From 7a829d501fa232280a2f93610584b1bef2f81ccb Mon Sep 17 00:00:00 2001
From: Aaron Crickenberger
Date: Mon, 24 May 2021 15:00:12 -0400
Subject: [PATCH 1/4] audit: fix bq access dump

---
 audit/audit-gcp.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/audit/audit-gcp.sh b/audit/audit-gcp.sh
index c0899a5672f..f6c4fca04ab 100755
--- a/audit/audit-gcp.sh
+++ b/audit/audit-gcp.sh
@@ -126,7 +126,7 @@ gcloud \
 if [ -s "projects/${PROJECT}/services/${SVC}/bigquery.datasets.json" ]
 then
 bq \
- --project_id="{$PROJECT}" --format=json ls \
+ --project_id="${PROJECT}" --format=json ls \
 | jq -r '.[] | .datasetReference["datasetId"]' \
 | while read -r DATASET; do
 bq \

From 3036369a0eaed2e7273450cbfe07aca659c27a9d Mon Sep 17 00:00:00 2001
From: Aaron Crickenberger
Date: Mon, 24 May 2021 14:35:47 -0400
Subject: [PATCH 2/4] audit: strip etags from all json

Do this by add a format_gcloud_json function, and passing all gcloud (or bq, gsutil) output through it. Format calls so the argument to use json output and the pass through the function are on the same line to make it clear this should be used everywhere json output is used.

NOTE: in reformatting the `bq` calls to make this change, I switched away from prettyjson format, since jq will do the prettifying for us. However, this means that keys will be stored in a slightly different order than before.
---
 audit/audit-gcp.sh | 60 ++++++++++++++++++++++++----------------------
 1 file changed, 32 insertions(+), 28 deletions(-)

diff --git a/audit/audit-gcp.sh b/audit/audit-gcp.sh
index f6c4fca04ab..818f79bcae1 100755
--- a/audit/audit-gcp.sh
+++ b/audit/audit-gcp.sh
@@ -20,6 +20,11 @@ set -o pipefail
 CNCF_GCP_ORG=758905017065
+function format_gcloud_json() {
+ # recursively delete any fields named "etag"
+ jq 'delpaths([path(..|.etag?|select(.))])'
+}
+
 echo "# Removing existing audit files"
 rm -rf org_kubernetes.io
 rm -rf projects
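Review bot: `format_gcloud_json` deletes every key named `etag` at any depth, not only the top-level concurrency token the old `jq 'del(.etag)'` removed, and the one-line comment does not say so; if an audited resource ever carries user-controlled data under a key literally named `etag` (labels, metadata), it will silently vanish from the snapshot. That is acceptable for the gcloud/bq/gsutil resource descriptions this script pipes through it, but the caveat belongs in the comment, e.g. `# Strip every "etag" key at any depth: etags are optimistic-concurrency tokens, not policy content, so dropping them keeps the audit diff to fields that matter. Only use on gcloud/bq/gsutil resource JSON.` Style-wise, `function format_gcloud_json() {` mixes the ksh keyword with POSIX parentheses; `format_gcloud_json() {` is the form ShellCheck and the common shell style guides expect. The hunk sits in the script's top-level statement run, which continues outside it.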
@@ -34,14 +39,12 @@ gcloud \
 ROLE=$(basename "${ROLE_PATH}")
 gcloud iam roles describe "${ROLE}" \
 --organization="${CNCF_GCP_ORG}" \
- --format=json \
- | jq 'del(.etag)' \
+ --format=json | format_gcloud_json \
 > "org_kubernetes.io/roles/${ROLE}.json"
 done
 gcloud \
 organizations get-iam-policy "${CNCF_GCP_ORG}" \
- --format=json \
- | jq 'del(.etag)' \
+ --format=json | format_gcloud_json \
 > "org_kubernetes.io/iam.json"
 echo "## Iterating over Projects"
@@ -55,16 +58,16 @@ gcloud \
 echo "### Auditing Project ${PROJECT}"
 mkdir -p "projects/${PROJECT}"
+
 gcloud \
 projects describe "${PROJECT}" \
- --format=json \
+ --format=json | format_gcloud_json \
 > "projects/${PROJECT}/description.json"
 echo "#### ${PROJECT} IAM"
 gcloud \
 projects get-iam-policy "${PROJECT}" \
- --format=json \
- | jq 'del(.etag)' \
+ --format=json | format_gcloud_json \
 > "projects/${PROJECT}/iam.json"
 echo "#### ${PROJECT} ServiceAccounts"
@@ -77,14 +80,12 @@ gcloud \
 gcloud \
 iam service-accounts describe "${SVCACCT}" \
 --project="${PROJECT}" \
- --format=json \
- | jq 'del(.etag)' \
+ --format=json | format_gcloud_json \
 > "projects/${PROJECT}/service-accounts/${SVCACCT}/description.json"
 gcloud \
 iam service-accounts get-iam-policy "${SVCACCT}" \
 --project="${PROJECT}" \
- --format=json \
- | jq 'del(.etag)' \
+ --format=json | format_gcloud_json \
 > "projects/${PROJECT}/service-accounts/${SVCACCT}/iam.json"
 done
@@ -99,8 +100,7 @@ gcloud \
 gcloud \
 iam roles describe "${ROLE}" \
 --project="${PROJECT}" \
- --format=json \
- | jq 'del(.etag)' \
+ --format=json | format_gcloud_json \
 > "projects/${PROJECT}/roles/${ROLE}.json"
 done
@@ -120,18 +120,27 @@ gcloud \
 bigquery)
 mkdir -p "projects/${PROJECT}/services/${SVC}"
 bq \
- --format=prettyjson --project_id=$PROJECT ls
+ ls \
+ --project_id="${PROJECT}" \
+ --format=json | format_gcloud_json \
 > "projects/${PROJECT}/services/${SVC}/bigquery.datasets.json"
 # Only run if there are any datasets
 if [ -s "projects/${PROJECT}/services/${SVC}/bigquery.datasets.json" ]
 then
 bq \
- --project_id="${PROJECT}" --format=json ls \
+ ls \
+ --project_id="${PROJECT}" \
+ --format=json | format_gcloud_json \
 | jq -r '.[] | .datasetReference["datasetId"]' \
 | while read -r DATASET; do
 bq \
- --project_id="${PROJECT}" --format=json show "${PROJECT}:${DATASET}" \
- | jq .access > "projects/${PROJECT}/services/${SVC}/bigquery.datasets.${DATASET}.access.json"
+ show \
+ --project_id="${PROJECT}" \
+ --format=json \
+ "${PROJECT}:${DATASET}" \
+ | format_gcloud_json \
+ | jq .access \
+ > "projects/${PROJECT}/services/${SVC}/bigquery.datasets.${DATASET}.access.json"
 done
 fi
 ;;
@@ -140,7 +149,7 @@ gcloud \
 compute project-info describe \
 --project="${PROJECT}" \
- --format=json \
+ --format=json | format_gcloud_json \
 | jq 'del(.quotas[].usage, .commonInstanceMetadata.fingerprint)' \
 > "projects/${PROJECT}/services/${SVC}/project-info.json"
 ;;
@@ -157,11 +166,11 @@ gcloud \
 mkdir -p "projects/${PROJECT}/services/${SVC}"
 gcloud \
 dns project-info describe "${PROJECT}" \
- --format=json \
+ --format=json | format_gcloud_json \
 > "projects/${PROJECT}/services/${SVC}/info.json"
 gcloud \
 dns managed-zones list \
- --format=json \
+ --format=json | format_gcloud_json \
 > "projects/${PROJECT}/services/${SVC}/zones.json"
 ;;
 logging)
@@ -187,7 +196,7 @@ gcloud \
 gcloud \
 secrets describe "${SECRET}" \
 --project="${PROJECT}" \
- --format=json \
+ --format=json | format_gcloud_json \
 > "${path}/description.json"
 gcloud \
 secrets versions list "${SECRET}" \
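Review bot: The dataset enumeration inside the `if [ -s ... ]` block runs `bq ls` a second time instead of reading the `bigquery.datasets.json` that was just written, so the recorded dataset list and the set of `*.access.json` files can disagree if the listing changes or fails between the two calls, and the second call's output is never captured anywhere. Replace the second `bq ls` pipeline with `jq -r '.[] | .datasetReference["datasetId"]' "projects/${PROJECT}/services/${SVC}/bigquery.datasets.json" \` followed by `| while read -r DATASET; do`, which also halves the BigQuery API calls per project. Separately, `bq ls` applies a default result cap (`--max_results`, 50 in the CLI versions I am aware of — confirm), so a project with more datasets than that would be silently truncated in both the listing and the access dumps; pass `--max_results` explicitly. The enclosing `while read -r SVC` loop and `case` start and end outside the hunk.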
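Review bot: `gcloud dns managed-zones list` in this hunk carries no `--project="${PROJECT}"`, while the `dns project-info describe "${PROJECT}"` just above it names the project explicitly; unless a default project is configured elsewhere in the script (not visible in these hunks), `zones.json` is written from the caller's gcloud default project and would be the same for every audited project. Add `--project="${PROJECT}" \` after `dns managed-zones list \` so the zone snapshot actually belongs to `${PROJECT}`. The enclosing `case "${SVC}"` starts and ends outside the hunk.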
@@ -197,8 +206,7 @@ gcloud \
 gcloud \
 secrets get-iam-policy "${SECRET}" \
 --project="${PROJECT}" \
- --format=json \
- | jq 'del(.etag)' \
+ --format=json | format_gcloud_json \
 > "${path}/iam.json"
 done
 ;;
@@ -214,7 +222,7 @@ gcloud \
 gsutil logging get "gs://${BUCKET}/" \
 > "projects/${PROJECT}/buckets/${BUCKET}/logging.txt"
 gsutil iam get "gs://${BUCKET}/" \
- | jq 'del(.etag)' \
+ | format_gcloud_json \
 > "projects/${PROJECT}/buckets/${BUCKET}/iam.json"
 done
 ;;
@@ -239,7 +247,3 @@ gcloud \
 esac
 done
 done
-
-
-# TODO:
-# Dump iam for Big Query

From 4eb4d1a55c56bc117a59fd737396a62c6e831efa Mon Sep 17 00:00:00 2001
From: Aaron Crickenberger
Date: Mon, 24 May 2021 15:34:34 -0400
Subject: [PATCH 3/4] audit: update logging slightly

---
 audit/audit-gcp.sh | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/audit/audit-gcp.sh b/audit/audit-gcp.sh
index 818f79bcae1..700077cb3d1 100755
--- a/audit/audit-gcp.sh
+++ b/audit/audit-gcp.sh
@@ -116,6 +116,7 @@ gcloud \
 --format="value(config.name)" \
 | sed 's/.googleapis.com//' \
 | while read -r SVC; do
+ echo "##### projects/${PROJECT}/services/${SVC}"
 case "${SVC}" in
 bigquery)
 mkdir -p "projects/${PROJECT}/services/${SVC}"
@@ -227,7 +228,7 @@ gcloud \
 done
 ;;
 *)
- echo "##### Unhandled Service ${SVC}"
+ echo "WARN: Unaudited service enabled in project ${PROJECT}: ${SVC}"
 # (these were all enabled for kubernetes-public)
 # TODO: handle (or ignore) bigquerystorage
 # TODO: handle (or ignore) clouderrorreporting

From 0e2e3d3a933d33ec47cd121dca11f53e6719d5d9 Mon Sep 17 00:00:00 2001
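Review bot: The new `WARN:` line in the `*)` arm is printed to stdout, interleaved with the `#`-prefixed progress output, so when a run is captured to a file or turned into a report the one message that says the audit has a coverage gap is the easiest one to lose; diagnostics belong on stderr: `echo "WARN: Unaudited service enabled in project ${PROJECT}: ${SVC}" >&2`. An enabled-but-unaudited service is a real blind spot for an IAM audit, so it may also be worth counting these and reporting them at the end of the run rather than only inline. The enclosing `case` and `while read -r SVC` loop start and end outside the hunk.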
From: Aaron Crickenberger
Date: Mon, 24 May 2021 16:38:34 -0400
Subject: [PATCH 4/4] audit: results of manually running audit-gcp.sh

---
 .../bigquery.datasets.gcs_logs.access.json | 18 ++++++++
 ...bigquery.datasets.http_lb_logs.access.json | 14 +++++++
 .../services/bigquery/bigquery.datasets.json | 20 +++++++++
 .../service-cri-o-key/description.json | 1 -
 .../service-huaweicloud-key/description.json | 1 -
 .../service-inspur-key/description.json | 1 -
 .../description.json | 1 -
 .../service-s390x-k8s-key/description.json | 1 -
 .../description.json | 1 -
 .../wg-k8s-infra-billing_pw/description.json | 1 -
 .../bigquery/bigquery.datasets.hh.access.json | 18 ++++++++
 .../services/bigquery/bigquery.datasets.json | 41 +++++++++++++++++++
 ....k8s_artifacts_dataset_bb_test.access.json | 18 ++++++++
 ....k8s_artifacts_gcslogs_appspot.access.json | 18 ++++++++
 ...atasets.kubernetes_public_logs.access.json | 18 ++++++++
 .../cncf-ci-github-token/description.json | 1 -
 .../secrets/cncf-ci-github-token/iam.json | 3 +-
 .../secrets/cncf-ci-token/description.json | 8 ----
 .../secrets/cncf-ci-token/iam.json | 1 -
 .../secrets/cncf-ci-token/versions.json | 1 -
 .../secrets/snyk-token/description.json | 1 -
 .../secrets/snyk-token/iam.json | 1 +
 .../services/bigquery/bigquery.datasets.json | 11 +++++
 ...ge_metering_prow_build_trusted.access.json | 10 +++++
 .../services/bigquery/bigquery.datasets.json | 11 +++++
 ...sets.usage_metering_prow_build.access.json | 10 +++++
 .../secrets/recaptcha/description.json | 1 -
 .../slack-event-log-config/description.json | 1 -
 .../slack-moderator-config/description.json | 1 -
 .../description.json | 1 -
 .../slack-welcomer-config/description.json | 1 -
 .../secrets/slackin-token/description.json | 1 -
 .../description.json | 1 -
 .../services/bigquery/bigquery.datasets.json | 20 +++++++++
 ...sets.kubernetes_public_billing.access.json | 34 +++++++++++++++
 ...ry.datasets.usage_metering_aaa.access.json | 10 +++++
 36 files changed, 273 insertions(+), 28 deletions(-)
 create mode 100644 audit/projects/k8s-artifacts-prod/services/bigquery/bigquery.datasets.gcs_logs.access.json
 create mode 100644 audit/projects/k8s-artifacts-prod/services/bigquery/bigquery.datasets.http_lb_logs.access.json
 create mode 100644 audit/projects/k8s-infra-ii-sandbox/services/bigquery/bigquery.datasets.hh.access.json
 create mode 100644 audit/projects/k8s-infra-ii-sandbox/services/bigquery/bigquery.datasets.k8s_artifacts_dataset_bb_test.access.json
 create mode 100644 audit/projects/k8s-infra-ii-sandbox/services/bigquery/bigquery.datasets.k8s_artifacts_gcslogs_appspot.access.json
 create mode 100644 audit/projects/k8s-infra-ii-sandbox/services/bigquery/bigquery.datasets.kubernetes_public_logs.access.json
 delete mode 100644 audit/projects/k8s-infra-prow-build-trusted/secrets/cncf-ci-token/description.json
 delete mode 100644 audit/projects/k8s-infra-prow-build-trusted/secrets/cncf-ci-token/iam.json
 delete mode 100644 audit/projects/k8s-infra-prow-build-trusted/secrets/cncf-ci-token/versions.json
 create mode 100644 audit/projects/k8s-infra-prow-build-trusted/services/bigquery/bigquery.datasets.usage_metering_prow_build_trusted.access.json
 create mode 100644 audit/projects/k8s-infra-prow-build/services/bigquery/bigquery.datasets.usage_metering_prow_build.access.json
 create mode 100644 audit/projects/kubernetes-public/services/bigquery/bigquery.datasets.kubernetes_public_billing.access.json
 create mode 100644 audit/projects/kubernetes-public/services/bigquery/bigquery.datasets.usage_metering_aaa.access.json

diff --git a/audit/projects/k8s-artifacts-prod/services/bigquery/bigquery.datasets.gcs_logs.access.json b/audit/projects/k8s-artifacts-prod/services/bigquery/bigquery.datasets.gcs_logs.access.json
new file mode 100644
index 00000000000..b8948e75a19
--- /dev/null
+++ b/audit/projects/k8s-artifacts-prod/services/bigquery/bigquery.datasets.gcs_logs.access.json
@@ -0,0 +1,18 @@
+[
+ {
+ "role": "WRITER",
+ "specialGroup": "projectWriters"
+ },
+ {
+ "role": "OWNER",
+ "specialGroup": "projectOwners"
+ },
+ {
+ "role": "OWNER",
+ "userByEmail": "justinsb@google.com"
+ },
+ {
+ "role": "READER",
+ "specialGroup": "projectReaders"
+ }
+]
diff --git a/audit/projects/k8s-artifacts-prod/services/bigquery/bigquery.datasets.http_lb_logs.access.json b/audit/projects/k8s-artifacts-prod/services/bigquery/bigquery.datasets.http_lb_logs.access.json
new file mode 100644
index 00000000000..3381307a2ad
--- /dev/null
+++ b/audit/projects/k8s-artifacts-prod/services/bigquery/bigquery.datasets.http_lb_logs.access.json
@@ -0,0 +1,14 @@
+[
+ {
+ "role": "WRITER",
+ "userByEmail": "p388270116193-330742@gcp-sa-logging.iam.gserviceaccount.com"
+ },
+ {
+ "role": "OWNER",
+ "specialGroup": "projectWriters"
+ },
+ {
+ "role": "OWNER",
+ "userByEmail": "justinsb@google.com"
+ }
+]
diff --git a/audit/projects/k8s-artifacts-prod/services/bigquery/bigquery.datasets.json b/audit/projects/k8s-artifacts-prod/services/bigquery/bigquery.datasets.json
index e69de29bb2d..e07449c20d2 100644
--- a/audit/projects/k8s-artifacts-prod/services/bigquery/bigquery.datasets.json
+++ b/audit/projects/k8s-artifacts-prod/services/bigquery/bigquery.datasets.json
@@ -0,0 +1,20 @@
+[
+ {
+ "kind": "bigquery#dataset",
+ "id": "k8s-artifacts-prod:gcs_logs",
+ "datasetReference": {
+ "datasetId": "gcs_logs",
+ "projectId": "k8s-artifacts-prod"
+ },
+ "location": "US"
+ },
+ {
+ "kind": "bigquery#dataset",
+ "id": "k8s-artifacts-prod:http_lb_logs",
+ "datasetReference": {
+ "datasetId": "http_lb_logs",
+ "projectId": "k8s-artifacts-prod"
+ },
+ "location": "US"
+ }
+]
diff --git a/audit/projects/k8s-conform/secrets/service-cri-o-key/description.json b/audit/projects/k8s-conform/secrets/service-cri-o-key/description.json
index d463c6d31c9..636bea2f32c 100644
--- a/audit/projects/k8s-conform/secrets/service-cri-o-key/description.json
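Review bot: The `http_lb_logs` access list grants `OWNER` to `specialGroup: projectWriters`, whereas the sibling `gcs_logs` dataset in the same project keeps the default entries (`projectWriters` as `WRITER`, `projectOwners` as `OWNER`, `projectReaders` as `READER`); as recorded, anyone with project-level BigQuery write in `k8s-artifacts-prod` can rewrite this dataset's ACL or delete it, and there is no `projectReaders` entry at all. This file is a generated audit snapshot and should not be hand-edited, but the finding deserves a tracking issue and, if the elevation is unintended, the entry should be brought back in line with `gcs_logs` (`"role": "WRITER"` for `projectWriters`). Both datasets also carry an individual `userByEmail` (`justinsb@google.com`) as `OWNER` rather than a k8s-infra group, which looks like a leftover from dataset creation — confirm with the owners.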
+++ b/audit/projects/k8s-conform/secrets/service-cri-o-key/description.json
@@ -1,6 +1,5 @@
 {
 "createTime": "2021-04-08T20:32:11.215176Z",
- "etag": "\"15bf7bf125b148\"",
 "name": "projects/228988630781/secrets/service-cri-o-key",
 "replication": {
 "automatic": {}
diff --git a/audit/projects/k8s-conform/secrets/service-huaweicloud-key/description.json b/audit/projects/k8s-conform/secrets/service-huaweicloud-key/description.json
index 31ba1c3dc4c..dac88b8cc6e 100644
--- a/audit/projects/k8s-conform/secrets/service-huaweicloud-key/description.json
+++ b/audit/projects/k8s-conform/secrets/service-huaweicloud-key/description.json
@@ -1,6 +1,5 @@
 {
 "createTime": "2021-04-08T20:43:10.411934Z",
- "etag": "\"15bf7c18703c9e\"",
 "name": "projects/228988630781/secrets/service-huaweicloud-key",
 "replication": {
 "automatic": {}
diff --git a/audit/projects/k8s-conform/secrets/service-inspur-key/description.json b/audit/projects/k8s-conform/secrets/service-inspur-key/description.json
index 940f2574725..343e01a5b94 100644
--- a/audit/projects/k8s-conform/secrets/service-inspur-key/description.json
+++ b/audit/projects/k8s-conform/secrets/service-inspur-key/description.json
@@ -1,6 +1,5 @@
 {
 "createTime": "2021-02-23T06:37:04.961097Z",
- "etag": "\"15bbfb25906e49\"",
 "name": "projects/228988630781/secrets/service-inspur-key",
 "replication": {
 "automatic": {}
diff --git a/audit/projects/k8s-conform/secrets/service-provider-openstack-key/description.json b/audit/projects/k8s-conform/secrets/service-provider-openstack-key/description.json
index 9f9a32fc544..fa19d6025c3 100644
--- a/audit/projects/k8s-conform/secrets/service-provider-openstack-key/description.json
+++ b/audit/projects/k8s-conform/secrets/service-provider-openstack-key/description.json
@@ -1,6 +1,5 @@
 {
 "createTime": "2021-02-15T15:18:08.840992Z",
- "etag": "\"15bb617e4e6120\"",
 "name": "projects/228988630781/secrets/service-provider-openstack-key",
 "replication": {
 "automatic": {}
diff --git a/audit/projects/k8s-conform/secrets/service-s390x-k8s-key/description.json b/audit/projects/k8s-conform/secrets/service-s390x-k8s-key/description.json
index e49386a95e6..6d54fb4f53c 100644
--- a/audit/projects/k8s-conform/secrets/service-s390x-k8s-key/description.json
+++ b/audit/projects/k8s-conform/secrets/service-s390x-k8s-key/description.json
@@ -1,6 +1,5 @@
 {
 "createTime": "2020-09-23T21:18:11.941957Z",
- "etag": "\"15b3ed7a94947b\"",
 "name": "projects/228988630781/secrets/service-s390x-k8s-key",
 "replication": {
 "automatic": {}
diff --git a/audit/projects/k8s-gsuite/secrets/gsuite-groups-manager_key/description.json b/audit/projects/k8s-gsuite/secrets/gsuite-groups-manager_key/description.json
index 81d58f703f6..67d029e2a2a 100644
--- a/audit/projects/k8s-gsuite/secrets/gsuite-groups-manager_key/description.json
+++ b/audit/projects/k8s-gsuite/secrets/gsuite-groups-manager_key/description.json
@@ -1,6 +1,5 @@
 {
 "createTime": "2020-04-30T04:24:22.976608Z",
- "etag": "\"15b3ed7c79f8c0\"",
 "name": "projects/91610859379/secrets/gsuite-groups-manager_key",
 "replication": {
 "automatic": {}
diff --git a/audit/projects/k8s-gsuite/secrets/wg-k8s-infra-billing_pw/description.json b/audit/projects/k8s-gsuite/secrets/wg-k8s-infra-billing_pw/description.json
index 4c0fc2c4e8e..51ca1cc1026 100644
--- a/audit/projects/k8s-gsuite/secrets/wg-k8s-infra-billing_pw/description.json
+++ b/audit/projects/k8s-gsuite/secrets/wg-k8s-infra-billing_pw/description.json
@@ -1,6 +1,5 @@
 {
 "createTime": "2020-05-11T16:52:59.141275Z",
- "etag": "\"15b3ed7b29f480\"",
 "name": "projects/91610859379/secrets/wg-k8s-infra-billing_pw",
 "replication": {
 "automatic": {}
diff --git a/audit/projects/k8s-infra-ii-sandbox/services/bigquery/bigquery.datasets.hh.access.json b/audit/projects/k8s-infra-ii-sandbox/services/bigquery/bigquery.datasets.hh.access.json
new file mode 100644
index 00000000000..1b9fe6a2bc6
--- /dev/null
+++ b/audit/projects/k8s-infra-ii-sandbox/services/bigquery/bigquery.datasets.hh.access.json
@@ -0,0 +1,18 @@
+[
+ {
+ "role": "WRITER",
+ "specialGroup": "projectWriters"
+ },
+ {
+ "role": "OWNER",
+ "specialGroup": "projectOwners"
+ },
+ {
+ "role": "OWNER",
+ "userByEmail": "hh@ii.coop"
+ },
+ {
+ "role": "READER",
+ "specialGroup": "projectReaders"
+ }
+]
diff --git a/audit/projects/k8s-infra-ii-sandbox/services/bigquery/bigquery.datasets.json b/audit/projects/k8s-infra-ii-sandbox/services/bigquery/bigquery.datasets.json
index e69de29bb2d..6df47d2665a 100644
--- a/audit/projects/k8s-infra-ii-sandbox/services/bigquery/bigquery.datasets.json
+++ b/audit/projects/k8s-infra-ii-sandbox/services/bigquery/bigquery.datasets.json
@@ -0,0 +1,41 @@
+[
+ {
+ "kind": "bigquery#dataset",
+ "id": "k8s-infra-ii-sandbox:hh",
+ "datasetReference": {
+ "datasetId": "hh",
+ "projectId": "k8s-infra-ii-sandbox"
+ },
+ "location": "US"
+ },
+ {
+ "kind": "bigquery#dataset",
+ "id": "k8s-infra-ii-sandbox:k8s_artifacts_dataset_bb_test",
+ "datasetReference": {
+ "datasetId": "k8s_artifacts_dataset_bb_test",
+ "projectId": "k8s-infra-ii-sandbox"
+ },
+ "labels": {
+ "managed-by-cnrm": "true"
+ },
+ "location": "US"
+ },
+ {
+ "kind": "bigquery#dataset",
+ "id": "k8s-infra-ii-sandbox:k8s_artifacts_gcslogs_appspot",
+ "datasetReference": {
+ "datasetId": "k8s_artifacts_gcslogs_appspot",
+ "projectId": "k8s-infra-ii-sandbox"
+ },
+ "location": "US"
+ },
+ {
+ "kind": "bigquery#dataset",
+ "id": "k8s-infra-ii-sandbox:kubernetes_public_logs",
+ "datasetReference": {
+ "datasetId": "kubernetes_public_logs",
+ "projectId": "k8s-infra-ii-sandbox"
+ },
+ "location": "US"
+ }
+]
diff --git a/audit/projects/k8s-infra-ii-sandbox/services/bigquery/bigquery.datasets.k8s_artifacts_dataset_bb_test.access.json b/audit/projects/k8s-infra-ii-sandbox/services/bigquery/bigquery.datasets.k8s_artifacts_dataset_bb_test.access.json
new file mode 100644
index 00000000000..4a76db5b89d
--- /dev/null
+++ b/audit/projects/k8s-infra-ii-sandbox/services/bigquery/bigquery.datasets.k8s_artifacts_dataset_bb_test.access.json
@@ -0,0 +1,18 @@
+[
+ {
+ "role": "WRITER",
+ "specialGroup": "projectWriters"
+ },
+ {
+ "role": "OWNER",
+ "specialGroup": "projectOwners"
+ },
+ {
+ "role": "OWNER",
+ "userByEmail": "bb@ii.coop"
+ },
+ {
+ "role": "READER",
+ "specialGroup": "projectReaders"
+ }
+]
diff --git a/audit/projects/k8s-infra-ii-sandbox/services/bigquery/bigquery.datasets.k8s_artifacts_gcslogs_appspot.access.json b/audit/projects/k8s-infra-ii-sandbox/services/bigquery/bigquery.datasets.k8s_artifacts_gcslogs_appspot.access.json
new file mode 100644
index 00000000000..4a76db5b89d
--- /dev/null
+++ b/audit/projects/k8s-infra-ii-sandbox/services/bigquery/bigquery.datasets.k8s_artifacts_gcslogs_appspot.access.json
@@ -0,0 +1,18 @@
+[
+ {
+ "role": "WRITER",
+ "specialGroup": "projectWriters"
+ },
+ {
+ "role": "OWNER",
+ "specialGroup": "projectOwners"
+ },
+ {
+ "role": "OWNER",
+ "userByEmail": "bb@ii.coop"
+ },
+ {
+ "role": "READER",
+ "specialGroup": "projectReaders"
+ }
+]
diff --git a/audit/projects/k8s-infra-ii-sandbox/services/bigquery/bigquery.datasets.kubernetes_public_logs.access.json b/audit/projects/k8s-infra-ii-sandbox/services/bigquery/bigquery.datasets.kubernetes_public_logs.access.json
new file mode 100644
index 00000000000..e1dcaceb7dd
--- /dev/null
+++ b/audit/projects/k8s-infra-ii-sandbox/services/bigquery/bigquery.datasets.kubernetes_public_logs.access.json
@@ -0,0 +1,18 @@
+[
+ {
+ "role": "WRITER",
+ "specialGroup": "projectWriters"
+ },
+ {
+ "role": "OWNER",
+ "specialGroup": "projectOwners"
+ },
+ {
+ "role": "OWNER",
+ "userByEmail": "caleb@ii.coop"
+ },
+ {
+ "role": "READER",
+ "specialGroup": "projectReaders"
+ }
+]
diff --git a/audit/projects/k8s-infra-prow-build-trusted/secrets/cncf-ci-github-token/description.json b/audit/projects/k8s-infra-prow-build-trusted/secrets/cncf-ci-github-token/description.json
index 4bd9a686196..fce79ae9d2e 100644
--- a/audit/projects/k8s-infra-prow-build-trusted/secrets/cncf-ci-github-token/description.json
+++ b/audit/projects/k8s-infra-prow-build-trusted/secrets/cncf-ci-github-token/description.json
@@ -1,6 +1,5 @@
 {
 "createTime": "2021-02-11T04:21:30.200768Z",
- "etag": "\"15c2db0d2d7401\"",
 "labels": {
 "group": "sig-testing",
 "sig": "testing"
diff --git a/audit/projects/k8s-infra-prow-build-trusted/secrets/cncf-ci-github-token/iam.json b/audit/projects/k8s-infra-prow-build-trusted/secrets/cncf-ci-github-token/iam.json
index a6d9eb99416..6ef0987b98f 100644
--- a/audit/projects/k8s-infra-prow-build-trusted/secrets/cncf-ci-github-token/iam.json
+++ b/audit/projects/k8s-infra-prow-build-trusted/secrets/cncf-ci-github-token/iam.json
@@ -3,8 +3,7 @@
 {
 "members": [
 "group:k8s-infra-ii-coop@kubernetes.io",
- "group:k8s-infra-prow-oncall@kubernetes.io",
- "user:hh@ii.coop"
+ "group:k8s-infra-prow-oncall@kubernetes.io"
 ],
 "role": "roles/secretmanager.admin"
 }
diff --git a/audit/projects/k8s-infra-prow-build-trusted/secrets/cncf-ci-token/description.json b/audit/projects/k8s-infra-prow-build-trusted/secrets/cncf-ci-token/description.json
deleted file mode 100644
index c40b6dc117b..00000000000
--- a/audit/projects/k8s-infra-prow-build-trusted/secrets/cncf-ci-token/description.json
+++ /dev/null
@@ -1,8 +0,0 @@
-{
- "createTime": "2021-05-21T18:03:26.516649Z",
- "etag": "\"15c2dae05eb9a9\"",
- "name": "projects/180382678033/secrets/cncf-ci-token",
- "replication": {
- "automatic": {}
- }
-}
diff --git a/audit/projects/k8s-infra-prow-build-trusted/secrets/cncf-ci-token/iam.json b/audit/projects/k8s-infra-prow-build-trusted/secrets/cncf-ci-token/iam.json
deleted file mode 100644
index 0967ef424bc..00000000000
--- a/audit/projects/k8s-infra-prow-build-trusted/secrets/cncf-ci-token/iam.json
+++ /dev/null
@@ -1 +0,0 @@
-{}
diff --git a/audit/projects/k8s-infra-prow-build-trusted/secrets/cncf-ci-token/versions.json b/audit/projects/k8s-infra-prow-build-trusted/secrets/cncf-ci-token/versions.json
deleted file mode 100644
index fe51488c706..00000000000
--- a/audit/projects/k8s-infra-prow-build-trusted/secrets/cncf-ci-token/versions.json
+++ /dev/null
@@ -1 +0,0 @@
-[]
diff --git a/audit/projects/k8s-infra-prow-build-trusted/secrets/snyk-token/description.json b/audit/projects/k8s-infra-prow-build-trusted/secrets/snyk-token/description.json
index a9a572f02cc..028e566cbcd 100644
--- a/audit/projects/k8s-infra-prow-build-trusted/secrets/snyk-token/description.json
+++ b/audit/projects/k8s-infra-prow-build-trusted/secrets/snyk-token/description.json
@@ -1,6 +1,5 @@
 {
 "createTime": "2021-05-21T18:04:38.236182Z",
- "etag": "\"15c2db0d6c4886\"",
 "labels": {
 "group": "sig-architecture"
 },
diff --git a/audit/projects/k8s-infra-prow-build-trusted/secrets/snyk-token/iam.json b/audit/projects/k8s-infra-prow-build-trusted/secrets/snyk-token/iam.json
index 85477e58417..154b9a61232 100644
--- a/audit/projects/k8s-infra-prow-build-trusted/secrets/snyk-token/iam.json
+++ b/audit/projects/k8s-infra-prow-build-trusted/secrets/snyk-token/iam.json
@@ -2,6 +2,7 @@
 "bindings": [
 {
 "members": [
+ "group:k8s-infra-code-organization@kubernetes.io",
 "group:k8s-infra-prow-oncall@kubernetes.io"
 ],
 "role": "roles/secretmanager.admin"
diff --git a/audit/projects/k8s-infra-prow-build-trusted/services/bigquery/bigquery.datasets.json b/audit/projects/k8s-infra-prow-build-trusted/services/bigquery/bigquery.datasets.json
index e69de29bb2d..23ddd91c5d6 100644
--- a/audit/projects/k8s-infra-prow-build-trusted/services/bigquery/bigquery.datasets.json
+++ b/audit/projects/k8s-infra-prow-build-trusted/services/bigquery/bigquery.datasets.json
@@ -0,0 +1,11 @@
+[
+ {
+ "kind": "bigquery#dataset",
+ "id": "k8s-infra-prow-build-trusted:usage_metering_prow_build_trusted",
+ "datasetReference": {
+ "datasetId": "usage_metering_prow_build_trusted",
+ "projectId": "k8s-infra-prow-build-trusted"
+ },
+ "location": "US"
+ }
+]
diff --git a/audit/projects/k8s-infra-prow-build-trusted/services/bigquery/bigquery.datasets.usage_metering_prow_build_trusted.access.json b/audit/projects/k8s-infra-prow-build-trusted/services/bigquery/bigquery.datasets.usage_metering_prow_build_trusted.access.json
new file mode 100644
index 00000000000..fbd66ae2d0c
--- /dev/null
+++ b/audit/projects/k8s-infra-prow-build-trusted/services/bigquery/bigquery.datasets.usage_metering_prow_build_trusted.access.json
@@ -0,0 +1,10 @@
+[
+ {
+ "role": "WRITER",
+ "userByEmail": "gke-nodes-prow-build-trusted@k8s-infra-prow-build-trusted.iam.gserviceaccount.com"
+ },
+ {
+ "role": "OWNER",
+ "specialGroup": "projectOwners"
+ }
+]
diff --git a/audit/projects/k8s-infra-prow-build/services/bigquery/bigquery.datasets.json b/audit/projects/k8s-infra-prow-build/services/bigquery/bigquery.datasets.json
index e69de29bb2d..1c6b9fa37c6 100644
--- a/audit/projects/k8s-infra-prow-build/services/bigquery/bigquery.datasets.json
+++ b/audit/projects/k8s-infra-prow-build/services/bigquery/bigquery.datasets.json
@@ -0,0 +1,11 @@
+[
+ {
+ "kind": "bigquery#dataset",
+ "id": "k8s-infra-prow-build:usage_metering_prow_build",
+ "datasetReference": {
+ "datasetId": "usage_metering_prow_build",
+ "projectId": "k8s-infra-prow-build"
+ },
+ "location": "US"
+ }
+]
diff --git a/audit/projects/k8s-infra-prow-build/services/bigquery/bigquery.datasets.usage_metering_prow_build.access.json b/audit/projects/k8s-infra-prow-build/services/bigquery/bigquery.datasets.usage_metering_prow_build.access.json
new file mode 100644
index 00000000000..c33ac430cbd
--- /dev/null
+++ b/audit/projects/k8s-infra-prow-build/services/bigquery/bigquery.datasets.usage_metering_prow_build.access.json
@@ -0,0 +1,10 @@
+[
+ {
+ "role": "WRITER",
+ "userByEmail": "gke-nodes-prow-build@k8s-infra-prow-build.iam.gserviceaccount.com"
+ },
+ {
+ "role": "OWNER",
+ "specialGroup": "projectOwners"
+ }
+]
diff --git a/audit/projects/kubernetes-public/secrets/recaptcha/description.json b/audit/projects/kubernetes-public/secrets/recaptcha/description.json
index d5ac93728c6..3eda72ef1d5 100644
--- a/audit/projects/kubernetes-public/secrets/recaptcha/description.json
+++ b/audit/projects/kubernetes-public/secrets/recaptcha/description.json
@@ -1,6 +1,5 @@
 {
 "createTime": "2020-05-28T03:40:25.639524Z",
- "etag": "\"15c2daf9f9cb32\"",
 "labels": {
 "app": "slack-infra",
 "group": "sig-contributor-experience"
diff --git a/audit/projects/kubernetes-public/secrets/slack-event-log-config/description.json b/audit/projects/kubernetes-public/secrets/slack-event-log-config/description.json
index 2dc9198f9bb..9c4c762582e 100644
--- a/audit/projects/kubernetes-public/secrets/slack-event-log-config/description.json
+++ b/audit/projects/kubernetes-public/secrets/slack-event-log-config/description.json
@@ -1,6 +1,5 @@
 {
 "createTime": "2020-05-28T03:40:22.230224Z",
- "etag": "\"15c2dafa2a19c5\"",
 "labels": {
 "app": "slack-infra",
 "group": "sig-contributor-experience"
diff --git a/audit/projects/kubernetes-public/secrets/slack-moderator-config/description.json b/audit/projects/kubernetes-public/secrets/slack-moderator-config/description.json
index ccdbd8c08be..ffb9b423fbb 100644
--- a/audit/projects/kubernetes-public/secrets/slack-moderator-config/description.json
+++ b/audit/projects/kubernetes-public/secrets/slack-moderator-config/description.json
@@ -1,6 +1,5 @@
 {
 "createTime": "2020-05-28T03:40:18.073437Z",
- "etag": "\"15c2dafa5c50da\"",
 "labels": {
 "app": "slack-infra",
 "group": "sig-contributor-experience"
diff --git a/audit/projects/kubernetes-public/secrets/slack-moderator-words-config/description.json b/audit/projects/kubernetes-public/secrets/slack-moderator-words-config/description.json
index 164d7cc3ca8..8dde2ce9142 100644
--- a/audit/projects/kubernetes-public/secrets/slack-moderator-words-config/description.json
+++ b/audit/projects/kubernetes-public/secrets/slack-moderator-words-config/description.json
@@ -1,6 +1,5 @@
 {
 "createTime": "2021-02-23T23:53:36.776896Z",
- "etag": "\"15c2dafa97e06b\"",
 "labels": {
 "app": "slack-infra",
 "group": "sig-contributor-experience"
diff --git a/audit/projects/kubernetes-public/secrets/slack-welcomer-config/description.json b/audit/projects/kubernetes-public/secrets/slack-welcomer-config/description.json
index e69dd8d872a..5ca3edc1fcf 100644
--- a/audit/projects/kubernetes-public/secrets/slack-welcomer-config/description.json
+++ b/audit/projects/kubernetes-public/secrets/slack-welcomer-config/description.json
@@ -1,6 +1,5 @@
 {
 "createTime": "2020-05-28T03:40:14.323185Z",
- "etag": "\"15c2dafac631cd\"",
 "labels": {
 "app": "slack-infra",
 "group": "sig-contributor-experience"
diff --git a/audit/projects/kubernetes-public/secrets/slackin-token/description.json b/audit/projects/kubernetes-public/secrets/slackin-token/description.json
index 8522dc4c295..fef554fba36 100644
--- a/audit/projects/kubernetes-public/secrets/slackin-token/description.json
+++ b/audit/projects/kubernetes-public/secrets/slackin-token/description.json
@@ -1,6 +1,5 @@
 {
 "createTime": "2020-05-28T03:40:30.811539Z",
- "etag": "\"15c2dafaf6a3b1\"",
 "labels": {
 "app": "slack-infra",
 "group": "sig-contributor-experience"
diff --git a/audit/projects/kubernetes-public/secrets/triage-party-github-token/description.json b/audit/projects/kubernetes-public/secrets/triage-party-github-token/description.json
index 69f88c7ae69..45da78b3608 100644
--- a/audit/projects/kubernetes-public/secrets/triage-party-github-token/description.json
+++ b/audit/projects/kubernetes-public/secrets/triage-party-github-token/description.json
@@ -1,6 +1,5 @@
 {
 "createTime": "2020-06-25T19:14:21.868654Z",
- "etag": "\"15c2dafb274b21\"",
 "labels": {
 "app": "triageparty-release",
 "group": "sig-release"
diff --git a/audit/projects/kubernetes-public/services/bigquery/bigquery.datasets.json b/audit/projects/kubernetes-public/services/bigquery/bigquery.datasets.json
index e69de29bb2d..7ad8455389d 100644
--- a/audit/projects/kubernetes-public/services/bigquery/bigquery.datasets.json
+++ b/audit/projects/kubernetes-public/services/bigquery/bigquery.datasets.json
@@ -0,0 +1,20 @@
+[
+ {
+ "kind": "bigquery#dataset",
+ "id": "kubernetes-public:kubernetes_public_billing",
+ "datasetReference": {
+ "datasetId": "kubernetes_public_billing",
+ "projectId": "kubernetes-public"
+ },
+ "location": "US"
+ },
+ {
+ "kind": "bigquery#dataset",
+ "id": "kubernetes-public:usage_metering_aaa",
+ "datasetReference": {
+ "datasetId": "usage_metering_aaa",
+ "projectId": "kubernetes-public"
+ },
+ "location": "US"
+ }
+]
diff --git a/audit/projects/kubernetes-public/services/bigquery/bigquery.datasets.kubernetes_public_billing.access.json b/audit/projects/kubernetes-public/services/bigquery/bigquery.datasets.kubernetes_public_billing.access.json
new file mode 100644
index 00000000000..bde4ccc3a96
--- /dev/null
+++ b/audit/projects/kubernetes-public/services/bigquery/bigquery.datasets.kubernetes_public_billing.access.json
@@ -0,0 +1,34 @@
+[
+ {
+ "role": "WRITER",
+ "specialGroup": "projectWriters"
+ },
+ {
+ "role": "OWNER",
+ "specialGroup": "projectOwners"
+ },
+ {
+ "role": "OWNER",
+ "userByEmail": "billing-export-bigquery@system.gserviceaccount.com"
+ },
+ {
+ "role": "OWNER",
+ "userByEmail": "ihor@cncf.io"
+ },
+ {
+ "role": "READER",
+ "groupByEmail": "k8s-infra-gcp-accounting@kubernetes.io"
+ },
+ {
+ "role": "READER",
+ "specialGroup": "projectReaders"
+ },
+ {
+ "role": "roles/bigquery.metadataViewer",
+ "groupByEmail": "k8s-infra-gcp-accounting@kubernetes.io"
+ },
+ {
+ "role": "roles/bigquery.user",
+ "groupByEmail": "k8s-infra-gcp-accounting@kubernetes.io"
+ }
+]
diff --git a/audit/projects/kubernetes-public/services/bigquery/bigquery.datasets.usage_metering_aaa.access.json b/audit/projects/kubernetes-public/services/bigquery/bigquery.datasets.usage_metering_aaa.access.json
new file mode 100644
index 00000000000..1dfdc4ca8ad
--- /dev/null
+++ b/audit/projects/kubernetes-public/services/bigquery/bigquery.datasets.usage_metering_aaa.access.json
@@ -0,0 +1,10 @@
+[
+ {
+ "role": "WRITER",
+ "userByEmail": "gke-nodes-aaa@kubernetes-public.iam.gserviceaccount.com"
+ },
+ {
+ "role": "OWNER",
+ "specialGroup": "projectOwners"
+ }
+]
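Review bot: `kubernetes_public_billing` records an individual account, `ihor@cncf.io`, as dataset `OWNER` next to `projectOwners` and the `billing-export-bigquery@system.gserviceaccount.com` export writer, while the `k8s-infra-gcp-accounting@kubernetes.io` group is limited to `READER`, `roles/bigquery.user` and `roles/bigquery.metadataViewer`; a per-user `OWNER` on billing data sits outside the group-based access used everywhere else in this snapshot and is presumably a leftover from when the dataset was created — confirm, and if it is still needed, express it through a group binding so it is visible in the group configuration. This file is generated by `audit-gcp.sh` and should not be hand-edited; the follow-up belongs in the infrastructure config, and this snapshot is what should show the change on the next run.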