audit: update as of 2021-05-24 #2074
Conversation
Hi @cncf-ci. Thanks for your PR. I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
/ok-to-test

FWIW, I tried using GitHub's compare view to see if I could tell why exactly it was pushing, e.g. for I used b62feb8...a113308. Some of the changes that shows were definitely not enacted within the last 16 hours. That still looks like the final commit to main.
@@ -9,7 +9,6 @@ cloudtrace.googleapis.com Cloud Trace API | |||
compute.googleapis.com Compute Engine API | |||
containeranalysis.googleapis.com Container Analysis API | |||
containerregistry.googleapis.com Container Registry API | |||
containerscanning.googleapis.com Container Scanning API |
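Review bot: the hunk header @@ -9,7 +9,6 @@ shows one line dropped, and the only service in the visible block that is not carried over is containerscanning.googleapis.com, so this audit records the Container Scanning API being disabled, which ends vulnerability scan results for images in that project's Container Registry. The "Expected from #2016" reply gives the intent, but the audit diff itself carries no reason; a line in the PR description linking #2016 next to this removal would let a later reader verify it was deliberate without digging through the thread.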
Expected from #2016
@@ -7,7 +7,6 @@ cloudtrace.googleapis.com Cloud Trace API | |||
compute.googleapis.com Compute Engine API | |||
containeranalysis.googleapis.com Container Analysis API | |||
containerregistry.googleapis.com Container Registry API | |||
containerscanning.googleapis.com Container Scanning API |
Expected from #2016
Bucket Policy Only setting for gs://k8s-infra-ii-sandbox-bb-test: | ||
Enabled: False | ||
|
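Review bot: Bucket Policy Only showing Enabled: False on gs://k8s-infra-ii-sandbox-bb-test means legacy per-object ACLs still apply alongside IAM, so who can read or write this bucket cannot be determined from its IAM bindings alone and the audit dump understates its exposure. If the bucket is kept rather than deleted, enable the setting (now called uniform bucket-level access) so the IAM policy is the single source of truth.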
@BobyMCbobs @hh @bernokl @Riaankl was this manually created?
"labels": { | ||
"group": "sig-testing", |
Expected from #2078
@@ -2,6 +2,7 @@ | |||
"bindings": [ | |||
{ | |||
"members": [ | |||
"group:k8s-infra-ii-coop@kubernetes.io", |
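Review bot: the members list now carries a second group on what the thread identifies as roles/secretmanager.admin, and admin on a secret includes the right to rewrite this very binding list. If k8s-infra-ii-coop only needs to read or rotate the token, a narrower role (roles/secretmanager.secretAccessor, or roles/secretmanager.secretVersionManager for adding versions) would give them that while leaving admin, and the break-glass path, with prow-oncall alone.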
Expected from #2078; give someone other than prow-oncall admin access to the secret, it's their secret to begin with. However, prow-oncall remains for break-glass purposes.
FYI as a followup @hh I'm manually deleting your `user:` binding; it's redundant since you're part of the above group. Plus, just trying to prune `user:` bindings in general; if it's important enough for a person to have access, it's important enough for a group to have access and hold each other accountable.
```console
$ gcloud secrets --project=k8s-infra-prow-build-trusted remove-iam-policy-binding cncf-ci-github-token --member=user:hh@ii.coop --role=roles/secretmanager.admin
Updated IAM policy for secret [cncf-ci-github-token].
bindings:
- members:
  - group:k8s-infra-ii-coop@kubernetes.io
  - group:k8s-infra-prow-oncall@kubernetes.io
  role: roles/secretmanager.admin
etag: BwXDGOENV5g=
version: 1
```
{ | ||
"createTime": "2021-05-21T18:03:26.516649Z", | ||
"etag": "\"15c2dae05eb9a9\"", | ||
"name": "projects/180382678033/secrets/cncf-ci-token", |
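Review bot: a new secret projects/180382678033/secrets/cncf-ci-token with createTime 2021-05-21 appears in the dump beside cncf-ci-github-token and differs from it only by the missing "github"; nothing in the hunk says who created it or why. Confirm it is intentional before merging, and if it is a stray from a script run, delete it so the audit stops carrying an unused secret with its own IAM surface.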
Ah whoops, this was me running scripts from #2078 when they had a typo in them. Manually deleting:

```console
$ gcloud secrets delete --project=k8s-infra-prow-build-trusted cncf-ci-token
Deleted secret [cncf-ci-token]
```
"bindings": [ | ||
{ | ||
"members": [ | ||
"group:k8s-infra-prow-oncall@kubernetes.io" |
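Review bot: this secret's binding lists only group:k8s-infra-prow-oncall@kubernetes.io, while the sibling secret in the same PR gained a second admin group for the owning team; either the owning group is still missing here or the dump was taken before that change landed. Either way the on-call group is the sole path to this secret, so a follow-up audit run should show the intended owner added rather than leaving break-glass as the only access.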
This is now out of date per #2078 (comment), will expect a followup audit PR to change this to include the group introduced in #2085
@@ -1,7 +1,8 @@ | |||
{ | |||
"createTime": "2021-02-11T04:21:30.200768Z", | |||
"etag": "\"15bb07da9956c0\"", | |||
"etag": "\"15c2db0d2d7401\"", |
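Review bot: the only line that changes in this hunk is the etag (createTime and the surrounding fields are unchanged context), so this is write churn rather than a policy change. Stripping etag from the dumped JSON before it is committed would keep audit diffs to real changes and make the substantive hunks in PRs like this one easier to review.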
etag noise, ref: #2062
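Two points in the thread above, pruning direct `user:` bindings in favour of groups and the etag-only churn in audit diffs, are both mechanical checks. The script below is an added example and not part of the k8s.io audit tooling; it assumes the audit writes each IAM policy as the JSON that `gcloud ... get-iam-policy --format=json` emits (`bindings`, `etag`, `version`), which is the shape the hunks in this PR show. The sample policy is constructed, modelled on the cncf-ci-github-token policy quoted in the thread, and the `removal_commands` helper only builds the `gcloud secrets remove-iam-policy-binding` invocation shown above rather than running it.

```python
# Added example, not from the k8s.io repository: normalize a GCP IAM policy
# dump before diffing it, and flag direct "user:" members that should be
# replaced by group membership.
import json

# Constructed sample modelled on the secret policy quoted in the PR thread;
# the user: member is the redundant binding being pruned.
SAMPLE_POLICY = json.dumps({
    "bindings": [{
        "members": [
            "group:k8s-infra-ii-coop@kubernetes.io",
            "group:k8s-infra-prow-oncall@kubernetes.io",
            "user:hh@ii.coop",
        ],
        "role": "roles/secretmanager.admin",
    }],
    "etag": "BwXDGOENV5g=",
    "version": 1,
})

# Fields that change on every write without reflecting a policy change.
VOLATILE_KEYS = {"etag"}


def parse_policy(text: str) -> dict:
    """Load one get-iam-policy JSON document."""
    return json.loads(text)


def normalize(policy: dict) -> dict:
    """Drop volatile keys and sort roles and members so two dumps of the
    same effective policy compare equal regardless of emission order."""
    out = {k: v for k, v in policy.items() if k not in VOLATILE_KEYS}
    out["bindings"] = sorted(
        ({"role": b["role"], "members": sorted(b.get("members", []))}
         for b in policy.get("bindings", [])),
        key=lambda b: b["role"],
    )
    return out


def is_etag_noise(before_json: str, after_json: str) -> bool:
    """True when two dumps differ only in volatile data (an etag-only hunk)."""
    return normalize(parse_policy(before_json)) == normalize(parse_policy(after_json))


def direct_user_bindings(policy: dict) -> list:
    """(role, member) pairs granted to an individual user: principal,
    i.e. access that is not mediated by a group."""
    return sorted(
        (b["role"], m)
        for b in policy.get("bindings", [])
        for m in b.get("members", [])
        if m.startswith("user:")
    )


def removal_commands(project: str, secret: str, policy: dict) -> list:
    """gcloud commands that would prune each direct user: binding on a
    Secret Manager secret; built for review, not executed here."""
    return [
        f"gcloud secrets remove-iam-policy-binding {secret} --project={project} "
        f"--member={member} --role={role}"
        for role, member in direct_user_bindings(policy)
    ]


if __name__ == "__main__":
    policy = parse_policy(SAMPLE_POLICY)
    for cmd in removal_commands("k8s-infra-prow-build-trusted",
                                "cncf-ci-github-token", policy):
        print(cmd)
    rewritten = SAMPLE_POLICY.replace("BwXDGOENV5g=", "AAAA")
    print("etag-only change:", is_etag_noise(SAMPLE_POLICY, rewritten))
```

Running `normalize` over both sides of an audit diff before comparing them is what turns the etag hunk above into a no-op, while `direct_user_bindings` gives the list a reviewer would work through when deciding which `user:` entries to fold into a group.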
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: cncf-ci, spiffxp The full list of commands accepted by this bot can be found here. The pull request process is described here
Audit Updates wg-k8s-infra