audit: update as of 2021-05-19#2011
Conversation
k8s-ci-robot
added
the
cncf-cla: yes
|
Hi @cncf-ci. Thanks for your PR. I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
k8s-ci-robot
added
needs-ok-to-test
cncf-ci
force-pushed
the
autoaudit-prow
branch
3 times, most recently
from
abe7fc9 to
c1124f0
Compare
|
@spiffxp Any reason why the audit logs for the Boskos projects are deleted ? (just curious). |
cncf-ci
force-pushed
the
autoaudit-prow
branch
4 times, most recently
from
9b59233 to
befdc19
Compare
cncf-ci
force-pushed
the
autoaudit-prow
branch
4 times, most recently
from
f6dbe60 to
64e31b3
Compare
cncf-ci
changed the title
cncf-ci
force-pushed
the
autoaudit-prow
branch
4 times, most recently
from
7266cb5 to
e6c3e52
Compare
cncf-ci
force-pushed
the
autoaudit-prow
branch
3 times, most recently
from
ccb1ac9 to
8029c36
Compare
cncf-ci
changed the title
cncf-ci
force-pushed
the
autoaudit-prow
branch
4 times, most recently
from
00b13a8 to
292a300
Compare
cncf-ci
changed the title
cncf-ci
force-pushed
the
autoaudit-prow
branch
4 times, most recently
from
0b6da0e to
8dab371
Compare
cncf-ci
changed the title
|
Uhhhh, well everything in audit/ getting deleted is certainly disconcerting. I'm going to assume the projects are all still present or we'd have heard a lot more complaints by now. Seems like the first commit for this PR deleted everything. I'm going to guess #2010 is the culprit, specifically 9ebc221. What bindings does the group have that the service account does not? |
cncf-ci
force-pushed
the
autoaudit-prow
branch
2 times, most recently
from
7bfee0f to
8d7408a
Compare
|
/assign |
cncf-ci
changed the title
| { | ||
| "createTime": "2021-05-12T09:38:46.426Z", | ||
| "lifecycleState": "ACTIVE", | ||
| "name": "k8s-infra-public-pii", |
| bigquery.googleapis.com BigQuery API | ||
| bigquerystorage.googleapis.com BigQuery Storage API | ||
| logging.googleapis.com Cloud Logging API | ||
| storage-component.googleapis.com Cloud Storage |
| @@ -0,0 +1,11 @@ | |||
| { | |||
| "bindings": [ | |||
spiffxp
left a comment
spiffxp
left a comment
There was a problem hiding this comment.
/approve
/lgtm
Merging to keep us current. I have some outstanding questions but nothing I feel compelled to block on.
Regard my reviews of k8s-infra-ii-sandbox: it's your playground, and if you'd rather move fast and iterate manually that's cool. I thought I'd review as if you were planning to actively use terraform to manage your project.
| { | ||
| "members": [ | ||
| "group:k8s-infra-gcp-auditors@kubernetes.io" | ||
| ], | ||
| "role": "roles/secretmanager.viewer" | ||
| }, |
| "secretmanager.locations.get", | ||
| "secretmanager.locations.list", | ||
| "secretmanager.secrets.get", | ||
| "secretmanager.secrets.getIamPolicy", | ||
| "secretmanager.secrets.list", | ||
| "secretmanager.versions.get", |
There was a problem hiding this comment.
Expected. This was #2058, specifically 268c44d
Missing these permissions is what was breaking the audit job: #2055 (comment)
| @@ -1,5 +1,6 @@ | |||
| { | |||
| "createTime": "2021-04-08T20:32:11.215176Z", | |||
| "etag": "\"15bf7bf125b148\"", | |||
There was a problem hiding this comment.
This is new... we should make sure the audit script is deleting these
Opened #2062
| Bucket Policy Only setting for gs://export-c2e4nmc5jmg9n5nacc60: | ||
| Enabled: False | ||
|
|
There was a problem hiding this comment.
What created this bucket? @BobyMCbobs @bernokl @hh
| Bucket Policy Only setting for gs://ii_bq_scratch_dump: | ||
| Enabled: True | ||
| LockedTime: 2021-08-09 23:05:03.678000+00:00 | ||
|
|
There was a problem hiding this comment.
What created this bucket? @BobyMCbobs @bernokl @hh
| bigqueryconnection.googleapis.com BigQuery Connection API | ||
| bigquerydatatransfer.googleapis.com BigQuery Data Transfer API | ||
| bigqueryreservation.googleapis.com BigQuery Reservation API |
There was a problem hiding this comment.
What enabled these services? @BobyMCbobs @bernokl @hh
| { | ||
| "createTime": "2021-05-12T09:38:46.426Z", | ||
| "lifecycleState": "ACTIVE", | ||
| "name": "k8s-infra-public-pii", | ||
| "parent": { | ||
| "id": "758905017065", | ||
| "type": "organization" | ||
| }, | ||
| "projectId": "k8s-infra-public-pii", | ||
| "projectNumber": "226195303281" | ||
| } |
| "members": [ | ||
| "group:k8s-infra-staging-cluster-api-gcp@kubernetes.io" | ||
| "group:k8s-infra-staging-cluster-api-gcp@kubernetes.io", | ||
| "serviceAccount:gcb-builder-cluster-api-gcp@k8s-staging-cluster-api-gcp.iam.gserviceaccount.com" |
| { | ||
| "members": [ | ||
| "serviceAccount:service-606075400249@compute-system.iam.gserviceaccount.com" | ||
| ], | ||
| "role": "roles/compute.serviceAgent" | ||
| }, |
| containerregistry.googleapis.com Container Registry API | ||
| containerscanning.googleapis.com Container Scanning API | ||
| logging.googleapis.com Cloud Logging API | ||
| oslogin.googleapis.com Cloud OS Login API |
There was a problem hiding this comment.
Compute depends on this, so this gets enabled
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: cncf-ci, spiffxp The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:
Approvers can indicate their approval by writing |
4 participants
Audit Updates wg-k8s-infra