Skip to content

roles: add custom org role container.deployer #2156

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
k8s-ci-robot merged 3 commits into from
Jun 10, 2021
Merged

roles: add custom org role container.deployer #2156

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
c0c945b
roles: refresh audit.viewer
spiffxp Jun 8, 2021
d38517f
roles: add container.deployer
spiffxp Jun 8, 2021
c309a17
infra/gcp/org: alphabetize roles
spiffxp Jun 8, 2021
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
11 changes: 6 additions & 5 deletions infra/gcp/ensure-organization.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -34,13 +34,14 @@ if [ $# != 0 ]; then
exit 1
fi

org_roles=(
prow.viewer
audit.viewer
secretmanager.secretLister
organization.admin
readonly org_roles=(
CustomRole
audit.viewer
container.deployer
iam.serviceAccountLister
organization.admin
prow.viewer
secretmanager.secretLister
)

removed_org_roles=()
Expand Down
8 changes: 8 additions & 0 deletions infra/gcp/roles/audit.viewer.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -230,6 +230,8 @@ includedPermissions:
- bigquery.reservations.list
- bigquery.routines.get
- bigquery.routines.list
- bigquery.rowAccessPolicies.getIamPolicy
- bigquery.rowAccessPolicies.list
- bigquery.savedqueries.list
- bigquery.tables.get
- bigquery.tables.getIamPolicy
Expand Down Expand Up @@ -610,6 +612,12 @@ includedPermissions:
- consumerprocurement.entitlements.list
- consumerprocurement.freeTrials.list
- consumerprocurement.orders.list
- contactcenterinsights.analyses.list
- contactcenterinsights.conversations.list
- contactcenterinsights.issueModels.list
- contactcenterinsights.issues.list
- contactcenterinsights.operations.list
- contactcenterinsights.phraseMatchers.list
Comment on lines +615 to +620
Copy link
Copy Markdown
Member

@ameukam ameukam Jun 10, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@spiffxp out of curiosity, why do we need this ? Do we have a GCP API use this as a dependency ?

Copy link
Copy Markdown
Contributor Author

@spiffxp spiffxp Jun 10, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

These are coming in via roles/iam.securityReviewer, ref:

k8s.io/infra/gcp/roles/specs/audit.viewer.yaml

Lines 45 to 46 in b4f1725

# *.list and *.getIamPolicy
- roles/iam.securityReviewer

And we're constraining to list|get.* permissions, with some service-specific exceptions, ref:

k8s.io/infra/gcp/roles/specs/audit.viewer.yaml

Lines 59 to 67 in b4f1725

# only include (get|list).* (e.g. get, getIamPolicy, etc.)
- \.(list|get)[^\.]*$
# include some exceptions from service-specific roles:
# ...everything from roles/cloudasset.viewer
- ^cloudasset.assets.(analyze|export|search)[^\.]*$
# ...this specific permission from roles/cloudkms.publicKeyViewer
- cloudkms.cryptoKeyVersions.viewPublicKey
# ...this specific permission from roles/serviceusage.serviceUsageConsumer
- serviceusage.services.use

You're right that we don't need this; it's more that I've been lazy about restricting what we pull in. I honestly don't really know whether it makes more sense to use roles/viewer instead of all the service-specific roles, or if it's worth investing the time to tighten the role to exactly the services we expect.

Copy link
Copy Markdown
Member

@ameukam ameukam Jun 10, 2021
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm happy with the current state of laziness just want to make sure I understand correctly. :-)
Looking at https://github.com/darkbitio/gcp-iam-role-permissions/blob/master/roles/viewer, I think we should stick at custom roles.

- container.apiServices.list
- container.auditSinks.list
- container.backendConfigs.list
Expand Down
Loading