roles: add custom org role container.deployer

[spiffxp]

The intent is to bind this to prow-deployer@k8s-infra-prow-build-trusted to give prow the ability to CRUD all resources in a given GKE cluster without granting it permission to CRUD the cluster itself.

Motivated by issues deploying kubernetes-external-secrets via post-k8sio-deploy-prow-build-trusted-resources: #2148 (comment)

See individual commits for details

[spiffxp]

/cc @BenTheElder @ameukam

[BenTheElder]

👍
/hold

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: BenTheElder, spiffxp

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [spiffxp]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[ameukam]

/lgtm

[ameukam]

@spiffxp out of curiosity, why do we need this ? Do we have a GCP API use this as a dependency ?

[spiffxp]

These are coming in via roles/iam.securityReviewer, ref:

k8s.io/infra/gcp/roles/specs/audit.viewer.yaml

Lines 45 to 46 in b4f1725

	# *.list and *.getIamPolicy
	- roles/iam.securityReviewer

And we're constraining to list|get.* permissions, with some service-specific exceptions, ref:

k8s.io/infra/gcp/roles/specs/audit.viewer.yaml

Lines 59 to 67 in b4f1725

	# only include (get|list).* (e.g. get, getIamPolicy, etc.)
	- \.(list|get)[^\.]*$
	# include some exceptions from service-specific roles:
	# ...everything from roles/cloudasset.viewer
	- ^cloudasset.assets.(analyze|export|search)[^\.]*$
	# ...this specific permission from roles/cloudkms.publicKeyViewer
	- cloudkms.cryptoKeyVersions.viewPublicKey
	# ...this specific permission from roles/serviceusage.serviceUsageConsumer
	- serviceusage.services.use

You're right that we don't need this; it's more that I've been lazy about restricting what we pull in. I honestly don't really know whether it makes more sense to use roles/viewer instead of all the service-specific roles, or if it's worth investing the time to tighten the role to exactly the services we expect.

[ameukam]

I'm happy with the current state of laziness just want to make sure I understand correctly. :-)
Looking at https://github.com/darkbitio/gcp-iam-role-permissions/blob/master/roles/viewer, I think we should stick at custom roles.

[spiffxp]

/hold cancel

[spiffxp]

Ran make -C images/k8s-infra TAG=latest run ./infra/gcp/ensure-organization.sh