audit: update as of 2021-05-05

[cncf-ci]

Audit Updates wg-k8s-infra

[k8s-ci-robot]

Hi @cncf-ci. Thanks for your PR.

I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[spiffxp]

/approve
/lgtm
/ok-to-test
This is basically confirmation of all the things done by #1974, and the addition of a k8s-staging-test-infra project

[spiffxp]

Expected, this was #1966 being deployed

[spiffxp]

This account's existence and its bindings are expected, a result of #1998 being deployed

First part of #1730

[spiffxp]

Yeah this popped back up. #1963 is the followup issue to remove this from our code

[spiffxp]

Expected (though surprising at the time it happened) this is the last part of #1737 being deployed

This happened while deploying #1952 (comment), so apparently I forget to run terraform apply for the appropriate clusters after merging #1737

[spiffxp]

This is a weird way of diffing it, but same expected change as above (this time for k8s-infra-prow-build instead of k8s-infra-prow-build-trusted)

[spiffxp]

These are expected, this is #1974 being deployed, specifically the part that's dropping projectEditor bindings

[spiffxp]

This is the result of running terraform apply for clusters/projects/kubernetes-public/aaa using the last commit of #1974. There was an authoritative google_iam_policy terraform resource that kept overwriting other non-authoritative add-iam-policy-binding equivalents in terraform or bash.

I opted to move the project level bindings for accounts/groups not managed by terraform over to ensure-main-project.sh, and re-ran terraform apply... these are all of the bindings that should be present

[spiffxp]

Also expected from #1974

It's redundant, given a binding to custom org role audit.viewer at the org level, but ensure-main-project.sh as written needs to give the service account some kind of role at the project level, and it seemed best to avoid tangling with the org for bootstrapping purposes

[spiffxp]

Expected from #1974

The displayName seemed mostly unused, so to reduce the number of parameters to pass during provisioning, I opted to make it the same as name (the part before the @ in the service accounts e-mail address). More easily searchable within our source code.

[spiffxp]

Expected from #1974

This should have been removed ages ago, this was over a year ago when I was testing out a prow build cluster in the kubernetes-public project, and had noodled on getting k8s-infra-gcp-auditor sufficient privileges to run the audit scripts.

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: cncf-ci, spiffxp

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [spiffxp]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment