releng: Enable elevated privileges for Release Managers on SIG Release GCP projects #434
Conversation
k8s-ci-robot
added
the
sig/release
|
@justaugustus: The label(s) In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
k8s-ci-robot
added
cncf-cla: yes
justaugustus
force-pushed
the
grant-releng
branch
from
4a47c3c to
7beff2d
Compare
|
/hold |
k8s-ci-robot
added
the
do-not-merge/hold
infra/gcp/ensure-release-projects.sh
Outdated
| function usage() { | ||
| echo "usage: $0 [repo...]" > /dev/stderr | ||
| echo "example:" > /dev/stderr | ||
| echo " $0 # do all staging repos" > /dev/stderr | ||
| echo " $0 coredns # just do one" > /dev/stderr | ||
| echo > /dev/stderr | ||
| } |
There was a problem hiding this comment.
When/how/where would that be called?
infra/gcp/ensure-release-projects.sh
Outdated
| WRITERS="release-managers-private@kubernetes.io" | ||
| VIEWERS="release-managers@kubernetes.io" | ||
|
|
||
| for REPO; do |
There was a problem hiding this comment.
TIL: you can omit the in WORDS ...
From help for:
for: for NAME [in WORDS ... ] ; do COMMANDS; done
[...]
Ifin WORDS ...;' is not present, thenin "$@"' is assumed.
[...]
How would you feel about changing that to explicitly use $@ for clarity?
for REPO in "$@"; do
...
doneI would even go further and do
for REPO in "${@:-${PROJECTS[@]}}"; do
...
doneinstead of doing the set -- ... and overriding global state. But that is not that easy to read/understand if you are not used to reading stuff like that and probably more importantly it is just my personal preference.
There was a problem hiding this comment.
Once I learned to embrace "$@" I started to prefer the simpler syntax, and this PR follows wstablished patterns
infra/gcp/ensure-release-projects.sh
Outdated
| color 3 "Configuring: ${REPO}" | ||
|
|
||
| # The GCP project name. | ||
| PROJECT="${REPO}" |
There was a problem hiding this comment.
Can we maybe just use PROJECT instead of REPO? As far as I can tell, we never use REPO further down, so can we just do for PROJECT ...?
There was a problem hiding this comment.
yes, the loop can be for PROJECT - "repo" is a holdover from the script he copied, I assume :)
| # $1: The GCP project | ||
| # $2: The group email | ||
| function empower_group_for_kms() { | ||
| if [ $# -lt 2 -o -z "$1" -o -z "$2" ]; then |
There was a problem hiding this comment.
Should we make that stricter by doing something like the below?
if [ $# -ne 2 -o -z "$1" -o -z "$2" ]; thenI saw, that other funcs here allow additional arguments, but that might just be a c&p "issue" from cases where additional optional arguments are allowed (e.g. empower_group_to_gcr or empower_gcr_admins).
There was a problem hiding this comment.
this is probably a good idea, but I'm OK to let this PR go in and fix it up across the board.
infra/gcp/ensure-release-projects.sh
Outdated
| echo "usage: $0 [repo...]" > /dev/stderr | ||
| echo "example:" > /dev/stderr | ||
| echo " $0 # do all staging repos" > /dev/stderr | ||
| echo " $0 coredns # just do one" > /dev/stderr |
There was a problem hiding this comment.
change "coredns" to a real (or realer-looking) example?
infra/gcp/ensure-release-projects.sh
Outdated
| set -- "${PROJECTS[@]}" | ||
| fi | ||
|
|
||
| ADMINS="release-managers-admins@kubernetes.io" |
There was a problem hiding this comment.
Casually looking at this, the distinctions are not clear. Why are release-managers just viewers? Do we need to rename groups? Can this be solved with docs here? Why do we need 3 distinct groups?
There was a problem hiding this comment.
