audit: update as of 2021-03-11

[cncf-ci]

Audit Updates wg-k8s-infra

[k8s-ci-robot]

Hi @cncf-ci. Thanks for your PR.

I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[spiffxp]

This is the noise described in #1751 that we should address (at some point)

So ok we're probably going to be seeing noise in our boskos projects until we resolve a few followup issues.

/hold
I'm not going to merge this because I want to confirm whether this auto-bumps with new changes during the next run

[spiffxp]

/ok-to-test

[spiffxp]

+8 −32,555

Uhhhhhh

So after I had a mini heart attack, I browsed around real quick.

I'm reasonably confident the projects are all still present.

$ gcloud projects list --filter="parent.id=758905017065" --format="table(lifecycleState,projectId)" | grep ACTIVE | wc -l
     245

My account in k8s-infra-gcp-org-admins@ can no longer see all of the k8s-infra-e2e projects in GCP console. There are some k8s-infra-e2e-boskos-scale and k8s-staging projects I still happen to be on as roles/owner, and I can see those in the console.

My account in k8s-infra-prow-oncall@ can see all of the projects in GCP console.

Seems like something is missing for organization.admin and audit.viewer... and that changed within the last 6 hours?

[spiffxp]

ok I'm done looking at this for now, I had hopes that "it happened in the last 6 hours" might make it easier to spot what changed, but I'm beginning to think it's not something I did

• https://cloud.google.com/logging/docs/audit - going to the activity page for the org shows the last thing I did related to IAM was well before the first audit PR
• I tried going to logs explorer as my org admin account, and got a "You are missing one or more permissions required to use the query library. Learn more ."
• I tried giving my account roles/owner directly on the org, same thing
• I tried giving my account roles/logging.viewer directly on the org, same thing

[spiffxp]

+35 −37

Yup, and just like that, audit thinks projects are all back. Which they are, because they never went away.

[spiffxp]

/approve
/lgtm
/hold
This PR contains mostly updates to ssh-keys #1751, I'd rather hold it open until we resolve that.

But remove /hold if you feel differently

[hh]

@spiffxp note that we have a few more force, pushes and title updates. Latest one was 4 hours ago.

[spiffxp]

/hold cancel
/approve
/lgtm
everything is ssh key noise unless otherwise noted; I've bumped priority on #1751 (comment)

[spiffxp]

Hmmm I'm not sure I recall doing this

[spiffxp]

Last log entry I can find in the org's activity log was 2020-03-01, specifically adding this binding.

I also wouldn't be surprised if this is another IAM blip. This isn't a critical binding or role, I actually want to delete it anyway. So I'm going to opt to merge, and we'll see if these mysteriously show back up in the next audit PR

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: cncf-ci, spiffxp

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [spiffxp]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment