Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

audit followup: k8s-infra GCP projects shouldn't have random services enabled #1887

Open
spiffxp opened this issue Apr 8, 2021 · 12 comments
Open

audit followup: k8s-infra GCP projects shouldn't have random services enabled #1887

spiffxp opened this issue Apr 8, 2021 · 12 comments
Assignees
@spiffxp
Labels
area/audit Audit of project resources, audit followup issues, code in audit/ kind/cleanup Categorizes issue or PR as related to cleaning up code, process, or technical debt. lifecycle/frozen Indicates that an issue or PR should not be auto-closed due to staleness. priority/important-longterm Important over the long term, but may not be staffed and/or may need multiple releases to complete. sig/k8s-infra Categorizes an issue or PR as relevant to SIG K8s Infra.

Comments

@spiffxp
Copy link
Member

spiffxp commented Apr 8, 2021

This is a followup to #1675 which was focused just on k8s-staging-* GCP projects

While I haven't found docs for it, I am told that over-privileged users (e.g. organization admins) who use the UI are capable of auto-enabling services as they click from project-to-project or service-to-service. I think I often run into this when I'm using a service in my personal project, and then switch to a kubernetes.io project.

#1859 adds an ensure_only_services "${project}" "${services[@]}" function to auto-disable services that were directly specified, or direct dependencies of what was specified. I wasn't comfortable enabling it by default for everything, and I didn't want to rewrite ensure-prod-storage.sh just yet.

This issue is intended to cover:

  • determining what set of services we think should be enabled by default for a given class/type of project
  • determining how to add in special-case services for a given project (e.g. prod-only, test-only)
  • pruning services until we're sure we have only what we want enabled
  • enabling some mechanism to enforce continually, e.g.
    • remove obnoxiously long env var gate, do it every time ensure_project is run by any human running a script
    • setup a custom script that only prunes services, run a prowjob that does this
    • etc.
@spiffxp
Copy link
Member Author

spiffxp commented Apr 8, 2021

/area infra/auditing

@k8s-ci-robot k8s-ci-robot added the area/audit Audit of project resources, audit followup issues, code in audit/ label Apr 8, 2021
@spiffxp spiffxp mentioned this issue Apr 8, 2021
Merged
@spiffxp
Copy link
Member Author

spiffxp commented Apr 8, 2021

As part of #1890 I'm looking at k8s-conform's services. This project should be storage-only, so definitely going to disable compute

k8s-conform:
  intent:
    - secretmanager.googleapis.com
    - storage-api.googleapis.com
    - storage-component.googleapis.com
  enabled:
    - compute.googleapis.com
    - oslogin.googleapis.com
    - secretmanager.googleapis.com
    - storage-api.googleapis.com
    - storage-component.googleapis.com
  expected:
    - secretmanager.googleapis.com
    - storage-api.googleapis.com
    - storage-component.googleapis.com
  to_enable: []
  to_disable:
    - compute.googleapis.com
    - oslogin.googleapis.com

@spiffxp
Copy link
Member Author

spiffxp commented Apr 9, 2021

#1890 (comment) removed extraneous services for k8s-conform

@spiffxp
Copy link
Member Author

spiffxp commented May 19, 2021

I was looking into whether terraform could make this any easier... and it does not. They used to have a google_project_services resource, but ended up deprecating and deleting it, ref: hashicorp/terraform-provider-google#4587

I'm iterating on an attempt to make ensure_only_services work a little better over in #2016 to close out #1963

@spiffxp
Copy link
Member Author

spiffxp commented May 19, 2021

/kind cleanup
/priority important-longterm
/assign
I'll self assign since I'm noodling. But I could use some help, especially suggestions or prior art.

Ultimately I think the future here is a golang tool or something akin to crossplane rather than the ludicrous bash/jq I have going on

@k8s-ci-robot k8s-ci-robot added kind/cleanup Categorizes issue or PR as related to cleaning up code, process, or technical debt. priority/important-longterm Important over the long term, but may not be staffed and/or may need multiple releases to complete. labels May 19, 2021
@ameukam
Copy link
Member

ameukam commented May 19, 2021

Ultimately I think the future here is a golang tool or something akin to crossplane rather than the ludicrous bash/jq I have going on

I started to take a look at CRDs provided by config-connector : https://cloud.google.com/config-connector/docs/concepts/resources.
Planned to do a parallel to #1885.

