audit: update as of 2021-05-05

kubernetes · May 5, 2021 · c8149ac · c8149ac
1 parent a801699
commit c8149ac
Show file tree

Hide file tree

Showing 35 changed files with 285 additions and 35 deletions.
diff --git a/audit/projects/k8s-artifacts-prod/buckets/k8s-artifacts-gcslogs/iam.json b/audit/projects/k8s-artifacts-prod/buckets/k8s-artifacts-gcslogs/iam.json
@@ -39,6 +39,12 @@
         "group:k8s-infra-artifact-admins@kubernetes.io"
       ],
       "role": "roles/storage.objectAdmin"
+    },
+    {
+      "members": [
+        "group:k8s-infra-gcs-access-logs@kubernetes.io"
+      ],
+      "role": "roles/storage.objectViewer"
     }
   ]
 }
diff --git a/audit/projects/k8s-artifacts-prod/iam.json b/audit/projects/k8s-artifacts-prod/iam.json
@@ -39,12 +39,24 @@
       ],
       "role": "roles/errorreporting.user"
     },
+    {
+      "members": [
+        "serviceAccount:k8s-infra-gcr-auditor@k8s-artifacts-prod.iam.gserviceaccount.com"
+      ],
+      "role": "roles/errorreporting.writer"
+    },
     {
       "members": [
         "serviceAccount:service-388270116193@gcp-sa-pubsub.iam.gserviceaccount.com"
       ],
       "role": "roles/iam.serviceAccountTokenCreator"
     },
+    {
+      "members": [
+        "serviceAccount:k8s-infra-gcr-auditor@k8s-artifacts-prod.iam.gserviceaccount.com"
+      ],
+      "role": "roles/logging.logWriter"
+    },
     {
       "members": [
         "group:k8s-infra-artifact-admins@kubernetes.io"

diff --git a/...ccounts/k8s-infra-gcr-auditor@k8s-artifacts-prod.iam.gserviceaccount.com/description.json b/...ccounts/k8s-infra-gcr-auditor@k8s-artifacts-prod.iam.gserviceaccount.com/description.json
@@ -0,0 +1,8 @@
+{
+  "displayName": "k8s-infra container image auditor",
+  "email": "k8s-infra-gcr-auditor@k8s-artifacts-prod.iam.gserviceaccount.com",
+  "name": "projects/k8s-artifacts-prod/serviceAccounts/k8s-infra-gcr-auditor@k8s-artifacts-prod.iam.gserviceaccount.com",
+  "oauth2ClientId": "113024649066440988760",
+  "projectId": "k8s-artifacts-prod",
+  "uniqueId": "113024649066440988760"
+}
diff --git a/...ervice-accounts/k8s-infra-gcr-auditor@k8s-artifacts-prod.iam.gserviceaccount.com/iam.json b/...ervice-accounts/k8s-infra-gcr-auditor@k8s-artifacts-prod.iam.gserviceaccount.com/iam.json
@@ -0,0 +1,11 @@
+{
+  "bindings": [
+    {
+      "members": [
+        "group:k8s-infra-artifact-admins@kubernetes.io"
+      ],
+      "role": "roles/iam.serviceAccountUser"
+    }
+  ],
+  "version": 1
+}
diff --git a/audit/projects/k8s-artifacts-prod/services/enabled.txt b/audit/projects/k8s-artifacts-prod/services/enabled.txt
@@ -9,6 +9,7 @@ cloudtrace.googleapis.com            Cloud Trace API
 compute.googleapis.com               Compute Engine API
 containeranalysis.googleapis.com     Container Analysis API
 containerregistry.googleapis.com     Container Registry API
+containerscanning.googleapis.com     Container Scanning API
 datastore.googleapis.com             Cloud Datastore API
 logging.googleapis.com               Cloud Logging API
 monitoring.googleapis.com            Cloud Monitoring API

