results of running audit script as of 2021-01-13 #1534
Conversation
specifically: - one for each "special" pool of projects - ingress, gpu, scale - intended to match equivalent k8s-infra-e2e-boskos projects
changes reflected in here include: - add k8s-infra-prow-viewers@ - add k8s-infra-prow-oncall@ - quotas updated out of band - add ssh-keys (added by kubetest2)
specifically: - enable secretmanager - enable serviceusage - reflect quota updates done out of band - reflect automated cluster changes done out of band
specifically: - windows-remote-docker_ca-pem - windows-remote-docker_cert-pem - windows-remote-docker_key-pem
specifically: - create the service account - bind to trusted prow via workload identity - empower SA to deploy to prow build clusters
k8s-ci-robot
added
do-not-merge/work-in-progress
k8s-ci-robot
added
wg/k8s-infra
approved
also drop permissions given to related kubernetes.io group
k8s-ci-robot
added
the
cncf-cla: yes
specifically: - k8s-staging-addon-manager - k8s-staging-bootkube - k8s-staging-boskos - k8s-staging-ci-images - k8s-staging-cloud-provider-gcp - k8s-staging-cluster-addons - k8s-staging-cri-tools - k8s-staging-etcdadm - k8s-staging-examples - k8s-staging-git-sync - k8s-staging-ingress-nginx - k8s-staging-ingressconformance - k8s-staging-gsm-tools - k8s-staging-kustomize - k8s-staging-mirror - k8s-staging-networking - k8s-staging-provider-aws - k8s-staging-scheduler-plugins - k8s-staging-sig-docs - k8s-staging-sig-storage - k8s-staging-sp-operator - k8s-staging-storage-migrate
specifically - enable containeranalysis - enable containerscanning - enable secretmanager - give k8s-infra-gcr-vuln-scanning SA containeranalysis viewer role
specifically: - add k8s-conform-s390x-k8s bucket, SA for write, key in secretmanager - add k8s-conform-inspur
specifically: - restrict access to gsuite-groups-manager_key to serviceaccount - allow k8s-infra-prow-build-trusted to run as SA via workload identity
|
@spiffxp I will take a look at this over the weekend |
|
/uncc @justaugustus |
k8s-ci-robot
requested review from
thockin
and removed request for
justaugustus
| }, | ||
| { | ||
| "members": [ | ||
| "user:davanum@gmail.com" |
There was a problem hiding this comment.
All LGTM I think, it took some time to go over all the files related, but I did not see anything that calls my attention
just one comment, in several iam.json files we only see one "roles/owner" it is not better to have at least one more for backup in case it is needed? or this is expected? (asking because might be discussed before to be like this)
There was a problem hiding this comment.
Whoever runs the script that creates a project gets assigned as owner (we have a bug open about this #299). Org owners implicitly get owner on projects within the org, so we're available for fallback.
I believe the thinking goes: don't give owner access to projects, thereby requiring a gitops workflow for things like changing iam permissions. It's just unfortunate that the execution part of our gitops model is currently "humans run scripts" vs. bots.
There was a problem hiding this comment.
thanks for the clarification Aaron
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: cpanato, spiffxp The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
/assign @thockin |
|
This is now N weeks out of date. I'd like to re-run audit and add some more commits to this, or merge this as-is and do a followup PR. @hh is making progress on an automated CI job (kubernetes/test-infra#20742) but I'd like to get us to a smaller more digestible delta before we accept PR's from that job. If we close this PR and wait for that job to work, we're going to land something larger than this PR, but with one commit. I don't want to review that. |
|
I am re-running audit.sh and will add commits to this. I'm thinking maybe it's best to leave the questionable changes listed in |
| @@ -72,6 +72,8 @@ | |||
| "group:k8s-infra-gcp-org-admins@kubernetes.io", | |||
| "user:domain-admin-lf@kubernetes.io", | |||
| "user:ihor@cncf.io", | |||
| "user:spiffxp@google.com", | |||
There was a problem hiding this comment.
We shouldn't need these (since we have group:k8s-infra-gcp-org-admins@kubernetes.io). But they are OK as a "safety".
There was a problem hiding this comment.
Yup, "safety" is why they're explicitly defined here, is there someplace we should doc this?
| ], | ||
| "name": "organizations/758905017065/roles/prow.viewer", | ||
| "stage": "ALPHA", | ||
| "title": "Prow Viewer" |
There was a problem hiding this comment.