@spiffxp spiffxp mentioned this issue May 19, 2021
Merged
@spiffxp
Copy link
Member Author

spiffxp commented Jun 15, 2021

From a freshly provisioned project (ref: #2195 (comment))

The existing bash/jq is not walking deps enough. None of the services should be unexpected after this first call.

    plan to enable/disable the following services
    to_enable:
      - compute.googleapis.com
      - containerregistry.googleapis.com
      - logging.googleapis.com
      - monitoring.googleapis.com
      - storage-component.googleapis.com
    to_disable: []
    Operation "operations/acf.p2-783965148085-e3561dac-7684-4ec5-8a4e-087848353038" finished successfully.
    Operation "operations/acf.p2-783965148085-73b68eda-a5fc-45e5-a827-90df93bfa3ef" finished successfully.
    Operation "operations/acf.p2-783965148085-69a4fc7c-d39b-44da-9978-eb05e6bd4abc" finished successfully.
    Operation "operations/acf.p2-783965148085-17922383-9f5a-4e41-b070-fb6d703dc45f" finished successfully.
    Operation "operations/acf.p2-783965148085-de4f0675-e9d1-4b66-8fd6-9ecf662d56cd" finished successfully.
    "INFO: dry-run mode, would run:" gcloud services disable --force oslogin.googleapis.com --project=k8s-infra-e2e-scale-5k-project
    "INFO: dry-run mode, would run:" gcloud services disable --force pubsub.googleapis.com --project=k8s-infra-e2e-scale-5k-project
    "INFO: dry-run mode, would run:" gcloud services disable --force storage-api.googleapis.com --project=k8s-infra-e2e-scale-5k-project
    WARN: ensure_only_services: after enable/disable cycle, still projects to enable/disable: k8s-infra-e2e-scale-5k-project
    intent:
      - compute.googleapis.com
      - containerregistry.googleapis.com
      - logging.googleapis.com
      - monitoring.googleapis.com
      - storage-component.googleapis.com
    enabled:
      - compute.googleapis.com
      - containerregistry.googleapis.com
      - logging.googleapis.com
      - monitoring.googleapis.com
      - oslogin.googleapis.com
      - pubsub.googleapis.com
      - storage-api.googleapis.com
      - storage-component.googleapis.com
    expected:
      - compute.googleapis.com
      - containerregistry.googleapis.com
      - logging.googleapis.com
      - monitoring.googleapis.com
      - storage-component.googleapis.com
    to_enable: []
    to_disable:
      - oslogin.googleapis.com
      - pubsub.googleapis.com
      - storage-api.googleapis.com

I have a much gnarler set of jq lurking somewhere, I've been afraid to PR it since maybe it takes us too far in an unmaintainable direction. But I'm pretty sure it handles this correctly. I'll see if I can dig it up.

@spiffxp
Copy link
Member Author

spiffxp commented Jul 28, 2021

So I don't know when this happened, but it appears that gcloud services list no longer includes dependency information.

That's gonna put a real damper on automating an audit of this.

@spiffxp spiffxp mentioned this issue Jul 28, 2021
Merged
@spiffxp
Copy link
Member Author

spiffxp commented Aug 17, 2021

/milestone v1.23
I would like to at least get a picture of how random the enabled services are

@k8s-ci-robot k8s-ci-robot added this to the v1.23 milestone Aug 17, 2021
@k8s-ci-robot k8s-ci-robot added sig/k8s-infra Categorizes an issue or PR as relevant to SIG K8s Infra. and removed wg/k8s-infra labels Sep 29, 2021
@ameukam
Copy link
Member

ameukam commented Dec 14, 2021

/milestone v1.24

@k8s-ci-robot k8s-ci-robot modified the milestones: v1.23, v1.24 Dec 14, 2021
@k8s-triage-robot
Copy link

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue or PR as fresh with /remove-lifecycle stale
  • Mark this issue or PR as rotten with /lifecycle rotten
  • Close this issue or PR with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Mar 14, 2022
@ameukam
Copy link
Member

ameukam commented Mar 15, 2022

/remove-lifecycle stale
/lifecycle frozen
/milestone clear

@k8s-ci-robot k8s-ci-robot added lifecycle/frozen Indicates that an issue or PR should not be auto-closed due to staleness. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels Mar 15, 2022
@k8s-ci-robot k8s-ci-robot removed this from the v1.24 milestone Mar 15, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@spiffxp spiffxp

Labels
area/audit Audit of project resources, audit followup issues, code in audit/ kind/cleanup Categorizes issue or PR as related to cleaning up code, process, or technical debt. lifecycle/frozen Indicates that an issue or PR should not be auto-closed due to staleness. priority/important-longterm Important over the long term, but may not be staffed and/or may need multiple releases to complete. sig/k8s-infra Categorizes an issue or PR as relevant to SIG K8s Infra.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@spiffxp @ameukam @k8s-ci-robot @k8s-triage-robot