From ce89bebe9629f72dd1774ca015ae9b151ad4f26d Mon Sep 17 00:00:00 2001
From: CNCF CI Bot
Date: Tue, 15 Jun 2021 19:10:56 +0000
Subject: [PATCH] audit: update as of 2021-06-15
---
.../services/logging/logs.json | 3 +-
.../secrets/snyk-token/versions.json | 21 +++++++++++++-
.../clusters/prow-build-trusted.json | 4 +--
.../services/bigquery/bigquery.datasets.json | 12 ++++++++
...ts.k8s_infra_artifacts_gcslogs.access.json | 18 ++++++++++++
.../k8s-infra-public-pii/services/enabled.txt | 13 +++++----
.../buckets/k8s-infra-tf-public-pii/iam.json | 29 +++++++++++++++++++
.../k8s-infra-tf-public-pii/metadata.txt | 18 ++++++++++++
8 files changed, 108 insertions(+), 10 deletions(-)
create mode 100644 audit/projects/k8s-infra-public-pii/services/bigquery/bigquery.datasets.k8s_infra_artifacts_gcslogs.access.json
create mode 100644 audit/projects/kubernetes-public/buckets/k8s-infra-tf-public-pii/iam.json
create mode 100644 audit/projects/kubernetes-public/buckets/k8s-infra-tf-public-pii/metadata.txt
diff --git a/audit/projects/k8s-cip-test-prod/services/logging/logs.json b/audit/projects/k8s-cip-test-prod/services/logging/logs.json
index 7246e74542a..a20d3d66efc 100644
--- a/audit/projects/k8s-cip-test-prod/services/logging/logs.json
+++ b/audit/projects/k8s-cip-test-prod/services/logging/logs.json
@@ -1,3 +1,4 @@
 [
- "projects/k8s-cip-test-prod/logs/cloudaudit.googleapis.com%2Factivity"
+ "projects/k8s-cip-test-prod/logs/cloudaudit.googleapis.com%2Factivity",
+ "projects/k8s-cip-test-prod/logs/cloudaudit.googleapis.com%2Fsystem_event"
 ]
diff --git a/audit/projects/k8s-infra-prow-build-trusted/secrets/snyk-token/versions.json b/audit/projects/k8s-infra-prow-build-trusted/secrets/snyk-token/versions.json
index fe51488c706..120395b18c5 100644
--- a/audit/projects/k8s-infra-prow-build-trusted/secrets/snyk-token/versions.json
+++ b/audit/projects/k8s-infra-prow-build-trusted/secrets/snyk-token/versions.json
@@ -1 +1,20 @@
-[]
+[
+ {
+ "createTime": "2021-06-15T18:31:34.700427Z",
+ "etag": "\"15c4d22f06bd8b\"",
+ "name": "projects/180382678033/secrets/snyk-token/versions/2",
+ "replicationStatus": {
+ "automatic": {}
+ },
+ "state": "ENABLED"
+ },
+ {
+ "createTime": "2021-06-15T18:17:20.453869Z",
+ "etag": "\"15c4d1fc1bf8ed\"",
+ "name": "projects/180382678033/secrets/snyk-token/versions/1",
+ "replicationStatus": {
+ "automatic": {}
+ },
+ "state": "ENABLED"
+ }
+]
diff --git a/audit/projects/k8s-infra-prow-build-trusted/services/container/clusters/prow-build-trusted.json b/audit/projects/k8s-infra-prow-build-trusted/services/container/clusters/prow-build-trusted.json
index 79917de02ec..f22a656a4ab 100644
--- a/audit/projects/k8s-infra-prow-build-trusted/services/container/clusters/prow-build-trusted.json
+++ b/audit/projects/k8s-infra-prow-build-trusted/services/container/clusters/prow-build-trusted.json
@@ -56,9 +56,7 @@
 }
 }
 },
- "masterAuthorizedNetworksConfig": {
- "enabled": true
- },
+ "masterAuthorizedNetworksConfig": {},
 "monitoringService": "monitoring.googleapis.com/kubernetes",
 "name": "prow-build-trusted",
 "network": "default",
diff --git a/audit/projects/k8s-infra-public-pii/services/bigquery/bigquery.datasets.json b/audit/projects/k8s-infra-public-pii/services/bigquery/bigquery.datasets.json
index e69de29bb2d..62acb391f48 100644
--- a/audit/projects/k8s-infra-public-pii/services/bigquery/bigquery.datasets.json
+++ b/audit/projects/k8s-infra-public-pii/services/bigquery/bigquery.datasets.json
@@ -0,0 +1,12 @@
+[
+ {
+ "kind": "bigquery#dataset",
+ "id": "k8s-infra-public-pii:k8s_infra_artifacts_gcslogs",
+ "datasetReference": {
+ "datasetId": "k8s_infra_artifacts_gcslogs",
+ "projectId": "k8s-infra-public-pii"
+ },
+ "friendlyName": "k8s_infra_artifacts_gcslogs",
+ "location": "US"
+ }
+]
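Review bot: Both secret versions recorded in secrets/snyk-token/versions.json carry `"state": "ENABLED"`, although `versions/2` was created about fourteen minutes after `versions/1`. If version 2 supersedes version 1 (the snapshot does not say), the older version should be disabled or destroyed in Secret Manager so that a later audit shows `"state": "DISABLED"` for `versions/1`. A superseded token value that stays enabled remains readable to every principal with accessor rights on the secret.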
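Review bot: In clusters/prow-build-trusted.json the snapshot now records `"masterAuthorizedNetworksConfig": {}` where it previously held `"enabled": true`, which reads as control-plane authorized networks having been switched off on the trusted build cluster. Nothing in this commit explains the drift, so it should be traced to a deliberate change before the audit is accepted. If it was not intended, the cluster configuration should restore the setting so that the next snapshot again shows `"enabled": true`. The empty object may instead be how the export serialises a default or disabled value, which is worth confirming against the live cluster. The enclosing cluster object starts and ends outside this hunk.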
diff --git a/audit/projects/k8s-infra-public-pii/services/bigquery/bigquery.datasets.k8s_infra_artifacts_gcslogs.access.json b/audit/projects/k8s-infra-public-pii/services/bigquery/bigquery.datasets.k8s_infra_artifacts_gcslogs.access.json
new file mode 100644
index 00000000000..e917e3bce50
--- /dev/null
+++ b/audit/projects/k8s-infra-public-pii/services/bigquery/bigquery.datasets.k8s_infra_artifacts_gcslogs.access.json
@@ -0,0 +1,18 @@
+[
+ {
+ "role": "WRITER",
+ "specialGroup": "projectWriters"
+ },
+ {
+ "role": "OWNER",
+ "specialGroup": "projectOwners"
+ },
+ {
+ "role": "OWNER",
+ "userByEmail": "ameukam@gmail.com"
+ },
+ {
+ "role": "READER",
+ "specialGroup": "projectReaders"
+ }
+]
diff --git a/audit/projects/k8s-infra-public-pii/services/enabled.txt b/audit/projects/k8s-infra-public-pii/services/enabled.txt
index 38fbc8cec93..0e59a13658e 100644
--- a/audit/projects/k8s-infra-public-pii/services/enabled.txt
+++ b/audit/projects/k8s-infra-public-pii/services/enabled.txt
@@ -1,5 +1,8 @@
-NAME TITLE
-bigquery.googleapis.com BigQuery API
-bigquerystorage.googleapis.com BigQuery Storage API
-logging.googleapis.com Cloud Logging API
-storage-component.googleapis.com Cloud Storage
+NAME TITLE
+bigquery.googleapis.com BigQuery API
+bigquerydatatransfer.googleapis.com BigQuery Data Transfer API
+bigqueryreservation.googleapis.com BigQuery Reservation API
+bigquerystorage.googleapis.com BigQuery Storage API
+cloudresourcemanager.googleapis.com Cloud Resource Manager API
+logging.googleapis.com Cloud Logging API
+storage-component.googleapis.com Cloud Storage
diff --git a/audit/projects/kubernetes-public/buckets/k8s-infra-tf-public-pii/iam.json b/audit/projects/kubernetes-public/buckets/k8s-infra-tf-public-pii/iam.json
new file mode 100644
index 00000000000..de375d736d4
--- /dev/null
+++ b/audit/projects/kubernetes-public/buckets/k8s-infra-tf-public-pii/iam.json
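Review bot: The dataset ACL in bigquery.datasets.k8s_infra_artifacts_gcslogs.access.json grants `"role": "OWNER"` to an individual `userByEmail` address on a consumer mail domain, in a project whose name marks it as holding PII. BigQuery normally adds the creating account as owner, so this is probably a leftover from dataset creation rather than an intended grant. Ownership would be better held by a managed group, for example `"groupByEmail": "<ADMIN_GROUP_PLACEHOLDER>"`, with the personal entry removed so that access follows group membership and offboarding.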
@@ -0,0 +1,29 @@
+{
+ "bindings": [
+ {
+ "members": [
+ "group:k8s-infra-gcp-org-admins@kubernetes.io"
+ ],
+ "role": "roles/storage.admin"
+ },
+ {
+ "members": [
+ "group:k8s-infra-cluster-admins@kubernetes.io",
+ "projectOwner:kubernetes-public"
+ ],
+ "role": "roles/storage.legacyBucketOwner"
+ },
+ {
+ "members": [
+ "projectViewer:kubernetes-public"
+ ],
+ "role": "roles/storage.legacyBucketReader"
+ },
+ {
+ "members": [
+ "group:k8s-infra-cluster-admins@kubernetes.io"
+ ],
+ "role": "roles/storage.objectAdmin"
+ }
+ ]
+}
diff --git a/audit/projects/kubernetes-public/buckets/k8s-infra-tf-public-pii/metadata.txt b/audit/projects/kubernetes-public/buckets/k8s-infra-tf-public-pii/metadata.txt
new file mode 100644
index 00000000000..e1e6211d899
--- /dev/null
+++ b/audit/projects/kubernetes-public/buckets/k8s-infra-tf-public-pii/metadata.txt
@@ -0,0 +1,18 @@
+gs://k8s-infra-tf-public-pii/ :
+ Storage class: STANDARD
+ Location type: multi-region
+ Location constraint: US
+ Versioning enabled: None
+ Logging configuration: None
+ Website configuration: None
+ CORS configuration: None
+ Lifecycle configuration: None
+ Requester Pays enabled: None
+ Labels: None
+ Default KMS key: None
+ Time created: Mon, 14 Jun 2021 17:08:43 GMT
+ Time updated: Mon, 14 Jun 2021 17:09:23 GMT
+ Metageneration: 6
+ Bucket Policy Only enabled: True
+ ACL: []
+ Default ACL: []
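Review bot: The new bucket's metadata.txt records `Versioning enabled: None` and `Logging configuration: None`. The name suggests the bucket stores Terraform state for the PII project; that is an inference from `k8s-infra-tf-public-pii`, not something the snapshot states. If it does, object versioning is what allows an overwritten or corrupted state file to be recovered, and the bucket should be configured so the snapshot reads `Versioning enabled: True`. `Bucket Policy Only enabled: True` with empty ACLs is the expected setting and needs no change.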