audit: update as of 2021-05-24 #2074
|
Hi @cncf-ci. Thanks for your PR. I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
b6f6798 to 4edf7f1
7f21ea6 to 42d955d
64e50f5 to 76d9395
a113308 to caa494f
|
/ok-to-test
FWIW, I tried using GitHub's compare view to see if I could tell why exactly it was pushing, e.g. for
I used b62feb8...a113308. Some of the changes that shows were definitely not enacted within the last 16 hours. That still looks like the final commit to main. |
| compute.googleapis.com Compute Engine API | ||
| containeranalysis.googleapis.com Container Analysis API | ||
| containerregistry.googleapis.com Container Registry API | ||
| containerscanning.googleapis.com Container Scanning API |
| compute.googleapis.com Compute Engine API | ||
| containeranalysis.googleapis.com Container Analysis API | ||
| containerregistry.googleapis.com Container Registry API | ||
| containerscanning.googleapis.com Container Scanning API |
| Bucket Policy Only setting for gs://k8s-infra-ii-sandbox-bb-test: | ||
| Enabled: False | ||
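Review bot: `Enabled: False` on the Bucket Policy Only line for gs://k8s-infra-ii-sandbox-bb-test means uniform bucket-level access is off, so per-object ACLs can grant access that a bucket-level IAM policy would not show. Suggest enabling it on this bucket, or recording why ACLs are needed, so that the IAM policy is the complete record of who can read and write it.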
|
|
@BobyMCbobs @hh @bernokl @Riaankl was this manually created?
| "etag": "\"15bb07da9956c0\"", | ||
| "etag": "\"15c2db0d2d7401\"", | ||
| "labels": { | ||
| "group": "sig-testing", |
| "bindings": [ | ||
| { | ||
| "members": [ | ||
| "group:k8s-infra-ii-coop@kubernetes.io", |
Expected from #2078; give someone other than prow-oncall admin access to the secret, it's their secret to begin with. However, prow-oncall remains for break-glass purposes.
FYI as a followup @hh I'm manually deleting your user: binding; it's redundant since you're part of the above group.
Plus, just trying to prune user: bindings in general; if it's important enough for a person to have access, it's important enough for a group to have access and hold each other accountable.
```
$ gcloud secrets --project=k8s-infra-prow-build-trusted remove-iam-policy-binding cncf-ci-github-token --member=user:hh@ii.coop --role=roles/secretmanager.admin
Updated IAM policy for secret [cncf-ci-github-token].
bindings:
- members:
  - group:k8s-infra-ii-coop@kubernetes.io
  - group:k8s-infra-prow-oncall@kubernetes.io
  role: roles/secretmanager.admin
etag: BwXDGOENV5g=
version: 1
```
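The pruning rule from the comment above, as an added example that is not part of this PR or of the repository's audit scripts: it scans an IAM policy in the JSON shape gcloud returns for direct `user:` members and renders removal commands in the form used above. The sample policy, `example-project`, `example-secret` and both function names are assumptions made for illustration.

```python
import json
import shlex

# Constructed sample in the shape `gcloud secrets get-iam-policy --format=json`
# returns. Group names are from the thread; the user: members are made up.
SAMPLE_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/secretmanager.admin",
   "members": ["group:k8s-infra-ii-coop@kubernetes.io",
               "group:k8s-infra-prow-oncall@kubernetes.io",
               "user:alice@example.com"]},
  {"role": "roles/secretmanager.secretAccessor",
   "members": ["user:bob@example.com",
               "serviceAccount:reader@example-project.iam.gserviceaccount.com"]}
]}
""")


def direct_user_bindings(policy):
    """Return sorted (role, member, has_group) for every user: member.

    has_group is True when the same binding also names at least one group,
    so dropping the user: entry still leaves a group holding the role.
    It does not prove the user belongs to that group; check membership first.
    """
    findings = []
    for binding in policy.get("bindings", []):
        members = binding.get("members", [])
        has_group = any(m.startswith("group:") for m in members)
        for member in members:
            if member.startswith("user:"):
                findings.append((binding.get("role", ""), member, has_group))
    return sorted(findings)


def removal_commands(project, secret, findings):
    """Render removal commands, only for findings whose role keeps a group."""
    return [
        "gcloud secrets --project={} remove-iam-policy-binding {} --member={} --role={}"
        .format(*map(shlex.quote, (project, secret, member, role)))
        for role, member, has_group in findings if has_group
    ]


if __name__ == "__main__":
    found = direct_user_bindings(SAMPLE_POLICY)
    for cmd in removal_commands("example-project", "example-secret", found):
        print(cmd)
```

A finding with `has_group` set to False is not rendered as a command: that role would have no group left, so a group needs to be bound before the individual is removed.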
| { | ||
| "createTime": "2021-05-21T18:03:26.516649Z", | ||
| "etag": "\"15c2dae05eb9a9\"", | ||
| "name": "projects/180382678033/secrets/cncf-ci-token", |
Ah whoops, this was me running scripts from #2078 when they had a typo in them.
Manually deleting:
```
$ gcloud secrets delete --project=k8s-infra-prow-build-trusted cncf-ci-token
Deleted secret [cncf-ci-token]
```
| "bindings": [ | ||
| { | ||
| "members": [ | ||
| "group:k8s-infra-prow-oncall@kubernetes.io" |
This is now out of date per #2078 (comment), will expect a followup audit PR to change this to include the group introduced in #2085
| { | ||
| "createTime": "2021-02-11T04:21:30.200768Z", | ||
| "etag": "\"15bb07da9956c0\"", | ||
| "etag": "\"15c2db0d2d7401\"", |
|
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: cncf-ci, spiffxp. The full list of commands accepted by this bot can be found here. The pull request process is described here. Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
Audit Updates wg-k8s-infra