diff --git a/audit/projects/k8s-infra-prow-build-trusted/iam.json b/audit/projects/k8s-infra-prow-build-trusted/iam.json
@@ -4,7 +4,7 @@
       "members": [
         "group:k8s-infra-cluster-admins@kubernetes.io"
       ],
-      "role": "projects/k8s-infra-prow-build-trusted/roles/ServiceAccountLister"
+      "role": "organizations/758905017065/roles/iam.serviceAccountLister"
     },
     {
       "members": [

diff --git a/audit/projects/k8s-infra-prow-build-trusted/roles/ServiceAccountLister.json b/audit/projects/k8s-infra-prow-build-trusted/roles/ServiceAccountLister.json
diff --git a/audit/projects/k8s-infra-prow-build/iam.json b/audit/projects/k8s-infra-prow-build/iam.json
@@ -2,15 +2,15 @@
   "bindings": [
     {
       "members": [
-        "group:k8s-infra-prow-viewers@kubernetes.io"
+        "group:k8s-infra-cluster-admins@kubernetes.io"
       ],
-      "role": "organizations/758905017065/roles/prow.viewer"
+      "role": "organizations/758905017065/roles/iam.serviceAccountLister"
     },
     {
       "members": [
-        "group:k8s-infra-cluster-admins@kubernetes.io"
+        "group:k8s-infra-prow-viewers@kubernetes.io"
       ],
-      "role": "projects/k8s-infra-prow-build/roles/ServiceAccountLister"
+      "role": "organizations/758905017065/roles/prow.viewer"
     },
     {
       "members": [

