diff --git a/audit/projects/k8s-staging-artifact-promoter/services/compute/project-info.json b/audit/projects/k8s-staging-artifact-promoter/services/compute/project-info.json
index baed8ea9fda..4e2edf3f3ea 100644
--- a/audit/projects/k8s-staging-artifact-promoter/services/compute/project-info.json
+++ b/audit/projects/k8s-staging-artifact-promoter/services/compute/project-info.json
@@ -113,6 +113,10 @@
 "limit": 200,
 "metric": "SECURITY_POLICY_RULES"
 },
+ {
+ "limit": 1000,
+ "metric": "XPN_SERVICE_PROJECTS"
+ },
 {
 "limit": 150,
 "metric": "PACKET_MIRRORINGS"
diff --git a/audit/projects/k8s-staging-capi-docker/iam.json b/audit/projects/k8s-staging-capi-docker/iam.json
index f824bcccc04..49e8f2bc823 100644
--- a/audit/projects/k8s-staging-capi-docker/iam.json
+++ b/audit/projects/k8s-staging-capi-docker/iam.json
@@ -20,6 +20,12 @@
 ],
 "role": "roles/cloudbuild.serviceAgent"
 },
+ {
+ "members": [
+ "serviceAccount:service-44019431644@compute-system.iam.gserviceaccount.com"
+ ],
+ "role": "roles/compute.serviceAgent"
+ },
 {
 "members": [
 "serviceAccount:service-44019431644@container-analysis.iam.gserviceaccount.com"
@@ -40,6 +46,8 @@
 },
 {
 "members": [
+ "serviceAccount:44019431644-compute@developer.gserviceaccount.com",
+ "serviceAccount:44019431644@cloudservices.gserviceaccount.com",
 "serviceAccount:service-44019431644@containerregistry.iam.gserviceaccount.com"
 ],
 "role": "roles/editor"
diff --git a/audit/projects/k8s-staging-capi-docker/service-accounts/44019431644-compute@developer.gserviceaccount.com/description.json b/audit/projects/k8s-staging-capi-docker/service-accounts/44019431644-compute@developer.gserviceaccount.com/description.json
new file mode 100644
index 00000000000..dd0aae8c930
--- /dev/null
+++ b/audit/projects/k8s-staging-capi-docker/service-accounts/44019431644-compute@developer.gserviceaccount.com/description.json
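Review bot: In `k8s-staging-capi-docker/iam.json`, the `@@ -40,6 +46,8 @@` hunk adds `44019431644-compute@developer.gserviceaccount.com` and `44019431644@cloudservices.gserviceaccount.com` to `roles/editor`, so anything running as the Compute Engine default service account gets write access across the project. These look like the automatic grants that follow enabling `compute.googleapis.com` (also new in this project's `enabled.txt`), so the first thing to confirm is whether a staging image project needs the Compute API at all. If it does not, disable the API and drop both members from the `roles/editor` binding; if it does, replace the editor grant with the specific roles the workload needs and consider the `iam.automaticIamGrantsForDefaultServiceAccounts` org-policy constraint so the grant does not reappear. The audit file is a snapshot and the binding list continues outside the hunk, so the correction belongs in the provisioning scripts or the live policy rather than in this JSON.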
@@ -0,0 +1,8 @@
+{
+ "displayName": "Compute Engine default service account",
+ "email": "44019431644-compute@developer.gserviceaccount.com",
+ "name": "projects/k8s-staging-capi-docker/serviceAccounts/44019431644-compute@developer.gserviceaccount.com",
+ "oauth2ClientId": "108793772350733493223",
+ "projectId": "k8s-staging-capi-docker",
+ "uniqueId": "108793772350733493223"
+}
diff --git a/audit/projects/k8s-staging-capi-docker/service-accounts/44019431644-compute@developer.gserviceaccount.com/iam.json b/audit/projects/k8s-staging-capi-docker/service-accounts/44019431644-compute@developer.gserviceaccount.com/iam.json
new file mode 100644
index 00000000000..0967ef424bc
--- /dev/null
+++ b/audit/projects/k8s-staging-capi-docker/service-accounts/44019431644-compute@developer.gserviceaccount.com/iam.json
@@ -0,0 +1 @@
+{}
diff --git a/audit/projects/k8s-staging-capi-docker/services/compute/project-info.json b/audit/projects/k8s-staging-capi-docker/services/compute/project-info.json
new file mode 100644
index 00000000000..436ac692c13
--- /dev/null
+++ b/audit/projects/k8s-staging-capi-docker/services/compute/project-info.json
@@ -0,0 +1,167 @@
+{
+ "commonInstanceMetadata": {
+ "kind": "compute#metadata"
+ },
+ "creationTimestamp": "2021-02-16T16:34:10.559-08:00",
+ "defaultNetworkTier": "PREMIUM",
+ "defaultServiceAccount": "44019431644-compute@developer.gserviceaccount.com",
+ "id": "1894482911793633901",
+ "kind": "compute#project",
+ "name": "k8s-staging-capi-docker",
+ "quotas": [
+ {
+ "limit": 10000,
+ "metric": "SNAPSHOTS"
+ },
+ {
+ "limit": 30,
+ "metric": "NETWORKS"
+ },
+ {
+ "limit": 500,
+ "metric": "FIREWALLS"
+ },
+ {
+ "limit": 5000,
+ "metric": "IMAGES"
+ },
+ {
+ "limit": 175,
+ "metric": "STATIC_ADDRESSES"
+ },
+ {
+ "limit": 300,
+ "metric": "ROUTES"
+ },
+ {
+ "limit": 150,
+ "metric": "FORWARDING_RULES"
+ },
+ {
+ "limit": 500,
+ "metric": "TARGET_POOLS"
+ },
+ {
+ "limit": 500,
+ "metric": "HEALTH_CHECKS"
+ },
+ {
+ "limit": 575,
+ "metric": "IN_USE_ADDRESSES"
+ },
+ {
+ "limit": 500,
+ "metric": "TARGET_INSTANCES"
+ },
+ {
+ "limit": 100,
+ "metric": "TARGET_HTTP_PROXIES"
+ },
+ {
+ "limit": 100,
+ "metric": "URL_MAPS"
+ },
+ {
+ "limit": 30,
+ "metric": "BACKEND_SERVICES"
+ },
+ {
+ "limit": 1000,
+ "metric": "INSTANCE_TEMPLATES"
+ },
+ {
+ "limit": 50,
+ "metric": "TARGET_VPN_GATEWAYS"
+ },
+ {
+ "limit": 100,
+ "metric": "VPN_TUNNELS"
+ },
+ {
+ "limit": 30,
+ "metric": "BACKEND_BUCKETS"
+ },
+ {
+ "limit": 20,
+ "metric": "ROUTERS"
+ },
+ {
+ "limit": 100,
+ "metric": "TARGET_SSL_PROXIES"
+ },
+ {
+ "limit": 100,
+ "metric": "TARGET_HTTPS_PROXIES"
+ },
+ {
+ "limit": 100,
+ "metric": "SSL_CERTIFICATES"
+ },
+ {
+ "limit": 275,
+ "metric": "SUBNETWORKS"
+ },
+ {
+ "limit": 100,
+ "metric": "TARGET_TCP_PROXIES"
+ },
+ {
+ "limit": 10,
+ "metric": "SECURITY_POLICIES"
+ },
+ {
+ "limit": 200,
+ "metric": "SECURITY_POLICY_RULES"
+ },
+ {
+ "limit": 1000,
+ "metric": "XPN_SERVICE_PROJECTS"
+ },
+ {
+ "limit": 150,
+ "metric": "PACKET_MIRRORINGS"
+ },
+ {
+ "limit": 1000,
+ "metric": "NETWORK_ENDPOINT_GROUPS"
+ },
+ {
+ "limit": 6,
+ "metric": "INTERCONNECTS"
+ },
+ {
+ "limit": 5000,
+ "metric": "GLOBAL_INTERNAL_ADDRESSES"
+ },
+ {
+ "limit": 50,
+ "metric": "VPN_GATEWAYS"
+ },
+ {
+ "limit": 5000,
+ "metric": "MACHINE_IMAGES"
+ },
+ {
+ "limit": 20,
+ "metric": "SECURITY_POLICY_CEVAL_RULES"
+ },
+ {
+ "limit": 50,
+ "metric": "EXTERNAL_VPN_GATEWAYS"
+ },
+ {
+ "limit": 1,
+ "metric": "PUBLIC_ADVERTISED_PREFIXES"
+ },
+ {
+ "limit": 10,
+ "metric": "PUBLIC_DELEGATED_PREFIXES"
+ },
+ {
+ "limit": 1024,
+ "metric": "STATIC_BYOIP_ADDRESSES"
+ }
+ ],
+ "selfLink": "https://www.googleapis.com/compute/v1/projects/k8s-staging-capi-docker",
+ "xpnProjectStatus": "UNSPECIFIED_XPN_PROJECT_STATUS"
+}
diff --git a/audit/projects/k8s-staging-capi-docker/services/dns/info.json b/audit/projects/k8s-staging-capi-docker/services/dns/info.json
index 33889210947..a8b96d9e2c0 100644
--- a/audit/projects/k8s-staging-capi-docker/services/dns/info.json
+++ b/audit/projects/k8s-staging-capi-docker/services/dns/info.json
@@ -4,7 +4,6 @@
 "number": "44019431644",
 "quota": {
 "dnsKeysPerManagedZone": 4,
- "gkeClustersPerPolicy": 100,
 "kind": "dns#quota",
 "managedZones": 10000,
 "managedZonesPerNetwork": 10000,
diff --git a/audit/projects/k8s-staging-capi-docker/services/enabled.txt b/audit/projects/k8s-staging-capi-docker/services/enabled.txt
index d890cc70851..da913ca321e 100644
--- a/audit/projects/k8s-staging-capi-docker/services/enabled.txt
+++ b/audit/projects/k8s-staging-capi-docker/services/enabled.txt
@@ -1,11 +1,13 @@
 NAME TITLE
 cloudbuild.googleapis.com Cloud Build API
 cloudkms.googleapis.com Cloud Key Management Service (KMS) API
+compute.googleapis.com Compute Engine API
 containeranalysis.googleapis.com Container Analysis API
 containerregistry.googleapis.com Container Registry API
 containerscanning.googleapis.com Container Scanning API
 dns.googleapis.com Cloud DNS API
 logging.googleapis.com Cloud Logging API
+oslogin.googleapis.com Cloud OS Login API
 pubsub.googleapis.com Cloud Pub/Sub API
 secretmanager.googleapis.com Secret Manager API
 storage-api.googleapis.com Google Cloud Storage JSON API
diff --git a/audit/projects/k8s-staging-capi-openstack/services/compute/project-info.json b/audit/projects/k8s-staging-capi-openstack/services/compute/project-info.json
index 4185e704a15..a1be4ac981f 100644
--- a/audit/projects/k8s-staging-capi-openstack/services/compute/project-info.json
+++ b/audit/projects/k8s-staging-capi-openstack/services/compute/project-info.json
@@ -113,6 +113,10 @@
 "limit": 200,
 "metric": "SECURITY_POLICY_RULES"
 },
+ {
+ "limit": 1000,
+ "metric": "XPN_SERVICE_PROJECTS"
+ },
 {
 "limit": 150,
 "metric": "PACKET_MIRRORINGS"
diff --git a/audit/projects/k8s-staging-cip-test/services/compute/project-info.json b/audit/projects/k8s-staging-cip-test/services/compute/project-info.json
index ef43b3518e7..faf73d355f2 100644
--- a/audit/projects/k8s-staging-cip-test/services/compute/project-info.json
+++ b/audit/projects/k8s-staging-cip-test/services/compute/project-info.json
@@ -113,6 +113,10 @@
 "limit": 200,
 "metric": "SECURITY_POLICY_RULES"
 },
+ {
+ "limit": 1000,
+ "metric": "XPN_SERVICE_PROJECTS"
+ },
 {
 "limit": 150,
 "metric": "PACKET_MIRRORINGS"
diff --git a/audit/projects/k8s-staging-cluster-api-aws/services/compute/project-info.json b/audit/projects/k8s-staging-cluster-api-aws/services/compute/project-info.json
index 582005316ac..a68b0539040 100644
--- a/audit/projects/k8s-staging-cluster-api-aws/services/compute/project-info.json
+++ b/audit/projects/k8s-staging-cluster-api-aws/services/compute/project-info.json
@@ -113,6 +113,10 @@
 "limit": 200,
 "metric": "SECURITY_POLICY_RULES"
 },
+ {
+ "limit": 1000,
+ "metric": "XPN_SERVICE_PROJECTS"
+ },
 {
 "limit": 150,
 "metric": "PACKET_MIRRORINGS"
diff --git a/audit/projects/k8s-staging-cluster-api/services/compute/project-info.json b/audit/projects/k8s-staging-cluster-api/services/compute/project-info.json
index 260908d703c..8529ccddc8a 100644
--- a/audit/projects/k8s-staging-cluster-api/services/compute/project-info.json
+++ b/audit/projects/k8s-staging-cluster-api/services/compute/project-info.json
@@ -113,6 +113,10 @@
 "limit": 200,
 "metric": "SECURITY_POLICY_RULES"
 },
+ {
+ "limit": 1000,
+ "metric": "XPN_SERVICE_PROJECTS"
+ },
 {
 "limit": 150,
 "metric": "PACKET_MIRRORINGS"
diff --git a/audit/projects/k8s-staging-coredns/services/compute/project-info.json b/audit/projects/k8s-staging-coredns/services/compute/project-info.json
index fb615ff8775..180957dc9b9 100644
--- a/audit/projects/k8s-staging-coredns/services/compute/project-info.json
+++ b/audit/projects/k8s-staging-coredns/services/compute/project-info.json
@@ -113,6 +113,10 @@
 "limit": 200,
 "metric": "SECURITY_POLICY_RULES"
 },
+ {
+ "limit": 1000,
+ "metric": "XPN_SERVICE_PROJECTS"
+ },
 {
 "limit": 150,
 "metric": "PACKET_MIRRORINGS"
diff --git a/audit/projects/k8s-staging-csi/services/compute/project-info.json b/audit/projects/k8s-staging-csi/services/compute/project-info.json
index 061d820e40d..727ffb86ae8 100644
--- a/audit/projects/k8s-staging-csi/services/compute/project-info.json
+++ b/audit/projects/k8s-staging-csi/services/compute/project-info.json
@@ -113,6 +113,10 @@
 "limit": 200,
 "metric": "SECURITY_POLICY_RULES"
 },
+ {
+ "limit": 1000,
+ "metric": "XPN_SERVICE_PROJECTS"
+ },
 {
 "limit": 150,
 "metric": "PACKET_MIRRORINGS"
diff --git a/audit/projects/k8s-staging-e2e-test-images/buckets/artifacts.k8s-staging-e2e-test-images.appspot.com/iam.json b/audit/projects/k8s-staging-e2e-test-images/buckets/artifacts.k8s-staging-e2e-test-images.appspot.com/iam.json
index 1eb393dacb2..017a0e06bfc 100644
--- a/audit/projects/k8s-staging-e2e-test-images/buckets/artifacts.k8s-staging-e2e-test-images.appspot.com/iam.json
+++ b/audit/projects/k8s-staging-e2e-test-images/buckets/artifacts.k8s-staging-e2e-test-images.appspot.com/iam.json
@@ -4,7 +4,8 @@
 "members": [
 "group:k8s-infra-artifact-admins@kubernetes.io",
 "projectEditor:k8s-staging-e2e-test-images",
- "projectOwner:k8s-staging-e2e-test-images"
+ "projectOwner:k8s-staging-e2e-test-images",
+ "serviceAccount:456067983721@cloudbuild.gserviceaccount.com"
 ],
 "role": "roles/storage.legacyBucketOwner"
 },
diff --git a/audit/projects/k8s-staging-e2e-test-images/services/compute/project-info.json b/audit/projects/k8s-staging-e2e-test-images/services/compute/project-info.json
index 1b856d55781..9f01002f0e7 100644
--- a/audit/projects/k8s-staging-e2e-test-images/services/compute/project-info.json
+++ b/audit/projects/k8s-staging-e2e-test-images/services/compute/project-info.json
@@ -113,6 +113,10 @@
 "limit": 200,
 "metric": "SECURITY_POLICY_RULES"
 },
+ {
+ "limit": 1000,
+ "metric": "XPN_SERVICE_PROJECTS"
+ },
 {
 "limit": 150,
 "metric": "PACKET_MIRRORINGS"
diff --git a/audit/projects/k8s-staging-e2e-test-images/services/enabled.txt b/audit/projects/k8s-staging-e2e-test-images/services/enabled.txt
index 3f34c5ceaf6..c77a6232e1f 100644
--- a/audit/projects/k8s-staging-e2e-test-images/services/enabled.txt
+++ b/audit/projects/k8s-staging-e2e-test-images/services/enabled.txt
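Review bot: The `artifacts.k8s-staging-e2e-test-images.appspot.com` hunk adds `serviceAccount:456067983721@cloudbuild.gserviceaccount.com` to `roles/storage.legacyBucketOwner`, a role that lets the member rewrite the bucket's own IAM policy as well as write and delete objects. Nothing visible in this diff ties project number 456067983721 to `k8s-staging-e2e-test-images`, so it should be checked against that project's `description.json` that this is the project's own Cloud Build account and not one from another project. If the account only needs to push image layers, a narrower bucket-level binding such as `roles/storage.objectAdmin` would cover it without granting policy control. The `bindings` array this member sits in starts and ends outside the hunk.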
@@ -1,19 +1,20 @@
-NAME TITLE
-bigquery.googleapis.com BigQuery API
-bigquerystorage.googleapis.com BigQuery Storage API
-cloudbuild.googleapis.com Cloud Build API
-cloudkms.googleapis.com Cloud Key Management Service (KMS) API
-compute.googleapis.com Compute Engine API
-container.googleapis.com Kubernetes Engine API
-containeranalysis.googleapis.com Container Analysis API
-containerregistry.googleapis.com Container Registry API
-containerscanning.googleapis.com Container Scanning API
-iam.googleapis.com Identity and Access Management (IAM) API
-iamcredentials.googleapis.com IAM Service Account Credentials API
-logging.googleapis.com Cloud Logging API
-monitoring.googleapis.com Cloud Monitoring API
-oslogin.googleapis.com Cloud OS Login API
-pubsub.googleapis.com Cloud Pub/Sub API
-secretmanager.googleapis.com Secret Manager API
-storage-api.googleapis.com Google Cloud Storage JSON API
-storage-component.googleapis.com Cloud Storage
+NAME TITLE
+bigquery.googleapis.com BigQuery API
+bigquerystorage.googleapis.com BigQuery Storage API
+cloudbuild.googleapis.com Cloud Build API
+cloudkms.googleapis.com Cloud Key Management Service (KMS) API
+compute.googleapis.com Compute Engine API
+container.googleapis.com Kubernetes Engine API
+containeranalysis.googleapis.com Container Analysis API
+containerregistry.googleapis.com Container Registry API
+containerscanning.googleapis.com Container Scanning API
+iam.googleapis.com Identity and Access Management (IAM) API
+iamcredentials.googleapis.com IAM Service Account Credentials API
+logging.googleapis.com Cloud Logging API
+monitoring.googleapis.com Cloud Monitoring API
+oslogin.googleapis.com Cloud OS Login API
+policytroubleshooter.googleapis.com Policy Troubleshooter API
+pubsub.googleapis.com Cloud Pub/Sub API
+secretmanager.googleapis.com Secret Manager API
+storage-api.googleapis.com Google Cloud Storage JSON API
+storage-component.googleapis.com Cloud Storage
diff --git a/audit/projects/k8s-staging-experimental/buckets/artifacts.k8s-staging-experimental.appspot.com/bucketpolicyonly.txt b/audit/projects/k8s-staging-experimental/buckets/artifacts.k8s-staging-experimental.appspot.com/bucketpolicyonly.txt
new file mode 100644
index 00000000000..0823e465f61
--- /dev/null
+++ b/audit/projects/k8s-staging-experimental/buckets/artifacts.k8s-staging-experimental.appspot.com/bucketpolicyonly.txt
@@ -0,0 +1,4 @@
+Bucket Policy Only setting for gs://artifacts.k8s-staging-experimental.appspot.com:
+ Enabled: True
+ LockedTime: 2021-04-29 15:44:34.938000+00:00
+
diff --git a/audit/projects/k8s-staging-experimental/buckets/artifacts.k8s-staging-experimental.appspot.com/cors.txt b/audit/projects/k8s-staging-experimental/buckets/artifacts.k8s-staging-experimental.appspot.com/cors.txt
new file mode 100644
index 00000000000..f44f52f2691
--- /dev/null
+++ b/audit/projects/k8s-staging-experimental/buckets/artifacts.k8s-staging-experimental.appspot.com/cors.txt
@@ -0,0 +1 @@
+gs://artifacts.k8s-staging-experimental.appspot.com/ has no CORS configuration.
diff --git a/audit/projects/k8s-staging-experimental/buckets/artifacts.k8s-staging-experimental.appspot.com/iam.json b/audit/projects/k8s-staging-experimental/buckets/artifacts.k8s-staging-experimental.appspot.com/iam.json
new file mode 100644
index 00000000000..70d9ca21add
--- /dev/null
+++ b/audit/projects/k8s-staging-experimental/buckets/artifacts.k8s-staging-experimental.appspot.com/iam.json
@@ -0,0 +1,37 @@
+{
+ "bindings": [
+ {
+ "members": [
+ "group:k8s-infra-artifact-admins@kubernetes.io",
+ "projectEditor:k8s-staging-experimental",
+ "projectOwner:k8s-staging-experimental"
+ ],
+ "role": "roles/storage.legacyBucketOwner"
+ },
+ {
+ "members": [
+ "projectViewer:k8s-staging-experimental"
+ ],
+ "role": "roles/storage.legacyBucketReader"
+ },
+ {
+ "members": [
+ "group:k8s-infra-staging-experimental@kubernetes.io"
+ ],
+ "role": "roles/storage.legacyBucketWriter"
+ },
+ {
+ "members": [
+ "group:k8s-infra-artifact-admins@kubernetes.io",
+ "group:k8s-infra-staging-experimental@kubernetes.io"
+ ],
+ "role": "roles/storage.objectAdmin"
+ },
+ {
+ "members": [
+ "allUsers"
+ ],
+ "role": "roles/storage.objectViewer"
+ }
+ ]
+}
diff --git a/audit/projects/k8s-staging-experimental/buckets/artifacts.k8s-staging-experimental.appspot.com/logging.txt b/audit/projects/k8s-staging-experimental/buckets/artifacts.k8s-staging-experimental.appspot.com/logging.txt
new file mode 100644
index 00000000000..360ca174d1a
--- /dev/null
+++ b/audit/projects/k8s-staging-experimental/buckets/artifacts.k8s-staging-experimental.appspot.com/logging.txt
@@ -0,0 +1 @@
+gs://artifacts.k8s-staging-experimental.appspot.com/ has no logging configuration.
diff --git a/audit/projects/k8s-staging-experimental/buckets/k8s-staging-experimental-gcb/bucketpolicyonly.txt b/audit/projects/k8s-staging-experimental/buckets/k8s-staging-experimental-gcb/bucketpolicyonly.txt
new file mode 100644
index 00000000000..112a35ef5d8
--- /dev/null
+++ b/audit/projects/k8s-staging-experimental/buckets/k8s-staging-experimental-gcb/bucketpolicyonly.txt
@@ -0,0 +1,4 @@
+Bucket Policy Only setting for gs://k8s-staging-experimental-gcb:
+ Enabled: True
+ LockedTime: 2021-04-29 15:45:08.539000+00:00
+
diff --git a/audit/projects/k8s-staging-experimental/buckets/k8s-staging-experimental-gcb/cors.txt b/audit/projects/k8s-staging-experimental/buckets/k8s-staging-experimental-gcb/cors.txt
new file mode 100644
index 00000000000..ee824a8c8d9
--- /dev/null
+++ b/audit/projects/k8s-staging-experimental/buckets/k8s-staging-experimental-gcb/cors.txt
@@ -0,0 +1 @@
+gs://k8s-staging-experimental-gcb/ has no CORS configuration.
diff --git a/audit/projects/k8s-staging-experimental/buckets/k8s-staging-experimental-gcb/iam.json b/audit/projects/k8s-staging-experimental/buckets/k8s-staging-experimental-gcb/iam.json
new file mode 100644
index 00000000000..54ec2c751d0
--- /dev/null
+++ b/audit/projects/k8s-staging-experimental/buckets/k8s-staging-experimental-gcb/iam.json
@@ -0,0 +1,46 @@
+{
+ "bindings": [
+ {
+ "members": [
+ "group:k8s-infra-artifact-admins@kubernetes.io",
+ "projectEditor:k8s-staging-experimental",
+ "projectOwner:k8s-staging-experimental"
+ ],
+ "role": "roles/storage.legacyBucketOwner"
+ },
+ {
+ "members": [
+ "projectViewer:k8s-staging-experimental"
+ ],
+ "role": "roles/storage.legacyBucketReader"
+ },
+ {
+ "members": [
+ "group:k8s-infra-staging-experimental@kubernetes.io"
+ ],
+ "role": "roles/storage.legacyBucketWriter"
+ },
+ {
+ "members": [
+ "group:k8s-infra-artifact-admins@kubernetes.io",
+ "group:k8s-infra-staging-experimental@kubernetes.io"
+ ],
+ "role": "roles/storage.objectAdmin"
+ },
+ {
+ "members": [
+ "serviceAccount:deployer@k8s-prow.iam.gserviceaccount.com",
+ "serviceAccount:gcb-builder@k8s-infra-prow-build-trusted.iam.gserviceaccount.com"
+ ],
+ "role": "roles/storage.objectCreator"
+ },
+ {
+ "members": [
+ "allUsers",
+ "serviceAccount:deployer@k8s-prow.iam.gserviceaccount.com",
+ "serviceAccount:gcb-builder@k8s-infra-prow-build-trusted.iam.gserviceaccount.com"
+ ],
+ "role": "roles/storage.objectViewer"
+ }
+ ]
+}
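Review bot: The new `k8s-staging-experimental-gcb/iam.json` grants `roles/storage.objectViewer` to `allUsers` on what is presumably the Cloud Build staging bucket (the `-gcb` suffix and the `gcb-builder` writer suggest so), and the matching `logging.txt` reports no access logging. Anything a build writes there would be world-readable with no record of who fetched it; the same binding appears in `k8s-staging-provider-openstack-gcb/iam.json`. If public build output is intended, that decision is worth recording where the bucket is provisioned, along with a rule that builds must not print credentials; otherwise drop `allUsers` from the `-gcb` buckets and keep it only on the image buckets.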
diff --git a/audit/projects/k8s-staging-experimental/buckets/k8s-staging-experimental-gcb/logging.txt b/audit/projects/k8s-staging-experimental/buckets/k8s-staging-experimental-gcb/logging.txt
new file mode 100644
index 00000000000..821041eca83
--- /dev/null
+++ b/audit/projects/k8s-staging-experimental/buckets/k8s-staging-experimental-gcb/logging.txt
@@ -0,0 +1 @@
+gs://k8s-staging-experimental-gcb/ has no logging configuration.
diff --git a/audit/projects/k8s-staging-experimental/buckets/k8s-staging-experimental/bucketpolicyonly.txt b/audit/projects/k8s-staging-experimental/buckets/k8s-staging-experimental/bucketpolicyonly.txt
new file mode 100644
index 00000000000..6b22fe7aa1a
--- /dev/null
+++ b/audit/projects/k8s-staging-experimental/buckets/k8s-staging-experimental/bucketpolicyonly.txt
@@ -0,0 +1,4 @@
+Bucket Policy Only setting for gs://k8s-staging-experimental:
+ Enabled: True
+ LockedTime: 2021-04-29 15:44:52.440000+00:00
+
diff --git a/audit/projects/k8s-staging-experimental/buckets/k8s-staging-experimental/cors.txt b/audit/projects/k8s-staging-experimental/buckets/k8s-staging-experimental/cors.txt
new file mode 100644
index 00000000000..12f503e3426
--- /dev/null
+++ b/audit/projects/k8s-staging-experimental/buckets/k8s-staging-experimental/cors.txt
@@ -0,0 +1 @@
+gs://k8s-staging-experimental/ has no CORS configuration.
diff --git a/audit/projects/k8s-staging-experimental/buckets/k8s-staging-experimental/iam.json b/audit/projects/k8s-staging-experimental/buckets/k8s-staging-experimental/iam.json
new file mode 100644
index 00000000000..70d9ca21add
--- /dev/null
+++ b/audit/projects/k8s-staging-experimental/buckets/k8s-staging-experimental/iam.json
@@ -0,0 +1,37 @@
+{
+ "bindings": [
+ {
+ "members": [
+ "group:k8s-infra-artifact-admins@kubernetes.io",
+ "projectEditor:k8s-staging-experimental",
+ "projectOwner:k8s-staging-experimental"
+ ],
+ "role": "roles/storage.legacyBucketOwner"
+ },
+ {
+ "members": [
+ "projectViewer:k8s-staging-experimental"
+ ],
+ "role": "roles/storage.legacyBucketReader"
+ },
+ {
+ "members": [
+ "group:k8s-infra-staging-experimental@kubernetes.io"
+ ],
+ "role": "roles/storage.legacyBucketWriter"
+ },
+ {
+ "members": [
+ "group:k8s-infra-artifact-admins@kubernetes.io",
+ "group:k8s-infra-staging-experimental@kubernetes.io"
+ ],
+ "role": "roles/storage.objectAdmin"
+ },
+ {
+ "members": [
+ "allUsers"
+ ],
+ "role": "roles/storage.objectViewer"
+ }
+ ]
+}
diff --git a/audit/projects/k8s-staging-experimental/buckets/k8s-staging-experimental/logging.txt b/audit/projects/k8s-staging-experimental/buckets/k8s-staging-experimental/logging.txt
new file mode 100644
index 00000000000..87069fc85cc
--- /dev/null
+++ b/audit/projects/k8s-staging-experimental/buckets/k8s-staging-experimental/logging.txt
@@ -0,0 +1 @@
+gs://k8s-staging-experimental/ has no logging configuration.
diff --git a/audit/projects/k8s-staging-experimental/description.json b/audit/projects/k8s-staging-experimental/description.json
new file mode 100644
index 00000000000..f0f8a6f5bd2
--- /dev/null
+++ b/audit/projects/k8s-staging-experimental/description.json
@@ -0,0 +1,11 @@
+{
+ "createTime": "2021-01-29T15:04:48.922Z",
+ "lifecycleState": "ACTIVE",
+ "name": "k8s-staging-experimental",
+ "parent": {
+ "id": "758905017065",
+ "type": "organization"
+ },
+ "projectId": "k8s-staging-experimental",
+ "projectNumber": "737067335481"
+}
diff --git a/audit/projects/k8s-staging-experimental/iam.json b/audit/projects/k8s-staging-experimental/iam.json
new file mode 100644
index 00000000000..c1bc3819b87
--- /dev/null
+++ b/audit/projects/k8s-staging-experimental/iam.json
@@ -0,0 +1,69 @@
+{
+ "bindings": [
+ {
+ "members": [
+ "serviceAccount:737067335481@cloudbuild.gserviceaccount.com",
+ "serviceAccount:deployer@k8s-prow.iam.gserviceaccount.com",
+ "serviceAccount:gcb-builder@k8s-infra-prow-build-trusted.iam.gserviceaccount.com"
+ ],
+ "role": "roles/cloudbuild.builds.builder"
+ },
+ {
+ "members": [
+ "group:k8s-infra-staging-experimental@kubernetes.io"
+ ],
+ "role": "roles/cloudbuild.builds.editor"
+ },
+ {
+ "members": [
+ "serviceAccount:service-737067335481@gcp-sa-cloudbuild.iam.gserviceaccount.com"
+ ],
+ "role": "roles/cloudbuild.serviceAgent"
+ },
+ {
+ "members": [
+ "serviceAccount:service-737067335481@container-analysis.iam.gserviceaccount.com"
+ ],
+ "role": "roles/containeranalysis.ServiceAgent"
+ },
+ {
+ "members": [
+ "serviceAccount:k8s-infra-gcr-vuln-scanning@k8s-artifacts-prod.iam.gserviceaccount.com"
+ ],
+ "role": "roles/containeranalysis.occurrences.viewer"
+ },
+ {
+ "members": [
+ "serviceAccount:service-737067335481@containerregistry.iam.gserviceaccount.com"
+ ],
+ "role": "roles/containerregistry.ServiceAgent"
+ },
+ {
+ "members": [
+ "serviceAccount:service-737067335481@gcp-sa-containerscanning.iam.gserviceaccount.com"
+ ],
+ "role": "roles/containerscanning.ServiceAgent"
+ },
+ {
+ "members": [
+ "user:davanum@gmail.com"
+ ],
+ "role": "roles/owner"
+ },
+ {
+ "members": [
+ "group:k8s-infra-staging-experimental@kubernetes.io"
+ ],
+ "role": "roles/serviceusage.serviceUsageConsumer"
+ },
+ {
+ "members": [
+ "group:k8s-infra-artifact-admins@kubernetes.io",
+ "group:k8s-infra-release-viewers@kubernetes.io",
+ "group:k8s-infra-staging-experimental@kubernetes.io"
+ ],
+ "role": "roles/viewer"
+ }
+ ],
+ "version": 1
+}
diff --git a/audit/projects/k8s-staging-experimental/services/enabled.txt b/audit/projects/k8s-staging-experimental/services/enabled.txt
new file mode 100644
index 00000000000..30cdd842f18
--- /dev/null
+++ b/audit/projects/k8s-staging-experimental/services/enabled.txt
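Review bot: `roles/owner` on the new `k8s-staging-experimental` project is held only by `user:davanum@gmail.com`, a personal consumer account, while every other human grant in this policy goes through a `kubernetes.io` group. An individual owner sits outside group-membership review and ties full control of the project to the security of one mailbox; the same binding appears in `k8s-staging-provider-openstack/iam.json`. If this is the creator binding left over from project creation, it should be removed once the group and service-account bindings are confirmed working, and any human owner access that must remain is better granted through a managed `kubernetes.io` group.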
@@ -0,0 +1,11 @@
+NAME TITLE
+cloudbuild.googleapis.com Cloud Build API
+cloudkms.googleapis.com Cloud Key Management Service (KMS) API
+containeranalysis.googleapis.com Container Analysis API
+containerregistry.googleapis.com Container Registry API
+containerscanning.googleapis.com Container Scanning API
+logging.googleapis.com Cloud Logging API
+pubsub.googleapis.com Cloud Pub/Sub API
+secretmanager.googleapis.com Secret Manager API
+storage-api.googleapis.com Google Cloud Storage JSON API
+storage-component.googleapis.com Cloud Storage
diff --git a/audit/projects/k8s-staging-provider-openstack/buckets/artifacts.k8s-staging-provider-openstack.appspot.com/bucketpolicyonly.txt b/audit/projects/k8s-staging-provider-openstack/buckets/artifacts.k8s-staging-provider-openstack.appspot.com/bucketpolicyonly.txt
new file mode 100644
index 00000000000..4f1f5de7691
--- /dev/null
+++ b/audit/projects/k8s-staging-provider-openstack/buckets/artifacts.k8s-staging-provider-openstack.appspot.com/bucketpolicyonly.txt
@@ -0,0 +1,4 @@
+Bucket Policy Only setting for gs://artifacts.k8s-staging-provider-openstack.appspot.com:
+ Enabled: True
+ LockedTime: 2021-05-16 15:18:46.461000+00:00
+
diff --git a/audit/projects/k8s-staging-provider-openstack/buckets/artifacts.k8s-staging-provider-openstack.appspot.com/cors.txt b/audit/projects/k8s-staging-provider-openstack/buckets/artifacts.k8s-staging-provider-openstack.appspot.com/cors.txt
new file mode 100644
index 00000000000..d2fa17013e7
--- /dev/null
+++ b/audit/projects/k8s-staging-provider-openstack/buckets/artifacts.k8s-staging-provider-openstack.appspot.com/cors.txt
@@ -0,0 +1 @@
+gs://artifacts.k8s-staging-provider-openstack.appspot.com/ has no CORS configuration.
diff --git a/audit/projects/k8s-staging-provider-openstack/buckets/artifacts.k8s-staging-provider-openstack.appspot.com/iam.json b/audit/projects/k8s-staging-provider-openstack/buckets/artifacts.k8s-staging-provider-openstack.appspot.com/iam.json
new file mode 100644
index 00000000000..17dc1ed840d
--- /dev/null
+++ b/audit/projects/k8s-staging-provider-openstack/buckets/artifacts.k8s-staging-provider-openstack.appspot.com/iam.json
@@ -0,0 +1,37 @@
+{
+ "bindings": [
+ {
+ "members": [
+ "group:k8s-infra-artifact-admins@kubernetes.io",
+ "projectEditor:k8s-staging-provider-openstack",
+ "projectOwner:k8s-staging-provider-openstack"
+ ],
+ "role": "roles/storage.legacyBucketOwner"
+ },
+ {
+ "members": [
+ "projectViewer:k8s-staging-provider-openstack"
+ ],
+ "role": "roles/storage.legacyBucketReader"
+ },
+ {
+ "members": [
+ "group:k8s-infra-staging-provider-openstack@kubernetes.io"
+ ],
+ "role": "roles/storage.legacyBucketWriter"
+ },
+ {
+ "members": [
+ "group:k8s-infra-artifact-admins@kubernetes.io",
+ "group:k8s-infra-staging-provider-openstack@kubernetes.io"
+ ],
+ "role": "roles/storage.objectAdmin"
+ },
+ {
+ "members": [
+ "allUsers"
+ ],
+ "role": "roles/storage.objectViewer"
+ }
+ ]
+}
diff --git a/audit/projects/k8s-staging-provider-openstack/buckets/artifacts.k8s-staging-provider-openstack.appspot.com/logging.txt b/audit/projects/k8s-staging-provider-openstack/buckets/artifacts.k8s-staging-provider-openstack.appspot.com/logging.txt
new file mode 100644
index 00000000000..6aea68afab5
--- /dev/null
+++ b/audit/projects/k8s-staging-provider-openstack/buckets/artifacts.k8s-staging-provider-openstack.appspot.com/logging.txt
@@ -0,0 +1 @@
+gs://artifacts.k8s-staging-provider-openstack.appspot.com/ has no logging configuration.
diff --git a/audit/projects/k8s-staging-provider-openstack/buckets/k8s-staging-provider-openstack-gcb/bucketpolicyonly.txt b/audit/projects/k8s-staging-provider-openstack/buckets/k8s-staging-provider-openstack-gcb/bucketpolicyonly.txt
new file mode 100644
index 00000000000..18a63176a2a
--- /dev/null
+++ b/audit/projects/k8s-staging-provider-openstack/buckets/k8s-staging-provider-openstack-gcb/bucketpolicyonly.txt
@@ -0,0 +1,4 @@
+Bucket Policy Only setting for gs://k8s-staging-provider-openstack-gcb:
+ Enabled: True
+ LockedTime: 2021-05-16 15:19:21.741000+00:00
+
diff --git a/audit/projects/k8s-staging-provider-openstack/buckets/k8s-staging-provider-openstack-gcb/cors.txt b/audit/projects/k8s-staging-provider-openstack/buckets/k8s-staging-provider-openstack-gcb/cors.txt
new file mode 100644
index 00000000000..2bf2d5f5d5c
--- /dev/null
+++ b/audit/projects/k8s-staging-provider-openstack/buckets/k8s-staging-provider-openstack-gcb/cors.txt
@@ -0,0 +1 @@
+gs://k8s-staging-provider-openstack-gcb/ has no CORS configuration.
diff --git a/audit/projects/k8s-staging-provider-openstack/buckets/k8s-staging-provider-openstack-gcb/iam.json b/audit/projects/k8s-staging-provider-openstack/buckets/k8s-staging-provider-openstack-gcb/iam.json
new file mode 100644
index 00000000000..f1a19dacfe7
--- /dev/null
+++ b/audit/projects/k8s-staging-provider-openstack/buckets/k8s-staging-provider-openstack-gcb/iam.json
@@ -0,0 +1,46 @@
+{
+ "bindings": [
+ {
+ "members": [
+ "group:k8s-infra-artifact-admins@kubernetes.io",
+ "projectEditor:k8s-staging-provider-openstack",
+ "projectOwner:k8s-staging-provider-openstack"
+ ],
+ "role": "roles/storage.legacyBucketOwner"
+ },
+ {
+ "members": [
+ "projectViewer:k8s-staging-provider-openstack"
+ ],
+ "role": "roles/storage.legacyBucketReader"
+ },
+ {
+ "members": [
+ "group:k8s-infra-staging-provider-openstack@kubernetes.io"
+ ],
+ "role": "roles/storage.legacyBucketWriter"
+ },
+ {
+ "members": [
+ "group:k8s-infra-artifact-admins@kubernetes.io",
+ "group:k8s-infra-staging-provider-openstack@kubernetes.io"
+ ],
+ "role": "roles/storage.objectAdmin"
+ },
+ {
+ "members": [
+ "serviceAccount:deployer@k8s-prow.iam.gserviceaccount.com",
+ "serviceAccount:gcb-builder@k8s-infra-prow-build-trusted.iam.gserviceaccount.com"
+ ],
+ "role": "roles/storage.objectCreator"
+ },
+ {
+ "members": [
+ "allUsers",
+ "serviceAccount:deployer@k8s-prow.iam.gserviceaccount.com",
+ "serviceAccount:gcb-builder@k8s-infra-prow-build-trusted.iam.gserviceaccount.com"
+ ],
+ "role": "roles/storage.objectViewer"
+ }
+ ]
+}
diff --git a/audit/projects/k8s-staging-provider-openstack/buckets/k8s-staging-provider-openstack-gcb/logging.txt b/audit/projects/k8s-staging-provider-openstack/buckets/k8s-staging-provider-openstack-gcb/logging.txt
new file mode 100644
index 00000000000..ae46bd630cc
--- /dev/null
+++ b/audit/projects/k8s-staging-provider-openstack/buckets/k8s-staging-provider-openstack-gcb/logging.txt
@@ -0,0 +1 @@
+gs://k8s-staging-provider-openstack-gcb/ has no logging configuration.
diff --git a/audit/projects/k8s-staging-provider-openstack/buckets/k8s-staging-provider-openstack/bucketpolicyonly.txt b/audit/projects/k8s-staging-provider-openstack/buckets/k8s-staging-provider-openstack/bucketpolicyonly.txt
new file mode 100644
index 00000000000..79f0e2bb364
--- /dev/null
+++ b/audit/projects/k8s-staging-provider-openstack/buckets/k8s-staging-provider-openstack/bucketpolicyonly.txt
@@ -0,0 +1,4 @@
+Bucket Policy Only setting for gs://k8s-staging-provider-openstack:
+ Enabled: True
+ LockedTime: 2021-05-16 15:19:04.941000+00:00
+
diff --git a/audit/projects/k8s-staging-provider-openstack/buckets/k8s-staging-provider-openstack/cors.txt b/audit/projects/k8s-staging-provider-openstack/buckets/k8s-staging-provider-openstack/cors.txt
new file mode 100644
index 00000000000..df06efe18a9
--- /dev/null
+++ b/audit/projects/k8s-staging-provider-openstack/buckets/k8s-staging-provider-openstack/cors.txt
@@ -0,0 +1 @@
+gs://k8s-staging-provider-openstack/ has no CORS configuration.
diff --git a/audit/projects/k8s-staging-provider-openstack/buckets/k8s-staging-provider-openstack/iam.json b/audit/projects/k8s-staging-provider-openstack/buckets/k8s-staging-provider-openstack/iam.json
new file mode 100644
index 00000000000..17dc1ed840d
--- /dev/null
+++ b/audit/projects/k8s-staging-provider-openstack/buckets/k8s-staging-provider-openstack/iam.json
@@ -0,0 +1,37 @@
+{
+ "bindings": [
+ {
+ "members": [
+ "group:k8s-infra-artifact-admins@kubernetes.io",
+ "projectEditor:k8s-staging-provider-openstack",
+ "projectOwner:k8s-staging-provider-openstack"
+ ],
+ "role": "roles/storage.legacyBucketOwner"
+ },
+ {
+ "members": [
+ "projectViewer:k8s-staging-provider-openstack"
+ ],
+ "role": "roles/storage.legacyBucketReader"
+ },
+ {
+ "members": [
+ "group:k8s-infra-staging-provider-openstack@kubernetes.io"
+ ],
+ "role": "roles/storage.legacyBucketWriter"
+ },
+ {
+ "members": [
+ "group:k8s-infra-artifact-admins@kubernetes.io",
+ "group:k8s-infra-staging-provider-openstack@kubernetes.io"
+ ],
+ "role": "roles/storage.objectAdmin"
+ },
+ {
+ "members": [
+ "allUsers"
+ ],
+ "role": "roles/storage.objectViewer"
+ }
+ ]
+}
diff --git a/audit/projects/k8s-staging-provider-openstack/buckets/k8s-staging-provider-openstack/logging.txt b/audit/projects/k8s-staging-provider-openstack/buckets/k8s-staging-provider-openstack/logging.txt
new file mode 100644
index 00000000000..648cab5ead5
--- /dev/null
+++ b/audit/projects/k8s-staging-provider-openstack/buckets/k8s-staging-provider-openstack/logging.txt
@@ -0,0 +1 @@
+gs://k8s-staging-provider-openstack/ has no logging configuration.
diff --git a/audit/projects/k8s-staging-provider-openstack/description.json b/audit/projects/k8s-staging-provider-openstack/description.json
new file mode 100644
index 00000000000..50b8b4bda8a
--- /dev/null
+++ b/audit/projects/k8s-staging-provider-openstack/description.json
@@ -0,0 +1,11 @@
+{
+ "createTime": "2021-02-15T15:12:50.913Z",
+ "lifecycleState": "ACTIVE",
+ "name": "k8s-staging-provider-openstack",
+ "parent": {
+ "id": "758905017065",
+ "type": "organization"
+ },
+ "projectId": "k8s-staging-provider-openstack",
+ "projectNumber": "625174557286"
+}
diff --git a/audit/projects/k8s-staging-provider-openstack/iam.json b/audit/projects/k8s-staging-provider-openstack/iam.json
new file mode 100644
index 00000000000..cc5b48444ff
--- /dev/null
+++ b/audit/projects/k8s-staging-provider-openstack/iam.json
@@ -0,0 +1,68 @@
+{
+ "bindings": [
+ {
+ "members": [
+ "serviceAccount:625174557286@cloudbuild.gserviceaccount.com",
+ "serviceAccount:deployer@k8s-prow.iam.gserviceaccount.com",
+ "serviceAccount:gcb-builder@k8s-infra-prow-build-trusted.iam.gserviceaccount.com"
+ ],
+ "role": "roles/cloudbuild.builds.builder"
+ },
+ {
+ "members": [
+ "group:k8s-infra-staging-provider-openstack@kubernetes.io"
+ ],
+ "role": "roles/cloudbuild.builds.editor"
+ },
+ {
+ "members": [
+ "serviceAccount:service-625174557286@gcp-sa-cloudbuild.iam.gserviceaccount.com"
+ ],
+ "role": "roles/cloudbuild.serviceAgent"
+ },
+ {
+ "members": [
+ "serviceAccount:service-625174557286@container-analysis.iam.gserviceaccount.com"
+ ],
+ "role": "roles/containeranalysis.ServiceAgent"
+ },
+ {
+ "members": [
+ "serviceAccount:k8s-infra-gcr-vuln-scanning@k8s-artifacts-prod.iam.gserviceaccount.com"
+ ],
+ "role": "roles/containeranalysis.occurrences.viewer"
+ },
+ {
+ "members": [
+ "serviceAccount:service-625174557286@containerregistry.iam.gserviceaccount.com"
+ ],
+ "role": "roles/containerregistry.ServiceAgent"
+ },
+ {
+ "members": [
+ "serviceAccount:service-625174557286@gcp-sa-containerscanning.iam.gserviceaccount.com"
+ ],
+ "role": "roles/containerscanning.ServiceAgent"
+ },
+ {
+ "members": [
+ "user:davanum@gmail.com"
+ ],
+ "role": "roles/owner"
+ },
+ {
+ "members": [
+ "group:k8s-infra-staging-provider-openstack@kubernetes.io"
+ ],
+ "role": "roles/serviceusage.serviceUsageConsumer"
+ },
+ {
+ "members": [
+ "group:k8s-infra-artifact-admins@kubernetes.io",
+ "group:k8s-infra-staging-provider-openstack@kubernetes.io"
+ ],
+ "role": "roles/viewer"
+ }
+ ],
+ "version": 1
+}
diff --git a/audit/projects/k8s-staging-provider-openstack/services/enabled.txt b/audit/projects/k8s-staging-provider-openstack/services/enabled.txt
new file mode 100644
index 00000000000..30cdd842f18
--- /dev/null
+++ b/audit/projects/k8s-staging-provider-openstack/services/enabled.txt
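Review bot: The `roles/owner` binding in this new project policy has a single personal account, `"user:davanum@gmail.com"`, as its only member, while every other human grant in the hunk goes through a `group:…@kubernetes.io` principal. Because this file looks like an exported snapshot of live IAM state, the change belongs in the project rather than in the JSON: remove the direct user grant (or replace it with an admin group) and re-run the audit so the `"role": "roles/owner"` entry no longer appears. The same binding is recorded in `audit/projects/k8s-staging-releng-test/iam.json` later in this diff. If the grant is a leftover from whoever created the project, that is worth confirming before the snapshot is accepted as the expected baseline.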
@@ -0,0 +1,11 @@
+NAME TITLE
+cloudbuild.googleapis.com Cloud Build API
+cloudkms.googleapis.com Cloud Key Management Service (KMS) API
+containeranalysis.googleapis.com Container Analysis API
+containerregistry.googleapis.com Container Registry API
+containerscanning.googleapis.com Container Scanning API
+logging.googleapis.com Cloud Logging API
+pubsub.googleapis.com Cloud Pub/Sub API
+secretmanager.googleapis.com Secret Manager API
+storage-api.googleapis.com Google Cloud Storage JSON API
+storage-component.googleapis.com Cloud Storage
diff --git a/audit/projects/k8s-staging-releng-test/buckets/artifacts.k8s-staging-releng-test.appspot.com/bucketpolicyonly.txt b/audit/projects/k8s-staging-releng-test/buckets/artifacts.k8s-staging-releng-test.appspot.com/bucketpolicyonly.txt
new file mode 100644
index 00000000000..f4205ea17ec
--- /dev/null
+++ b/audit/projects/k8s-staging-releng-test/buckets/artifacts.k8s-staging-releng-test.appspot.com/bucketpolicyonly.txt
@@ -0,0 +1,4 @@
+Bucket Policy Only setting for gs://artifacts.k8s-staging-releng-test.appspot.com:
+ Enabled: True
+ LockedTime: 2021-04-29 15:47:14.246000+00:00
+
diff --git a/audit/projects/k8s-staging-releng-test/buckets/artifacts.k8s-staging-releng-test.appspot.com/cors.txt b/audit/projects/k8s-staging-releng-test/buckets/artifacts.k8s-staging-releng-test.appspot.com/cors.txt
new file mode 100644
index 00000000000..df5e301bc89
--- /dev/null
+++ b/audit/projects/k8s-staging-releng-test/buckets/artifacts.k8s-staging-releng-test.appspot.com/cors.txt
@@ -0,0 +1 @@
+gs://artifacts.k8s-staging-releng-test.appspot.com/ has no CORS configuration.
diff --git a/audit/projects/k8s-staging-releng-test/buckets/artifacts.k8s-staging-releng-test.appspot.com/iam.json b/audit/projects/k8s-staging-releng-test/buckets/artifacts.k8s-staging-releng-test.appspot.com/iam.json
new file mode 100644
index 00000000000..5d177797007
--- /dev/null
+++ b/audit/projects/k8s-staging-releng-test/buckets/artifacts.k8s-staging-releng-test.appspot.com/iam.json
@@ -0,0 +1,39 @@
+{
+ "bindings": [
+ {
+ "members": [
+ "group:k8s-infra-artifact-admins@kubernetes.io",
+ "projectEditor:k8s-staging-releng-test",
+ "projectOwner:k8s-staging-releng-test"
+ ],
+ "role": "roles/storage.legacyBucketOwner"
+ },
+ {
+ "members": [
+ "projectViewer:k8s-staging-releng-test"
+ ],
+ "role": "roles/storage.legacyBucketReader"
+ },
+ {
+ "members": [
+ "group:k8s-infra-staging-releng-test@kubernetes.io",
+ "serviceAccount:gcb-builder-releng-test@k8s-staging-releng-test.iam.gserviceaccount.com"
+ ],
+ "role": "roles/storage.legacyBucketWriter"
+ },
+ {
+ "members": [
+ "group:k8s-infra-artifact-admins@kubernetes.io",
+ "group:k8s-infra-staging-releng-test@kubernetes.io",
+ "serviceAccount:gcb-builder-releng-test@k8s-staging-releng-test.iam.gserviceaccount.com"
+ ],
+ "role": "roles/storage.objectAdmin"
+ },
+ {
+ "members": [
+ "allUsers"
+ ],
+ "role": "roles/storage.objectViewer"
+ }
+ ]
+}
diff --git a/audit/projects/k8s-staging-releng-test/buckets/artifacts.k8s-staging-releng-test.appspot.com/logging.txt b/audit/projects/k8s-staging-releng-test/buckets/artifacts.k8s-staging-releng-test.appspot.com/logging.txt
new file mode 100644
index 00000000000..439e0edf0ff
--- /dev/null
+++ b/audit/projects/k8s-staging-releng-test/buckets/artifacts.k8s-staging-releng-test.appspot.com/logging.txt
@@ -0,0 +1 @@
+gs://artifacts.k8s-staging-releng-test.appspot.com/ has no logging configuration.
diff --git a/audit/projects/k8s-staging-releng-test/buckets/k8s-staging-releng-test-gcb/bucketpolicyonly.txt b/audit/projects/k8s-staging-releng-test/buckets/k8s-staging-releng-test-gcb/bucketpolicyonly.txt
new file mode 100644
index 00000000000..d1998391f0b
--- /dev/null
+++ b/audit/projects/k8s-staging-releng-test/buckets/k8s-staging-releng-test-gcb/bucketpolicyonly.txt
@@ -0,0 +1,4 @@
+Bucket Policy Only setting for gs://k8s-staging-releng-test-gcb:
+ Enabled: True
+ LockedTime: 2021-04-29 15:47:48.938000+00:00
+
diff --git a/audit/projects/k8s-staging-releng-test/buckets/k8s-staging-releng-test-gcb/cors.txt b/audit/projects/k8s-staging-releng-test/buckets/k8s-staging-releng-test-gcb/cors.txt
new file mode 100644
index 00000000000..867cc495654
--- /dev/null
+++ b/audit/projects/k8s-staging-releng-test/buckets/k8s-staging-releng-test-gcb/cors.txt
@@ -0,0 +1 @@
+gs://k8s-staging-releng-test-gcb/ has no CORS configuration.
diff --git a/audit/projects/k8s-staging-releng-test/buckets/k8s-staging-releng-test-gcb/iam.json b/audit/projects/k8s-staging-releng-test/buckets/k8s-staging-releng-test-gcb/iam.json
new file mode 100644
index 00000000000..abf141328c8
--- /dev/null
+++ b/audit/projects/k8s-staging-releng-test/buckets/k8s-staging-releng-test-gcb/iam.json
@@ -0,0 +1,46 @@
+{
+ "bindings": [
+ {
+ "members": [
+ "group:k8s-infra-artifact-admins@kubernetes.io",
+ "projectEditor:k8s-staging-releng-test",
+ "projectOwner:k8s-staging-releng-test"
+ ],
+ "role": "roles/storage.legacyBucketOwner"
+ },
+ {
+ "members": [
+ "projectViewer:k8s-staging-releng-test"
+ ],
+ "role": "roles/storage.legacyBucketReader"
+ },
+ {
+ "members": [
+ "group:k8s-infra-staging-releng-test@kubernetes.io"
+ ],
+ "role": "roles/storage.legacyBucketWriter"
+ },
+ {
+ "members": [
+ "group:k8s-infra-artifact-admins@kubernetes.io",
+ "group:k8s-infra-staging-releng-test@kubernetes.io"
+ ],
+ "role": "roles/storage.objectAdmin"
+ },
+ {
+ "members": [
+ "serviceAccount:deployer@k8s-prow.iam.gserviceaccount.com",
+ "serviceAccount:gcb-builder@k8s-infra-prow-build-trusted.iam.gserviceaccount.com"
+ ],
+ "role": "roles/storage.objectCreator"
+ },
+ {
+ "members": [
+ "allUsers",
+ "serviceAccount:deployer@k8s-prow.iam.gserviceaccount.com",
+ "serviceAccount:gcb-builder@k8s-infra-prow-build-trusted.iam.gserviceaccount.com"
+ ],
+ "role": "roles/storage.objectViewer"
+ }
+ ]
+}
diff --git a/audit/projects/k8s-staging-releng-test/buckets/k8s-staging-releng-test-gcb/logging.txt b/audit/projects/k8s-staging-releng-test/buckets/k8s-staging-releng-test-gcb/logging.txt
new file mode 100644
index 00000000000..6e979dfcb92
--- /dev/null
+++ b/audit/projects/k8s-staging-releng-test/buckets/k8s-staging-releng-test-gcb/logging.txt
@@ -0,0 +1 @@
+gs://k8s-staging-releng-test-gcb/ has no logging configuration.
diff --git a/audit/projects/k8s-staging-releng-test/buckets/k8s-staging-releng-test/bucketpolicyonly.txt b/audit/projects/k8s-staging-releng-test/buckets/k8s-staging-releng-test/bucketpolicyonly.txt
new file mode 100644
index 00000000000..7cc32b3577a
--- /dev/null
+++ b/audit/projects/k8s-staging-releng-test/buckets/k8s-staging-releng-test/bucketpolicyonly.txt
@@ -0,0 +1,4 @@
+Bucket Policy Only setting for gs://k8s-staging-releng-test:
+ Enabled: True
+ LockedTime: 2021-04-29 15:47:30.439000+00:00
+
diff --git a/audit/projects/k8s-staging-releng-test/buckets/k8s-staging-releng-test/cors.txt b/audit/projects/k8s-staging-releng-test/buckets/k8s-staging-releng-test/cors.txt
new file mode 100644
index 00000000000..de21fb66a12
--- /dev/null
+++ b/audit/projects/k8s-staging-releng-test/buckets/k8s-staging-releng-test/cors.txt
@@ -0,0 +1 @@
+gs://k8s-staging-releng-test/ has no CORS configuration.
diff --git a/audit/projects/k8s-staging-releng-test/buckets/k8s-staging-releng-test/iam.json b/audit/projects/k8s-staging-releng-test/buckets/k8s-staging-releng-test/iam.json
new file mode 100644
index 00000000000..452dd81e2d3
--- /dev/null
+++ b/audit/projects/k8s-staging-releng-test/buckets/k8s-staging-releng-test/iam.json
@@ -0,0 +1,37 @@
+{
+ "bindings": [
+ {
+ "members": [
+ "group:k8s-infra-artifact-admins@kubernetes.io",
+ "projectEditor:k8s-staging-releng-test",
+ "projectOwner:k8s-staging-releng-test"
+ ],
+ "role": "roles/storage.legacyBucketOwner"
+ },
+ {
+ "members": [
+ "projectViewer:k8s-staging-releng-test"
+ ],
+ "role": "roles/storage.legacyBucketReader"
+ },
+ {
+ "members": [
+ "group:k8s-infra-staging-releng-test@kubernetes.io"
+ ],
+ "role": "roles/storage.legacyBucketWriter"
+ },
+ {
+ "members": [
+ "group:k8s-infra-artifact-admins@kubernetes.io",
+ "group:k8s-infra-staging-releng-test@kubernetes.io"
+ ],
+ "role": "roles/storage.objectAdmin"
+ },
+ {
+ "members": [
+ "allUsers"
+ ],
+ "role": "roles/storage.objectViewer"
+ }
+ ]
+}
diff --git a/audit/projects/k8s-staging-releng-test/buckets/k8s-staging-releng-test/logging.txt b/audit/projects/k8s-staging-releng-test/buckets/k8s-staging-releng-test/logging.txt
new file mode 100644
index 00000000000..fbd33c0d161
--- /dev/null
+++ b/audit/projects/k8s-staging-releng-test/buckets/k8s-staging-releng-test/logging.txt
@@ -0,0 +1 @@
+gs://k8s-staging-releng-test/ has no logging configuration.
diff --git a/audit/projects/k8s-staging-releng-test/description.json b/audit/projects/k8s-staging-releng-test/description.json
new file mode 100644
index 00000000000..c3a79c46c9a
--- /dev/null
+++ b/audit/projects/k8s-staging-releng-test/description.json
@@ -0,0 +1,11 @@
+{
+ "createTime": "2021-01-29T15:02:49.545Z",
+ "lifecycleState": "ACTIVE",
+ "name": "k8s-staging-releng-test",
+ "parent": {
+ "id": "758905017065",
+ "type": "organization"
+ },
+ "projectId": "k8s-staging-releng-test",
+ "projectNumber": "86929635859"
+}
diff --git a/audit/projects/k8s-staging-releng-test/iam.json b/audit/projects/k8s-staging-releng-test/iam.json
new file mode 100644
index 00000000000..d44cf27a97a
--- /dev/null
+++ b/audit/projects/k8s-staging-releng-test/iam.json
@@ -0,0 +1,69 @@
+{
+ "bindings": [
+ {
+ "members": [
+ "serviceAccount:86929635859@cloudbuild.gserviceaccount.com",
+ "serviceAccount:deployer@k8s-prow.iam.gserviceaccount.com",
+ "serviceAccount:gcb-builder-releng-test@k8s-staging-releng-test.iam.gserviceaccount.com",
+ "serviceAccount:gcb-builder@k8s-infra-prow-build-trusted.iam.gserviceaccount.com"
+ ],
+ "role": "roles/cloudbuild.builds.builder"
+ },
+ {
+ "members": [
+ "group:k8s-infra-staging-releng-test@kubernetes.io"
+ ],
+ "role": "roles/cloudbuild.builds.editor"
+ },
+ {
+ "members": [
+ "serviceAccount:service-86929635859@gcp-sa-cloudbuild.iam.gserviceaccount.com"
+ ],
+ "role": "roles/cloudbuild.serviceAgent"
+ },
+ {
+ "members": [
+ "serviceAccount:service-86929635859@container-analysis.iam.gserviceaccount.com"
+ ],
+ "role": "roles/containeranalysis.ServiceAgent"
+ },
+ {
+ "members": [
+ "serviceAccount:k8s-infra-gcr-vuln-scanning@k8s-artifacts-prod.iam.gserviceaccount.com"
+ ],
+ "role": "roles/containeranalysis.occurrences.viewer"
+ },
+ {
+ "members": [
+ "serviceAccount:service-86929635859@containerregistry.iam.gserviceaccount.com"
+ ],
+ "role": "roles/containerregistry.ServiceAgent"
+ },
+ {
+ "members": [
+ "serviceAccount:service-86929635859@gcp-sa-containerscanning.iam.gserviceaccount.com"
+ ],
+ "role": "roles/containerscanning.ServiceAgent"
+ },
+ {
+ "members": [
+ "user:davanum@gmail.com"
+ ],
+ "role": "roles/owner"
+ },
+ {
+ "members": [
+ "group:k8s-infra-staging-releng-test@kubernetes.io"
+ ],
+ "role": "roles/serviceusage.serviceUsageConsumer"
+ },
+ {
+ "members": [
+ "group:k8s-infra-artifact-admins@kubernetes.io",
+ "group:k8s-infra-staging-releng-test@kubernetes.io"
+ ],
+ "role": "roles/viewer"
+ }
+ ],
+ "version": 1
+}
diff --git a/audit/projects/k8s-staging-releng-test/service-accounts/gcb-builder-releng-test@k8s-staging-releng-test.iam.gserviceaccount.com/description.json b/audit/projects/k8s-staging-releng-test/service-accounts/gcb-builder-releng-test@k8s-staging-releng-test.iam.gserviceaccount.com/description.json
new file mode 100644
index 00000000000..a61fdcaf03d
--- /dev/null
+++ b/audit/projects/k8s-staging-releng-test/service-accounts/gcb-builder-releng-test@k8s-staging-releng-test.iam.gserviceaccount.com/description.json
@@ -0,0 +1,8 @@
+{
+ "displayName": "used by k8s-infra-prow-build to trigger GCB, write to GCR for k8s-staging-releng-test",
+ "email": "gcb-builder-releng-test@k8s-staging-releng-test.iam.gserviceaccount.com",
+ "name": "projects/k8s-staging-releng-test/serviceAccounts/gcb-builder-releng-test@k8s-staging-releng-test.iam.gserviceaccount.com",
+ "oauth2ClientId": "106077646816281830376",
+ "projectId": "k8s-staging-releng-test",
+ "uniqueId": "106077646816281830376"
+}
diff --git a/audit/projects/k8s-staging-releng-test/service-accounts/gcb-builder-releng-test@k8s-staging-releng-test.iam.gserviceaccount.com/iam.json b/audit/projects/k8s-staging-releng-test/service-accounts/gcb-builder-releng-test@k8s-staging-releng-test.iam.gserviceaccount.com/iam.json
new file mode 100644
index 00000000000..726638d4d86
--- /dev/null
+++ b/audit/projects/k8s-staging-releng-test/service-accounts/gcb-builder-releng-test@k8s-staging-releng-test.iam.gserviceaccount.com/iam.json
@@ -0,0 +1,11 @@
+{
+ "bindings": [
+ {
+ "members": [
+ "serviceAccount:k8s-infra-prow-build.svc.id.goog[test-pods/gcb-builder-releng-test]"
+ ],
+ "role": "roles/iam.workloadIdentityUser"
+ }
+ ],
+ "version": 1
+}
diff --git a/audit/projects/k8s-staging-releng-test/services/enabled.txt b/audit/projects/k8s-staging-releng-test/services/enabled.txt
new file mode 100644
index 00000000000..30cdd842f18
--- /dev/null
+++ b/audit/projects/k8s-staging-releng-test/services/enabled.txt
@@ -0,0 +1,11 @@ +NAME TITLE +cloudbuild.googleapis.com Cloud Build API +cloudkms.googleapis.com Cloud Key Management Service (KMS) API +containeranalysis.googleapis.com Container Analysis API +containerregistry.googleapis.com Container Registry API +containerscanning.googleapis.com Container Scanning API +logging.googleapis.com Cloud Logging API +pubsub.googleapis.com Cloud Pub/Sub API +secretmanager.googleapis.com Secret Manager API +storage-api.googleapis.com Google Cloud Storage JSON API +storage-component.googleapis.com Cloud Storage diff --git a/audit/projects/k8s-staging-sig-storage/services/compute/project-info.json b/audit/projects/k8s-staging-sig-storage/services/compute/project-info.json index 531ebce636e..5e59473b59e 100644 --- a/audit/projects/k8s-staging-sig-storage/services/compute/project-info.json +++ b/audit/projects/k8s-staging-sig-storage/services/compute/project-info.json @@ -113,6 +113,10 @@ "limit": 200, "metric": "SECURITY_POLICY_RULES" }, + { + "limit": 1000, + "metric": "XPN_SERVICE_PROJECTS" + }, { "limit": 150, "metric": "PACKET_MIRRORINGS"