diff --git a/audit/audit-gcp.sh b/audit/audit-gcp.sh index c0899a5672f..700077cb3d1 100755 --- a/audit/audit-gcp.sh +++ b/audit/audit-gcp.sh @@ -20,6 +20,11 @@ set -o pipefail CNCF_GCP_ORG=758905017065 +function format_gcloud_json() { + # recursively delete any fields named "etag" + jq 'delpaths([path(..|.etag?|select(.))])' +} + echo "# Removing existing audit files" rm -rf org_kubernetes.io rm -rf projects @@ -34,14 +39,12 @@ gcloud \ ROLE=$(basename "${ROLE_PATH}") gcloud iam roles describe "${ROLE}" \ --organization="${CNCF_GCP_ORG}" \ - --format=json \ - | jq 'del(.etag)' \ + --format=json | format_gcloud_json \ > "org_kubernetes.io/roles/${ROLE}.json" done gcloud \ organizations get-iam-policy "${CNCF_GCP_ORG}" \ - --format=json \ - | jq 'del(.etag)' \ + --format=json | format_gcloud_json \ > "org_kubernetes.io/iam.json" echo "## Iterating over Projects" @@ -55,16 +58,16 @@ gcloud \ echo "### Auditing Project ${PROJECT}" mkdir -p "projects/${PROJECT}" + gcloud \ projects describe "${PROJECT}" \ - --format=json \ + --format=json | format_gcloud_json \ > "projects/${PROJECT}/description.json" echo "#### ${PROJECT} IAM" gcloud \ projects get-iam-policy "${PROJECT}" \ - --format=json \ - | jq 'del(.etag)' \ + --format=json | format_gcloud_json \ > "projects/${PROJECT}/iam.json" echo "#### ${PROJECT} ServiceAccounts" @@ -77,14 +80,12 @@ gcloud \ gcloud \ iam service-accounts describe "${SVCACCT}" \ --project="${PROJECT}" \ - --format=json \ - | jq 'del(.etag)' \ + --format=json | format_gcloud_json \ > "projects/${PROJECT}/service-accounts/${SVCACCT}/description.json" gcloud \ iam service-accounts get-iam-policy "${SVCACCT}" \ --project="${PROJECT}" \ - --format=json \ - | jq 'del(.etag)' \ + --format=json | format_gcloud_json \ > "projects/${PROJECT}/service-accounts/${SVCACCT}/iam.json" done 
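Review bot: format_gcloud_json in the @@ -20 hunk has become the single normalization step for every audit file, but its only comment is "recursively delete any fields named etag"; a header stating the contract would make the recorded data interpretable later, since the filter now strips every key named `etag` at any depth whereas the `del(.etag)` it replaces only touched the top-level one, so nested etags (e.g. inside list items) also disappear from the output from this commit on. Suggested header above the function: `# Filter: reads one JSON document on stdin and writes it to stdout with every` / `# field named "etag" removed at any depth, so audit files only change when the` / `# underlying resource does.` Separately, `function format_gcloud_json() {` uses the bash-only keyword; `format_gcloud_json() {` is the portable spelling with identical behavior.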
@@ -99,8 +100,7 @@ gcloud \ gcloud \ iam roles describe "${ROLE}" \ --project="${PROJECT}" \ - --format=json \ - | jq 'del(.etag)' \ + --format=json | format_gcloud_json \ > "projects/${PROJECT}/roles/${ROLE}.json" done @@ -116,22 +116,32 @@ gcloud \ --format="value(config.name)" \ | sed 's/.googleapis.com//' \ | while read -r SVC; do + echo "##### projects/${PROJECT}/services/${SVC}" case "${SVC}" in bigquery) mkdir -p "projects/${PROJECT}/services/${SVC}" bq \ - --format=prettyjson --project_id=$PROJECT ls + ls \ + --project_id="${PROJECT}" \ + --format=json | format_gcloud_json \ > "projects/${PROJECT}/services/${SVC}/bigquery.datasets.json" # Only run if there are any datasets if [ -s "projects/${PROJECT}/services/${SVC}/bigquery.datasets.json" ] then bq \ - --project_id="{$PROJECT}" --format=json ls \ + ls \ + --project_id="${PROJECT}" \ + --format=json | format_gcloud_json \ | jq -r '.[] | .datasetReference["datasetId"]' \ | while read -r DATASET; do bq \ - --project_id="${PROJECT}" --format=json show "${PROJECT}:${DATASET}" \ - | jq .access > "projects/${PROJECT}/services/${SVC}/bigquery.datasets.${DATASET}.access.json" + show \ + --project_id="${PROJECT}" \ + --format=json \ + "${PROJECT}:${DATASET}" \ + | format_gcloud_json \ + | jq .access \ + > "projects/${PROJECT}/services/${SVC}/bigquery.datasets.${DATASET}.access.json" done fi ;; @@ -140,7 +150,7 @@ gcloud \ gcloud \ compute project-info describe \ --project="${PROJECT}" \ - --format=json \ + --format=json | format_gcloud_json \ | jq 'del(.quotas[].usage, .commonInstanceMetadata.fingerprint)' \ > "projects/${PROJECT}/services/${SVC}/project-info.json" ;; 
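Review bot: In the bigquery arm of the @@ -116 hunk the dataset list is fetched twice: `bq ls` is written to bigquery.datasets.json and, after the `-s` check, run again to feed the `while read -r DATASET` loop, so the recorded file and the set of datasets whose access lists are dumped can disagree if the listing changes between the two calls, and every audited project pays an extra API call. Reading the file just written keeps the two consistent: replace the second `bq \` / `ls \` / `--project_id` / `--format=json | format_gcloud_json \` pipeline with `jq -r '.[] | .datasetReference["datasetId"]' "projects/${PROJECT}/services/${SVC}/bigquery.datasets.json" \`. I believe `bq ls` also applies a default result limit (overridable with `--max_results`); if so, projects with more datasets than that limit are silently under-audited, which is worth confirming and pinning explicitly. The enclosing `while read -r SVC` loop and `case` start before and end after this hunk.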
@@ -157,11 +167,11 @@ gcloud \
 mkdir -p "projects/${PROJECT}/services/${SVC}"
 gcloud \
 dns project-info describe "${PROJECT}" \
- --format=json \
+ --format=json | format_gcloud_json \
 > "projects/${PROJECT}/services/${SVC}/info.json"
 gcloud \
 dns managed-zones list \
- --format=json \
+ --format=json | format_gcloud_json \
 > "projects/${PROJECT}/services/${SVC}/zones.json"
 ;;
 logging)
@@ -187,7 +197,7 @@ gcloud \
 gcloud \
 secrets describe "${SECRET}" \
 --project="${PROJECT}" \
- --format=json \
+ --format=json | format_gcloud_json \
 > "${path}/description.json"
 gcloud \
 secrets versions list "${SECRET}" \
@@ -197,8 +207,7 @@ gcloud \
 gcloud \
 secrets get-iam-policy "${SECRET}" \
 --project="${PROJECT}" \
- --format=json \
- | jq 'del(.etag)' \
+ --format=json | format_gcloud_json \
 > "${path}/iam.json"
 done
 ;;
@@ -214,12 +223,12 @@ gcloud \
 gsutil logging get "gs://${BUCKET}/" \
 > "projects/${PROJECT}/buckets/${BUCKET}/logging.txt"
 gsutil iam get "gs://${BUCKET}/" \
- | jq 'del(.etag)' \
+ | format_gcloud_json \
 > "projects/${PROJECT}/buckets/${BUCKET}/iam.json"
 done
 ;;
 *)
- echo "##### Unhandled Service ${SVC}"
+ echo "WARN: Unaudited service enabled in project ${PROJECT}: ${SVC}"
 # (these were all enabled for kubernetes-public)
 # TODO: handle (or ignore) bigquerystorage
 # TODO: handle (or ignore) clouderrorreporting
@@ -239,7 +248,3 @@ gcloud \
 esac
 done
 done
-
-
-# TODO:
-# Dump iam for Big Query
diff --git a/audit/projects/k8s-artifacts-prod/services/bigquery/bigquery.datasets.gcs_logs.access.json b/audit/projects/k8s-artifacts-prod/services/bigquery/bigquery.datasets.gcs_logs.access.json
new file mode 100644
index 00000000000..b8948e75a19
--- /dev/null
+++ b/audit/projects/k8s-artifacts-prod/services/bigquery/bigquery.datasets.gcs_logs.access.json
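Review bot: `dns managed-zones list` in the @@ -157 hunk still carries no `--project="${PROJECT}"`, unlike the `dns project-info describe "${PROJECT}"` call just above it, so unless the project is pinned outside this script (gcloud config or CLOUDSDK_CORE_PROJECT, neither visible here) the zones recorded under projects/${PROJECT}/services/${SVC}/zones.json describe whatever project gcloud currently defaults to rather than the one being audited. The commit routes this output through format_gcloud_json without addressing it; the fix is the one line `dns managed-zones list --project="${PROJECT}" \`. The enclosing `case` arm and `while read -r SVC` loop start before and end after this hunk.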
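Review bot: The new `WARN:` message in the `*)` arm of the @@ -214 hunk is written to stdout together with the `#`-prefixed progress headings, so anyone capturing a run to check for services the audit does not cover cannot separate the warning from normal output; send it to stderr: `echo "WARN: Unaudited service enabled in project ${PROJECT}: ${SVC}" >&2`. Since the message exists to flag a coverage gap in the audit, it may also be worth counting these and exiting non-zero at the end so the gap cannot pass unnoticed, but that is a policy choice beyond this hunk. The enclosing `case` and loops start before and end after the hunk.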
@@ -0,0 +1,18 @@
+[
+ {
+ "role": "WRITER",
+ "specialGroup": "projectWriters"
+ },
+ {
+ "role": "OWNER",
+ "specialGroup": "projectOwners"
+ },
+ {
+ "role": "OWNER",
+ "userByEmail": "justinsb@google.com"
+ },
+ {
+ "role": "READER",
+ "specialGroup": "projectReaders"
+ }
+]
diff --git a/audit/projects/k8s-artifacts-prod/services/bigquery/bigquery.datasets.http_lb_logs.access.json b/audit/projects/k8s-artifacts-prod/services/bigquery/bigquery.datasets.http_lb_logs.access.json
new file mode 100644
index 00000000000..3381307a2ad
--- /dev/null
+++ b/audit/projects/k8s-artifacts-prod/services/bigquery/bigquery.datasets.http_lb_logs.access.json
@@ -0,0 +1,14 @@
+[
+ {
+ "role": "WRITER",
+ "userByEmail": "p388270116193-330742@gcp-sa-logging.iam.gserviceaccount.com"
+ },
+ {
+ "role": "OWNER",
+ "specialGroup": "projectWriters"
+ },
+ {
+ "role": "OWNER",
+ "userByEmail": "justinsb@google.com"
+ }
+]
diff --git a/audit/projects/k8s-artifacts-prod/services/bigquery/bigquery.datasets.json b/audit/projects/k8s-artifacts-prod/services/bigquery/bigquery.datasets.json
index e69de29bb2d..e07449c20d2 100644
--- a/audit/projects/k8s-artifacts-prod/services/bigquery/bigquery.datasets.json
+++ b/audit/projects/k8s-artifacts-prod/services/bigquery/bigquery.datasets.json
@@ -0,0 +1,20 @@
+[
+ {
+ "kind": "bigquery#dataset",
+ "id": "k8s-artifacts-prod:gcs_logs",
+ "datasetReference": {
+ "datasetId": "gcs_logs",
+ "projectId": "k8s-artifacts-prod"
+ },
+ "location": "US"
+ },
+ {
+ "kind": "bigquery#dataset",
+ "id": "k8s-artifacts-prod:http_lb_logs",
+ "datasetReference": {
+ "datasetId": "http_lb_logs",
+ "projectId": "k8s-artifacts-prod"
+ },
+ "location": "US"
+ }
+]
diff --git a/audit/projects/k8s-conform/secrets/service-cri-o-key/description.json b/audit/projects/k8s-conform/secrets/service-cri-o-key/description.json
index d463c6d31c9..636bea2f32c 100644
--- a/audit/projects/k8s-conform/secrets/service-cri-o-key/description.json
+++ b/audit/projects/k8s-conform/secrets/service-cri-o-key/description.json
@@ -1,6 +1,5 @@
 {
 "createTime": "2021-04-08T20:32:11.215176Z",
- "etag": "\"15bf7bf125b148\"",
 "name": "projects/228988630781/secrets/service-cri-o-key",
 "replication": {
 "automatic": {}
diff --git a/audit/projects/k8s-conform/secrets/service-huaweicloud-key/description.json b/audit/projects/k8s-conform/secrets/service-huaweicloud-key/description.json
index 31ba1c3dc4c..dac88b8cc6e 100644
--- a/audit/projects/k8s-conform/secrets/service-huaweicloud-key/description.json
+++ b/audit/projects/k8s-conform/secrets/service-huaweicloud-key/description.json
@@ -1,6 +1,5 @@
 {
 "createTime": "2021-04-08T20:43:10.411934Z",
- "etag": "\"15bf7c18703c9e\"",
 "name": "projects/228988630781/secrets/service-huaweicloud-key",
 "replication": {
 "automatic": {}
diff --git a/audit/projects/k8s-conform/secrets/service-inspur-key/description.json b/audit/projects/k8s-conform/secrets/service-inspur-key/description.json
index 940f2574725..343e01a5b94 100644
--- a/audit/projects/k8s-conform/secrets/service-inspur-key/description.json
+++ b/audit/projects/k8s-conform/secrets/service-inspur-key/description.json
@@ -1,6 +1,5 @@
 {
 "createTime": "2021-02-23T06:37:04.961097Z",
- "etag": "\"15bbfb25906e49\"",
 "name": "projects/228988630781/secrets/service-inspur-key",
 "replication": {
 "automatic": {}
diff --git a/audit/projects/k8s-conform/secrets/service-provider-openstack-key/description.json b/audit/projects/k8s-conform/secrets/service-provider-openstack-key/description.json
index 9f9a32fc544..fa19d6025c3 100644
--- a/audit/projects/k8s-conform/secrets/service-provider-openstack-key/description.json
+++ b/audit/projects/k8s-conform/secrets/service-provider-openstack-key/description.json
@@ -1,6 +1,5 @@
 {
 "createTime": "2021-02-15T15:18:08.840992Z",
- "etag": "\"15bb617e4e6120\"",
 "name": "projects/228988630781/secrets/service-provider-openstack-key",
 "replication": {
 "automatic": {}
diff --git a/audit/projects/k8s-conform/secrets/service-s390x-k8s-key/description.json b/audit/projects/k8s-conform/secrets/service-s390x-k8s-key/description.json
index e49386a95e6..6d54fb4f53c 100644
--- a/audit/projects/k8s-conform/secrets/service-s390x-k8s-key/description.json
+++ b/audit/projects/k8s-conform/secrets/service-s390x-k8s-key/description.json
@@ -1,6 +1,5 @@
 {
 "createTime": "2020-09-23T21:18:11.941957Z",
- "etag": "\"15b3ed7a94947b\"",
 "name": "projects/228988630781/secrets/service-s390x-k8s-key",
 "replication": {
 "automatic": {}
diff --git a/audit/projects/k8s-gsuite/secrets/gsuite-groups-manager_key/description.json b/audit/projects/k8s-gsuite/secrets/gsuite-groups-manager_key/description.json
index 81d58f703f6..67d029e2a2a 100644
--- a/audit/projects/k8s-gsuite/secrets/gsuite-groups-manager_key/description.json
+++ b/audit/projects/k8s-gsuite/secrets/gsuite-groups-manager_key/description.json
@@ -1,6 +1,5 @@
 {
 "createTime": "2020-04-30T04:24:22.976608Z",
- "etag": "\"15b3ed7c79f8c0\"",
 "name": "projects/91610859379/secrets/gsuite-groups-manager_key",
 "replication": {
 "automatic": {}
diff --git a/audit/projects/k8s-gsuite/secrets/wg-k8s-infra-billing_pw/description.json b/audit/projects/k8s-gsuite/secrets/wg-k8s-infra-billing_pw/description.json
index 4c0fc2c4e8e..51ca1cc1026 100644
--- a/audit/projects/k8s-gsuite/secrets/wg-k8s-infra-billing_pw/description.json
+++ b/audit/projects/k8s-gsuite/secrets/wg-k8s-infra-billing_pw/description.json
@@ -1,6 +1,5 @@
 {
 "createTime": "2020-05-11T16:52:59.141275Z",
- "etag": "\"15b3ed7b29f480\"",
 "name": "projects/91610859379/secrets/wg-k8s-infra-billing_pw",
 "replication": {
 "automatic": {}
diff --git a/audit/projects/k8s-infra-ii-sandbox/services/bigquery/bigquery.datasets.hh.access.json b/audit/projects/k8s-infra-ii-sandbox/services/bigquery/bigquery.datasets.hh.access.json
new file mode 100644
index 00000000000..1b9fe6a2bc6
--- /dev/null
+++ b/audit/projects/k8s-infra-ii-sandbox/services/bigquery/bigquery.datasets.hh.access.json
@@ -0,0 +1,18 @@
+[
+ {
+ "role": "WRITER",
+ "specialGroup": "projectWriters"
+ },
+ {
+ "role": "OWNER",
+ "specialGroup": "projectOwners"
+ },
+ {
+ "role": "OWNER",
+ "userByEmail": "hh@ii.coop"
+ },
+ {
+ "role": "READER",
+ "specialGroup": "projectReaders"
+ }
+]
diff --git a/audit/projects/k8s-infra-ii-sandbox/services/bigquery/bigquery.datasets.json b/audit/projects/k8s-infra-ii-sandbox/services/bigquery/bigquery.datasets.json
index e69de29bb2d..6df47d2665a 100644
--- a/audit/projects/k8s-infra-ii-sandbox/services/bigquery/bigquery.datasets.json
+++ b/audit/projects/k8s-infra-ii-sandbox/services/bigquery/bigquery.datasets.json
@@ -0,0 +1,41 @@
+[
+ {
+ "kind": "bigquery#dataset",
+ "id": "k8s-infra-ii-sandbox:hh",
+ "datasetReference": {
+ "datasetId": "hh",
+ "projectId": "k8s-infra-ii-sandbox"
+ },
+ "location": "US"
+ },
+ {
+ "kind": "bigquery#dataset",
+ "id": "k8s-infra-ii-sandbox:k8s_artifacts_dataset_bb_test",
+ "datasetReference": {
+ "datasetId": "k8s_artifacts_dataset_bb_test",
+ "projectId": "k8s-infra-ii-sandbox"
+ },
+ "labels": {
+ "managed-by-cnrm": "true"
+ },
+ "location": "US"
+ },
+ {
+ "kind": "bigquery#dataset",
+ "id": "k8s-infra-ii-sandbox:k8s_artifacts_gcslogs_appspot",
+ "datasetReference": {
+ "datasetId": "k8s_artifacts_gcslogs_appspot",
+ "projectId": "k8s-infra-ii-sandbox"
+ },
+ "location": "US"
+ },
+ {
+ "kind": "bigquery#dataset",
+ "id": "k8s-infra-ii-sandbox:kubernetes_public_logs",
+ "datasetReference": {
+ "datasetId": "kubernetes_public_logs",
+ "projectId": "k8s-infra-ii-sandbox"
+ },
+ "location": "US"
+ }
+]
diff --git a/audit/projects/k8s-infra-ii-sandbox/services/bigquery/bigquery.datasets.k8s_artifacts_dataset_bb_test.access.json b/audit/projects/k8s-infra-ii-sandbox/services/bigquery/bigquery.datasets.k8s_artifacts_dataset_bb_test.access.json
new file mode 100644
index 00000000000..4a76db5b89d
--- /dev/null
+++ b/audit/projects/k8s-infra-ii-sandbox/services/bigquery/bigquery.datasets.k8s_artifacts_dataset_bb_test.access.json
@@ -0,0 +1,18 @@
+[
+ {
+ "role": "WRITER",
+ "specialGroup": "projectWriters"
+ },
+ {
+ "role": "OWNER",
+ "specialGroup": "projectOwners"
+ },
+ {
+ "role": "OWNER",
+ "userByEmail": "bb@ii.coop"
+ },
+ {
+ "role": "READER",
+ "specialGroup": "projectReaders"
+ }
+]
diff --git a/audit/projects/k8s-infra-ii-sandbox/services/bigquery/bigquery.datasets.k8s_artifacts_gcslogs_appspot.access.json b/audit/projects/k8s-infra-ii-sandbox/services/bigquery/bigquery.datasets.k8s_artifacts_gcslogs_appspot.access.json
new file mode 100644
index 00000000000..4a76db5b89d
--- /dev/null
+++ b/audit/projects/k8s-infra-ii-sandbox/services/bigquery/bigquery.datasets.k8s_artifacts_gcslogs_appspot.access.json
@@ -0,0 +1,18 @@
+[
+ {
+ "role": "WRITER",
+ "specialGroup": "projectWriters"
+ },
+ {
+ "role": "OWNER",
+ "specialGroup": "projectOwners"
+ },
+ {
+ "role": "OWNER",
+ "userByEmail": "bb@ii.coop"
+ },
+ {
+ "role": "READER",
+ "specialGroup": "projectReaders"
+ }
+]
diff --git a/audit/projects/k8s-infra-ii-sandbox/services/bigquery/bigquery.datasets.kubernetes_public_logs.access.json b/audit/projects/k8s-infra-ii-sandbox/services/bigquery/bigquery.datasets.kubernetes_public_logs.access.json
new file mode 100644
index 00000000000..e1dcaceb7dd
--- /dev/null
+++ b/audit/projects/k8s-infra-ii-sandbox/services/bigquery/bigquery.datasets.kubernetes_public_logs.access.json
@@ -0,0 +1,18 @@
+[
+ {
+ "role": "WRITER",
+ "specialGroup": "projectWriters"
+ },
+ {
+ "role": "OWNER",
+ "specialGroup": "projectOwners"
+ },
+ {
+ "role": "OWNER",
+ "userByEmail": "caleb@ii.coop"
+ },
+ {
+ "role": "READER",
+ "specialGroup": "projectReaders"
+ }
+]
diff --git a/audit/projects/k8s-infra-prow-build-trusted/secrets/cncf-ci-github-token/description.json b/audit/projects/k8s-infra-prow-build-trusted/secrets/cncf-ci-github-token/description.json
index 4bd9a686196..fce79ae9d2e 100644
--- a/audit/projects/k8s-infra-prow-build-trusted/secrets/cncf-ci-github-token/description.json
+++ b/audit/projects/k8s-infra-prow-build-trusted/secrets/cncf-ci-github-token/description.json
@@ -1,6 +1,5 @@
 {
 "createTime": "2021-02-11T04:21:30.200768Z",
- "etag": "\"15c2db0d2d7401\"",
 "labels": {
 "group": "sig-testing",
 "sig": "testing"
diff --git a/audit/projects/k8s-infra-prow-build-trusted/secrets/cncf-ci-github-token/iam.json b/audit/projects/k8s-infra-prow-build-trusted/secrets/cncf-ci-github-token/iam.json
index a6d9eb99416..6ef0987b98f 100644
--- a/audit/projects/k8s-infra-prow-build-trusted/secrets/cncf-ci-github-token/iam.json
+++ b/audit/projects/k8s-infra-prow-build-trusted/secrets/cncf-ci-github-token/iam.json
@@ -3,8 +3,7 @@
 {
 "members": [
 "group:k8s-infra-ii-coop@kubernetes.io",
- "group:k8s-infra-prow-oncall@kubernetes.io",
- "user:hh@ii.coop"
+ "group:k8s-infra-prow-oncall@kubernetes.io"
 ],
 "role": "roles/secretmanager.admin"
 }
diff --git a/audit/projects/k8s-infra-prow-build-trusted/secrets/cncf-ci-token/description.json b/audit/projects/k8s-infra-prow-build-trusted/secrets/cncf-ci-token/description.json
deleted file mode 100644
index c40b6dc117b..00000000000
--- a/audit/projects/k8s-infra-prow-build-trusted/secrets/cncf-ci-token/description.json
+++ /dev/null
@@ -1,8 +0,0 @@
-{
- "createTime": "2021-05-21T18:03:26.516649Z",
- "etag": "\"15c2dae05eb9a9\"",
- "name": "projects/180382678033/secrets/cncf-ci-token",
- "replication": {
- "automatic": {}
- }
-}
diff --git a/audit/projects/k8s-infra-prow-build-trusted/secrets/cncf-ci-token/iam.json b/audit/projects/k8s-infra-prow-build-trusted/secrets/cncf-ci-token/iam.json
deleted file mode 100644
index 0967ef424bc..00000000000
--- a/audit/projects/k8s-infra-prow-build-trusted/secrets/cncf-ci-token/iam.json
+++ /dev/null
@@ -1 +0,0 @@
-{}
diff --git a/audit/projects/k8s-infra-prow-build-trusted/secrets/cncf-ci-token/versions.json b/audit/projects/k8s-infra-prow-build-trusted/secrets/cncf-ci-token/versions.json
deleted file mode 100644
index fe51488c706..00000000000
--- a/audit/projects/k8s-infra-prow-build-trusted/secrets/cncf-ci-token/versions.json
+++ /dev/null
@@ -1 +0,0 @@
-[]
diff --git a/audit/projects/k8s-infra-prow-build-trusted/secrets/snyk-token/description.json b/audit/projects/k8s-infra-prow-build-trusted/secrets/snyk-token/description.json
index a9a572f02cc..028e566cbcd 100644
--- a/audit/projects/k8s-infra-prow-build-trusted/secrets/snyk-token/description.json
+++ b/audit/projects/k8s-infra-prow-build-trusted/secrets/snyk-token/description.json
@@ -1,6 +1,5 @@
 {
 "createTime": "2021-05-21T18:04:38.236182Z",
- "etag": "\"15c2db0d6c4886\"",
 "labels": {
 "group": "sig-architecture"
 },
diff --git a/audit/projects/k8s-infra-prow-build-trusted/secrets/snyk-token/iam.json b/audit/projects/k8s-infra-prow-build-trusted/secrets/snyk-token/iam.json
index 85477e58417..154b9a61232 100644
--- a/audit/projects/k8s-infra-prow-build-trusted/secrets/snyk-token/iam.json
+++ b/audit/projects/k8s-infra-prow-build-trusted/secrets/snyk-token/iam.json
@@ -2,6 +2,7 @@
 "bindings": [
 {
 "members": [
+ "group:k8s-infra-code-organization@kubernetes.io",
 "group:k8s-infra-prow-oncall@kubernetes.io"
 ],
 "role": "roles/secretmanager.admin"
diff --git a/audit/projects/k8s-infra-prow-build-trusted/services/bigquery/bigquery.datasets.json b/audit/projects/k8s-infra-prow-build-trusted/services/bigquery/bigquery.datasets.json
index e69de29bb2d..23ddd91c5d6 100644
--- a/audit/projects/k8s-infra-prow-build-trusted/services/bigquery/bigquery.datasets.json
+++ b/audit/projects/k8s-infra-prow-build-trusted/services/bigquery/bigquery.datasets.json
@@ -0,0 +1,11 @@
+[
+ {
+ "kind": "bigquery#dataset",
+ "id": "k8s-infra-prow-build-trusted:usage_metering_prow_build_trusted",
+ "datasetReference": {
+ "datasetId": "usage_metering_prow_build_trusted",
+ "projectId": "k8s-infra-prow-build-trusted"
+ },
+ "location": "US"
+ }
+]
diff --git a/audit/projects/k8s-infra-prow-build-trusted/services/bigquery/bigquery.datasets.usage_metering_prow_build_trusted.access.json b/audit/projects/k8s-infra-prow-build-trusted/services/bigquery/bigquery.datasets.usage_metering_prow_build_trusted.access.json
new file mode 100644
index 00000000000..fbd66ae2d0c
--- /dev/null
+++ b/audit/projects/k8s-infra-prow-build-trusted/services/bigquery/bigquery.datasets.usage_metering_prow_build_trusted.access.json
@@ -0,0 +1,10 @@
+[
+ {
+ "role": "WRITER",
+ "userByEmail": "gke-nodes-prow-build-trusted@k8s-infra-prow-build-trusted.iam.gserviceaccount.com"
+ },
+ {
+ "role": "OWNER",
+ "specialGroup": "projectOwners"
+ }
+]
diff --git a/audit/projects/k8s-infra-prow-build/services/bigquery/bigquery.datasets.json b/audit/projects/k8s-infra-prow-build/services/bigquery/bigquery.datasets.json
index e69de29bb2d..1c6b9fa37c6 100644
--- a/audit/projects/k8s-infra-prow-build/services/bigquery/bigquery.datasets.json
+++ b/audit/projects/k8s-infra-prow-build/services/bigquery/bigquery.datasets.json
@@ -0,0 +1,11 @@
+[
+ {
+ "kind": "bigquery#dataset",
+ "id": "k8s-infra-prow-build:usage_metering_prow_build",
+ "datasetReference": {
+ "datasetId": "usage_metering_prow_build",
+ "projectId": "k8s-infra-prow-build"
+ },
+ "location": "US"
+ }
+]
diff --git a/audit/projects/k8s-infra-prow-build/services/bigquery/bigquery.datasets.usage_metering_prow_build.access.json b/audit/projects/k8s-infra-prow-build/services/bigquery/bigquery.datasets.usage_metering_prow_build.access.json
new file mode 100644
index 00000000000..c33ac430cbd
--- /dev/null
+++ b/audit/projects/k8s-infra-prow-build/services/bigquery/bigquery.datasets.usage_metering_prow_build.access.json
@@ -0,0 +1,10 @@
+[
+ {
+ "role": "WRITER",
+ "userByEmail": "gke-nodes-prow-build@k8s-infra-prow-build.iam.gserviceaccount.com"
+ },
+ {
+ "role": "OWNER",
+ "specialGroup": "projectOwners"
+ }
+]
diff --git a/audit/projects/kubernetes-public/secrets/recaptcha/description.json b/audit/projects/kubernetes-public/secrets/recaptcha/description.json
index d5ac93728c6..3eda72ef1d5 100644
--- a/audit/projects/kubernetes-public/secrets/recaptcha/description.json
+++ b/audit/projects/kubernetes-public/secrets/recaptcha/description.json
@@ -1,6 +1,5 @@
 {
 "createTime": "2020-05-28T03:40:25.639524Z",
- "etag": "\"15c2daf9f9cb32\"",
 "labels": {
 "app": "slack-infra",
 "group": "sig-contributor-experience"
diff --git a/audit/projects/kubernetes-public/secrets/slack-event-log-config/description.json b/audit/projects/kubernetes-public/secrets/slack-event-log-config/description.json
index 2dc9198f9bb..9c4c762582e 100644
--- a/audit/projects/kubernetes-public/secrets/slack-event-log-config/description.json
+++ b/audit/projects/kubernetes-public/secrets/slack-event-log-config/description.json
@@ -1,6 +1,5 @@
 {
 "createTime": "2020-05-28T03:40:22.230224Z",
- "etag": "\"15c2dafa2a19c5\"",
 "labels": {
 "app": "slack-infra",
 "group": "sig-contributor-experience"
diff --git a/audit/projects/kubernetes-public/secrets/slack-moderator-config/description.json b/audit/projects/kubernetes-public/secrets/slack-moderator-config/description.json
index ccdbd8c08be..ffb9b423fbb 100644
--- a/audit/projects/kubernetes-public/secrets/slack-moderator-config/description.json
+++ b/audit/projects/kubernetes-public/secrets/slack-moderator-config/description.json
@@ -1,6 +1,5 @@
 {
 "createTime": "2020-05-28T03:40:18.073437Z",
- "etag": "\"15c2dafa5c50da\"",
 "labels": {
 "app": "slack-infra",
 "group": "sig-contributor-experience"
diff --git a/audit/projects/kubernetes-public/secrets/slack-moderator-words-config/description.json b/audit/projects/kubernetes-public/secrets/slack-moderator-words-config/description.json
index 164d7cc3ca8..8dde2ce9142 100644
--- a/audit/projects/kubernetes-public/secrets/slack-moderator-words-config/description.json
+++ b/audit/projects/kubernetes-public/secrets/slack-moderator-words-config/description.json
@@ -1,6 +1,5 @@
 {
 "createTime": "2021-02-23T23:53:36.776896Z",
- "etag": "\"15c2dafa97e06b\"",
 "labels": {
 "app": "slack-infra",
 "group": "sig-contributor-experience"
diff --git a/audit/projects/kubernetes-public/secrets/slack-welcomer-config/description.json b/audit/projects/kubernetes-public/secrets/slack-welcomer-config/description.json
index e69dd8d872a..5ca3edc1fcf 100644
--- a/audit/projects/kubernetes-public/secrets/slack-welcomer-config/description.json
+++ b/audit/projects/kubernetes-public/secrets/slack-welcomer-config/description.json
@@ -1,6 +1,5 @@
 {
 "createTime": "2020-05-28T03:40:14.323185Z",
- "etag": "\"15c2dafac631cd\"",
 "labels": {
 "app": "slack-infra",
 "group": "sig-contributor-experience"
diff --git a/audit/projects/kubernetes-public/secrets/slackin-token/description.json b/audit/projects/kubernetes-public/secrets/slackin-token/description.json
index 8522dc4c295..fef554fba36 100644
--- a/audit/projects/kubernetes-public/secrets/slackin-token/description.json
+++ b/audit/projects/kubernetes-public/secrets/slackin-token/description.json
@@ -1,6 +1,5 @@
 {
 "createTime": "2020-05-28T03:40:30.811539Z",
- "etag": "\"15c2dafaf6a3b1\"",
 "labels": {
 "app": "slack-infra",
 "group": "sig-contributor-experience"
diff --git a/audit/projects/kubernetes-public/secrets/triage-party-github-token/description.json b/audit/projects/kubernetes-public/secrets/triage-party-github-token/description.json
index 69f88c7ae69..45da78b3608 100644
--- a/audit/projects/kubernetes-public/secrets/triage-party-github-token/description.json
+++ b/audit/projects/kubernetes-public/secrets/triage-party-github-token/description.json
@@ -1,6 +1,5 @@
 {
 "createTime": "2020-06-25T19:14:21.868654Z",
- "etag": "\"15c2dafb274b21\"",
 "labels": {
 "app": "triageparty-release",
 "group": "sig-release"
diff --git a/audit/projects/kubernetes-public/services/bigquery/bigquery.datasets.json b/audit/projects/kubernetes-public/services/bigquery/bigquery.datasets.json
index e69de29bb2d..7ad8455389d 100644
--- a/audit/projects/kubernetes-public/services/bigquery/bigquery.datasets.json
+++ b/audit/projects/kubernetes-public/services/bigquery/bigquery.datasets.json
@@ -0,0 +1,20 @@
+[
+ {
+ "kind": "bigquery#dataset",
+ "id": "kubernetes-public:kubernetes_public_billing",
+ "datasetReference": {
+ "datasetId": "kubernetes_public_billing",
+ "projectId": "kubernetes-public"
+ },
+ "location": "US"
+ },
+ {
+ "kind": "bigquery#dataset",
+ "id": "kubernetes-public:usage_metering_aaa",
+ "datasetReference": {
+ "datasetId": "usage_metering_aaa",
+ "projectId": "kubernetes-public"
+ },
+ "location": "US"
+ }
+]
diff --git a/audit/projects/kubernetes-public/services/bigquery/bigquery.datasets.kubernetes_public_billing.access.json b/audit/projects/kubernetes-public/services/bigquery/bigquery.datasets.kubernetes_public_billing.access.json
new file mode 100644
index 00000000000..bde4ccc3a96
--- /dev/null
+++ b/audit/projects/kubernetes-public/services/bigquery/bigquery.datasets.kubernetes_public_billing.access.json
@@ -0,0 +1,34 @@
+[
+ {
+ "role": "WRITER",
+ "specialGroup": "projectWriters"
+ },
+ {
+ "role": "OWNER",
+ "specialGroup": "projectOwners"
+ },
+ {
+ "role": "OWNER",
+ "userByEmail": "billing-export-bigquery@system.gserviceaccount.com"
+ },
+ {
+ "role": "OWNER",
+ "userByEmail": "ihor@cncf.io"
+ },
+ {
+ "role": "READER",
+ "groupByEmail": "k8s-infra-gcp-accounting@kubernetes.io"
+ },
+ {
+ "role": "READER",
+ "specialGroup": "projectReaders"
+ },
+ {
+ "role": "roles/bigquery.metadataViewer",
+ "groupByEmail": "k8s-infra-gcp-accounting@kubernetes.io"
+ },
+ {
+ "role": "roles/bigquery.user",
+ "groupByEmail": "k8s-infra-gcp-accounting@kubernetes.io"
+ }
+]
diff --git a/audit/projects/kubernetes-public/services/bigquery/bigquery.datasets.usage_metering_aaa.access.json b/audit/projects/kubernetes-public/services/bigquery/bigquery.datasets.usage_metering_aaa.access.json
new file mode 100644
index 00000000000..1dfdc4ca8ad
--- /dev/null
+++ b/audit/projects/kubernetes-public/services/bigquery/bigquery.datasets.usage_metering_aaa.access.json
@@ -0,0 +1,10 @@
+[
+ {
+ "role": "WRITER",
+ "userByEmail": "gke-nodes-aaa@kubernetes-public.iam.gserviceaccount.com"
+ },
+ {
+ "role": "OWNER",
+ "specialGroup": "projectOwners"
+ }
+]