I find nothing in our repo setting this up. Aaron, your fingerprint is in the access log. We should set up a script or terraform to sync the org.
| @@ -0,0 +1,11 @@ | |||
| { | |||
There was a problem hiding this comment.
I wrote a quick script to diff all 30 of these.
06-30 have higher quotas than 01-05.
Not enough to abort this audit, but worth noting. Issue filed
| @@ -0,0 +1,11 @@ | |||
| { | |||
There was a problem hiding this comment.
I ran a script to diff these and it was clean.
| @@ -0,0 +1,11 @@ | |||
| { | |||
There was a problem hiding this comment.
I ran a script to diff these again 001.
41 + are missing the IAM binding:
{
"members": [
"group:k8s-infra-prow-viewers@kubernetes.io"
],
"role": "roles/viewer"
}
| @@ -22,6 +22,32 @@ | |||
| }, | |||
| { | |||
| "members": [ | |||
| "serviceAccount:service-675573440409@compute-system.iam.gserviceaccount.com" | |||
There was a problem hiding this comment.
Almost certainly what happened was that you or I or someone with "enough" privs clicked on the "compute" tab while in this project (that's my default tab) and it "helpfully" enables the service. Sigh. We should just go and disable it in the script. so it will get cleaned up on every run.
| @@ -20,6 +20,24 @@ | |||
| ], | |||
| "role": "roles/cloudbuild.serviceAgent" | |||
| }, | |||
| { | |||
There was a problem hiding this comment.
See comment on compute. I suspect the same, but I have less evidence). We should nuke it.
| @@ -20,10 +20,42 @@ | |||
| ], | |||
| "role": "roles/cloudbuild.serviceAgent" | |||
| }, | |||
| { | |||
There was a problem hiding this comment.
given your explanation for "I clicked on console and this happens automatically" this is almost undoubtedly my fault, I navigate these services all the time on a number of projects
added to #1675
| @@ -0,0 +1,8 @@ | |||
| { | |||
| "displayName": "App Engine default service account", | |||
There was a problem hiding this comment.
Maybe something to do with promoter? Can't think of a reason
There was a problem hiding this comment.
I have been in app engine before (looking at gubernator), it's possible this is the same deal as everything else in #1675
I'm surprised clicking around on console auto-activates services. Is it because our accounts are over-privileged? I'd rather see a "nope, you can't use this because the API isn't enabled for this project"
| @@ -18,6 +18,12 @@ | |||
| ], | |||
| "role": "roles/bigquery.jobUser" | |||
| }, | |||
| { | |||
There was a problem hiding this comment.
Maybe related to promoter? @listx may know.
|
Yes, it's because people like you can do anything. :(
…On Wed, Feb 17, 2021 at 4:04 PM Aaron Crickenberger < ***@***.***> wrote:
***@***.**** commented on this pull request.
------------------------------
In
***@***.***/description.json
<#1534 (comment)>:
> @@ -0,0 +1,8 @@
+{
+ "displayName": "App Engine default service account",
I have been in app engine before (looking at gubernator), it's possible
this is the same deal as everything else in #1675
<#1675>
I'm surprised clicking around on console auto-activates services. Is it
because our accounts are over-privileged? I'd rather see a "nope, you can't
use this because the API isn't enabled for this project"
—
You are receiving this because you were assigned.
Reply to this email directly, view it on GitHub
<#1534 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/ABKWAVESVW7JIUKVPUAGPU3S7RKSHANCNFSM4WDMGRCA>
.
|
spiffxp
changed the title
k8s-ci-robot
removed
the
do-not-merge/work-in-progress
|
Forget what I said in #1534 (comment) I did re-run audit, but I'd rather save those for another PR. And since we've opened a bunch of followup issues for the So... looking for lgtm? |
|
/lgtm ( i checked all the previous comments ... no, i did not go through 38k lines! ) |
k8s-ci-robot
added
the
lgtm
It's been way too long since this was last run and the results checked in. Last commit to
audit/is dated 2020-05-06. So this is ~7mo of changesI tried to group changes into logical commits, but I won't be able to exhaustively tie each commit back to the issues/PRs that spawned it.
This is WIP because I want to either resolve or open up followup issues for commits that have
QQorTODOin their messages.I really, really, really want us to get this running and automatically PR'ed by prow (ref: #244). Current state of affairs is broken.