diff --git a/groups/groups.yaml b/groups/groups.yaml
index c9fb03196ed..c796b51ef0f 100644
--- a/groups/groups.yaml
+++ b/groups/groups.yaml
@@ -287,6 +287,17 @@ groups:
 - spiffxp@google.com
 - thockin@google.com
 
+ - email-id: k8s-infra-push-cni@kubernetes.io
+ name: k8s-infra-push-cni
+ description: |-
+ ACL for pushing CNI artifacts
+ settings:
+ ReconcileMembers: "true"
+ members:
+ - dcbw@redhat.com
+ - stephen.k8s@agst.us
+ - thockin@google.com
+
 - email-id: k8s-infra-rbac-cert-manager@kubernetes.io
 name: k8s-infra-rbac-cert-manager
 description: |-
diff --git a/infra/gcp/ensure-prod-storage.sh b/infra/gcp/ensure-prod-storage.sh
index 78a457c2ba9..f56f653ba09 100755
--- a/infra/gcp/ensure-prod-storage.sh
+++ b/infra/gcp/ensure-prod-storage.sh
@@ -90,6 +90,9 @@ ALL_PROD_PROJECTS=(
 # Regions for prod.
 PROD_REGIONS=(us eu asia)
 
+# Minimum time we expect to keep prod artifacts.
+PROD_RETENTION="10y"
+
 # Make the projects, if needed
 for prj in "${ALL_PROD_PROJECTS[@]}"; do
 color 6 "Ensuring project exists: ${prj}"
@@ -126,8 +129,7 @@ for prj in "${ALL_PROD_PROJECTS[@]}"; do
 ensure_public_gcs_bucket "${prj}" "gs://${prj}"
 
 color 6 "Ensuring the GCS bucket retention policy is set: ${prj}"
- RETENTION="10y"
- ensure_gcs_bucket_retention "gs://${prj}" "${RETENTION}"
+ ensure_gcs_bucket_retention "gs://${prj}" "${PROD_RETENTION}"
 
 color 6 "Empowering GCS admins: ${prj}"
 empower_gcs_admins "${prj}" "gs://${prj}"
@@ -143,6 +145,20 @@ upload_gcs_static_content \
 "gs://${PROD_PROJECT}" \
 "${SCRIPT_DIR}/static/prod-storage"
 
+# Special case: grant the push groups access to their buckets.
+# This is for serving CNI artifacts. We need a new bucket for this because
+# there's no concept of permissions on a "subdirectory" of a bucket. So until we
+# have a promoter for k8s-artifacts-prod, we do this.
+CNI_BUCKET="k8s-artifacts-cni"
+CNI_GROUP="k8s-infra-push-cni@kubernetes.io"
+color 6 "Ensuring the CNI GCS bucket exists and is readable"
+ensure_public_gcs_bucket "${PROD_PROJECT}" "gs://${CNI_BUCKET}"
+color 6 "Ensuring the CNI GCS bucket retention policy is set"
+ensure_gcs_bucket_retention "gs://${CNI_BUCKET}" "${PROD_RETENTION}"
+color 6 "Empowering GCS admins to CNI"
+empower_gcs_admins "${PROD_PROJECT}" "gs://${CNI_BUCKET}"
+empower_group_to_write_gcs_bucket "${CNI_GROUP}" "gs://${CNI_BUCKET}"
+
 # Special case: grant the image promoter testing group access to their fake
 # prod projects.
 empower_group_to_fake_prod \
diff --git a/infra/gcp/ensure-release-projects.sh b/infra/gcp/ensure-release-projects.sh
index 99a3e0a0db7..1f8a7ab2e65 100755
--- a/infra/gcp/ensure-release-projects.sh
+++ b/infra/gcp/ensure-release-projects.sh
@@ -105,7 +105,7 @@ for PROJECT; do
 # Enable writers on the bucket
 for group in ${ADMINS} ${WRITERS}; do
 color 6 "Empowering ${group} to GCS"
- empower_group_to_gcs_bucket "${group}" "${BUCKET}"
+ empower_group_to_write_gcs_bucket "${group}" "${BUCKET}"
 done
 done
 
diff --git a/infra/gcp/ensure-staging-storage.sh b/infra/gcp/ensure-staging-storage.sh
index c748d367ff5..d37f04c5182 100755
--- a/infra/gcp/ensure-staging-storage.sh
+++ b/infra/gcp/ensure-staging-storage.sh
@@ -141,7 +141,7 @@ for REPO; do
 
 # Enable writers on the bucket
 color 6 "Empowering ${WRITERS} to GCS"
- empower_group_to_gcs_bucket "${WRITERS}" "${BUCKET}"
+ empower_group_to_write_gcs_bucket "${WRITERS}" "${BUCKET}"
 done
 
 # Enable GCB and Prow to build and push images.
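Review bot: The `empower_group_to_write_gcs_bucket "${CNI_GROUP}" "gs://${CNI_BUCKET}"` call on the last added line grants the push group `objectAdmin` (see the lib.sh hunk in this diff), which covers overwriting and deleting objects, not only uploading them; the retention policy set two lines earlier blocks delete/overwrite only for objects still inside their retention period, as far as I can tell. The block comment should say what "push" means here so the group's scope is not under-read later, e.g. `# "push" == objectAdmin: members of CNI_GROUP can create, overwrite and delete objects in this bucket.` If the artifact flow is append-only, a `roles/storage.objectCreator` binding would match the group's stated purpose more tightly; I cannot tell from the diff whether overwrites are needed. The comment also says "push groups" and "their buckets" in the plural while only one group and one bucket are wired up.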
diff --git a/infra/gcp/lib.sh b/infra/gcp/lib.sh
index 1f3e5bf52d0..373b1335e78 100755
--- a/infra/gcp/lib.sh
+++ b/infra/gcp/lib.sh
@@ -347,16 +347,8 @@ function empower_gcr_admins() {
 region="${2:-}"
 bucket=$(gcs_bucket_for_gcr "${project}" "${region}")
 
- # Grant project viewer so the UI will work.
 empower_group_as_viewer "${project}" "${GCR_ADMINS}"
-
- # Grant admins access to do admin stuff.
- gsutil iam ch \ "group:${GCR_ADMINS}:objectAdmin" \ "${bucket}"
- gsutil iam ch \ "group:${GCR_ADMINS}:legacyBucketOwner" \ "${bucket}"
+ empower_group_to_admin_gcs_bucket "${GCR_ADMINS}" "${bucket}"
 }
 
 # Grant full privileges to GCS admins
@@ -370,16 +362,8 @@ function empower_gcs_admins() {
 project="${1}"
 bucket="${2}"
 
- # Grant project viewer so the UI will work.
 empower_group_as_viewer "${project}" "${GCS_ADMINS}"
-
- # Grant admins access to do admin stuff.
- gsutil iam ch \ "group:${GCS_ADMINS}:objectAdmin" \ "${bucket}"
- gsutil iam ch \ "group:${GCS_ADMINS}:legacyBucketOwner" \ "${bucket}"
+ empower_group_to_admin_gcs_bucket "${GCS_ADMINS}" "${bucket}"
 }
 
 # Grant GCR write privileges to a group
@@ -396,6 +380,20 @@ function empower_group_to_gcr() {
 region="${3:-}"
 bucket=$(gcs_bucket_for_gcr "${project}" "${region}")
 
+ empower_group_to_write_gcs_bucket "${group}" "${bucket}"
+}
+
+# Grant write privileges on a bucket to a group
+# $1: The googlegroups group
+# $2: The bucket
+function empower_group_to_write_gcs_bucket() {
+ if [ $# -lt 2 -o -z "$1" -o -z "$2" ]; then
+ echo "empower_group_to_write_gcs_bucket(group_name, bucket) requires 2 arguments" >&2
+ return 1
+ fi
+ group="$1"
+ bucket="$2"
+
 gsutil iam ch \
 "group:${group}:objectAdmin" \
 "${bucket}"
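Review bot: The comment `# Grant project viewer so the UI will work.` is removed together with the inlined gsutil calls, but the `empower_group_as_viewer` call it explained stays, so the reason for a project-level viewer grant on an admin group is lost in empower_gcr_admins and, in the second hunk, in empower_gcs_admins. Keep that one-line comment above each remaining `empower_group_as_viewer` call; the folded-in `# Grant admins access to do admin stuff.` can reasonably go since the helper name now carries it.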
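Review bot: The header comment on the new empower_group_to_write_gcs_bucket says only "write privileges", but the first binding it issues (visible as hunk context, `"group:${group}:objectAdmin"`) is objectAdmin, which includes deleting and overwriting objects, so a caller reading "write" gets more than the name suggests. Suggest `# Grant write privileges on a bucket to a group (objectAdmin: create, overwrite and delete objects)`. The function body continues past the end of this hunk, so I cannot see its second binding here; presumably it is the legacyBucketReader grant the old empower_group_to_gcr body carried, which the comment could also name. `group="$1"` and `bucket="$2"` are plain assignments and, unless lib.sh declares them elsewhere, they leak into the caller's scope, matching the pattern of the neighbouring functions, so this is a style point rather than a defect.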
@@ -404,12 +402,12 @@ function empower_group_to_gcr() {
 "${bucket}"
 }
 
-# Grant write privileges on a bucket to a group
+# Grant admin privileges on a bucket to a group
 # $1: The googlegroups group
 # $2: The bucket
-function empower_group_to_gcs_bucket() {
+function empower_group_to_admin_gcs_bucket() {
 if [ $# -lt 2 -o -z "$1" -o -z "$2" ]; then
- echo "empower_group_to_gcs_bucket(group_name, bucket) requires 2 arguments" >&2
+ echo "empower_group_to_admin_gcs_bucket(group_name, bucket) requires 2 arguments" >&2
 return 1
 fi
 group="$1"
@@ -419,7 +417,7 @@ function empower_group_to_gcs_bucket() {
 "group:${group}:objectAdmin" \
 "${bucket}"
 gsutil iam ch \
- "group:${group}:legacyBucketReader" \
+ "group:${group}:legacyBucketOwner" \
 "${bucket}"
 }
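Review bot: The binding changed in the second hunk, `"group:${group}:legacyBucketOwner"`, is a role that can read and edit the bucket's IAM policy, so any group passed to empower_group_to_admin_gcs_bucket can extend or revoke access for others on that bucket; the renamed header comment in the first hunk should state that rather than just "admin privileges", e.g. `# Grant admin privileges on a bucket to a group (objectAdmin plus legacyBucketOwner, which can change the bucket's IAM policy)`. The argument check and the error message were carried over and updated for the new name, so nothing else in the function needs to change.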