diff --git a/hack/verify-yamllint.sh b/hack/verify-yamllint.sh index ccf3300dfc2..b6230b4c034 100755 --- a/hack/verify-yamllint.sh +++ b/hack/verify-yamllint.sh @@ -18,9 +18,10 @@ set -o nounset set -o pipefail SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" +REPO_ROOT="$(cd "${SCRIPT_DIR}/.." && pwd )" pip=pip3 -pip_requirements="${SCRIPT_DIR}/requirements.txt" +pip_requirements="${REPO_ROOT}/requirements.txt" yamllint_config="${SCRIPT_DIR}/.yamllint.conf" yamllint_version=$(<"${pip_requirements}" grep yamllint | sed -e 's/.*==//') @@ -35,17 +36,16 @@ if [ $# != 0 ]; then exit 1 fi -if ! which yamllint >/dev/null 2>&1; then - echo >&2 "ERROR: yamllint not found - please install with: ${pip} install -r ${pip_requirements}" +if ! command -v yamllint >/dev/null 2>&1; then + echo >/dev/stderr "ERROR: yamllint not found - please install with: ${pip} install -r ${pip_requirements}" exit 1 fi version=$(yamllint --version | awk '{ print $2 }') if [[ "${version}" != "${yamllint_version}" ]]; then - echo >&2 "ERROR: incorrect yamllint version '${version}' - please install with: ${pip} install ${pip_requirements}" + echo >/dev/stderr "ERROR: incorrect yamllint version '${version}' - please install with: ${pip} install ${pip_requirements}" exit 1 fi -cd ${SCRIPT_DIR}/.. - +cd "${REPO_ROOT}" yamllint -c "${yamllint_config}" . diff --git a/infra/gcp/ensure-organization.sh b/infra/gcp/ensure-organization.sh index 64b3f3d5aed..2f628ce3dd6 100755 --- a/infra/gcp/ensure-organization.sh +++ b/infra/gcp/ensure-organization.sh 
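Review bot: Replacing `>&2` with `>/dev/stderr` in both error branches is a regression rather than a cleanup: `/dev/stderr` is not guaranteed to exist, and on Linux opening it with `>` when fd 2 points at a regular file truncates that file instead of appending, whereas `>&2` only duplicates the descriptor. Keep the original form, e.g. `echo >&2 "ERROR: yamllint not found - please install with: ${pip} install -r ${pip_requirements}"`. The rewritten version-mismatch line also still tells the user to run `${pip} install ${pip_requirements}` without `-r`, which would try to install a package named after the requirements path; add `-r` there while the line is being touched.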
@@ -34,13 +34,21 @@ if [ $# != 0 ]; then exit 1 fi -# TODO: setup custom role StorageBucketLister, I don't see that defined in code -# TODO: setup custom role CustomRole ("Billing Viewer"), I don't see that defined in code +org_roles=( + prow.viewer + audit.viewer + secretmanager.secretLister + organization.admin + CustomRole + StorageBucketLister +) -## setup custom role for prow troubleshooting -color 6 "Ensuring custom org role prow.viewer role exists" +color 6 "Ensuring organization custom roles exist" ( - ensure_custom_iam_role_from_file "org" "prow.viewer" "${SCRIPT_DIR}/roles/prow.viewer.yaml" + for role in "${org_roles[@]}"; do + color 6 "Ensuring organization custom role ${role}" + ensure_custom_iam_role_from_file "org" "${role}" "${SCRIPT_DIR}/roles/${role}.yaml" + done ) 2>&1 | indent color 6 "Ensuring org-level IAM bindings exist" 
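Review bot: Two entries in the new `org_roles` list, `CustomRole` and `StorageBucketLister`, are legacy roles that their own role files mark as brittle or slated for removal under issue 1659, but the list reads as the intended target state for the organization. Mark them in place so the next editor does not treat them as canonical, e.g. `StorageBucketLister # legacy: remove with https://github.com/kubernetes/k8s.io/issues/1659` and a similar note on `CustomRole`. The loop variable is named `role`, and the updated `ensure_custom_iam_role_from_file` in lib_iam.sh reads a `${role}` it never sets for its temp-file paths, so this loop currently works only because of that shared name; the coupling should be fixed in the library rather than relied on here.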
@@ -53,27 +61,46 @@ color 6 "Ensuring org-level IAM bindings exist" ensure_org_role_binding "group:gke-security-groups@kubernetes.io" "roles/browser" # k8s-infra-gcp-accounting@ - # TODO: CustomRole is a brittle name, we should create a better named role, - # or is there a reason we're not using predefined roles/billing.viewer? ensure_org_role_binding "group:k8s-infra-gcp-accounting@kubernetes.io" "$(custom_org_role_name "CustomRole")" # k8s-infra-gcp-auditors@ - # TODO: this is what already exists, but it might be better to collapse this - # into a custom role, or use browser+viewer - audit_roles=( - $(custom_org_role_name "StorageBucketLister") + ensure_org_role_binding "group:k8s-infra-gcp-auditors@kubernetes.io" "$(custom_org_role_name "audit.viewer")" + # TODO(https://github.com/kubernetes/k8s.io/issues/1659): obviated by audit.viewer, remove when bindings gone + old_audit_roles=( + "$(custom_org_role_name "StorageBucketLister")" roles/compute.viewer roles/dns.reader roles/iam.securityReviewer roles/resourcemanager.organizationViewer roles/serviceusage.serviceUsageConsumer ) - for role in "${audit_roles[@]}"; do - ensure_org_role_binding "group:k8s-infra-gcp-auditors@kubernetes.io" "${role}" + for role in "${old_audit_roles[@]}"; do + ensure_removed_org_role_binding "group:k8s-infra-gcp-auditors@kubernetes.io" "${role}" done + echo "exiting early to confirm audit.viewer role migration has worked" + exit 0 + # k8s-infra-org-admins@ - # TODO: there are more granular roles also bound, they seem redundant given - # this role + # roles/owner has too many permissions to aggregate into a custom role, + # and some services (e.g. 
storage) add bindings based on membership in it ensure_org_role_binding "group:k8s-infra-gcp-org-admins@kubernetes.io" "roles/owner" + # everything org admins need beyond roles/owner to manage the org + ensure_org_role_binding "group:k8s-infra-gcp-org-admins@kubernetes.io" "$(custom_org_role_name "organization.admin")" + # TODO(https://github.com/kubernetes/k8s.io/issues/1659): obviated by organization.admin, remove when bindings gone + old_org_admin_roles=( + roles/billing.user + roles/iam.organizationRoleAdmin + roles/resourcemanager.organizationAdmin + roles/resourcemanager.projectCreator + roles/resourcemanager.projectDeleter + roles/servicemanagement.quotaAdmin + ) + for role in "${old_audit_roles[@]}"; do + # TODO(spiffxp): remove the extra super duper paranoia once we verify + # I haven't locked myself out via group membership + ensure_org_role_binding "user:thockin@google.com" "${role}" + ensure_org_role_binding "user:davanum@gmail.com" "${role}" + ensure_removed_org_role_binding "group:k8s-infra-gcp-org-admins@kubernetes.io" "${role}" + done ) 2>&1 | indent diff --git a/infra/gcp/lib_iam.sh b/infra/gcp/lib_iam.sh old mode 100644 new mode 100755 index bf9c1ff5566..5e2c72d48df --- a/infra/gcp/lib_iam.sh +++ b/infra/gcp/lib_iam.sh 
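Review bot: The org-admins migration loop iterates `"${old_audit_roles[@]}"` instead of the `old_org_admin_roles` array declared directly above it, so once the `exit 0` guard is lifted it would bind the auditor role set (StorageBucketLister, roles/compute.viewer, roles/iam.securityReviewer, ...) to the two `user:` principals and attempt to remove those roles from the org-admins group, while roles/resourcemanager.organizationAdmin, roles/billing.user and the rest of the old admin roles are never removed; change it to `for role in "${old_org_admin_roles[@]}"; do`. The `exit 0` only leaves the `( ... ) 2>&1 | indent` subshell, so it does not stop whatever follows the pipeline, and it leaves the entire org-admins section unreachable and unexercised, which is how the wrong array slipped through. The temporary bindings of org-wide admin roles directly to individual `user:` accounts, one of them a consumer gmail identity, have no matching `ensure_removed_org_role_binding` call or tracking reference; add one, e.g. `# TODO(https://github.com/kubernetes/k8s.io/issues/1659): remove the user: bindings once group membership is confirmed`, so the paranoia bindings do not outlive the migration. The `organization.admin` role file those removals depend on is not part of the diff as shown, so I cannot confirm it covers the permissions being dropped.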
@@ -76,26 +76,39 @@ function ensure_custom_iam_role_from_file() { local scope="${1}" local name="${2}" local file="${3}" + local full_name="${name}" scope_flag="" if [[ "${scope}" == "org" ]]; then scope_flag="--organization ${GCP_ORG}" + full_name="organizations/${GCP_ORG}/roles/${name}" elif [[ "${scope}" =~ "^project:" ]]; then - scope_flag="--project $(echo ${scope} | cut -d: -f2-)" + project=$(echo "${scope}" | cut -d: -f2-) + scope_flag="--project ${project}" + full_name="projects/${project}/roles/${name}" else echo "ensure_custom_iam_role_from_file(scope, name, file) scope must be one of 'org' or 'project:project-id'" >&2 return 1 fi - if ! gcloud iam roles describe ${scope_flag} "${name}" \ - >/dev/null 2>&1 - then - # be noisy when creating a role - gcloud iam roles create ${scope_flag} "${name}" --file "${file}" - else - # be quiet when updating, only output name of role - gcloud iam roles update ${scope_flag} "${name}" --file "${file}" | grep ^name: + tmp_dir=$(mktemp -d "/tmp/ensure-role-${name}-XXXXX") + trap 'rm -rf "${tmp_dir}"' EXIT + before="${tmp_dir}/before.${role}.yaml" + ready="${tmp_dir}/ready.${role}.yaml" + after="${tmp_dir}/after.${role}.yaml" + + # detect if we should create or update and dump role; silently ignore error + verb="update" + if ! (gcloud iam roles describe ${scope_flag} "${name}" >"${before}") >/dev/null 2>&1; then + verb="create" fi + + # name is foo.bar, but gcloud wants scope/id/role/foo.bar in the file + <"${file}" sed -e "s|^name: ${name}|name: ${full_name}|" >"${ready}" + gcloud iam roles "${verb}" ${scope_flag} "${name}" --file "${ready}" > "${after}" + + # if they differ, ignore the error + diff "${before}" "${after}" || true } # Return the full name of a custom IAM role defined at the org level 
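Review bot: The new temp-file paths use `${role}`, but this function's parameter is `name` and `role` is never assigned here, so the paths resolve only when a caller happens to have a loop variable named `role` in scope (as the org_roles loop in ensure-organization.sh does); any other caller gets `before..yaml` or, under `set -u`, an abort. The `trap 'rm -rf "${tmp_dir}"' EXIT` is installed in the caller's shell on every call, so each call replaces the previous trap and only the last temp dir is ever removed, and `tmp_dir`, `project`, `before`, `ready`, `after` and `verb` are not `local`. Rewrite the setup to use `name`, local variables and an explicit cleanup at the end of the function, as below. Separately and pre-existing in the context lines, the quoted pattern in `[[ "${scope}" =~ "^project:" ]]` is matched literally by bash, so the `project:` branch that now builds `full_name` can never be taken; drop the quotes around the regex.
```shell
  local full_name="${name}"
  local project tmp_dir before ready after verb
  # … unchanged: scope_flag / full_name selection (use =~ ^project: without quotes) …
  tmp_dir=$(mktemp -d) || return 1
  before="${tmp_dir}/before.${name}.yaml"
  ready="${tmp_dir}/ready.${name}.yaml"
  after="${tmp_dir}/after.${name}.yaml"
  # … unchanged: describe, rewrite name, create/update, diff …
  rm -rf "${tmp_dir}"
```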
@@ -153,7 +166,7 @@ function ensure_project_role_binding() { --role "${role}" } -# Ensure that IAM binding has been removed at project level +# Ensure that IAM binding has been removed from project # Arguments: # $1: The project id (e.g. "k8s-infra-foo") # $2: The principal (e.g. "group:k8s-infra-foo@kubernetes.io") @@ -163,6 +176,7 @@ function ensure_removed_project_role_binding() { echo "ensure_removed_project_role_binding(project, principal, role) requires 3 arguments" >&2 return 1 fi + local project="${1}" local principal="${2}" local role="${3}" @@ -170,6 +184,23 @@ function ensure_removed_project_role_binding() { _ensure_removed_resource_role_binding "projects" "${project}" "${principal}" "${role}" } +# Ensure that IAM binding has been removed from organization +# Arguments: +# $1: The principal (e.g. "group:k8s-infra-foo@kubernetes.io") +# $2: The role name (e.g. "roles/foo.bar") +function ensure_removed_org_role_binding() { + if [ ! $# -eq 2 -o -z "$1" -o -z "$2" ]; then + echo "ensure_removed_org_role_binding(principal, role) requires 2 arguments" >&2 + return 1 + fi + + local organization="${GCP_ORG}" + local principal="${1}" + local role="${2}" + + _ensure_removed_resource_role_binding "organizations" "${organization}" "${principal}" "${role}" +} + # Ensure that IAM binding has been removed at resource level # Arguments: # $1: The resource type (e.g. "projects", "organizations", "secrets" ) diff --git a/infra/gcp/roles/CustomRole.yaml b/infra/gcp/roles/CustomRole.yaml new file mode 100644 index 00000000000..57396ca2e16 --- /dev/null +++ b/infra/gcp/roles/CustomRole.yaml 
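Review bot: The argument check in the new `ensure_removed_org_role_binding` uses `[ ! $# -eq 2 -o -z "$1" -o -z "$2" ]`, and `-o` inside `[` is deprecated and ambiguous when an operand looks like an operator; the `[[ ... ]]` form is unambiguous: `if [[ $# -ne 2 || -z "$1" || -z "$2" ]]; then`. It presumably mirrors the sibling project-level check, whose test line is outside this hunk, so either change both together or keep them consistent on purpose. The function also passes `${GCP_ORG}` through unconditionally; unless the sourcing script runs with `set -u`, an unset org silently becomes an empty resource id for `_ensure_removed_resource_role_binding`, so a guard such as `: "${GCP_ORG:?GCP_ORG must be set}"` before the call is cheap insurance.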
@@ -0,0 +1,48 @@ +#### generated by generate-role-yaml.sh from the following spec: +# +# # This was retroactively put together to match a role that is already in +# # production. It's not entirely clear why it was built this way, for example +# # why all of the permission exclusions from roles/billing.viewer +# # +# # TODO: CustomRole is a brittle name, we should migrate to a better named role +# title: Billing Viewer +# description: View access to billing info +# name: CustomRole +# include: +# roles: +# - roles/billing.viewer +# - roles/browser +# permissions: +# # not sure what role this permission comes from +# - billing.resourceCosts.get +# exclude: +# permissionRegexes: +# # unclear why the exclusion of billing.account.* except getSpendingInformation +# - ^billing.accounts.get$ +# - ^billing.accounts.getPaymentInfo +# - ^billing.accounts.getUsageExportSpec +# - ^billing.accounts.list +# # unclear if these were intentionally excluded +# - ^consumerprocurement. +# - ^dataprocessing. +# - ^recommender. +# # we may want to allow these two for org hierarchy navigation +# - ^resourcemanager.folders. +# - ^resourcemanager.organizations. +# - getIamPolicy$ +# +description: View access to billing info +includedPermissions: + - billing.accounts.getSpendingInformation + - billing.budgets.get + - billing.budgets.list + - billing.credits.list + - billing.resourceAssociations.list + - billing.resourceCosts.get + - billing.subscriptions.get + - billing.subscriptions.list + - resourcemanager.projects.get + - resourcemanager.projects.list +name: CustomRole +stage: GA +title: Billing Viewer diff --git a/infra/gcp/roles/StorageBucketLister.yaml b/infra/gcp/roles/StorageBucketLister.yaml new file mode 100644 index 00000000000..a4011f70983 --- /dev/null +++ b/infra/gcp/roles/StorageBucketLister.yaml 
@@ -0,0 +1,26 @@ +#### generated by generate-role-yaml.sh from the following spec: +# +# # allow listing of buckets +# # TODO(https://github.com/kubernetes/k8s.io/issues/1659): remove once auditor.viewer is used instead +# title: Storage Bucket Lister +# description: Can list storage buckets +# name: StorageBucketLister +# include: +# roles: +# - roles/storage.admin +# permissionRegexes: +# - ^storage.buckets. +# exclude: +# permissionRegexes: +# - create$ +# - update$ +# - delete$ +# - IamPolicy$ +# +description: Can list storage buckets +includedPermissions: + - storage.buckets.get + - storage.buckets.list +name: StorageBucketLister +stage: GA +title: Storage Bucket Lister diff --git a/infra/gcp/roles/audit.viewer.yaml b/infra/gcp/roles/audit.viewer.yaml new file mode 100644 index 00000000000..1c65f1e93f9 --- /dev/null +++ b/infra/gcp/roles/audit.viewer.yaml 
@@ -0,0 +1,911 @@ +#### generated by generate-role-yaml.sh from the following spec: +# +# # an aggregate of different service roles to allow auditing of all resources +# # in the organization hierarchy using GCP console or gcloud commands +# title: Audit Viewer +# description: View access to resources +# name: audit.viewer +# include: +# roles: +# - roles/compute.viewer +# - roles/dns.reader +# - roles/iam.securityReviewer +# - roles/resourcemanager.organizationViewer +# - roles/serviceusage.serviceUsageConsumer +# permissions: +# - storage.buckets.get +# - storage.buckets.getIamPolicy +# - storage.buckets.list +# exclude: +# permissionRegexes: +# # permissions with custom roles support level NOT_SUPPORTED +# # ref: https://cloud.google.com/iam/docs/custom-roles-permissions-support +# - ^cloudonefs. +# - ^gcp.redisenterprise. +# - ^datastore. +# - ^domains.registrations. +# - ^gkehub. +# - ^servicemanagement.consumerSettings +# +description: View access to resources +includedPermissions: + - accessapproval.requests.list + - accesscontextmanager.accessLevels.list + - accesscontextmanager.accessPolicies.getIamPolicy + - accesscontextmanager.accessPolicies.list + - accesscontextmanager.accessZones.list + - accesscontextmanager.gcpUserAccessBindings.list + - accesscontextmanager.policies.getIamPolicy + - accesscontextmanager.policies.list + - accesscontextmanager.servicePerimeters.list + - actions.agentVersions.list + - aiplatform.annotationSpecs.list + - aiplatform.annotations.list + - aiplatform.batchPredictionJobs.list + - aiplatform.customJobs.list + - aiplatform.dataItems.list + - aiplatform.dataLabelingJobs.list + - aiplatform.datasets.list + - aiplatform.endpoints.list + - aiplatform.hyperparameterTuningJobs.list + - aiplatform.locations.list + - aiplatform.modelEvaluationSlices.list + - aiplatform.modelEvaluations.list + - aiplatform.models.list + - aiplatform.operations.list + - aiplatform.specialistPools.list + - aiplatform.studies.list + - 
aiplatform.trainingPipelines.list + - aiplatform.trials.list + - apigateway.apiconfigs.getIamPolicy + - apigateway.apiconfigs.list + - apigateway.apis.getIamPolicy + - apigateway.apis.list + - apigateway.gateways.getIamPolicy + - apigateway.gateways.list + - apigateway.locations.list + - apigateway.operations.list + - apigee.apiproductattributes.list + - apigee.apiproducts.list + - apigee.apps.list + - apigee.caches.list + - apigee.datacollectors.list + - apigee.datastores.list + - apigee.deployments.list + - apigee.developerappattributes.list + - apigee.developerapps.list + - apigee.developerattributes.list + - apigee.developers.list + - apigee.envgroupattachments.list + - apigee.envgroups.list + - apigee.environments.getIamPolicy + - apigee.environments.list + - apigee.exports.list + - apigee.flowhooks.list + - apigee.hostqueries.list + - apigee.instanceattachments.list + - apigee.instances.list + - apigee.keystorealiases.list + - apigee.keystores.list + - apigee.keyvaluemaps.list + - apigee.operations.list + - apigee.organizations.list + - apigee.portals.list + - apigee.proxies.list + - apigee.proxyrevisions.list + - apigee.queries.list + - apigee.references.list + - apigee.reports.list + - apigee.resourcefiles.list + - apigee.sharedflowrevisions.list + - apigee.sharedflows.list + - apigee.targetservers.list + - apigee.tracesessions.list + - apigeeconnect.connections.list + - apikeys.keys.list + - appengine.instances.list + - appengine.memcache.list + - appengine.operations.list + - appengine.services.list + - appengine.versions.list + - artifactregistry.files.list + - artifactregistry.packages.list + - artifactregistry.repositories.getIamPolicy + - artifactregistry.repositories.list + - artifactregistry.tags.list + - artifactregistry.versions.list + - assuredworkloads.operations.list + - assuredworkloads.workload.list + - automl.annotationSpecs.list + - automl.annotations.list + - automl.columnSpecs.list + - automl.datasets.getIamPolicy + - automl.datasets.list 
+ - automl.examples.list + - automl.humanAnnotationTasks.list + - automl.locations.getIamPolicy + - automl.locations.list + - automl.modelEvaluations.list + - automl.models.getIamPolicy + - automl.models.list + - automl.operations.list + - automl.tableSpecs.list + - automlrecommendations.apiKeys.list + - automlrecommendations.catalogItems.list + - automlrecommendations.catalogs.list + - automlrecommendations.events.list + - automlrecommendations.placements.list + - automlrecommendations.recommendations.list + - autoscaling.sites.getIamPolicy + - bigquery.capacityCommitments.list + - bigquery.connections.getIamPolicy + - bigquery.connections.list + - bigquery.datasets.getIamPolicy + - bigquery.jobs.list + - bigquery.models.list + - bigquery.reservationAssignments.list + - bigquery.reservations.list + - bigquery.routines.list + - bigquery.savedqueries.list + - bigquery.tables.getIamPolicy + - bigquery.tables.list + - bigtable.appProfiles.list + - bigtable.backups.getIamPolicy + - bigtable.backups.list + - bigtable.clusters.list + - bigtable.instances.getIamPolicy + - bigtable.instances.list + - bigtable.keyvisualizer.list + - bigtable.locations.list + - bigtable.tables.getIamPolicy + - bigtable.tables.list + - billing.accounts.getIamPolicy + - billing.accounts.list + - billing.budgets.list + - billing.credits.list + - billing.resourceAssociations.list + - billing.subscriptions.list + - binaryauthorization.attestors.getIamPolicy + - binaryauthorization.attestors.list + - binaryauthorization.continuousValidationConfig.getIamPolicy + - binaryauthorization.policy.getIamPolicy + - clientauthconfig.brands.list + - clientauthconfig.clients.list + - cloudasset.feeds.list + - cloudbuild.builds.list + - clouddebugger.breakpoints.list + - clouddebugger.debuggees.list + - cloudfunctions.functions.getIamPolicy + - cloudfunctions.functions.list + - cloudfunctions.locations.list + - cloudfunctions.operations.list + - cloudiot.devices.list + - cloudiot.registries.getIamPolicy + - 
cloudiot.registries.list + - cloudjobdiscovery.companies.list + - cloudkms.cryptoKeyVersions.list + - cloudkms.cryptoKeys.getIamPolicy + - cloudkms.cryptoKeys.list + - cloudkms.importJobs.getIamPolicy + - cloudkms.importJobs.list + - cloudkms.keyRings.getIamPolicy + - cloudkms.keyRings.list + - cloudnotifications.activities.list + - cloudprivatecatalogproducer.associations.list + - cloudprivatecatalogproducer.catalogAssociations.list + - cloudprivatecatalogproducer.catalogs.getIamPolicy + - cloudprivatecatalogproducer.catalogs.list + - cloudprivatecatalogproducer.producerCatalogs.getIamPolicy + - cloudprivatecatalogproducer.producerCatalogs.list + - cloudprivatecatalogproducer.products.getIamPolicy + - cloudprivatecatalogproducer.products.list + - cloudprofiler.profiles.list + - cloudscheduler.jobs.list + - cloudscheduler.locations.list + - cloudsecurityscanner.crawledurls.list + - cloudsecurityscanner.results.list + - cloudsecurityscanner.scanruns.list + - cloudsecurityscanner.scans.list + - cloudsql.backupRuns.list + - cloudsql.databases.list + - cloudsql.instances.list + - cloudsql.sslCerts.list + - cloudsql.users.list + - cloudsupport.accounts.getIamPolicy + - cloudsupport.accounts.list + - cloudsupport.techCases.list + - cloudtasks.locations.list + - cloudtasks.queues.getIamPolicy + - cloudtasks.queues.list + - cloudtasks.tasks.list + - cloudtoolresults.executions.list + - cloudtoolresults.histories.list + - cloudtoolresults.steps.list + - cloudtrace.insights.list + - cloudtrace.tasks.list + - cloudtrace.traces.list + - cloudtranslate.glossaries.list + - cloudtranslate.locations.list + - cloudtranslate.operations.list + - cloudvolumesgcp-api.netapp.com/activeDirectories.list + - cloudvolumesgcp-api.netapp.com/ipRanges.list + - cloudvolumesgcp-api.netapp.com/jobs.list + - cloudvolumesgcp-api.netapp.com/regions.list + - cloudvolumesgcp-api.netapp.com/serviceLevels.list + - cloudvolumesgcp-api.netapp.com/snapshots.list + - 
cloudvolumesgcp-api.netapp.com/volumes.list + - composer.environments.list + - composer.imageversions.list + - composer.operations.list + - compute.acceleratorTypes.get + - compute.acceleratorTypes.list + - compute.addresses.get + - compute.addresses.list + - compute.autoscalers.get + - compute.autoscalers.list + - compute.backendBuckets.get + - compute.backendBuckets.list + - compute.backendServices.get + - compute.backendServices.list + - compute.commitments.get + - compute.commitments.list + - compute.diskTypes.get + - compute.diskTypes.list + - compute.disks.get + - compute.disks.getIamPolicy + - compute.disks.list + - compute.externalVpnGateways.get + - compute.externalVpnGateways.list + - compute.firewallPolicies.get + - compute.firewallPolicies.getIamPolicy + - compute.firewallPolicies.list + - compute.firewalls.get + - compute.firewalls.list + - compute.forwardingRules.get + - compute.forwardingRules.list + - compute.globalAddresses.get + - compute.globalAddresses.list + - compute.globalForwardingRules.get + - compute.globalForwardingRules.list + - compute.globalForwardingRules.pscGet + - compute.globalNetworkEndpointGroups.get + - compute.globalNetworkEndpointGroups.list + - compute.globalOperations.get + - compute.globalOperations.getIamPolicy + - compute.globalOperations.list + - compute.globalPublicDelegatedPrefixes.get + - compute.globalPublicDelegatedPrefixes.list + - compute.healthChecks.get + - compute.healthChecks.list + - compute.httpHealthChecks.get + - compute.httpHealthChecks.list + - compute.httpsHealthChecks.get + - compute.httpsHealthChecks.list + - compute.images.get + - compute.images.getFromFamily + - compute.images.getIamPolicy + - compute.images.list + - compute.instanceGroupManagers.get + - compute.instanceGroupManagers.list + - compute.instanceGroups.get + - compute.instanceGroups.list + - compute.instanceTemplates.get + - compute.instanceTemplates.getIamPolicy + - compute.instanceTemplates.list + - compute.instances.get + - 
compute.instances.getEffectiveFirewalls + - compute.instances.getGuestAttributes + - compute.instances.getIamPolicy + - compute.instances.getScreenshot + - compute.instances.getSerialPortOutput + - compute.instances.getShieldedInstanceIdentity + - compute.instances.getShieldedVmIdentity + - compute.instances.list + - compute.instances.listReferrers + - compute.interconnectAttachments.get + - compute.interconnectAttachments.list + - compute.interconnectLocations.get + - compute.interconnectLocations.list + - compute.interconnects.get + - compute.interconnects.list + - compute.licenseCodes.get + - compute.licenseCodes.getIamPolicy + - compute.licenseCodes.list + - compute.licenses.get + - compute.licenses.getIamPolicy + - compute.licenses.list + - compute.machineImages.get + - compute.machineImages.getIamPolicy + - compute.machineImages.list + - compute.machineTypes.get + - compute.machineTypes.list + - compute.maintenancePolicies.get + - compute.maintenancePolicies.getIamPolicy + - compute.maintenancePolicies.list + - compute.networkEndpointGroups.get + - compute.networkEndpointGroups.getIamPolicy + - compute.networkEndpointGroups.list + - compute.networks.get + - compute.networks.getEffectiveFirewalls + - compute.networks.list + - compute.networks.listPeeringRoutes + - compute.nodeGroups.get + - compute.nodeGroups.getIamPolicy + - compute.nodeGroups.list + - compute.nodeTemplates.get + - compute.nodeTemplates.getIamPolicy + - compute.nodeTemplates.list + - compute.nodeTypes.get + - compute.nodeTypes.list + - compute.organizations.listAssociations + - compute.projects.get + - compute.publicAdvertisedPrefixes.get + - compute.publicAdvertisedPrefixes.list + - compute.publicDelegatedPrefixes.get + - compute.publicDelegatedPrefixes.list + - compute.regionBackendServices.get + - compute.regionBackendServices.list + - compute.regionHealthCheckServices.get + - compute.regionHealthCheckServices.list + - compute.regionHealthChecks.get + - compute.regionHealthChecks.list + - 
compute.regionNetworkEndpointGroups.get + - compute.regionNetworkEndpointGroups.list + - compute.regionNotificationEndpoints.get + - compute.regionNotificationEndpoints.list + - compute.regionOperations.get + - compute.regionOperations.getIamPolicy + - compute.regionOperations.list + - compute.regionSslCertificates.get + - compute.regionSslCertificates.list + - compute.regionTargetHttpProxies.get + - compute.regionTargetHttpProxies.list + - compute.regionTargetHttpsProxies.get + - compute.regionTargetHttpsProxies.list + - compute.regionUrlMaps.get + - compute.regionUrlMaps.list + - compute.regionUrlMaps.validate + - compute.regions.get + - compute.regions.list + - compute.reservations.get + - compute.reservations.list + - compute.resourcePolicies.get + - compute.resourcePolicies.list + - compute.routers.get + - compute.routers.list + - compute.routes.get + - compute.routes.list + - compute.securityPolicies.get + - compute.securityPolicies.getIamPolicy + - compute.securityPolicies.list + - compute.serviceAttachments.get + - compute.serviceAttachments.list + - compute.snapshots.get + - compute.snapshots.getIamPolicy + - compute.snapshots.list + - compute.sslCertificates.get + - compute.sslCertificates.list + - compute.sslPolicies.get + - compute.sslPolicies.list + - compute.sslPolicies.listAvailableFeatures + - compute.subnetworks.get + - compute.subnetworks.getIamPolicy + - compute.subnetworks.list + - compute.targetGrpcProxies.get + - compute.targetGrpcProxies.list + - compute.targetHttpProxies.get + - compute.targetHttpProxies.list + - compute.targetHttpsProxies.get + - compute.targetHttpsProxies.list + - compute.targetInstances.get + - compute.targetInstances.list + - compute.targetPools.get + - compute.targetPools.list + - compute.targetSslProxies.get + - compute.targetSslProxies.list + - compute.targetTcpProxies.get + - compute.targetTcpProxies.list + - compute.targetVpnGateways.get + - compute.targetVpnGateways.list + - compute.urlMaps.get + - 
compute.urlMaps.list + - compute.urlMaps.validate + - compute.vpnGateways.get + - compute.vpnGateways.list + - compute.vpnTunnels.get + - compute.vpnTunnels.list + - compute.zoneOperations.get + - compute.zoneOperations.getIamPolicy + - compute.zoneOperations.list + - compute.zones.get + - compute.zones.list + - consumerprocurement.accounts.list + - consumerprocurement.entitlements.list + - consumerprocurement.freeTrials.list + - consumerprocurement.orders.list + - container.apiServices.list + - container.auditSinks.list + - container.backendConfigs.list + - container.bindings.list + - container.certificateSigningRequests.list + - container.clusterRoleBindings.list + - container.clusterRoles.list + - container.clusters.list + - container.componentStatuses.list + - container.configMaps.list + - container.controllerRevisions.list + - container.cronJobs.list + - container.csiDrivers.list + - container.csiNodeInfos.list + - container.csiNodes.list + - container.customResourceDefinitions.list + - container.daemonSets.list + - container.deployments.list + - container.endpointSlices.list + - container.endpoints.list + - container.events.list + - container.frontendConfigs.list + - container.horizontalPodAutoscalers.list + - container.ingresses.list + - container.initializerConfigurations.list + - container.jobs.list + - container.leases.list + - container.limitRanges.list + - container.localSubjectAccessReviews.list + - container.managedCertificates.list + - container.mutatingWebhookConfigurations.list + - container.namespaces.list + - container.networkPolicies.list + - container.nodes.list + - container.operations.list + - container.persistentVolumeClaims.list + - container.persistentVolumes.list + - container.petSets.list + - container.podDisruptionBudgets.list + - container.podPresets.list + - container.podSecurityPolicies.list + - container.podTemplates.list + - container.pods.list + - container.priorityClasses.list + - container.replicaSets.list + - 
container.replicationControllers.list + - container.resourceQuotas.list + - container.roleBindings.list + - container.roles.list + - container.runtimeClasses.list + - container.scheduledJobs.list + - container.selfSubjectAccessReviews.list + - container.serviceAccounts.list + - container.services.list + - container.statefulSets.list + - container.storageClasses.list + - container.storageStates.list + - container.storageVersionMigrations.list + - container.subjectAccessReviews.list + - container.thirdPartyObjects.list + - container.thirdPartyResources.list + - container.updateInfos.list + - container.validatingWebhookConfigurations.list + - container.volumeAttachments.list + - container.volumeSnapshotClasses.list + - container.volumeSnapshotContents.list + - container.volumeSnapshots.list + - containeranalysis.notes.getIamPolicy + - containeranalysis.notes.list + - containeranalysis.occurrences.getIamPolicy + - containeranalysis.occurrences.list + - datacatalog.categories.getIamPolicy + - datacatalog.entries.getIamPolicy + - datacatalog.entries.list + - datacatalog.entryGroups.getIamPolicy + - datacatalog.entryGroups.list + - datacatalog.tagTemplates.getIamPolicy + - datacatalog.taxonomies.getIamPolicy + - datacatalog.taxonomies.list + - dataflow.jobs.list + - dataflow.messages.list + - dataflow.snapshots.list + - datafusion.instances.getIamPolicy + - datafusion.instances.list + - datafusion.locations.list + - datafusion.operations.list + - datalabeling.annotateddatasets.list + - datalabeling.annotationspecsets.list + - datalabeling.dataitems.list + - datalabeling.datasets.list + - datalabeling.examples.list + - datalabeling.instructions.list + - datalabeling.operations.list + - datamigration.connectionprofiles.getIamPolicy + - datamigration.connectionprofiles.list + - datamigration.locations.list + - datamigration.migrationjobs.getIamPolicy + - datamigration.migrationjobs.list + - datamigration.operations.list + - dataproc.agents.list + - 
dataproc.autoscalingPolicies.getIamPolicy + - dataproc.autoscalingPolicies.list + - dataproc.clusters.getIamPolicy + - dataproc.clusters.list + - dataproc.jobs.getIamPolicy + - dataproc.jobs.list + - dataproc.operations.getIamPolicy + - dataproc.operations.list + - dataproc.workflowTemplates.getIamPolicy + - dataproc.workflowTemplates.list + - dataprocessing.datasources.list + - dataprocessing.featurecontrols.list + - dataprocessing.groupcontrols.list + - deploymentmanager.compositeTypes.list + - deploymentmanager.deployments.getIamPolicy + - deploymentmanager.deployments.list + - deploymentmanager.manifests.list + - deploymentmanager.operations.list + - deploymentmanager.resources.list + - deploymentmanager.typeProviders.list + - deploymentmanager.types.list + - dialogflow.agents.list + - dialogflow.contexts.list + - dialogflow.documents.list + - dialogflow.entityTypes.list + - dialogflow.environments.list + - dialogflow.flows.list + - dialogflow.intents.list + - dialogflow.knowledgeBases.list + - dialogflow.pages.list + - dialogflow.sessionEntityTypes.list + - dialogflow.transitionRouteGroups.list + - dialogflow.versions.list + - dialogflow.webhooks.list + - dlp.analyzeRiskTemplates.list + - dlp.deidentifyTemplates.list + - dlp.inspectFindings.list + - dlp.inspectTemplates.list + - dlp.jobTriggers.list + - dlp.jobs.list + - dlp.storedInfoTypes.list + - dns.changes.get + - dns.changes.list + - dns.dnsKeys.get + - dns.dnsKeys.list + - dns.managedZoneOperations.get + - dns.managedZoneOperations.list + - dns.managedZones.get + - dns.managedZones.list + - dns.policies.get + - dns.policies.getIamPolicy + - dns.policies.list + - dns.projects.get + - dns.resourceRecordSets.list + - documentai.evaluations.list + - documentai.labelerPools.list + - documentai.locations.list + - documentai.processorTypes.list + - documentai.processorVersions.list + - documentai.processors.list + - domains.locations.list + - domains.operations.list + - earlyaccesscenter.campaigns.list + - 
earlyaccesscenter.customerAllowlists.list + - earthengine.assets.getIamPolicy + - earthengine.assets.list + - earthengine.operations.list + - errorreporting.applications.list + - errorreporting.errorEvents.list + - errorreporting.groups.list + - essentialcontacts.contacts.list + - eventarc.locations.list + - eventarc.operations.list + - eventarc.triggers.getIamPolicy + - eventarc.triggers.list + - file.backups.list + - file.instances.list + - file.locations.list + - file.operations.list + - file.snapshots.list + - firebase.clients.list + - firebase.links.list + - firebaseabt.experiments.list + - firebaseappdistro.groups.list + - firebaseappdistro.releases.list + - firebaseappdistro.testers.list + - firebasecrashlytics.issues.list + - firebasedatabase.instances.list + - firebasedynamiclinks.destinations.list + - firebasedynamiclinks.domains.list + - firebasedynamiclinks.links.list + - firebaseextensions.configs.list + - firebasehosting.sites.list + - firebaseinappmessaging.campaigns.list + - firebaseml.compressionjobs.list + - firebaseml.models.list + - firebaseml.modelversions.list + - firebasenotifications.messages.list + - firebasepredictions.predictions.list + - firebaserules.releases.list + - firebaserules.rulesets.list + - firebasestorage.buckets.list + - gameservices.gameServerClusters.list + - gameservices.gameServerConfigs.list + - gameservices.gameServerDeployments.list + - gameservices.locations.list + - gameservices.operations.list + - gameservices.realms.list + - genomics.datasets.getIamPolicy + - genomics.datasets.list + - genomics.operations.list + - gsuiteaddons.deployments.list + - healthcare.annotationStores.getIamPolicy + - healthcare.annotationStores.list + - healthcare.annotations.list + - healthcare.attributeDefinitions.list + - healthcare.consentArtifacts.list + - healthcare.consentStores.getIamPolicy + - healthcare.consentStores.list + - healthcare.consents.list + - healthcare.datasets.getIamPolicy + - healthcare.datasets.list + - 
healthcare.dicomStores.getIamPolicy + - healthcare.dicomStores.list + - healthcare.fhirStores.getIamPolicy + - healthcare.fhirStores.list + - healthcare.hl7V2Messages.list + - healthcare.hl7V2Stores.getIamPolicy + - healthcare.hl7V2Stores.list + - healthcare.locations.list + - healthcare.operations.list + - healthcare.userDataMappings.list + - iam.googleapis.com/workloadIdentityPoolProviders.list + - iam.googleapis.com/workloadIdentityPools.list + - iam.roles.get + - iam.roles.list + - iam.serviceAccountKeys.list + - iam.serviceAccounts.get + - iam.serviceAccounts.getIamPolicy + - iam.serviceAccounts.list + - iap.tunnel.getIamPolicy + - iap.tunnelInstances.getIamPolicy + - iap.tunnelZones.getIamPolicy + - iap.web.getIamPolicy + - iap.webServiceVersions.getIamPolicy + - iap.webServices.getIamPolicy + - iap.webTypes.getIamPolicy + - identityplatform.workloadPoolProviders.list + - identityplatform.workloadPools.list + - lifesciences.operations.list + - logging.buckets.list + - logging.exclusions.list + - logging.locations.list + - logging.logEntries.list + - logging.logMetrics.list + - logging.logServiceIndexes.list + - logging.logServices.list + - logging.logs.list + - logging.notificationRules.list + - logging.privateLogEntries.list + - logging.queries.list + - logging.sinks.list + - logging.views.list + - managedidentities.domains.getIamPolicy + - managedidentities.domains.list + - managedidentities.locations.list + - managedidentities.operations.list + - memcache.instances.list + - memcache.locations.list + - memcache.operations.list + - metastore.imports.list + - metastore.locations.list + - metastore.operations.list + - metastore.services.getIamPolicy + - metastore.services.list + - ml.jobs.getIamPolicy + - ml.jobs.list + - ml.locations.list + - ml.models.getIamPolicy + - ml.models.list + - ml.operations.list + - ml.studies.getIamPolicy + - ml.studies.list + - ml.trials.list + - ml.versions.list + - monitoring.alertPolicies.list + - monitoring.dashboards.list + 
- monitoring.groups.list + - monitoring.metricDescriptors.list + - monitoring.monitoredResourceDescriptors.list + - monitoring.notificationChannelDescriptors.list + - monitoring.notificationChannels.list + - monitoring.publicWidgets.list + - monitoring.services.list + - monitoring.slos.list + - monitoring.timeSeries.list + - monitoring.uptimeCheckConfigs.list + - networkmanagement.connectivitytests.getIamPolicy + - networkmanagement.connectivitytests.list + - networkmanagement.locations.list + - networkmanagement.operations.list + - networksecurity.authorizationPolicies.getIamPolicy + - networksecurity.authorizationPolicies.list + - networksecurity.clientTlsPolicies.getIamPolicy + - networksecurity.clientTlsPolicies.list + - networksecurity.locations.list + - networksecurity.operations.list + - networksecurity.serverTlsPolicies.getIamPolicy + - networksecurity.serverTlsPolicies.list + - networkservices.endpointConfigSelectors.getIamPolicy + - networkservices.endpointConfigSelectors.list + - networkservices.httpFilters.getIamPolicy + - networkservices.httpFilters.list + - networkservices.httpfilters.getIamPolicy + - networkservices.httpfilters.list + - networkservices.locations.list + - networkservices.operations.list + - notebooks.environments.getIamPolicy + - notebooks.environments.list + - notebooks.executions.getIamPolicy + - notebooks.executions.list + - notebooks.instances.getIamPolicy + - notebooks.instances.list + - notebooks.locations.list + - notebooks.operations.list + - notebooks.schedules.getIamPolicy + - notebooks.schedules.list + - ondemandscanning.operations.list + - osconfig.guestPolicies.list + - osconfig.patchDeployments.list + - osconfig.patchJobs.list + - policysimulator.replayResults.list + - policysimulator.replays.list + - privateca.certificateAuthorities.getIamPolicy + - privateca.certificateAuthorities.list + - privateca.certificateRevocationLists.getIamPolicy + - privateca.certificateRevocationLists.list + - 
privateca.certificates.getIamPolicy + - privateca.certificates.list + - privateca.locations.list + - privateca.operations.list + - privateca.reusableConfigs.getIamPolicy + - privateca.reusableConfigs.list + - proximitybeacon.attachments.list + - proximitybeacon.beacons.getIamPolicy + - proximitybeacon.beacons.list + - proximitybeacon.namespaces.getIamPolicy + - proximitybeacon.namespaces.list + - pubsub.schemas.getIamPolicy + - pubsub.schemas.list + - pubsub.snapshots.getIamPolicy + - pubsub.snapshots.list + - pubsub.subscriptions.getIamPolicy + - pubsub.subscriptions.list + - pubsub.topics.getIamPolicy + - pubsub.topics.list + - pubsublite.subscriptions.list + - pubsublite.topics.list + - recaptchaenterprise.keys.list + - recommender.commitmentUtilizationInsights.list + - recommender.computeAddressIdleResourceInsights.list + - recommender.computeAddressIdleResourceRecommendations.list + - recommender.computeDiskIdleResourceInsights.list + - recommender.computeDiskIdleResourceRecommendations.list + - recommender.computeFirewallInsights.list + - recommender.computeImageIdleResourceInsights.list + - recommender.computeImageIdleResourceRecommendations.list + - recommender.computeInstanceGroupManagerMachineTypeRecommendations.list + - recommender.computeInstanceIdleResourceRecommendations.list + - recommender.computeInstanceMachineTypeRecommendations.list + - recommender.iamPolicyInsights.list + - recommender.iamPolicyRecommendations.list + - recommender.iamServiceAccountInsights.list + - recommender.locations.list + - recommender.loggingProductSuggestionContainerInsights.list + - recommender.loggingProductSuggestionContainerRecommendations.list + - recommender.monitoringProductSuggestionComputeInsights.list + - recommender.monitoringProductSuggestionComputeRecommendations.list + - recommender.usageCommitmentRecommendations.list + - redis.instances.list + - redis.locations.list + - redis.operations.list + - remotebuildexecution.instances.list + - 
remotebuildexecution.workerpools.list + - resourcemanager.folders.getIamPolicy + - resourcemanager.folders.list + - resourcemanager.organizations.get + - resourcemanager.organizations.getIamPolicy + - resourcemanager.projects.get + - resourcemanager.projects.getIamPolicy + - resourcemanager.projects.list + - resourcemanager.resourceTagBindings.list + - resourcemanager.tagKeys.getIamPolicy + - resourcemanager.tagKeys.list + - resourcemanager.tagValues.getIamPolicy + - resourcemanager.tagValues.list + - retail.catalogs.list + - retail.operations.list + - retail.products.list + - run.configurations.list + - run.locations.list + - run.revisions.list + - run.routes.list + - run.services.getIamPolicy + - run.services.list + - runtimeconfig.configs.getIamPolicy + - runtimeconfig.configs.list + - runtimeconfig.operations.list + - runtimeconfig.variables.getIamPolicy + - runtimeconfig.variables.list + - runtimeconfig.waiters.getIamPolicy + - runtimeconfig.waiters.list + - secretmanager.locations.list + - secretmanager.secrets.getIamPolicy + - secretmanager.secrets.list + - secretmanager.versions.list + - securitycenter.assets.list + - securitycenter.findings.list + - securitycenter.notificationconfig.list + - securitycenter.sources.getIamPolicy + - securitycenter.sources.list + - servicebroker.bindingoperations.list + - servicebroker.bindings.getIamPolicy + - servicebroker.bindings.list + - servicebroker.catalogs.getIamPolicy + - servicebroker.catalogs.list + - servicebroker.instanceoperations.list + - servicebroker.instances.getIamPolicy + - servicebroker.instances.list + - serviceconsumermanagement.tenancyu.list + - servicedirectory.endpoints.getIamPolicy + - servicedirectory.endpoints.list + - servicedirectory.locations.list + - servicedirectory.namespaces.getIamPolicy + - servicedirectory.namespaces.list + - servicedirectory.services.getIamPolicy + - servicedirectory.services.list + - servicemanagement.services.getIamPolicy + - servicemanagement.services.list + - 
servicenetworking.operations.list + - serviceusage.operations.get + - serviceusage.operations.list + - serviceusage.quotas.get + - serviceusage.services.get + - serviceusage.services.list + - serviceusage.services.use + - source.repos.getIamPolicy + - source.repos.list + - spanner.backupOperations.list + - spanner.backups.getIamPolicy + - spanner.backups.list + - spanner.databaseOperations.list + - spanner.databases.getIamPolicy + - spanner.databases.list + - spanner.instanceConfigs.list + - spanner.instanceOperations.list + - spanner.instances.getIamPolicy + - spanner.instances.list + - spanner.sessions.list + - storage.buckets.get + - storage.buckets.getIamPolicy + - storage.buckets.list + - storage.hmacKeys.list + - storage.objects.getIamPolicy + - storage.objects.list + - storagetransfer.jobs.list + - storagetransfer.operations.list + - tpu.acceleratortypes.list + - tpu.locations.list + - tpu.nodes.list + - tpu.operations.list + - tpu.tensorflowversions.list + - transcoder.jobTemplates.list + - transcoder.jobs.list + - vmmigration.deployments.list + - vpcaccess.connectors.list + - vpcaccess.locations.list + - vpcaccess.operations.list + - workflows.executions.list + - workflows.locations.list + - workflows.operations.list + - workflows.workflows.getIamPolicy + - workflows.workflows.list +name: audit.viewer +stage: GA +title: Audit Viewer diff --git a/infra/gcp/roles/generate-role-yaml.sh b/infra/gcp/roles/generate-role-yaml.sh new file mode 100755 index 00000000000..a47802e4033 --- /dev/null +++ b/infra/gcp/roles/generate-role-yaml.sh 
@@ -0,0 +1,121 @@
+#!/usr/bin/env bash
+#
+# Copyright 2021 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# This generates GCP IAM roles based on the following YAML spec:
+#
+# # role name, e.g.
+# name: "foo.bar"
+# # human readable title for the role, e.g.
+# title: "Foo Barrer"
+# # human readable description for the role, e.g.
+# description: "Allows doing Bar on Foo resources"
+# # include permissions from the following...
+# include:
+# # a list of permissions, e.g.
+# permissions:
+# - foo.bar.doSomething
+# # a list of roles, e.g.
+# roles:
+# - roles/foo.bar
+# # only include permissions matching any extended regex in this list, e.g.
+# permissionRegxes:
+# - ^foo.bar.(get|list)
+# exclude:
+# # exclude any permissions matching any extended regex in this list, e.g.
+# permissionRegexes:
+# - SuperDangerousOperation$
+#
+# Roles are saved to `${name}.yaml` files intended for comparison with yaml
+# dumped by gcloud, or creation via gcloud, e.g.
+#
+# gcloud iam roles describe roles/foo --format=yaml | yq -y 'del(.etag)' > foo.yaml
+# generate-role-yaml.sh specs/foo.bar.yaml
+# diff foo.yaml foo.bar.yaml
+# gcloud iam roles create --project project-id foo.bar --file foo.bar.yaml
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+repo_root=$(git rev-parse --show-toplevel)
+script_dir=$(dirname "${BASH_SOURCE[0]}")
+script_name=$(basename "${BASH_SOURCE[0]}")
+input_dir="${script_dir}/specs"
+output_dir="${script_dir}"
+
+function usage() {
+ echo "usage: ${script_name} [path...]" > /dev/stderr
+ echo "example:" > /dev/stderr
+ echo " ${script_name} # all roles defined in ${input_dir}" > /dev/stderr
+ echo " ${script_name} ${input_dir}/spec/foo.bar.yaml # just do one" > /dev/stderr
+ echo > /dev/stderr
+}
+
+function output_role_yaml() {
+ local spec="${1}"
+
+ local title description name include_roles include_permissions include_regex exclude_regex
+ title=$(<"${spec}" yq -r .title)
+ description=$(<"${spec}" yq -r .description)
+ name=$(<"${spec}" yq -r .name)
+ mapfile -t include_roles < <(<"${spec}" yq -r '.include? | .roles//[] | .[]')
+ mapfile -t include_permissions < <(<"${spec}" yq -r '.include? | .permissions//[] | .[]')
+ include_regex=$(<"${spec}" yq -r '.include? | .permissionRegexes//[] | join("|")')
+ exclude_regex=$(<"${spec}" yq -r '.exclude? | .permissionRegexes//[] | join("|")')
+
+ local output_path="${output_dir}/${name}.yaml"
+ (
+ echo "#### generated by ${script_name} from the following spec:"
+ echo "#"
+ <"${spec}" sed -e 's/^/# /'
+ echo "#"
+
+ # fields are output in alphabetal order to match output from gcloud
+ echo "description: ${description}"
+ echo "includedPermissions:"
+ (
+ for permission in "${include_permissions[@]}"; do
+ echo "${permission}"
+ done
+ for role in "${include_roles[@]}"; do
+ gcloud iam roles describe "${role}" --format="yaml(includedPermissions)" | tail -n +2
+ # strip list prefixes so regexes match permission name as full line
+ done | sed -e 's/^- //'
+ ) | sort | uniq | \
+ grep -E "${include_regex:-""}" | \
+ grep -v -E "${exclude_regex:-'^$'}" | \
+ sed -e 's/^/ - &/'
+ echo "name: ${name}"
+ echo "stage: GA"
+ echo "title: ${title}"
+ ) > "${output_path}"
+}
+
+if ! command -v yq &>/dev/null; then
+ echo >/dev/stderr "yq not found. Please install with pip3 install -r ${repo_root}/requirements.txt"
+ return 1
+fi
+
+if [ $# = 0 ]; then
+ # default to everything under our input dir
+ set -- "${input_dir}"
+fi
+
+for path; do
+ for f in $(find ${path} -type f -name '*.yaml' | sort); do
+ output_role_yaml "${f}"
+ done
+done
diff --git a/infra/gcp/roles/organization.admin.yaml b/infra/gcp/roles/organization.admin.yaml
new file mode 100644
index 00000000000..4668979c0cf
--- /dev/null
+++ b/infra/gcp/roles/organization.admin.yaml
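Review bot: The `command -v yq` guard near the end of the hunk uses `return 1` at script top level, outside any function, so bash prints its own `return: can only 'return' from a function or sourced script` after the intended message and the script stops only because `set -o errexit` treats the failed builtin as an error; it should read `exit 1`. In bash the quoted default in `"${exclude_regex:-'^$'}"` keeps the single quotes literally, so the pattern handed to `grep -v -E` is `'^$'`, which appears unable to match and therefore excludes nothing — the intended result, but by accident; `"${exclude_regex:-^$}"` says what is meant. Because the subshell redirects straight into `"${output_path}"`, any failure inside the pipeline (for example `gcloud iam roles describe` failing for one role in the spec, which `pipefail` surfaces under errexit) leaves a truncated `${name}.yaml` with `description:`/`includedPermissions:` but no `name`/`stage`/`title` trailer, indistinguishable from a generated role until gcloud rejects it; writing to a `mktemp` file in `${output_dir}` and `mv`-ing it over the target only after the subshell succeeds avoids committing a half-built role. The spec comment at the top documents the include key as `permissionRegxes` while the yq filter reads `.permissionRegexes`; a spec following the comment would silently produce no include filter.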
@@ -0,0 +1,45 @@ +#### generated by generate-role-yaml.sh from the following spec: +# +# # permissions that are required beyond roles/owner to effectively manage +# # our GCP organization, at least according to the role bindings that have +# # been manually added to org admins thus far +# title: Organization Admin +# description: Access to administer all resources belonging to the organization +# name: organization.admin +# include: +# roles: +# - roles/billing.user +# - roles/resourcemanager.folderAdmin +# - roles/resourcemanager.organizationAdmin +# - roles/resourcemanager.projectCreator +# +description: Access to administer all resources belonging to the organization +includedPermissions: + - billing.accounts.get + - billing.accounts.getIamPolicy + - billing.accounts.list + - billing.accounts.redeemPromotion + - billing.credits.list + - billing.resourceAssociations.create + - orgpolicy.policy.get + - resourcemanager.folders.create + - resourcemanager.folders.delete + - resourcemanager.folders.get + - resourcemanager.folders.getIamPolicy + - resourcemanager.folders.list + - resourcemanager.folders.move + - resourcemanager.folders.setIamPolicy + - resourcemanager.folders.undelete + - resourcemanager.folders.update + - resourcemanager.organizations.get + - resourcemanager.organizations.getIamPolicy + - resourcemanager.organizations.setIamPolicy + - resourcemanager.projects.create + - resourcemanager.projects.get + - resourcemanager.projects.getIamPolicy + - resourcemanager.projects.list + - resourcemanager.projects.move + - resourcemanager.projects.setIamPolicy +name: organization.admin +stage: GA +title: Organization Admin diff --git a/infra/gcp/roles/prow.viewer.yaml b/infra/gcp/roles/prow.viewer.yaml index fd11f77c7f5..7c587719d8e 100644 --- a/infra/gcp/roles/prow.viewer.yaml +++ b/infra/gcp/roles/prow.viewer.yaml 
@@ -1,328 +1,418 @@ -title: Prow Viewer +#### generated by generate-role-yaml.sh from the following spec: +# +# # a subset of convenience role roles/viewer to allow community members +# # to view resources used by prow or jobs that lease e2e projects from boskos +# # using GCP console or gcloud commands +# title: Prow Viewer +# description: View access to services for troubleshooting prow +# name: prow.viewer +# include: +# roles: +# - roles/compute.viewer +# - roles/container.clusterViewer +# - roles/container.viewer +# - roles/logging.viewer +# - roles/monitoring.viewer +# permissions: +# - storage.buckets.get +# - storage.buckets.getIamPolicy +# - storage.buckets.list +# - storage.objects.get +# - storage.objects.list +# description: View access to services for troubleshooting prow -stage: ALPHA includedPermissions: -- resourcemanager.projects.get -- resourcemanager.projects.list -# roles/compute.viewer -- compute.acceleratorTypes.get -- compute.acceleratorTypes.list -- compute.addresses.get -- compute.addresses.list -- compute.autoscalers.get -- compute.autoscalers.list -- compute.backendBuckets.get -- compute.backendBuckets.list -- compute.backendServices.get -- compute.backendServices.list -- compute.commitments.get -- compute.commitments.list -- compute.diskTypes.get -- compute.diskTypes.list -- compute.disks.get -- compute.disks.getIamPolicy -- compute.disks.list -- compute.externalVpnGateways.get -- compute.externalVpnGateways.list -- compute.firewalls.get -- compute.firewalls.list -- compute.forwardingRules.get -- compute.forwardingRules.list -- compute.globalAddresses.get -- compute.globalAddresses.list -- compute.globalForwardingRules.get -- compute.globalForwardingRules.list -- compute.globalOperations.get -- compute.globalOperations.getIamPolicy -- compute.globalOperations.list -- compute.globalPublicDelegatedPrefixes.get -- compute.globalPublicDelegatedPrefixes.list -- compute.healthChecks.get -- compute.healthChecks.list -- 
compute.httpHealthChecks.get -- compute.httpHealthChecks.list -- compute.httpsHealthChecks.get -- compute.httpsHealthChecks.list -- compute.images.get -- compute.images.getFromFamily -- compute.images.getIamPolicy -- compute.images.list -- compute.instanceGroupManagers.get -- compute.instanceGroupManagers.list -- compute.instanceGroups.get -- compute.instanceGroups.list -- compute.instanceTemplates.get -- compute.instanceTemplates.getIamPolicy -- compute.instanceTemplates.list -- compute.instances.get -- compute.instances.getEffectiveFirewalls -- compute.instances.getGuestAttributes -- compute.instances.getIamPolicy -- compute.instances.getScreenshot -- compute.instances.getSerialPortOutput -- compute.instances.getShieldedInstanceIdentity -- compute.instances.getShieldedVmIdentity -- compute.instances.list -- compute.instances.listReferrers -- compute.interconnectAttachments.get -- compute.interconnectAttachments.list -- compute.interconnectLocations.get -- compute.interconnectLocations.list -- compute.interconnects.get -- compute.interconnects.list -- compute.licenseCodes.get -- compute.licenseCodes.getIamPolicy -- compute.licenseCodes.list -- compute.licenses.get -- compute.licenses.getIamPolicy -- compute.licenses.list -- compute.machineTypes.get -- compute.machineTypes.list -- compute.maintenancePolicies.get -- compute.maintenancePolicies.getIamPolicy -- compute.maintenancePolicies.list -- compute.networkEndpointGroups.get -- compute.networkEndpointGroups.getIamPolicy -- compute.networkEndpointGroups.list -- compute.networks.get -- compute.networks.getEffectiveFirewalls -- compute.networks.list -- compute.networks.listPeeringRoutes -- compute.nodeGroups.get -- compute.nodeGroups.getIamPolicy -- compute.nodeGroups.list -- compute.nodeTemplates.get -- compute.nodeTemplates.getIamPolicy -- compute.nodeTemplates.list -- compute.nodeTypes.get -- compute.nodeTypes.list -- compute.organizations.listAssociations -- compute.projects.get -- 
compute.publicAdvertisedPrefixes.get -- compute.publicAdvertisedPrefixes.list -- compute.publicDelegatedPrefixes.get -- compute.publicDelegatedPrefixes.list -- compute.regionBackendServices.get -- compute.regionBackendServices.list -- compute.regionHealthCheckServices.get -- compute.regionHealthCheckServices.list -- compute.regionNotificationEndpoints.get -- compute.regionNotificationEndpoints.list -- compute.regionOperations.get -- compute.regionOperations.getIamPolicy -- compute.regionOperations.list -- compute.regions.get -- compute.regions.list -- compute.reservations.get -- compute.reservations.list -- compute.resourcePolicies.get -- compute.resourcePolicies.list -- compute.routers.get -- compute.routers.list -- compute.routes.get -- compute.routes.list -- compute.securityPolicies.get -- compute.securityPolicies.getIamPolicy -- compute.securityPolicies.list -- compute.snapshots.get -- compute.snapshots.getIamPolicy -- compute.snapshots.list -- compute.sslCertificates.get -- compute.sslCertificates.list -- compute.sslPolicies.get -- compute.sslPolicies.list -- compute.sslPolicies.listAvailableFeatures -- compute.subnetworks.get -- compute.subnetworks.getIamPolicy -- compute.subnetworks.list -- compute.targetHttpProxies.get -- compute.targetHttpProxies.list -- compute.targetHttpsProxies.get -- compute.targetHttpsProxies.list -- compute.targetInstances.get -- compute.targetInstances.list -- compute.targetPools.get -- compute.targetPools.list -- compute.targetSslProxies.get -- compute.targetSslProxies.list -- compute.targetTcpProxies.get -- compute.targetTcpProxies.list -- compute.targetVpnGateways.get -- compute.targetVpnGateways.list -- compute.urlMaps.get -- compute.urlMaps.list -- compute.urlMaps.validate -- compute.vpnGateways.get -- compute.vpnGateways.list -- compute.vpnTunnels.get -- compute.vpnTunnels.list -- compute.zoneOperations.get -- compute.zoneOperations.getIamPolicy -- compute.zoneOperations.list -- compute.zones.get -- compute.zones.list -- 
resourcemanager.projects.get -- resourcemanager.projects.list -- serviceusage.quotas.get -- serviceusage.services.get -- serviceusage.services.list -# roles/container.clusterViewer -- container.clusters.get -- container.clusters.list -# roles/container.viewer -- container.apiServices.get -- container.apiServices.list -- container.backendConfigs.get -- container.backendConfigs.list -- container.bindings.get -- container.bindings.list -- container.certificateSigningRequests.get -- container.certificateSigningRequests.list -- container.clusterRoleBindings.get -- container.clusterRoleBindings.list -- container.clusterRoles.get -- container.clusterRoles.list -- container.clusters.get -- container.clusters.list -- container.componentStatuses.get -- container.componentStatuses.list -- container.configMaps.get -- container.configMaps.list -- container.controllerRevisions.get -- container.controllerRevisions.list -- container.cronJobs.get -- container.cronJobs.getStatus -- container.cronJobs.list -- container.csiDrivers.get -- container.csiDrivers.list -- container.csiNodes.get -- container.csiNodes.list -- container.customResourceDefinitions.get -- container.customResourceDefinitions.list -- container.daemonSets.get -- container.daemonSets.getStatus -- container.daemonSets.list -- container.deployments.get -- container.deployments.getStatus -- container.deployments.list -- container.endpoints.get -- container.endpoints.list -- container.events.get -- container.events.list -- container.horizontalPodAutoscalers.get -- container.horizontalPodAutoscalers.getStatus -- container.horizontalPodAutoscalers.list -- container.ingresses.get -- container.ingresses.getStatus -- container.ingresses.list -- container.initializerConfigurations.get -- container.initializerConfigurations.list -- container.jobs.get -- container.jobs.getStatus -- container.jobs.list -- container.limitRanges.get -- container.limitRanges.list -- container.namespaces.get -- container.namespaces.getStatus -- 
container.namespaces.list -- container.networkPolicies.get -- container.networkPolicies.list -- container.nodes.get -- container.nodes.getStatus -- container.nodes.list -- container.operations.get -- container.operations.list -- container.persistentVolumeClaims.get -- container.persistentVolumeClaims.getStatus -- container.persistentVolumeClaims.list -- container.persistentVolumes.get -- container.persistentVolumes.getStatus -- container.persistentVolumes.list -- container.petSets.get -- container.petSets.list -- container.podDisruptionBudgets.get -- container.podDisruptionBudgets.getStatus -- container.podDisruptionBudgets.list -- container.podPresets.get -- container.podPresets.list -- container.podSecurityPolicies.get -- container.podSecurityPolicies.list -- container.podTemplates.get -- container.podTemplates.list -- container.pods.get -- container.pods.getStatus -- container.pods.list -- container.replicaSets.get -- container.replicaSets.getScale -- container.replicaSets.getStatus -- container.replicaSets.list -- container.replicationControllers.get -- container.replicationControllers.getScale -- container.replicationControllers.getStatus -- container.replicationControllers.list -- container.resourceQuotas.get -- container.resourceQuotas.getStatus -- container.resourceQuotas.list -- container.roleBindings.get -- container.roleBindings.list -- container.roles.get -- container.roles.list -- container.runtimeClasses.get -- container.runtimeClasses.list -- container.scheduledJobs.get -- container.scheduledJobs.list -- container.serviceAccounts.get -- container.serviceAccounts.list -- container.services.get -- container.services.getStatus -- container.services.list -- container.statefulSets.get -- container.statefulSets.getStatus -- container.statefulSets.list -- container.storageClasses.get -- container.storageClasses.list -- container.thirdPartyObjects.get -- container.thirdPartyObjects.list -- container.thirdPartyResources.get -- 
container.thirdPartyResources.list -- container.tokenReviews.create -# roles/logging.viewer -- logging.buckets.get -- logging.buckets.list -- logging.exclusions.get -- logging.exclusions.list -- logging.logEntries.list -- logging.logMetrics.get -- logging.logMetrics.list -- logging.logServiceIndexes.list -- logging.logServices.list -- logging.logs.list -- logging.sinks.get -- logging.sinks.list -- logging.usage.get -# roles/monitoring.viewer -- cloudnotifications.activities.list -- monitoring.alertPolicies.get -- monitoring.alertPolicies.list -- monitoring.dashboards.get -- monitoring.dashboards.list -- monitoring.groups.get -- monitoring.groups.list -- monitoring.metricDescriptors.get -- monitoring.metricDescriptors.list -- monitoring.monitoredResourceDescriptors.get -- monitoring.monitoredResourceDescriptors.list -- monitoring.notificationChannelDescriptors.get -- monitoring.notificationChannelDescriptors.list -- monitoring.notificationChannels.get -- monitoring.notificationChannels.list -- monitoring.publicWidgets.get -- monitoring.publicWidgets.list -- monitoring.services.get -- monitoring.services.list -- monitoring.slos.get -- monitoring.slos.list -- monitoring.timeSeries.list -- monitoring.uptimeCheckConfigs.get -- monitoring.uptimeCheckConfigs.list -- stackdriver.projects.get + - cloudnotifications.activities.list + - compute.acceleratorTypes.get + - compute.acceleratorTypes.list + - compute.addresses.get + - compute.addresses.list + - compute.autoscalers.get + - compute.autoscalers.list + - compute.backendBuckets.get + - compute.backendBuckets.list + - compute.backendServices.get + - compute.backendServices.list + - compute.commitments.get + - compute.commitments.list + - compute.diskTypes.get + - compute.diskTypes.list + - compute.disks.get + - compute.disks.getIamPolicy + - compute.disks.list + - compute.externalVpnGateways.get + - compute.externalVpnGateways.list + - compute.firewallPolicies.get + - compute.firewallPolicies.getIamPolicy + - 
compute.firewallPolicies.list + - compute.firewalls.get + - compute.firewalls.list + - compute.forwardingRules.get + - compute.forwardingRules.list + - compute.globalAddresses.get + - compute.globalAddresses.list + - compute.globalForwardingRules.get + - compute.globalForwardingRules.list + - compute.globalForwardingRules.pscGet + - compute.globalNetworkEndpointGroups.get + - compute.globalNetworkEndpointGroups.list + - compute.globalOperations.get + - compute.globalOperations.getIamPolicy + - compute.globalOperations.list + - compute.globalPublicDelegatedPrefixes.get + - compute.globalPublicDelegatedPrefixes.list + - compute.healthChecks.get + - compute.healthChecks.list + - compute.httpHealthChecks.get + - compute.httpHealthChecks.list + - compute.httpsHealthChecks.get + - compute.httpsHealthChecks.list + - compute.images.get + - compute.images.getFromFamily + - compute.images.getIamPolicy + - compute.images.list + - compute.instanceGroupManagers.get + - compute.instanceGroupManagers.list + - compute.instanceGroups.get + - compute.instanceGroups.list + - compute.instanceTemplates.get + - compute.instanceTemplates.getIamPolicy + - compute.instanceTemplates.list + - compute.instances.get + - compute.instances.getEffectiveFirewalls + - compute.instances.getGuestAttributes + - compute.instances.getIamPolicy + - compute.instances.getScreenshot + - compute.instances.getSerialPortOutput + - compute.instances.getShieldedInstanceIdentity + - compute.instances.getShieldedVmIdentity + - compute.instances.list + - compute.instances.listReferrers + - compute.interconnectAttachments.get + - compute.interconnectAttachments.list + - compute.interconnectLocations.get + - compute.interconnectLocations.list + - compute.interconnects.get + - compute.interconnects.list + - compute.licenseCodes.get + - compute.licenseCodes.getIamPolicy + - compute.licenseCodes.list + - compute.licenses.get + - compute.licenses.getIamPolicy + - compute.licenses.list + - compute.machineImages.get + - 
compute.machineImages.getIamPolicy + - compute.machineImages.list + - compute.machineTypes.get + - compute.machineTypes.list + - compute.maintenancePolicies.get + - compute.maintenancePolicies.getIamPolicy + - compute.maintenancePolicies.list + - compute.networkEndpointGroups.get + - compute.networkEndpointGroups.getIamPolicy + - compute.networkEndpointGroups.list + - compute.networks.get + - compute.networks.getEffectiveFirewalls + - compute.networks.list + - compute.networks.listPeeringRoutes + - compute.nodeGroups.get + - compute.nodeGroups.getIamPolicy + - compute.nodeGroups.list + - compute.nodeTemplates.get + - compute.nodeTemplates.getIamPolicy + - compute.nodeTemplates.list + - compute.nodeTypes.get + - compute.nodeTypes.list + - compute.organizations.listAssociations + - compute.projects.get + - compute.publicAdvertisedPrefixes.get + - compute.publicAdvertisedPrefixes.list + - compute.publicDelegatedPrefixes.get + - compute.publicDelegatedPrefixes.list + - compute.regionBackendServices.get + - compute.regionBackendServices.list + - compute.regionHealthCheckServices.get + - compute.regionHealthCheckServices.list + - compute.regionHealthChecks.get + - compute.regionHealthChecks.list + - compute.regionNetworkEndpointGroups.get + - compute.regionNetworkEndpointGroups.list + - compute.regionNotificationEndpoints.get + - compute.regionNotificationEndpoints.list + - compute.regionOperations.get + - compute.regionOperations.getIamPolicy + - compute.regionOperations.list + - compute.regionSslCertificates.get + - compute.regionSslCertificates.list + - compute.regionTargetHttpProxies.get + - compute.regionTargetHttpProxies.list + - compute.regionTargetHttpsProxies.get + - compute.regionTargetHttpsProxies.list + - compute.regionUrlMaps.get + - compute.regionUrlMaps.list + - compute.regionUrlMaps.validate + - compute.regions.get + - compute.regions.list + - compute.reservations.get + - compute.reservations.list + - compute.resourcePolicies.get + - 
compute.resourcePolicies.list + - compute.routers.get + - compute.routers.list + - compute.routes.get + - compute.routes.list + - compute.securityPolicies.get + - compute.securityPolicies.getIamPolicy + - compute.securityPolicies.list + - compute.serviceAttachments.get + - compute.serviceAttachments.list + - compute.snapshots.get + - compute.snapshots.getIamPolicy + - compute.snapshots.list + - compute.sslCertificates.get + - compute.sslCertificates.list + - compute.sslPolicies.get + - compute.sslPolicies.list + - compute.sslPolicies.listAvailableFeatures + - compute.subnetworks.get + - compute.subnetworks.getIamPolicy + - compute.subnetworks.list + - compute.targetGrpcProxies.get + - compute.targetGrpcProxies.list + - compute.targetHttpProxies.get + - compute.targetHttpProxies.list + - compute.targetHttpsProxies.get + - compute.targetHttpsProxies.list + - compute.targetInstances.get + - compute.targetInstances.list + - compute.targetPools.get + - compute.targetPools.list + - compute.targetSslProxies.get + - compute.targetSslProxies.list + - compute.targetTcpProxies.get + - compute.targetTcpProxies.list + - compute.targetVpnGateways.get + - compute.targetVpnGateways.list + - compute.urlMaps.get + - compute.urlMaps.list + - compute.urlMaps.validate + - compute.vpnGateways.get + - compute.vpnGateways.list + - compute.vpnTunnels.get + - compute.vpnTunnels.list + - compute.zoneOperations.get + - compute.zoneOperations.getIamPolicy + - compute.zoneOperations.list + - compute.zones.get + - compute.zones.list + - container.apiServices.get + - container.apiServices.getStatus + - container.apiServices.list + - container.auditSinks.get + - container.auditSinks.list + - container.backendConfigs.get + - container.backendConfigs.list + - container.bindings.get + - container.bindings.list + - container.certificateSigningRequests.get + - container.certificateSigningRequests.getStatus + - container.certificateSigningRequests.list + - container.clusterRoleBindings.get + - 
container.clusterRoleBindings.list + - container.clusterRoles.get + - container.clusterRoles.list + - container.clusters.get + - container.clusters.list + - container.componentStatuses.get + - container.componentStatuses.list + - container.configMaps.get + - container.configMaps.list + - container.controllerRevisions.get + - container.controllerRevisions.list + - container.cronJobs.get + - container.cronJobs.getStatus + - container.cronJobs.list + - container.csiDrivers.get + - container.csiDrivers.list + - container.csiNodeInfos.get + - container.csiNodeInfos.list + - container.csiNodes.get + - container.csiNodes.list + - container.customResourceDefinitions.get + - container.customResourceDefinitions.getStatus + - container.customResourceDefinitions.list + - container.daemonSets.get + - container.daemonSets.getStatus + - container.daemonSets.list + - container.deployments.get + - container.deployments.getStatus + - container.deployments.list + - container.endpointSlices.get + - container.endpointSlices.list + - container.endpoints.get + - container.endpoints.list + - container.events.get + - container.events.list + - container.frontendConfigs.get + - container.frontendConfigs.list + - container.horizontalPodAutoscalers.get + - container.horizontalPodAutoscalers.getStatus + - container.horizontalPodAutoscalers.list + - container.ingresses.get + - container.ingresses.getStatus + - container.ingresses.list + - container.initializerConfigurations.get + - container.initializerConfigurations.list + - container.jobs.get + - container.jobs.getStatus + - container.jobs.list + - container.leases.get + - container.leases.list + - container.limitRanges.get + - container.limitRanges.list + - container.managedCertificates.get + - container.managedCertificates.list + - container.mutatingWebhookConfigurations.get + - container.mutatingWebhookConfigurations.list + - container.namespaces.get + - container.namespaces.getStatus + - container.namespaces.list + - 
container.networkPolicies.get + - container.networkPolicies.list + - container.nodes.get + - container.nodes.getStatus + - container.nodes.list + - container.operations.get + - container.operations.list + - container.persistentVolumeClaims.get + - container.persistentVolumeClaims.getStatus + - container.persistentVolumeClaims.list + - container.persistentVolumes.get + - container.persistentVolumes.getStatus + - container.persistentVolumes.list + - container.petSets.get + - container.petSets.list + - container.podDisruptionBudgets.get + - container.podDisruptionBudgets.getStatus + - container.podDisruptionBudgets.list + - container.podPresets.get + - container.podPresets.list + - container.podSecurityPolicies.get + - container.podSecurityPolicies.list + - container.podTemplates.get + - container.podTemplates.list + - container.pods.get + - container.pods.getStatus + - container.pods.list + - container.priorityClasses.get + - container.priorityClasses.list + - container.replicaSets.get + - container.replicaSets.getScale + - container.replicaSets.getStatus + - container.replicaSets.list + - container.replicationControllers.get + - container.replicationControllers.getScale + - container.replicationControllers.getStatus + - container.replicationControllers.list + - container.resourceQuotas.get + - container.resourceQuotas.getStatus + - container.resourceQuotas.list + - container.roleBindings.get + - container.roleBindings.list + - container.roles.get + - container.roles.list + - container.runtimeClasses.get + - container.runtimeClasses.list + - container.scheduledJobs.get + - container.scheduledJobs.list + - container.serviceAccounts.get + - container.serviceAccounts.list + - container.services.get + - container.services.getStatus + - container.services.list + - container.statefulSets.get + - container.statefulSets.getStatus + - container.statefulSets.list + - container.storageClasses.get + - container.storageClasses.list + - container.storageStates.get + - 
container.storageStates.list + - container.storageVersionMigrations.get + - container.storageVersionMigrations.list + - container.thirdPartyObjects.get + - container.thirdPartyObjects.list + - container.thirdPartyResources.get + - container.thirdPartyResources.list + - container.tokenReviews.create + - container.updateInfos.get + - container.updateInfos.list + - container.validatingWebhookConfigurations.get + - container.validatingWebhookConfigurations.list + - container.volumeAttachments.get + - container.volumeAttachments.getStatus + - container.volumeAttachments.list + - container.volumeSnapshotClasses.get + - container.volumeSnapshotClasses.list + - container.volumeSnapshotContents.get + - container.volumeSnapshotContents.list + - container.volumeSnapshots.get + - container.volumeSnapshots.list + - logging.buckets.get + - logging.buckets.list + - logging.exclusions.get + - logging.exclusions.list + - logging.locations.get + - logging.locations.list + - logging.logEntries.list + - logging.logMetrics.get + - logging.logMetrics.list + - logging.logServiceIndexes.list + - logging.logServices.list + - logging.logs.list + - logging.queries.create + - logging.queries.delete + - logging.queries.get + - logging.queries.list + - logging.queries.update + - logging.sinks.get + - logging.sinks.list + - logging.usage.get + - logging.views.get + - logging.views.list + - monitoring.alertPolicies.get + - monitoring.alertPolicies.list + - monitoring.dashboards.get + - monitoring.dashboards.list + - monitoring.groups.get + - monitoring.groups.list + - monitoring.metricDescriptors.get + - monitoring.metricDescriptors.list + - monitoring.monitoredResourceDescriptors.get + - monitoring.monitoredResourceDescriptors.list + - monitoring.notificationChannelDescriptors.get + - monitoring.notificationChannelDescriptors.list + - monitoring.notificationChannels.get + - monitoring.notificationChannels.list + - monitoring.publicWidgets.get + - monitoring.publicWidgets.list + - 
monitoring.services.get + - monitoring.services.list + - monitoring.slos.get + - monitoring.slos.list + - monitoring.timeSeries.list + - monitoring.uptimeCheckConfigs.get + - monitoring.uptimeCheckConfigs.list + - resourcemanager.projects.get + - resourcemanager.projects.list + - serviceusage.quotas.get + - serviceusage.services.get + - serviceusage.services.list + - stackdriver.projects.get + - storage.buckets.get + - storage.buckets.getIamPolicy + - storage.buckets.list + - storage.objects.get + - storage.objects.list +name: prow.viewer +stage: GA +title: Prow Viewer diff --git a/infra/gcp/roles/secretmanager.secretLister.yaml b/infra/gcp/roles/secretmanager.secretLister.yaml new file mode 100644 index 00000000000..28c71cf75d5 --- /dev/null +++ b/infra/gcp/roles/secretmanager.secretLister.yaml @@ -0,0 +1,24 @@ +#### generated by generate-role-yaml.sh from the following spec: +# +# # allow principals with roles/secretmanager.admin on specific secrets +# # to manage those secrets via the GCP console +# title: Secret Manager Secret Lister +# description: Allows viewing and listing Secret Manager secret resources +# name: secretmanager.secretLister +# include: +# roles: +# - roles/secretmanager.viewer +# exclude: +# permissionRegexes: +# - ^secretmanager.(locations|versions) +# - getIamPolicy$ +# +description: Allows viewing and listing Secret Manager secret resources +includedPermissions: + - resourcemanager.projects.get + - resourcemanager.projects.list + - secretmanager.secrets.get + - secretmanager.secrets.list +name: secretmanager.secretLister +stage: GA +title: Secret Manager Secret Lister diff --git a/infra/gcp/roles/specs/CustomRole.yaml b/infra/gcp/roles/specs/CustomRole.yaml new file mode 100644 index 00000000000..950e682ce05 --- /dev/null +++ b/infra/gcp/roles/specs/CustomRole.yaml 
@@ -0,0 +1,30 @@
+# This was retroactively put together to match a role that is already in
+# production. It's not entirely clear why it was built this way, for example
+# why all of the permission exclusions from roles/billing.viewer
+#
+# TODO: CustomRole is a brittle name, we should migrate to a better named role
+title: Billing Viewer
+description: View access to billing info
+name: CustomRole
+include:
+ roles:
+ - roles/billing.viewer
+ - roles/browser
+ permissions:
+ # not sure what role this permission comes from
+ - billing.resourceCosts.get
+exclude:
+ permissionRegexes:
+ # unclear why the exclusion of billing.account.* except getSpendingInformation
+ - ^billing.accounts.get$
+ - ^billing.accounts.getPaymentInfo
+ - ^billing.accounts.getUsageExportSpec
+ - ^billing.accounts.list
+ # unclear if these were intentionally excluded
+ - ^consumerprocurement.
+ - ^dataprocessing.
+ - ^recommender.
+ # we may want to allow these two for org hierarchy navigation
+ - ^resourcemanager.folders.
+ - ^resourcemanager.organizations.
+ - getIamPolicy$
diff --git a/infra/gcp/roles/specs/StorageBucketLister.yaml b/infra/gcp/roles/specs/StorageBucketLister.yaml
new file mode 100644
index 00000000000..8ccacda3314
--- /dev/null
+++ b/infra/gcp/roles/specs/StorageBucketLister.yaml
@@ -0,0 +1,16 @@
+# allow listing of buckets
+# TODO(https://github.com/kubernetes/k8s.io/issues/1659): remove once auditor.viewer is used instead
+title: Storage Bucket Lister
+description: Can list storage buckets
+name: StorageBucketLister
+include:
+ roles:
+ - roles/storage.admin
+ permissionRegexes:
+ - ^storage.buckets.
+exclude:
+ permissionRegexes:
+ - create$
+ - update$
+ - delete$
+ - IamPolicy$
diff --git a/infra/gcp/roles/specs/audit.viewer.yaml b/infra/gcp/roles/specs/audit.viewer.yaml
new file mode 100644
index 00000000000..e5954fd9208
--- /dev/null
+++ b/infra/gcp/roles/specs/audit.viewer.yaml
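Review bot: The `.` in the `exclude.permissionRegexes` entries such as `^billing.accounts.get$` and `^resourcemanager.folders.` is a regex metacharacter, so each pattern matches slightly more loosely than the literal permission name it is meant to name. Permission names only contain letters, digits and dots, so nothing is mis-matched today, but spelling the dot as `\.` (e.g. `- ^billing\.accounts\.get$`) makes the intent explicit and keeps the pattern from matching an unrelated future permission; the same applies to the patterns in specs/StorageBucketLister.yaml, specs/audit.viewer.yaml and specs/secretmanager.secretLister.yaml in this commit. How the patterns are evaluated is decided by generate-role-yaml.sh, which is not in this diff, so the escaping should be checked against that script before changing all four files.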
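Review bot: The `exclude` list only strips `storage.buckets.*` permissions whose names end in `create`, `update`, `delete` or `IamPolicy`, so this role is a denylist carved out of roles/storage.admin, and any bucket permission that role gains later with a different suffix would be picked up silently on the next regeneration. Since the description is "Can list storage buckets", an explicit allowlist — `include.permissions:` with `storage.buckets.get` and `storage.buckets.list`, as specs/audit.viewer.yaml already does for the same two permissions, and no `include.roles`/`exclude` — pins exactly the intended set. Separately, the TODO says to remove this role once `auditor.viewer` is used, but the role added in this commit is `audit.viewer` (specs/audit.viewer.yaml); the comment should use the real name so the follow-up is findable.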
@@ -0,0 +1,26 @@
+# an aggregate of different service roles to allow auditing of all resources
+# in the organization hierarchy using GCP console or gcloud commands
+title: Audit Viewer
+description: View access to resources
+name: audit.viewer
+include:
+ roles:
+ - roles/compute.viewer
+ - roles/dns.reader
+ - roles/iam.securityReviewer
+ - roles/resourcemanager.organizationViewer
+ - roles/serviceusage.serviceUsageConsumer
+ permissions:
+ - storage.buckets.get
+ - storage.buckets.getIamPolicy
+ - storage.buckets.list
+exclude:
+ permissionRegexes:
+ # permissions with custom roles support level NOT_SUPPORTED
+ # ref: https://cloud.google.com/iam/docs/custom-roles-permissions-support
+ - ^cloudonefs.
+ - ^gcp.redisenterprise.
+ - ^datastore.
+ - ^domains.registrations.
+ - ^gkehub.
+ - ^servicemanagement.consumerSettings
diff --git a/infra/gcp/roles/specs/organization.admin.yaml b/infra/gcp/roles/specs/organization.admin.yaml
new file mode 100644
index 00000000000..42f76ecce96
--- /dev/null
+++ b/infra/gcp/roles/specs/organization.admin.yaml
@@ -0,0 +1,12 @@
+# permissions that are required beyond roles/owner to effectively manage
+# our GCP organization, at least according to the role bindings that have
+# been manually added to org admins thus far
+title: Organization Admin
+description: Access to administer all resources belonging to the organization
+name: organization.admin
+include:
+ roles:
+ - roles/billing.user
+ - roles/resourcemanager.folderAdmin
+ - roles/resourcemanager.organizationAdmin
+ - roles/resourcemanager.projectCreator
diff --git a/infra/gcp/roles/specs/prow.viewer.yaml b/infra/gcp/roles/specs/prow.viewer.yaml
new file mode 100644
index 00000000000..994aa24ae44
--- /dev/null
+++ b/infra/gcp/roles/specs/prow.viewer.yaml
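Review bot: `roles/serviceusage.serviceUsageConsumer` in `include.roles` carries `serviceusage.services.use` alongside the get/list permissions, which lets a holder make API calls with the bound project as the quota/billing project rather than merely inspect it; that is more than the "View access to resources" the description promises for an org-wide audit role. If the role was chosen so that gcloud can read service state, `roles/serviceusage.serviceUsageViewer` supplies the get/list permissions without `use`; if `use` is genuinely needed, keep the consumer role but add a comment above it saying so, or drop the single permission with `- ^serviceusage.services.use$` under `exclude.permissionRegexes`. Either way the choice should be recorded in the spec, because nothing in the header explains it.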
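Review bot: The header says where the role list came from but not what the role confers, and `roles/resourcemanager.organizationAdmin` includes organization-level IAM policy modification, so a holder of this custom role can change who administers the organization. A line such as `# NOTE: grants org-level IAM administration via roles/resourcemanager.organizationAdmin; bindings to this role are managed with the org-level IAM bindings in ensure-organization.sh` would make the blast radius visible to whoever edits the spec next. It would also help to state explicitly that the role is meant to be bound in addition to roles/owner, which the first comment line only implies.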
@@ -0,0 +1,19 @@
+# a subset of convenience role roles/viewer to allow community members
+# to view resources used by prow or jobs that lease e2e projects from boskos
+# using GCP console or gcloud commands
+title: Prow Viewer
+description: View access to services for troubleshooting prow
+name: prow.viewer
+include:
+ roles:
+ - roles/compute.viewer
+ - roles/container.clusterViewer
+ - roles/container.viewer
+ - roles/logging.viewer
+ - roles/monitoring.viewer
+ permissions:
+ - storage.buckets.get
+ - storage.buckets.getIamPolicy
+ - storage.buckets.list
+ - storage.objects.get
+ - storage.objects.list
diff --git a/infra/gcp/roles/specs/secretmanager.secretLister.yaml b/infra/gcp/roles/specs/secretmanager.secretLister.yaml
new file mode 100644
index 00000000000..cda5563defa
--- /dev/null
+++ b/infra/gcp/roles/specs/secretmanager.secretLister.yaml
@@ -0,0 +1,12 @@
+# allow principals with roles/secretmanager.admin on specific secrets
+# to manage those secrets via the GCP console
+title: Secret Manager Secret Lister
+description: Allows viewing and listing Secret Manager secret resources
+name: secretmanager.secretLister
+include:
+ roles:
+ - roles/secretmanager.viewer
+exclude:
+ permissionRegexes:
+ - ^secretmanager.(locations|versions)
+ - getIamPolicy$
diff --git a/hack/requirements.txt b/requirements.txt
similarity index 60%
rename from hack/requirements.txt
rename to requirements.txt
index aa7729dd944..207d53f6c8f 100644
--- a/hack/requirements.txt
+++ b/requirements.txt
@@ -1 +1,2 @@
 yamllint==1.13.0
+yq==2.12.0
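Review bot: The included roles are not strictly read-only: the generated infra/gcp/roles/prow.viewer.yaml earlier in this diff lists `logging.queries.create`, `logging.queries.delete`, `logging.queries.update` and `container.tokenReviews.create` in the resulting permission set, inherited from the included roles (presumably roles/logging.viewer and roles/container.viewer). These look low-impact (saved log queries and token-review requests), but a role advertised as "View access" for community members should either drop them — an `exclude: permissionRegexes:` block with `- create$`, `- delete$`, `- update$`, as specs/StorageBucketLister.yaml does — or carry a comment saying the write permissions are known and accepted. Without one, the next regeneration will silently keep whatever write permissions the upstream viewer roles acquire.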
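Review bot: The header explains who the role is for but not the property that matters most for a Secret Manager role: the `^secretmanager.(locations|versions)` exclusion is what keeps `secretmanager.versions.access` — the permission that reads secret payloads — out of the role, so holders get metadata only, as the generated infra/gcp/roles/secretmanager.secretLister.yaml earlier in this diff confirms (`secretmanager.secrets.get`/`list` plus `resourcemanager.projects.get`/`list`). Add a comment above that pattern, e.g. `# excludes versions.* so holders can list and inspect secrets but never read payloads (secretmanager.versions.access)`, so that a later edit loosening the regex is recognised as a payload-exposure change rather than a tidy-up.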