diff --git a/audit/projects/k8s-infra-prow-build/roles/ServiceAccountLister.json b/audit/projects/k8s-infra-prow-build/roles/ServiceAccountLister.json
diff --git a/...ging-test-infra/buckets/artifacts.k8s-staging-test-infra.appspot.com/bucketpolicyonly.txt b/...ging-test-infra/buckets/artifacts.k8s-staging-test-infra.appspot.com/bucketpolicyonly.txt
@@ -0,0 +1,4 @@
+Bucket Policy Only setting for gs://artifacts.k8s-staging-test-infra.appspot.com:
+  Enabled: True
+  LockedTime: 2021-08-02 20:28:08.351000+00:00
+
diff --git a/...ects/k8s-staging-test-infra/buckets/artifacts.k8s-staging-test-infra.appspot.com/cors.txt b/...ects/k8s-staging-test-infra/buckets/artifacts.k8s-staging-test-infra.appspot.com/cors.txt
@@ -0,0 +1 @@
+gs://artifacts.k8s-staging-test-infra.appspot.com/ has no CORS configuration.
diff --git a/...ects/k8s-staging-test-infra/buckets/artifacts.k8s-staging-test-infra.appspot.com/iam.json b/...ects/k8s-staging-test-infra/buckets/artifacts.k8s-staging-test-infra.appspot.com/iam.json
@@ -0,0 +1,37 @@
+{
+  "bindings": [
+    {
+      "members": [
+        "group:k8s-infra-artifact-admins@kubernetes.io",
+        "projectEditor:k8s-staging-test-infra",
+        "projectOwner:k8s-staging-test-infra"
+      ],
+      "role": "roles/storage.legacyBucketOwner"
+    },
+    {
+      "members": [
+        "projectViewer:k8s-staging-test-infra"
+      ],
+      "role": "roles/storage.legacyBucketReader"
+    },
+    {
+      "members": [
+        "group:k8s-infra-staging-test-infra@kubernetes.io"
+      ],
+      "role": "roles/storage.legacyBucketWriter"
+    },
+    {
+      "members": [
+        "group:k8s-infra-artifact-admins@kubernetes.io",
+        "group:k8s-infra-staging-test-infra@kubernetes.io"
+      ],
+      "role": "roles/storage.objectAdmin"
+    },
+    {
+      "members": [
+        "allUsers"
+      ],
+      "role": "roles/storage.objectViewer"
+    }
+  ]
+}
diff --git a/...s/k8s-staging-test-infra/buckets/artifacts.k8s-staging-test-infra.appspot.com/logging.txt b/...s/k8s-staging-test-infra/buckets/artifacts.k8s-staging-test-infra.appspot.com/logging.txt
@@ -0,0 +1 @@
+gs://artifacts.k8s-staging-test-infra.appspot.com/ has no logging configuration.
diff --git a/...t/projects/k8s-staging-test-infra/buckets/k8s-staging-test-infra-gcb/bucketpolicyonly.txt b/...t/projects/k8s-staging-test-infra/buckets/k8s-staging-test-infra-gcb/bucketpolicyonly.txt
@@ -0,0 +1,4 @@
+Bucket Policy Only setting for gs://k8s-staging-test-infra-gcb:
+  Enabled: True
+  LockedTime: 2021-08-02 20:29:19.330000+00:00
+
diff --git a/audit/projects/k8s-staging-test-infra/buckets/k8s-staging-test-infra-gcb/cors.txt b/audit/projects/k8s-staging-test-infra/buckets/k8s-staging-test-infra-gcb/cors.txt
@@ -0,0 +1 @@
+gs://k8s-staging-test-infra-gcb/ has no CORS configuration.
diff --git a/audit/projects/k8s-staging-test-infra/buckets/k8s-staging-test-infra-gcb/iam.json b/audit/projects/k8s-staging-test-infra/buckets/k8s-staging-test-infra-gcb/iam.json
@@ -0,0 +1,46 @@
+{
+  "bindings": [
+    {
+      "members": [
+        "group:k8s-infra-artifact-admins@kubernetes.io",
+        "projectEditor:k8s-staging-test-infra",
+        "projectOwner:k8s-staging-test-infra"
+      ],
+      "role": "roles/storage.legacyBucketOwner"
+    },
+    {
+      "members": [
+        "projectViewer:k8s-staging-test-infra"
+      ],
+      "role": "roles/storage.legacyBucketReader"
+    },
+    {
+      "members": [
+        "group:k8s-infra-staging-test-infra@kubernetes.io"
+      ],
+      "role": "roles/storage.legacyBucketWriter"
+    },
+    {
+      "members": [
+        "group:k8s-infra-artifact-admins@kubernetes.io",
+        "group:k8s-infra-staging-test-infra@kubernetes.io"
+      ],
+      "role": "roles/storage.objectAdmin"
+    },
+    {
+      "members": [
+        "serviceAccount:deployer@k8s-prow.iam.gserviceaccount.com",
+        "serviceAccount:gcb-builder@k8s-infra-prow-build-trusted.iam.gserviceaccount.com"
+      ],
+      "role": "roles/storage.objectCreator"
+    },
+    {
+      "members": [
+        "allUsers",
+        "serviceAccount:deployer@k8s-prow.iam.gserviceaccount.com",
+        "serviceAccount:gcb-builder@k8s-infra-prow-build-trusted.iam.gserviceaccount.com"
+      ],
+      "role": "roles/storage.objectViewer"
+    }
+  ]
+}
diff --git a/audit/projects/k8s-staging-test-infra/buckets/k8s-staging-test-infra-gcb/logging.txt b/audit/projects/k8s-staging-test-infra/buckets/k8s-staging-test-infra-gcb/logging.txt
@@ -0,0 +1 @@
+gs://k8s-staging-test-infra-gcb/ has no logging configuration.
diff --git a/audit/projects/k8s-staging-test-infra/buckets/k8s-staging-test-infra/bucketpolicyonly.txt b/audit/projects/k8s-staging-test-infra/buckets/k8s-staging-test-infra/bucketpolicyonly.txt
@@ -0,0 +1,4 @@
+Bucket Policy Only setting for gs://k8s-staging-test-infra:
+  Enabled: True
+  LockedTime: 2021-08-02 20:28:41.006000+00:00
+
diff --git a/audit/projects/k8s-staging-test-infra/buckets/k8s-staging-test-infra/cors.txt b/audit/projects/k8s-staging-test-infra/buckets/k8s-staging-test-infra/cors.txt
@@ -0,0 +1 @@
+gs://k8s-staging-test-infra/ has no CORS configuration.