Here's what each group would do:
release-managers@: Includes all Release Managers (including Release Manager Associates), so this needs to be least-privilege (allow Associates to view, but not create, edit, delete)release-managers-private@: Only includes Patch Release Team, Branch Managers, Build Admins, SIG Chairs (the set of users we want working on GCP, so we need edit here)release-managers-admins@: Only includes SIG Release Chairs and grants additional access to administer KMS (limited set of users, security event mitigation, key mgmt (store GitHub tokens, deb/rpm signing key))
There was a problem hiding this comment.
We should make distinctions here between "Groups that provide IAM roles" and "E-mail distribution lists". I would be concerned with someone getting access to the release artifacts simply because they become a SIG chair and need access to an e-mail list.
There was a problem hiding this comment.
I agree with @cblecker - there are the social groups (email) and the permissions groups, and I am not sure they are the same. Should being a SIG-chair automatically grant you access to GCP?
|
|
||
| # NB: Please keep this sorted. | ||
| PROJECTS=( | ||
| k8s-staging-release-test |
There was a problem hiding this comment.
currently these are covered by the other ensure-* scripts. Should we a) drop them from those, b) add this logic to those, c) refactor to make the overlap clear?
|
@thockin --
Yeah, totally agreed. This felt awkward to do, as it felt like shimming something into a model it doesn't really fit.
I think this projects would be more accurately named:
In an ideal world/future refactor, perhaps there could be one script, The overlap here is primarily because of copy/pasta. I think the future should also include yaml config for custom roles, instead of adhoc IAM attaches. |
|
(Just also noting that I went the copy/pasta route instead of refactoring because it wouldn't interfere with the other projects.) |
|
(@hoegaarden -- I'll come back and address your review once we land on an approach.) |
groups/groups.yaml
Outdated
| name: release-managers-admins | ||
| description: |- | ||
| Grants elevated privileges to SIG Release GCP projects. | ||
| Currently, this is restricted to SIG Release Chairs. |
There was a problem hiding this comment.
I've mentioned this before in other contexts, but tying privileges to "chairpersonship" of a SIG/WG is an anti-pattern we should try to avoid. These privileges should be tied to A) a unique role defined by the SIG (like "Release Admins" or whatever you want to call it) or B) ownership of a subproject, or even C) a list of people who are just "keyholders".
infra/gcp/ensure-release-projects.sh
Outdated
| set -- "${PROJECTS[@]}" | ||
| fi | ||
|
|
||
| ADMINS="release-managers-admins@kubernetes.io" |
There was a problem hiding this comment.
We should make distinctions here between "Groups that provide IAM roles" and "E-mail distribution lists". I would be concerned with someone getting access to the release artifacts simply because they become a SIG chair and need access to an e-mail list.
justaugustus
force-pushed
the
grant-releng
branch
from
7beff2d to
b9c4628
Compare
|
@cblecker --
Yep, yep. I think the last time we chatted about it was here: kubernetes/org#1205 (comment).
Combining the two (communication and access) is exactly what we wanted to do for the Release Manager lists. We also moved to kubernetes.io for a more "official" address and more importantly, to get the benefit of being able to manage this access via config/PR. More details can be found here: kubernetes/sig-release#732 |
groups/groups.yaml
Outdated
| owners: | ||
| - caselim@gmail.com | ||
| - cmiles@pivotal.io | ||
| - saugustus@vmware.com |
There was a problem hiding this comment.
why are we adding two accounts for Stephen and Tim? This means twice as many credentials that could leak. I'd like to make a policy that we explicitly NOT do this.
| # $1: The GCP project | ||
| # $2: The group email | ||
| function empower_group_for_kms() { | ||
| if [ $# -lt 2 -o -z "$1" -o -z "$2" ]; then |
There was a problem hiding this comment.
this is probably a good idea, but I'm OK to let this PR go in and fix it up across the board.
infra/gcp/ensure-release-projects.sh
Outdated
| function usage() { | ||
| echo "usage: $0 [repo...]" > /dev/stderr | ||
| echo "example:" > /dev/stderr | ||
| echo " $0 # do all staging repos" > /dev/stderr |
There was a problem hiding this comment.
