** commented on this pull request.
------------------------------
In infra/gcp/ensure-prod-storage.sh
<#1966 (comment)>:
> @@ -359,6 +359,12 @@ color 6 "Handling special cases"
$(svc_acct_email "${GCR_BACKUP_TEST_PRODBAK_PROJECT}" "${PROMOTER_SVCACCT}")
done
+ # Special case: empower ***@***.*** to read k8s-artifacts-gcslogs
+ # k8s-artifacts-gcslogs receive and store Cloud Audit logs for k8s-artificats-prod.
+ ensure_gcs_role_binding "gs://k8s-artifacts-gcslogs" \
@thockin <https://github.com/thockin> I prefer to leave them the choice
of the analysis tool. I would take care of it if there is a need to use BQ.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#1966 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAAHUY6HRYYYRFC4PZGG6OTTKEC43ANCNFSM43NLKAMA>
.
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/approve
/lgtm
I'll merge and deploy this as-is
Can migrate to a different bucket as followup, which I will track under the umbrella issue for GCS access logs: #904
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: ameukam, spiffxp The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
/hold cancel |
Ran
|
OK this is #1730 rearing its head. Time to tackle that to unblock us here |
A rerun appears to have successfully deployed these changes: #1998 (comment) |
Ref: #1945
Initial request:
https://groups.google.com/g/kubernetes-wg-k8s-infra/c/Wkw0uyMKSXk/m/QLVIAMZzAAAJ.
Signed-off-by: Arnaud Meukam ameukam@gmail.com