diff --git a/infra/gcp/ensure-organization.sh b/infra/gcp/ensure-organization.sh
index 1621f2021f0..36032f1fc51 100755
--- a/infra/gcp/ensure-organization.sh
+++ b/infra/gcp/ensure-organization.sh
@@ -34,13 +34,14 @@ if [ $# != 0 ]; then
     exit 1
 fi
 
-org_roles=(
-    prow.viewer
-    audit.viewer
-    secretmanager.secretLister
-    organization.admin
+readonly org_roles=(
     CustomRole
+    audit.viewer
+    container.deployer
     iam.serviceAccountLister
+    organization.admin
+    prow.viewer
+    secretmanager.secretLister
 )
 
 removed_org_roles=()
diff --git a/infra/gcp/roles/audit.viewer.yaml b/infra/gcp/roles/audit.viewer.yaml
index 87ebfb77a52..a83c70a1da5 100644
--- a/infra/gcp/roles/audit.viewer.yaml
+++ b/infra/gcp/roles/audit.viewer.yaml
@@ -230,6 +230,8 @@ includedPermissions:
   - bigquery.reservations.list
   - bigquery.routines.get
   - bigquery.routines.list
+  - bigquery.rowAccessPolicies.getIamPolicy
+  - bigquery.rowAccessPolicies.list
   - bigquery.savedqueries.list
   - bigquery.tables.get
   - bigquery.tables.getIamPolicy
@@ -610,6 +612,12 @@ includedPermissions:
   - consumerprocurement.entitlements.list
   - consumerprocurement.freeTrials.list
   - consumerprocurement.orders.list
+  - contactcenterinsights.analyses.list
+  - contactcenterinsights.conversations.list
+  - contactcenterinsights.issueModels.list
+  - contactcenterinsights.issues.list
+  - contactcenterinsights.operations.list
+  - contactcenterinsights.phraseMatchers.list
   - container.apiServices.list
   - container.auditSinks.list
   - container.backendConfigs.list
diff --git a/infra/gcp/roles/container.deployer.yaml b/infra/gcp/roles/container.deployer.yaml
new file mode 100644
index 00000000000..a289b83b393
--- /dev/null
+++ b/infra/gcp/roles/container.deployer.yaml
@@ -0,0 +1,425 @@ +#### generated by generate-role-yaml.sh from ./roles/specs/container.deployer.yaml +# +# # roles/container.developer++ (roles/container.admin - GKE cluster permissions) +# # +# # grants permissions to CRUD all kubernetes resources on a GKE cluster, +# # including potentially sensitive resources related to RBAC or webhooks +# title: Container Deployer +# description: +# name: container.deployer +# include: +# roles: +# - roles/container.admin +# exclude: +# permissionRegexes: +# # non-CRUD permissions for potentially sensitive kubernetes resources +# - ^container\.certifiateSigningRequests\.(approve|getStatus)$ +# - ^container\.clusterRoles\.(bind|escalate)$ +# - ^container\.roles\.(bind|escalate)$ +# # GKE cluster permissions +# - ^container\.clusters\.(create|delete|getCredentials|update)$ +# - ^container\.operations\. +# - ^container\.hostServiceAgent\.# +description: null +includedPermissions: + - container.apiServices.create + - container.apiServices.delete + - container.apiServices.get + - container.apiServices.getStatus + - container.apiServices.list + - container.apiServices.update + - container.apiServices.updateStatus + - container.auditSinks.create + - container.auditSinks.delete + - container.auditSinks.get + - container.auditSinks.list + - container.auditSinks.update + - container.backendConfigs.create + - container.backendConfigs.delete + - container.backendConfigs.get + - container.backendConfigs.list + - container.backendConfigs.update + - container.bindings.create + - container.bindings.delete + - container.bindings.get + - container.bindings.list + - container.bindings.update + - container.certificateSigningRequests.approve + - container.certificateSigningRequests.create + - container.certificateSigningRequests.delete + - container.certificateSigningRequests.get + - container.certificateSigningRequests.getStatus + - container.certificateSigningRequests.list + - container.certificateSigningRequests.update + - 
container.certificateSigningRequests.updateStatus + - container.clusterRoleBindings.create + - container.clusterRoleBindings.delete + - container.clusterRoleBindings.get + - container.clusterRoleBindings.list + - container.clusterRoleBindings.update + - container.clusterRoles.create + - container.clusterRoles.delete + - container.clusterRoles.get + - container.clusterRoles.list + - container.clusterRoles.update + - container.clusters.get + - container.clusters.list + - container.componentStatuses.get + - container.componentStatuses.list + - container.configMaps.create + - container.configMaps.delete + - container.configMaps.get + - container.configMaps.list + - container.configMaps.update + - container.controllerRevisions.create + - container.controllerRevisions.delete + - container.controllerRevisions.get + - container.controllerRevisions.list + - container.controllerRevisions.update + - container.cronJobs.create + - container.cronJobs.delete + - container.cronJobs.get + - container.cronJobs.getStatus + - container.cronJobs.list + - container.cronJobs.update + - container.cronJobs.updateStatus + - container.csiDrivers.create + - container.csiDrivers.delete + - container.csiDrivers.get + - container.csiDrivers.list + - container.csiDrivers.update + - container.csiNodeInfos.create + - container.csiNodeInfos.delete + - container.csiNodeInfos.get + - container.csiNodeInfos.list + - container.csiNodeInfos.update + - container.csiNodes.create + - container.csiNodes.delete + - container.csiNodes.get + - container.csiNodes.list + - container.csiNodes.update + - container.customResourceDefinitions.create + - container.customResourceDefinitions.delete + - container.customResourceDefinitions.get + - container.customResourceDefinitions.getStatus + - container.customResourceDefinitions.list + - container.customResourceDefinitions.update + - container.customResourceDefinitions.updateStatus + - container.daemonSets.create + - container.daemonSets.delete + - 
container.daemonSets.get + - container.daemonSets.getStatus + - container.daemonSets.list + - container.daemonSets.update + - container.daemonSets.updateStatus + - container.deployments.create + - container.deployments.delete + - container.deployments.get + - container.deployments.getScale + - container.deployments.getStatus + - container.deployments.list + - container.deployments.rollback + - container.deployments.update + - container.deployments.updateScale + - container.deployments.updateStatus + - container.endpointSlices.create + - container.endpointSlices.delete + - container.endpointSlices.get + - container.endpointSlices.list + - container.endpointSlices.update + - container.endpoints.create + - container.endpoints.delete + - container.endpoints.get + - container.endpoints.list + - container.endpoints.update + - container.events.create + - container.events.delete + - container.events.get + - container.events.list + - container.events.update + - container.frontendConfigs.create + - container.frontendConfigs.delete + - container.frontendConfigs.get + - container.frontendConfigs.list + - container.frontendConfigs.update + - container.horizontalPodAutoscalers.create + - container.horizontalPodAutoscalers.delete + - container.horizontalPodAutoscalers.get + - container.horizontalPodAutoscalers.getStatus + - container.horizontalPodAutoscalers.list + - container.horizontalPodAutoscalers.update + - container.horizontalPodAutoscalers.updateStatus + - container.ingresses.create + - container.ingresses.delete + - container.ingresses.get + - container.ingresses.getStatus + - container.ingresses.list + - container.ingresses.update + - container.ingresses.updateStatus + - container.initializerConfigurations.create + - container.initializerConfigurations.delete + - container.initializerConfigurations.get + - container.initializerConfigurations.list + - container.initializerConfigurations.update + - container.jobs.create + - container.jobs.delete + - container.jobs.get + - 
container.jobs.getStatus + - container.jobs.list + - container.jobs.update + - container.jobs.updateStatus + - container.leases.create + - container.leases.delete + - container.leases.get + - container.leases.list + - container.leases.update + - container.limitRanges.create + - container.limitRanges.delete + - container.limitRanges.get + - container.limitRanges.list + - container.limitRanges.update + - container.localSubjectAccessReviews.create + - container.localSubjectAccessReviews.list + - container.managedCertificates.create + - container.managedCertificates.delete + - container.managedCertificates.get + - container.managedCertificates.list + - container.managedCertificates.update + - container.mutatingWebhookConfigurations.create + - container.mutatingWebhookConfigurations.delete + - container.mutatingWebhookConfigurations.get + - container.mutatingWebhookConfigurations.list + - container.mutatingWebhookConfigurations.update + - container.namespaces.create + - container.namespaces.delete + - container.namespaces.finalize + - container.namespaces.get + - container.namespaces.getStatus + - container.namespaces.list + - container.namespaces.update + - container.namespaces.updateStatus + - container.networkPolicies.create + - container.networkPolicies.delete + - container.networkPolicies.get + - container.networkPolicies.list + - container.networkPolicies.update + - container.nodes.create + - container.nodes.delete + - container.nodes.get + - container.nodes.getStatus + - container.nodes.list + - container.nodes.proxy + - container.nodes.update + - container.nodes.updateStatus + - container.persistentVolumeClaims.create + - container.persistentVolumeClaims.delete + - container.persistentVolumeClaims.get + - container.persistentVolumeClaims.getStatus + - container.persistentVolumeClaims.list + - container.persistentVolumeClaims.update + - container.persistentVolumeClaims.updateStatus + - container.persistentVolumes.create + - container.persistentVolumes.delete + - 
container.persistentVolumes.get + - container.persistentVolumes.getStatus + - container.persistentVolumes.list + - container.persistentVolumes.update + - container.persistentVolumes.updateStatus + - container.petSets.create + - container.petSets.delete + - container.petSets.get + - container.petSets.list + - container.petSets.update + - container.petSets.updateStatus + - container.podDisruptionBudgets.create + - container.podDisruptionBudgets.delete + - container.podDisruptionBudgets.get + - container.podDisruptionBudgets.getStatus + - container.podDisruptionBudgets.list + - container.podDisruptionBudgets.update + - container.podDisruptionBudgets.updateStatus + - container.podPresets.create + - container.podPresets.delete + - container.podPresets.get + - container.podPresets.list + - container.podPresets.update + - container.podSecurityPolicies.create + - container.podSecurityPolicies.delete + - container.podSecurityPolicies.get + - container.podSecurityPolicies.list + - container.podSecurityPolicies.update + - container.podSecurityPolicies.use + - container.podTemplates.create + - container.podTemplates.delete + - container.podTemplates.get + - container.podTemplates.list + - container.podTemplates.update + - container.pods.attach + - container.pods.create + - container.pods.delete + - container.pods.evict + - container.pods.exec + - container.pods.get + - container.pods.getLogs + - container.pods.getStatus + - container.pods.initialize + - container.pods.list + - container.pods.portForward + - container.pods.proxy + - container.pods.update + - container.pods.updateStatus + - container.priorityClasses.create + - container.priorityClasses.delete + - container.priorityClasses.get + - container.priorityClasses.list + - container.priorityClasses.update + - container.replicaSets.create + - container.replicaSets.delete + - container.replicaSets.get + - container.replicaSets.getScale + - container.replicaSets.getStatus + - container.replicaSets.list + - 
container.replicaSets.update + - container.replicaSets.updateScale + - container.replicaSets.updateStatus + - container.replicationControllers.create + - container.replicationControllers.delete + - container.replicationControllers.get + - container.replicationControllers.getScale + - container.replicationControllers.getStatus + - container.replicationControllers.list + - container.replicationControllers.update + - container.replicationControllers.updateScale + - container.replicationControllers.updateStatus + - container.resourceQuotas.create + - container.resourceQuotas.delete + - container.resourceQuotas.get + - container.resourceQuotas.getStatus + - container.resourceQuotas.list + - container.resourceQuotas.update + - container.resourceQuotas.updateStatus + - container.roleBindings.create + - container.roleBindings.delete + - container.roleBindings.get + - container.roleBindings.list + - container.roleBindings.update + - container.roles.create + - container.roles.delete + - container.roles.get + - container.roles.list + - container.roles.update + - container.runtimeClasses.create + - container.runtimeClasses.delete + - container.runtimeClasses.get + - container.runtimeClasses.list + - container.runtimeClasses.update + - container.scheduledJobs.create + - container.scheduledJobs.delete + - container.scheduledJobs.get + - container.scheduledJobs.list + - container.scheduledJobs.update + - container.scheduledJobs.updateStatus + - container.secrets.create + - container.secrets.delete + - container.secrets.get + - container.secrets.list + - container.secrets.update + - container.selfSubjectAccessReviews.create + - container.selfSubjectAccessReviews.list + - container.selfSubjectRulesReviews.create + - container.serviceAccounts.create + - container.serviceAccounts.createToken + - container.serviceAccounts.delete + - container.serviceAccounts.get + - container.serviceAccounts.list + - container.serviceAccounts.update + - container.services.create + - 
container.services.delete + - container.services.get + - container.services.getStatus + - container.services.list + - container.services.proxy + - container.services.update + - container.services.updateStatus + - container.statefulSets.create + - container.statefulSets.delete + - container.statefulSets.get + - container.statefulSets.getScale + - container.statefulSets.getStatus + - container.statefulSets.list + - container.statefulSets.update + - container.statefulSets.updateScale + - container.statefulSets.updateStatus + - container.storageClasses.create + - container.storageClasses.delete + - container.storageClasses.get + - container.storageClasses.list + - container.storageClasses.update + - container.storageStates.create + - container.storageStates.delete + - container.storageStates.get + - container.storageStates.getStatus + - container.storageStates.list + - container.storageStates.update + - container.storageStates.updateStatus + - container.storageVersionMigrations.create + - container.storageVersionMigrations.delete + - container.storageVersionMigrations.get + - container.storageVersionMigrations.getStatus + - container.storageVersionMigrations.list + - container.storageVersionMigrations.update + - container.storageVersionMigrations.updateStatus + - container.subjectAccessReviews.create + - container.subjectAccessReviews.list + - container.thirdPartyObjects.create + - container.thirdPartyObjects.delete + - container.thirdPartyObjects.get + - container.thirdPartyObjects.list + - container.thirdPartyObjects.update + - container.thirdPartyResources.create + - container.thirdPartyResources.delete + - container.thirdPartyResources.get + - container.thirdPartyResources.list + - container.thirdPartyResources.update + - container.tokenReviews.create + - container.updateInfos.create + - container.updateInfos.delete + - container.updateInfos.get + - container.updateInfos.list + - container.updateInfos.update + - container.validatingWebhookConfigurations.create + - 
container.validatingWebhookConfigurations.delete + - container.validatingWebhookConfigurations.get + - container.validatingWebhookConfigurations.list + - container.validatingWebhookConfigurations.update + - container.volumeAttachments.create + - container.volumeAttachments.delete + - container.volumeAttachments.get + - container.volumeAttachments.getStatus + - container.volumeAttachments.list + - container.volumeAttachments.update + - container.volumeAttachments.updateStatus + - container.volumeSnapshotClasses.create + - container.volumeSnapshotClasses.delete + - container.volumeSnapshotClasses.get + - container.volumeSnapshotClasses.list + - container.volumeSnapshotClasses.update + - container.volumeSnapshotContents.create + - container.volumeSnapshotContents.delete + - container.volumeSnapshotContents.get + - container.volumeSnapshotContents.getStatus + - container.volumeSnapshotContents.list + - container.volumeSnapshotContents.update + - container.volumeSnapshotContents.updateStatus + - container.volumeSnapshots.create + - container.volumeSnapshots.delete + - container.volumeSnapshots.get + - container.volumeSnapshots.getStatus + - container.volumeSnapshots.list + - container.volumeSnapshots.update + - container.volumeSnapshots.updateStatus + - resourcemanager.projects.get + - resourcemanager.projects.list +name: container.deployer +stage: GA +title: Container Deployer diff --git a/infra/gcp/roles/specs/container.deployer.yaml b/infra/gcp/roles/specs/container.deployer.yaml new file mode 100644 index 00000000000..3f9de591f45 --- /dev/null +++ b/infra/gcp/roles/specs/container.deployer.yaml 
@@ -0,0 +1,20 @@
+# roles/container.developer++ (roles/container.admin - GKE cluster permissions)
+#
+# grants permissions to CRUD all kubernetes resources on a GKE cluster,
+# including potentially sensitive resources related to RBAC or webhooks
+title: Container Deployer
+description:
+name: container.deployer
+include:
+  roles:
+  - roles/container.admin
+exclude:
+  permissionRegexes:
+  # non-CRUD permissions for potentially sensitive kubernetes resources
+  - ^container\.certifiateSigningRequests\.(approve|getStatus)$
+  - ^container\.clusterRoles\.(bind|escalate)$
+  - ^container\.roles\.(bind|escalate)$
+  # GKE cluster permissions
+  - ^container\.clusters\.(create|delete|getCredentials|update)$
+  - ^container\.operations\.
+  - ^container\.hostServiceAgent\.
\ No newline at end of file
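Review bot: The first exclude pattern misspells the resource (`certifiateSigningRequests`, missing a `c`), so it matches nothing — the generated roles/container.deployer.yaml in this same commit still lists `container.certificateSigningRequests.approve` and `container.certificateSigningRequests.getStatus`, even though the comment above the pattern marks them as permissions to withhold. CSR approval is a recognised Kubernetes escalation path (an approved CSR yields a client certificate for whatever subject was requested), so the line should read `- ^container\.certificateSigningRequests\.(approve|getStatus)$` and the yaml should be regenerated. The header `# roles/container.developer++` also does not describe what the spec does, which is to start from `roles/container.admin` and subtract; `# roles/container.admin minus GKE cluster-lifecycle verbs and RBAC bind/escalate` would be accurate. As far as I can tell the grants that remain (clusterRoleBindings.create, clusterRoles.create, secrets.get, serviceAccounts.createToken, pods.exec are all in the generated file) still amount to cluster-admin inside the cluster, so a header sentence such as `# NOTE: still cluster-admin-equivalent inside the cluster; bind only to trusted deployers` would set expectations for whoever binds it. The file is also missing its trailing newline.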