diff --git a/audit/projects/k8s-staging-test-infra/buckets/k8s-staging-test-infra/iam.json b/audit/projects/k8s-staging-test-infra/buckets/k8s-staging-test-infra/iam.json
@@ -0,0 +1,37 @@
+{
+  "bindings": [
+    {
+      "members": [
+        "group:k8s-infra-artifact-admins@kubernetes.io",
+        "projectEditor:k8s-staging-test-infra",
+        "projectOwner:k8s-staging-test-infra"
+      ],
+      "role": "roles/storage.legacyBucketOwner"
+    },
+    {
+      "members": [
+        "projectViewer:k8s-staging-test-infra"
+      ],
+      "role": "roles/storage.legacyBucketReader"
+    },
+    {
+      "members": [
+        "group:k8s-infra-staging-test-infra@kubernetes.io"
+      ],
+      "role": "roles/storage.legacyBucketWriter"
+    },
+    {
+      "members": [
+        "group:k8s-infra-artifact-admins@kubernetes.io",
+        "group:k8s-infra-staging-test-infra@kubernetes.io"
+      ],
+      "role": "roles/storage.objectAdmin"
+    },
+    {
+      "members": [
+        "allUsers"
+      ],
+      "role": "roles/storage.objectViewer"
+    }
+  ]
+}
diff --git a/audit/projects/k8s-staging-test-infra/buckets/k8s-staging-test-infra/logging.txt b/audit/projects/k8s-staging-test-infra/buckets/k8s-staging-test-infra/logging.txt
@@ -0,0 +1 @@
+gs://k8s-staging-test-infra/ has no logging configuration.
diff --git a/audit/projects/k8s-staging-test-infra/description.json b/audit/projects/k8s-staging-test-infra/description.json
@@ -0,0 +1,11 @@
+{
+  "createTime": "2021-05-04T20:26:34.947Z",
+  "lifecycleState": "ACTIVE",
+  "name": "k8s-staging-test-infra",
+  "parent": {
+    "id": "758905017065",
+    "type": "organization"
+  },
+  "projectId": "k8s-staging-test-infra",
+  "projectNumber": "958928310150"
+}
diff --git a/audit/projects/k8s-staging-test-infra/iam.json b/audit/projects/k8s-staging-test-infra/iam.json
@@ -0,0 +1,68 @@
+{
+  "bindings": [
+    {
+      "members": [
+        "serviceAccount:958928310150@cloudbuild.gserviceaccount.com",
+        "serviceAccount:deployer@k8s-prow.iam.gserviceaccount.com",
+        "serviceAccount:gcb-builder@k8s-infra-prow-build-trusted.iam.gserviceaccount.com"
+      ],
+      "role": "roles/cloudbuild.builds.builder"
+    },
+    {
+      "members": [
+        "group:k8s-infra-staging-test-infra@kubernetes.io"
+      ],
+      "role": "roles/cloudbuild.builds.editor"
+    },
+    {
+      "members": [
+        "serviceAccount:service-958928310150@gcp-sa-cloudbuild.iam.gserviceaccount.com"
+      ],
+      "role": "roles/cloudbuild.serviceAgent"
+    },
+    {
+      "members": [
+        "serviceAccount:service-958928310150@container-analysis.iam.gserviceaccount.com"
+      ],
+      "role": "roles/containeranalysis.ServiceAgent"
+    },
+    {
+      "members": [
+        "serviceAccount:k8s-infra-gcr-vuln-scanning@k8s-artifacts-prod.iam.gserviceaccount.com"
+      ],
+      "role": "roles/containeranalysis.occurrences.viewer"
+    },
+    {
+      "members": [
+        "serviceAccount:service-958928310150@containerregistry.iam.gserviceaccount.com"
+      ],
+      "role": "roles/containerregistry.ServiceAgent"
+    },
+    {
+      "members": [
+        "serviceAccount:service-958928310150@gcp-sa-containerscanning.iam.gserviceaccount.com"
+      ],
+      "role": "roles/containerscanning.ServiceAgent"
+    },
+    {
+      "members": [
+        "serviceAccount:service-958928310150@gcp-sa-pubsub.iam.gserviceaccount.com"
+      ],
+      "role": "roles/pubsub.serviceAgent"
+    },
+    {
+      "members": [
+        "group:k8s-infra-staging-test-infra@kubernetes.io"
+      ],
+      "role": "roles/serviceusage.serviceUsageConsumer"
+    },
+    {
+      "members": [
+        "group:k8s-infra-artifact-admins@kubernetes.io",
+        "group:k8s-infra-staging-test-infra@kubernetes.io"
+      ],
+      "role": "roles/viewer"
+    }
+  ],
+  "version": 1
+}
diff --git a/audit/projects/k8s-staging-test-infra/services/enabled.txt b/audit/projects/k8s-staging-test-infra/services/enabled.txt
@@ -0,0 +1,11 @@
+NAME                              TITLE
+cloudbuild.googleapis.com         Cloud Build API
+cloudkms.googleapis.com           Cloud Key Management Service (KMS) API
+containeranalysis.googleapis.com  Container Analysis API
+containerregistry.googleapis.com  Container Registry API
+containerscanning.googleapis.com  Container Scanning API
+logging.googleapis.com            Cloud Logging API
+pubsub.googleapis.com             Cloud Pub/Sub API
+secretmanager.googleapis.com      Secret Manager API
+storage-api.googleapis.com        Google Cloud Storage JSON API
+storage-component.googleapis.com  Cloud Storage
diff --git a/audit/projects/kubernetes-public/buckets/k8s-infra-clusters-terraform/iam.json b/audit/projects/kubernetes-public/buckets/k8s-infra-clusters-terraform/iam.json
@@ -2,14 +2,14 @@
   "bindings": [
     {
       "members": [
-        "group:k8s-infra-gcp-org-admins@kubernetes.io"
+        "group:k8s-infra-gcp-org-admins@kubernetes.io",
+        "user:spiffxp@google.com"
       ],
       "role": "roles/storage.admin"
     },
     {
       "members": [
         "group:k8s-infra-cluster-admins@kubernetes.io",
-        "projectEditor:kubernetes-public",
         "projectOwner:kubernetes-public"
       ],
       "role": "roles/storage.legacyBucketOwner"

