Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Grant GKE service account "Container Analysis Occurrences Viewer" role #803

Closed
listx opened this issue Apr 24, 2020 · 7 comments
Closed

Grant GKE service account "Container Analysis Occurrences Viewer" role #803

listx opened this issue Apr 24, 2020 · 7 comments
Labels
area/access Define who has access to what via IAM bindings, role bindings, policy, etc. area/artifacts Issues or PRs related to the hosting of release artifacts for subprojects lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed.

Comments

@listx
Copy link
Contributor

listx commented Apr 24, 2020
edited
Loading

It appears that Container Analysis Service is already turned on for k8s-artifacts-prod. But in order to consume this information (e.g., cloud vendors such as GKE), the "Container Analysis Occurrences Viewer" role must be granted to the vendor. For GKE, the service account that needs this role is vulnerability@gke-release-staging.iam.gserviceaccount.com.

/cc @thockin @destijl @simony-gke
@listx
Copy link
Contributor Author

listx commented Apr 24, 2020
edited
Loading

I think ultimately the PR for this boils down to adding another special-cased grant in infra/gcp/ensure-prod-storage.sh, but I wonder if we need to think about separating permissions tied to vendor-specific needs (third party organizations) to a separate script or separate hierarchical system. AFAIK all of the current grants deal with community groups (such as the artifact admins), not third parties.

@thockin
Copy link
Member

thockin commented Apr 28, 2020

I wonder if we can turn that into pub-sub or something less intrusive

@spiffxp spiffxp mentioned this issue Apr 28, 2020
Closed
@spiffxp spiffxp added area/access Define who has access to what via IAM bindings, role bindings, policy, etc. area/artifacts Issues or PRs related to the hosting of release artifacts for subprojects labels Apr 28, 2020
@listx
Copy link
Contributor Author

listx commented Apr 29, 2020

I wonder if we can turn that into pub-sub or something less intrusive

Do you mean adding a pub-sub layer and letting third parties consume those pub-sub messages (instead of having direct access as Container Analysis Occurrences Viewer)?

@fejta-bot
Copy link

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Jul 28, 2020
@fejta-bot
Copy link

Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle rotten

@k8s-ci-robot k8s-ci-robot added lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels Aug 27, 2020
@fejta-bot
Copy link

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/close

@k8s-ci-robot
Copy link
Contributor

@fejta-bot: Closing this issue.

In response to this:

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
area/access Define who has access to what via IAM bindings, role bindings, policy, etc. area/artifacts Issues or PRs related to the hosting of release artifacts for subprojects lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@spiffxp @listx @thockin @k8s-ci-robot @fejta-bot