Merged
6 changes: 6 additions & 0 deletions audit/projects/k8s-infra-e2e-gce-project/iam.json
Original file line number Diff line number Diff line change
Expand Up @@ -12,6 +12,12 @@
],
"role": "roles/compute.serviceAgent"
},
{
"members": [
"serviceAccount:service-302382158096@containerregistry.iam.gserviceaccount.com"
],
"role": "roles/containerregistry.ServiceAgent"
},
{
"members": [
"serviceAccount:302382158096-compute@developer.gserviceaccount.com",
Expand Up @@ -119,6 +119,10 @@
"limit": 200,
"metric": "SECURITY_POLICY_RULES"
},
{
"limit": 1000,
"metric": "XPN_SERVICE_PROJECTS"
},
{
"limit": 150,
"metric": "PACKET_MIRRORINGS"
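Review bot: the new XPN_SERVICE_PROJECTS entry with limit 1000, inserted between SECURITY_POLICY_RULES and PACKET_MIRRORINGS, looks like a quota metric that appeared on the provider side rather than a change anyone made to this project, and the same four lines recur for every project in this PR. Consider having the audit script drop quota metrics or summarise them separately, so reviewers can spot the IAM and service changes that matter.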
3 changes: 3 additions & 0 deletions audit/projects/k8s-infra-e2e-gce-project/services/enabled.txt
@@ -1,6 +1,9 @@
NAME TITLE
compute.googleapis.com Compute Engine API
containerregistry.googleapis.com Container Registry API
logging.googleapis.com Cloud Logging API
monitoring.googleapis.com Cloud Monitoring API
oslogin.googleapis.com Cloud OS Login API
pubsub.googleapis.com Cloud Pub/Sub API
storage-api.googleapis.com Google Cloud Storage JSON API
storage-component.googleapis.com Cloud Storage
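Review bot: the header "@@ -1,6 +1,9 @@" says three services were newly enabled in this project, but nothing in the change says who enabled them or why. containerregistry.googleapis.com lines up with the new roles/containerregistry.ServiceAgent binding in this project's iam.json; please link the change that turned these APIs on, or confirm they are needed, since each enabled API in an e2e project is extra surface to monitor.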
@@ -0,0 +1,3 @@
Bucket Policy Only setting for gs://kubernetes-staging-cfeccb2cc5:
Enabled: False

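Review bot: "Enabled: False" means uniform bucket-level access is off for gs://kubernetes-staging-cfeccb2cc5, so per-object ACLs can grant access that the bucket IAM policy captured by this audit does not show. If nothing depends on object ACLs, enable it on the staging buckets; otherwise the audit should also capture the default object ACLs.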
@@ -0,0 +1 @@
gs://kubernetes-staging-cfeccb2cc5/ has no CORS configuration.
Expand Up @@ -2,14 +2,14 @@
"bindings": [
{
"members": [
"projectEditor:k8s-infra-e2e-scale-project",
"projectOwner:k8s-infra-e2e-scale-project"
"projectEditor:k8s-infra-e2e-gpu-project",
Contributor

why does git see this as a move?

"projectOwner:k8s-infra-e2e-gpu-project"
],
"role": "roles/storage.legacyBucketOwner"
},
{
"members": [
"projectViewer:k8s-infra-e2e-scale-project"
"projectViewer:k8s-infra-e2e-gpu-project"
],
"role": "roles/storage.legacyBucketReader"
}
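Review bot: every member in this policy changes from k8s-infra-e2e-scale-project to k8s-infra-e2e-gpu-project while both roles stay the same, which reads as one bucket being handed to another project. Since these per-bucket policies differ only in the project name, this is more likely a deleted file paired with a newly added one by rename detection; listing the removed and added bucket directories in the PR description would make that explicit.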
@@ -0,0 +1 @@
gs://kubernetes-staging-cfeccb2cc5/ has no logging configuration.
6 changes: 6 additions & 0 deletions audit/projects/k8s-infra-e2e-gpu-project/iam.json
Expand Up @@ -12,6 +12,12 @@
],
"role": "roles/compute.serviceAgent"
},
{
"members": [
"serviceAccount:service-438213416405@containerregistry.iam.gserviceaccount.com"
],
"role": "roles/containerregistry.ServiceAgent"
},
{
"members": [
"serviceAccount:438213416405-compute@developer.gserviceaccount.com",
Expand Up @@ -119,6 +119,10 @@
"limit": 100,
"metric": "SECURITY_POLICY_RULES"
},
{
"limit": 1000,
"metric": "XPN_SERVICE_PROJECTS"
},
{
"limit": 45,
"metric": "PACKET_MIRRORINGS"
3 changes: 3 additions & 0 deletions audit/projects/k8s-infra-e2e-gpu-project/services/enabled.txt
@@ -1,6 +1,9 @@
NAME TITLE
compute.googleapis.com Compute Engine API
containerregistry.googleapis.com Container Registry API
logging.googleapis.com Cloud Logging API
monitoring.googleapis.com Cloud Monitoring API
oslogin.googleapis.com Cloud OS Login API
pubsub.googleapis.com Cloud Pub/Sub API
storage-api.googleapis.com Google Cloud Storage JSON API
storage-component.googleapis.com Cloud Storage
@@ -0,0 +1,3 @@
Bucket Policy Only setting for gs://kubernetes-staging-39e765ac61-asia:
Enabled: False

@@ -0,0 +1 @@
gs://kubernetes-staging-39e765ac61-asia/ has no CORS configuration.
@@ -0,0 +1,17 @@
{
"bindings": [
{
"members": [
"projectEditor:k8s-infra-e2e-ingress-project",
"projectOwner:k8s-infra-e2e-ingress-project"
],
"role": "roles/storage.legacyBucketOwner"
},
{
"members": [
"projectViewer:k8s-infra-e2e-ingress-project"
],
"role": "roles/storage.legacyBucketReader"
}
]
}
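Review bot: both bindings rely on the projectOwner, projectEditor and projectViewer convenience members with legacy bucket roles, so anyone holding Editor on k8s-infra-e2e-ingress-project also gets roles/storage.legacyBucketOwner on this staging bucket. If the bucket is meant to stay, consider binding explicit groups or service accounts to non-legacy storage roles so that access to it shows up in the audit as named principals.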
@@ -0,0 +1 @@
gs://kubernetes-staging-39e765ac61-asia/ has no logging configuration.
6 changes: 6 additions & 0 deletions audit/projects/k8s-infra-e2e-ingress-project/iam.json
Expand Up @@ -12,6 +12,12 @@
],
"role": "roles/compute.serviceAgent"
},
{
"members": [
"serviceAccount:service-741153779759@containerregistry.iam.gserviceaccount.com"
],
"role": "roles/containerregistry.ServiceAgent"
},
{
"members": [
"serviceAccount:741153779759-compute@developer.gserviceaccount.com",
Expand Up @@ -119,6 +119,10 @@
"limit": 200,
"metric": "SECURITY_POLICY_RULES"
},
{
"limit": 1000,
"metric": "XPN_SERVICE_PROJECTS"
},
{
"limit": 150,
"metric": "PACKET_MIRRORINGS"
@@ -1,6 +1,9 @@
NAME TITLE
compute.googleapis.com Compute Engine API
containerregistry.googleapis.com Container Registry API
logging.googleapis.com Cloud Logging API
monitoring.googleapis.com Cloud Monitoring API
oslogin.googleapis.com Cloud OS Login API
pubsub.googleapis.com Cloud Pub/Sub API
storage-api.googleapis.com Google Cloud Storage JSON API
storage-component.googleapis.com Cloud Storage
6 changes: 6 additions & 0 deletions audit/projects/k8s-infra-e2e-node-e2e-project/iam.json
Expand Up @@ -12,6 +12,12 @@
],
"role": "roles/compute.serviceAgent"
},
{
"members": [
"serviceAccount:service-855765450555@containerregistry.iam.gserviceaccount.com"
],
"role": "roles/containerregistry.ServiceAgent"
},
{
"members": [
"serviceAccount:855765450555-compute@developer.gserviceaccount.com",
Expand Up @@ -119,6 +119,10 @@
"limit": 200,
"metric": "SECURITY_POLICY_RULES"
},
{
"limit": 1000,
"metric": "XPN_SERVICE_PROJECTS"
},
{
"limit": 150,
"metric": "PACKET_MIRRORINGS"
@@ -1,6 +1,9 @@
NAME TITLE
compute.googleapis.com Compute Engine API
containerregistry.googleapis.com Container Registry API
logging.googleapis.com Cloud Logging API
monitoring.googleapis.com Cloud Monitoring API
oslogin.googleapis.com Cloud OS Login API
pubsub.googleapis.com Cloud Pub/Sub API
storage-api.googleapis.com Google Cloud Storage JSON API
storage-component.googleapis.com Cloud Storage

This file was deleted.

This file was deleted.

This file was deleted.

Expand Up @@ -119,6 +119,10 @@
"limit": 100,
"metric": "SECURITY_POLICY_RULES"
},
{
"limit": 1000,
"metric": "XPN_SERVICE_PROJECTS"
},
{
"limit": 45,
"metric": "PACKET_MIRRORINGS"
@@ -0,0 +1,10 @@
{
"createTime": "2021-02-11T04:21:30.200768Z",
"labels": {
"sig": "testing"
},
Comment on lines +3 to +5
Contributor

note to self for followup: need to decide on a convention for labeling secrets

I've been labeling other secrets in kubernetes-public with e.g. labels.app=slack-infra

I had considered group=sig-testing but feel like sig=testing lines up with "only sigs can own code"

"name": "projects/180382678033/secrets/cncf-ci-github-token",
"replication": {
"automatic": {}
}
}
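Review bot: the metadata for cncf-ci-github-token carries only a "sig" label and automatic replication, with no expiry or rotation fields, so nothing in the audit output shows how long this GitHub token is expected to live. Consider recording an owner label alongside "sig" and setting a rotation or expiry policy on the secret, so a stale token becomes visible in a later audit diff.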
@@ -0,0 +1,12 @@
{
"bindings": [
{
"members": [
"group:k8s-infra-prow-oncall@kubernetes.io",
"user:hh@ii.coop"
Comment on lines +5 to +6
Contributor

if we plan on keeping this secret around, my preference would be to replace the user: with a group

longer term we should have audit use a k8s-owned account

],
"role": "roles/secretmanager.admin"
}
],
"version": 1
}
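Review bot: roles/secretmanager.admin is the only role in this policy and it goes to both members, which lets each of them delete the secret and rewrite its IAM policy as well as read the value. If user:hh@ii.coop and the on-call group only need to add versions or read the token, narrower roles such as roles/secretmanager.secretVersionAdder and roles/secretmanager.secretAccessor would limit the damage from a compromised account.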
@@ -0,0 +1,10 @@
[
{
"createTime": "2021-02-11T20:01:09.472963Z",
"name": "projects/180382678033/secrets/cncf-ci-github-token/versions/1",
"replicationStatus": {
"automatic": {}
},
"state": "ENABLED"
}
]

This file was deleted.

This file was deleted.

This file was deleted.

This file was deleted.

This file was deleted.

This file was deleted.

This file was deleted.

This file was deleted.

This file was deleted.

Expand Up @@ -123,6 +123,10 @@
"limit": 200,
"metric": "SECURITY_POLICY_RULES"
},
{
"limit": 1000,
"metric": "XPN_SERVICE_PROJECTS"
},
{
"limit": 150,
"metric": "PACKET_MIRRORINGS"
Expand Up @@ -127,6 +127,10 @@
"limit": 100,
"metric": "SECURITY_POLICY_RULES"
},
{
"limit": 1000,
"metric": "XPN_SERVICE_PROJECTS"
},
{
"limit": 45,
"metric": "PACKET_MIRRORINGS"
@@ -1 +1 @@
prow-build us-central1 us-central1-c;us-central1-f;us-central1-b 67 RUNNING
prow-build us-central1 us-central1-c;us-central1-f;us-central1-b 72 RUNNING
Contributor

nit: we should have audit dump a format that is less noisy for clusters, given that this cluster auto-scales