diff --git a/audit/projects/kubernetes-public/buckets/k8s-infra-tf-aws/iam.json b/audit/projects/kubernetes-public/buckets/k8s-infra-tf-aws/iam.json
@@ -9,7 +9,6 @@
     {
       "members": [
         "group:k8s-infra-aws-admins@kubernetes.io",
-        "projectEditor:kubernetes-public",
         "projectOwner:kubernetes-public"
       ],
       "role": "roles/storage.legacyBucketOwner"

diff --git a/audit/projects/kubernetes-public/buckets/k8s-infra-tf-prow-clusters/iam.json b/audit/projects/kubernetes-public/buckets/k8s-infra-tf-prow-clusters/iam.json
@@ -9,7 +9,6 @@
     {
       "members": [
         "group:k8s-infra-prow-oncall@kubernetes.io",
-        "projectEditor:kubernetes-public",
         "projectOwner:kubernetes-public"
       ],
       "role": "roles/storage.legacyBucketOwner"

diff --git a/audit/projects/kubernetes-public/buckets/k8s-infra-tf-public-clusters/iam.json b/audit/projects/kubernetes-public/buckets/k8s-infra-tf-public-clusters/iam.json
@@ -9,7 +9,6 @@
     {
       "members": [
         "group:k8s-infra-cluster-admins@kubernetes.io",
-        "projectEditor:kubernetes-public",
         "projectOwner:kubernetes-public"
       ],
       "role": "roles/storage.legacyBucketOwner"