Manage organization roles

[spiffxp]

This addresses most of #1659

To do so I added a script to generate roles out of other roles/permissions (#1656).

A role spec looks like the following:

# role name, e.g.
name: "foo.bar"
# human readable title for the role, e.g.
title: "Foo Barrer"
# human readable description for the role, e.g. 
description: "Allows doing Bar on Foo resources"
# include permissions from the following...
include:
  # a list of permissions, e.g.
  permissions:
  - foo.bar.doSomething
  # a list of roles, e.g.
  roles:
  - roles/foo.bar
  # only include permissions matching any extended regex in this list, e.g.
  permissionRegxes:
  - ^foo.bar.(get|list)
exclude:
  # exclude any permissions matching any extended regex in this list, e.g.
  permissionRegexes:
  - SuperDangerousOperation$

Sadly, I did this with bash and yq. Redoing this with go would be a great help-wanted.

Updates the following managed org roles:

• prow.viewer - Auditing roles/viewer from k8s-infra-e2e-prow-viewers@ made me realize they don't have view access to buckets in most e2e projects. Now they will.

Adds the following previously unmanaged org roles:

• CustomRole - not a good name, but held off on migrating to better name until I get some historical context
• StorageBucketLister - this can go away once audit.viewer is live

Adds the following new managed org roles:

• audit.viewer - replace the sundry bindings used by k8s-infra-gcp-auditors@
  • I ran the script this far already to vet the effective permissions before and after look good (https://gist.github.com/spiffxp/7d2bfaa9c510de89a7f2ce1c31ec1a00)
• organization.admin - replace the sundry non-roles/owner bindings used by k8s-infra-gcp-org-admins@
  • not running the script to deploy this until I've gotten review

There is a little more followup I would like to do to close out #1659, but not in this PR:

• pull the ServiceAccountLister role out of projects and up into the org (but keep the binding(s) project level)
• remove StorageBucketLister unless there's a reason to keep it around
• remove the detritus cleanup code marked with TODO's
• setup a periodic job to refresh the custom roles to pick up new permissions that are added over time

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: spiffxp

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [spiffxp]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[spiffxp]

/uncc @bartsmykla @mikedanese
/cc @ameukam @cblecker @dims
/assign @thockin

[dims]

I like the idea! but don't know enough GCP stuff to review thoroughly. +1 to ship and iterate too!

[spiffxp]

Rebased due to #1733

[ameukam]

/lgtm
(I blindly trust Aaron as a Bash Fighter. 😃)

[ameukam]

/hold
Un-hold when you're ready.

[spiffxp]

/hold cancel

[spiffxp]

Using the same process as https://gist.github.com/spiffxp/7d2bfaa9c510de89a7f2ce1c31ec1a00, I removed the early exit and ran ./infra/gcp/ensure-organization.sh

The resulting diff for k8s-infra-gcp-org-admins' permissions looks expected; nothing lost, and resourecemanager.folder permissions gained.

$ diff org-admin-permissions-{before,after}.txt
3460a3461,3462
> - resourcemanager.folders.create
> - resourcemanager.folders.delete
3463a3466
> - resourcemanager.folders.move
3464a3468,3469
> - resourcemanager.folders.undelete
> - resourcemanager.folders.update

[spiffxp]

/kind feature
/kind cleanup
/area infra/auditing
tagging issues/PRs related to audit followup