audit: update as of 2021-03-30#1800
Hi @cncf-ci. Thanks for your PR. I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Details: Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
spiffxp
left a comment
One expected change, one unexpected
| "serviceAccount:service-cri-o@k8s-conform.iam.gserviceaccount.com" | ||
| ], | ||
| "role": "roles/storage.objectCreator" | ||
| "role": "roles/storage.objectAdmin" |
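Review bot: the role for service-cri-o@k8s-conform.iam.gserviceaccount.com moves from roles/storage.objectCreator to roles/storage.objectAdmin, and the thread below confirms it was edited by hand rather than through the config that generates this file. objectAdmin lets the account overwrite and delete any object in the bucket, which is more than the stated need of rewriting one version marker. Either land the widening in the generating config so the audit stops drifting, or take the other option raised in the thread: keep the results bucket create-only and put the marker in a bucket the account is allowed to modify.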
???
did someone make this change manually?
weird! (not me!)
cc @saschagrunert @mrunalp any clues?
Aww, yes I changed it manually. Big sorry for that, our token needs access to write a version marker to the bucket. :-/ We need to change that file for each commit. Can we request an additional bucket where we're able to edit/change files?
Can I ask what the version marker is for? These buckets should just be result dumps, just trying to understand the use case here.
OTOH since we're giving humans admin access I can't think why we wouldn't give their service account the same level of access. I would be open to a PR that makes this the default for all k8s-conform buckets, WDYT @BenTheElder ?
/cc @BenTheElder
to put the above question on your radar
Can I ask what the version marker is for? These buckets should just be result dumps, just trying to understand the use case here.
Yes sure, the main intention was to use this marker for being independent from the GitHub API. We publish a binary artifact for every successful run on the CRI-O master branch and update the version marker after that. This way we can easily query the latest build without having to use the rate-limited GitHub Actions API. It's more or less the same as we do it in k8s.
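As an added example (not CRI-O's or the k8s.io repo's code), the publish-then-update-marker flow described above, modelled with an in-memory bucket that enforces the GCS rule behind the role change under discussion: creating a new object needs storage.objects.create, but replacing an object that already exists also needs storage.objects.delete, which roles/storage.objectCreator lacks and roles/storage.objectAdmin has. The bucket names, the artifact path and the marker file name are assumptions for illustration; the third scenario models the separate-bucket option raised earlier in the thread.

```python
"""Version-marker publishing, modelled on the flow described in the thread.
Added example, not CRI-O's or k8s.io's code. Assumed layout (illustrative):
<version>/crio.tar.gz is one immutable object per build; latest-master.txt is
a marker rewritten after every publish. The in-memory bucket mimics the GCS
IAM rule behind the role change discussed above: creating an object needs
storage.objects.create, but replacing an existing object also needs
storage.objects.delete, which objectCreator lacks and objectAdmin has."""
from dataclasses import dataclass, field

# Subset of the permissions in the two predefined roles under discussion.
ROLE_PERMISSIONS = {
    "roles/storage.objectCreator": {"storage.objects.create"},
    "roles/storage.objectAdmin": {"storage.objects.create", "storage.objects.delete",
                                  "storage.objects.get", "storage.objects.list"},
}


class PermissionDenied(Exception):
    pass


@dataclass
class FakeBucket:
    name: str
    objects: dict = field(default_factory=dict)

    def write(self, role: str, key: str, data: bytes) -> None:
        perms = ROLE_PERMISSIONS[role]
        if "storage.objects.create" not in perms:
            raise PermissionDenied(f"{role} cannot create {self.name}/{key}")
        if key in self.objects and "storage.objects.delete" not in perms:
            raise PermissionDenied(f"{role} cannot overwrite {self.name}/{key}")
        self.objects[key] = data

    def read(self, key: str) -> bytes:  # result buckets are world-readable
        return self.objects[key]


def publish_build(results, markers, grants, version, artifact, marker_key="latest-master.txt"):
    """Upload the artifact, then point the marker at it. grants: bucket name -> role."""
    artifact_key = f"{version}/crio.tar.gz"
    results.write(grants[results.name], artifact_key, artifact)
    markers.write(grants[markers.name], marker_key, version.encode())
    return artifact_key


def resolve_latest(results, markers, marker_key="latest-master.txt"):
    """Consumer side: read the marker and return the newest artifact's key."""
    key = f"{markers.read(marker_key).decode().strip()}/crio.tar.gz"
    if key not in results.objects:
        raise LookupError(f"marker points at missing object {key}")
    return key


def try_publish(results, markers, grants, version, artifact):
    try:
        publish_build(results, markers, grants, version, artifact)
        return "ok"
    except PermissionDenied:
        return "denied"


def can_replace(bucket, role, key):
    """Whether `role` may overwrite an already published object."""
    try:
        bucket.write(role, key, b"replaced")
        return True
    except PermissionDenied:
        return False


def run_scenarios():
    """Publish two builds under three grant layouts; report what each allows."""
    out = {}
    # 1. One bucket, objectCreator: the v2 artifact lands but the marker cannot
    #    be rewritten, so the second publish fails and consumers still get v1.
    b = FakeBucket("k8s-conform-cri-o")
    g = {b.name: "roles/storage.objectCreator"}
    publish_build(b, b, g, "v1", b"build-1")
    out["creator_second_publish"] = try_publish(b, b, g, "v2", b"build-2")
    out["creator_latest"] = resolve_latest(b, b)
    # 2. One bucket, objectAdmin: the marker refreshes, but the same grant also
    #    lets the account replace an artifact that was already published.
    b = FakeBucket("k8s-conform-cri-o")
    g = {b.name: "roles/storage.objectAdmin"}
    publish_build(b, b, g, "v1", b"build-1")
    out["admin_second_publish"] = try_publish(b, b, g, "v2", b"build-2")
    out["admin_latest"] = resolve_latest(b, b)
    out["admin_can_replace_v1"] = can_replace(b, g[b.name], "v1/crio.tar.gz")
    # 3. Split buckets, the alternative raised in the thread: create-only on
    #    results, objectAdmin only on the (assumed) marker bucket.
    r = FakeBucket("k8s-conform-cri-o")
    m = FakeBucket("k8s-conform-cri-o-markers")
    g = {r.name: "roles/storage.objectCreator", m.name: "roles/storage.objectAdmin"}
    publish_build(r, m, g, "v1", b"build-1")
    out["split_second_publish"] = try_publish(r, m, g, "v2", b"build-2")
    out["split_latest"] = resolve_latest(r, m)
    out["split_can_replace_v1"] = can_replace(r, g[r.name], "v1/crio.tar.gz")
    return out
```

With objectCreator alone the second publish is refused at the marker step after the artifact upload has already succeeded, so consumers keep resolving v1; that is the failure the manual role change worked around. The split layout keeps the results bucket append-only while still letting the marker be rewritten.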
FYI I mistakenly deleted this account when trying to delete the capi-openstack serviceaccount below. I believe I restored it, but let me know if you see problems on your end @saschagrunert
$ gcloud iam service-accounts delete service-cri-o@k8s-conform.iam.gserviceaccount.com
deleted service account [service-cri-o@k8s-conform.iam.gserviceaccount.com]
$ gcloud beta iam service-accounts undelete 118310596454734433596
restoredAccount:
email: service-cri-o@k8s-conform.iam.gserviceaccount.com
etag: MDEwMjE5MjA=
name: projects/k8s-conform/serviceAccounts/service-cri-o@k8s-conform.iam.gserviceaccount.com
oauth2ClientId: REDACTED
projectId: k8s-conform
uniqueId: '118310596454734433596'
| "deploymentmanager.typeProviders.list", | ||
| "deploymentmanager.types.list", | ||
| "dialogflow.agents.list", | ||
| "dialogflow.answerrecords.list", |
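Review bot: the four added permissions (deploymentmanager.typeProviders.list, deploymentmanager.types.list, dialogflow.agents.list, dialogflow.answerrecords.list) appear here without the role that owns them, so the excerpt alone does not say whether this is a predefined Google role being revised upstream, which needs no action in this repo, or an edit to a custom role defined here, which would need a matching config change. Worth confirming which before approving.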
Should we try and filter out ssh keys from: */services/compute/project-info.json It seems a common pattern that occurs that we aren't closely reviewing.
No, we should fix the cause of them continually being updated. Then we should clean/reset them to known keys. We very much want to notice if a random key pops up. There is an issue for this that I've linked to from multiple previous audit PRs, don't have it handy now though.
spiffxp
left a comment
/approve
/lgtm
/hold cancel
kubernetes-sigs/kubetest2#117 has landed which should hopefully mean no new random ssh keys being added. So I'm merging this to see if that proves true.
I've dropped comments / opened up followup issues for anything else in here that needs resolving.
If it does, I'll PR up something to either one-time nuke the e2e project ssh-keys, or reset the ssh-keys to what we expect every time ensure-e2e-projects.sh is run
| "group:k8s-infra-prow-oncall@kubernetes.io", | ||
| "user:spiffxp@google.com" |
I have a pending PR that modifies ensure_project to automatically remove user:* bindings for roles/owner, this was me testing it
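As an added example (not the repo's ensure_project or audit scripts), two checks over exported project state that correspond to points raised in this thread: the user:* on roles/owner condition mentioned just above, and the "notice if a random key pops up" case from the ssh-keys discussion of project-info.json. The IAM policy and project-info JSON below are constructed to match the shape of the exported files; every principal, key, project name and the allowlist in them is made up.

```python
"""Two audit checks over exported project state, as an added example (not the
repo's ensure_project or audit scripts). Rule 1 flags user:* principals bound
directly to roles/owner, the condition the automated removal mentioned above
targets. Rule 2 parses the ssh-keys item of a compute project-info export and
reports keys not on an allowlist, the "random key pops up" case from the ssh
key discussion. Both inputs below are constructed; every principal, key and
project name in them is made up."""
import json

IAM_POLICY_JSON = """{
  "bindings": [
    {"members": ["group:k8s-infra-prow-oncall@kubernetes.io",
                 "user:someone@example.com"],
     "role": "roles/owner"},
    {"members": ["serviceAccount:ci@example-proj.iam.gserviceaccount.com"],
     "role": "roles/storage.objectAdmin"}
  ],
  "etag": "BwXAbCdEfGh=",
  "version": 1
}"""

# Only the metadata block matters here; real exports carry many more fields.
PROJECT_INFO_JSON = """{
  "name": "example-proj",
  "commonInstanceMetadata": {
    "items": [
      {"key": "enable-oslogin", "value": "FALSE"},
      {"key": "ssh-keys",
       "value": "prow:ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKnownKey prow\\nbot:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQExampleUnknownKey bot@nowhere"}
    ]
  }
}"""

# Allowlist keyed on "<type> <base64 blob>", ignoring username and comment.
KNOWN_SSH_KEYS = {"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKnownKey"}


def find_user_owners(policy):
    """user:* members bound directly to roles/owner, sorted."""
    return sorted(
        m for b in policy.get("bindings", []) if b.get("role") == "roles/owner"
        for m in b.get("members", []) if m.startswith("user:")
    )


def remove_user_owners(policy):
    """Copy of the policy with user:* owners dropped; emptied bindings go too."""
    bindings = []
    for b in policy.get("bindings", []):
        members = b.get("members", [])
        if b.get("role") == "roles/owner":
            members = [m for m in members if not m.startswith("user:")]
        if members:
            bindings.append({**b, "members": members})
    return {**policy, "bindings": bindings}


def ssh_keys_from_project_info(info):
    """Parse the ssh-keys metadata item into (username, "<type> <blob>", comment)."""
    raw = next((i.get("value", "") for i in
                info.get("commonInstanceMetadata", {}).get("items", [])
                if i.get("key") == "ssh-keys"), "")
    keys = []
    for line in raw.splitlines():
        user, sep, rest = line.strip().partition(":")
        parts = rest.split(None, 2)
        if not sep or len(parts) < 2:
            continue  # blank or malformed; the format is user:type blob [comment]
        keys.append((user, f"{parts[0]} {parts[1]}", parts[2] if len(parts) == 3 else ""))
    return keys


def find_unknown_ssh_keys(info, known):
    """Parsed entries whose "<type> <blob>" is not on the allowlist."""
    return [k for k in ssh_keys_from_project_info(info) if k[1] not in known]


def audit(policy_json=IAM_POLICY_JSON, info_json=PROJECT_INFO_JSON, known=KNOWN_SSH_KEYS):
    """Run both rules and return findings as (rule, detail) pairs."""
    policy = json.loads(policy_json)
    info = json.loads(info_json)
    findings = [("user-owner", m) for m in find_user_owners(policy)]
    findings += [("unknown-ssh-key", f"{u}: {k} {c}".rstrip())
                 for u, k, c in find_unknown_ssh_keys(info, known)]
    return findings
```

Matching on "<type> <blob>" rather than the whole line means a key re-added under a different username or comment is still recognised, while any blob outside the allowlist is reported regardless of who it claims to belong to. remove_user_owners() is the remediation counterpart of the first rule and leaves group and serviceAccount bindings untouched.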
| @@ -1,6 +1,5 @@ | |||
| NAME TITLE | |||
| bigquery.googleapis.com BigQuery API | |||
| bigquery.googleapis.com BigQuery API | |||
Not sure why we had a dupe entry here to begin with, not sure what caused it to get removed
| { | ||
| "displayName": "service-capi-openstack", | ||
| "email": "service-capi-openstack@k8s-conform.iam.gserviceaccount.com", | ||
| "name": "projects/k8s-conform/serviceAccounts/service-capi-openstack@k8s-conform.iam.gserviceaccount.com", | ||
| "oauth2ClientId": "115191210752954465501", | ||
| "projectId": "k8s-conform", | ||
| "uniqueId": "115191210752954465501" | ||
| } |
I think this should be manually deleted per #1807
$ gcloud iam service-accounts delete service-capi-openstack@k8s-conform.iam.gserviceaccount.com
deleted service account [service-capi-openstack@k8s-conform.iam.gserviceaccount.com]
| @@ -0,0 +1 @@ | |||
| {} | |||
I think this should be manually deleted per #1807
| "createTime": "2021-03-24T18:14:58.836Z", | ||
| "lifecycleState": "ACTIVE", | ||
| "name": "k8s-staging-kubetest2", |
All files under projects/k8s-staging-kubetest2 are expected, a result of #1819 merging
| @@ -4,7 +4,13 @@ | |||
| "members": [ | |||
| "group:k8s-infra-cluster-admins@kubernetes.io" | |||
| ], | |||
| "role": "projects/kubernetes-public/roles/ServiceAccountLister" | |||
| "role": "organizations/758905017065/roles/iam.serviceAccountLister" | |||
| "members": [ | ||
| "group:k8s-infra-rbac-slack-infra@kubernetes.io" | ||
| ], | ||
| "role": "organizations/758905017065/roles/secretmanager.secretLister" |
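Review bot: the new project-wide binding of group:k8s-infra-rbac-slack-infra@kubernetes.io to organizations/758905017065/roles/secretmanager.secretLister is, per the discussion, a manual trial that did not solve the problem, so it should not stay in kubernetes-public; removing it by hand as proposed is right, and the next audit run should show the binding gone rather than this diff re-appearing. The move of k8s-infra-cluster-admins from the project custom role ServiceAccountLister to the org-level iam.serviceAccountLister is the expected part of this hunk.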
This was me manually trialing #1731 (comment) to help land #1696
It did not solve the problem, so I'll manually remove this binding
$ gcloud projects remove-iam-policy-binding kubernetes-public --member="group:k8s-infra-rbac-slack-infra@kubernetes.io" --role="organizations/758905017065/roles/secretmanager.secretLister"
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: cncf-ci, spiffxp. The full list of commands accepted by this bot can be found here. The pull request process is described here. Details: Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
Audit Updates wg-k8s-infra