s/staging repos/release projects
infra/gcp/ensure-release-projects.sh
Outdated
| function usage() { | ||
| echo "usage: $0 [repo...]" > /dev/stderr | ||
| echo "example:" > /dev/stderr | ||
| echo " $0 # do all staging repos" > /dev/stderr | ||
| echo " $0 coredns # just do one" > /dev/stderr | ||
| echo > /dev/stderr | ||
| } |
infra/gcp/ensure-release-projects.sh
Outdated
| set -- "${PROJECTS[@]}" | ||
| fi | ||
|
|
||
| ADMINS="release-managers-admins@kubernetes.io" |
There was a problem hiding this comment.
I agree with @cblecker - there are the social groups (email) and the permissions groups, and I am not sure they are the same. Should being a SIG-chair automatically grant you access to GCP?
infra/gcp/ensure-release-projects.sh
Outdated
| WRITERS="release-managers-private@kubernetes.io" | ||
| VIEWERS="release-managers@kubernetes.io" | ||
|
|
||
| for REPO; do |
There was a problem hiding this comment.
Once I learned to embrace "$@" I started to prefer the simpler syntax, and this PR follows wstablished patterns
infra/gcp/ensure-release-projects.sh
Outdated
| color 3 "Configuring: ${REPO}" | ||
|
|
||
| # The GCP project name. | ||
| PROJECT="${REPO}" |
There was a problem hiding this comment.
yes, the loop can be for PROJECT - "repo" is a holdover from the script he copied, I assume :)
| PROJECT="${REPO}" | ||
|
|
||
| # The names of the buckets | ||
| STAGING_BUCKET="gs://${PROJECT}" # used by humans |
There was a problem hiding this comment.
This is the piece I want to discuss most - Do we want these projects "governed" by 2 ensure scripts? This overlaps directly with the other scripts, which means it will drift.
There's a particular set of semantics that we ascribe to a "staging project" and a "prod project". You are adding on to that, clearly, but it's not clear if you are changing more than that. In other words - should we make a clean break and remove these release projects from the other scripts? Or should we build on those?
For example, this script could do something like:
# First ensure that the project is a normal staging project
"${ROOT}/ensure-staging-project.sh" release-test
# Now apply customizations for release staging
If it helps, we can refactor the existing scripts to make this more obvious. I knew this was likely to come up, so we it should not be hard - we left room.
justaugustus
force-pushed
the
grant-releng
branch
from
b9c4628 to
305528a
Compare
- `k8s-infra-release-admins@`: Partial Admin - `k8s-infra-release-editors@`: Editor - `k8s-infra-release-viewers@`: Viewer Signed-off-by: Stephen Augustus <saugustus@vmware.com>
Establishes rights to GCS, GCB, and KMS for Release Managers Signed-off-by: Stephen Augustus <saugustus@vmware.com>
justaugustus
force-pushed
the
grant-releng
branch
from
305528a to
984f719
Compare
|
@justaugustus: The label(s) In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
Thanks! /lgtm |
k8s-ci-robot
added
the
lgtm
|
@justaugustus: The label(s) In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
Awesome. Thanks y'all! |
k8s-ci-robot
removed
the
do-not-merge/hold
|
/approve |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: cblecker, thockin The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
|
Groups have been created. |
Add groups to delegate IAM access to Release Managers
k8s-infra-release-admins@: Partial Admink8s-infra-release-editors@: Editork8s-infra-release-viewers@: ViewerAdd ensure-release-projects to grant rights to Release Managers
Establishes rights to GCS, GCB, and KMS for Release Managers
Required for prototyping build/stage/release process on k8s-infra (kubernetes/release#911).
/assign @dims @thockin @cblecker
cc: @kubernetes/sig-release-admins @kubernetes/release-engineering
/sig release
/area release-eng