Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

audit: update as of 2021-05-24 #2074

Merged
merged 1 commit into from
May 24, 2021
Merged

audit: update as of 2021-05-24 #2074

merged 1 commit into from
May 24, 2021

Conversation

cncf-ci
Copy link
Contributor

@cncf-ci cncf-ci commented May 21, 2021

Audit Updates wg-k8s-infra

@k8s-ci-robot k8s-ci-robot added the cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. label May 21, 2021
@k8s-ci-robot
Copy link
Contributor

Hi @cncf-ci. Thanks for your PR.

I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot k8s-ci-robot added needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. area/audit Audit of project resources, audit followup issues, code in audit/ wg/k8s-infra labels May 21, 2021
@k8s-ci-robot k8s-ci-robot added the size/L Denotes a PR that changes 100-499 lines, ignoring generated files. label May 21, 2021
@k8s-ci-robot k8s-ci-robot added size/S Denotes a PR that changes 10-29 lines, ignoring generated files. and removed size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels May 21, 2021
@cncf-ci cncf-ci force-pushed the autoaudit-prow branch 2 times, most recently from b6f6798 to 4edf7f1 Compare May 21, 2021 19:15
@k8s-ci-robot k8s-ci-robot added size/M Denotes a PR that changes 30-99 lines, ignoring generated files. and removed size/S Denotes a PR that changes 10-29 lines, ignoring generated files. labels May 21, 2021
@cncf-ci cncf-ci changed the title audit: update as of 2021-05-21 audit: update as of 2021-05-22 May 22, 2021
@cncf-ci cncf-ci force-pushed the autoaudit-prow branch 3 times, most recently from 7f21ea6 to 42d955d Compare May 22, 2021 19:13
@cncf-ci cncf-ci changed the title audit: update as of 2021-05-22 audit: update as of 2021-05-23 May 23, 2021
@cncf-ci cncf-ci force-pushed the autoaudit-prow branch 4 times, most recently from 64e50f5 to 76d9395 Compare May 23, 2021 19:02
@cncf-ci cncf-ci changed the title audit: update as of 2021-05-23 audit: update as of 2021-05-24 May 24, 2021
@cncf-ci cncf-ci force-pushed the autoaudit-prow branch 3 times, most recently from a113308 to caa494f Compare May 24, 2021 13:04
@spiffxp
Copy link
Member

spiffxp commented May 24, 2021

/ok-to-test
The job still appears to be pushing more than it needs to. I suspect it's etags on the secrets (ref: #2062)

FWIW, I tried using GitHub's compare view to see if I could tell why exactly it was pushing, e.g. for

@cncf-ci cncf-ci force-pushed the cncf-ci:autoaudit-prow branch 2 times, most recently from b62feb8 to a113308 16 hours ago

I used b62feb8...a113308

Some of the changes that shows were definitely not enacted within the last 16 hours. That still looks like the final commit to main.

@k8s-ci-robot k8s-ci-robot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels May 24, 2021
@spiffxp spiffxp mentioned this pull request May 24, 2021
Closed
spiffxp
spiffxp approved these changes May 24, 2021
View reviewed changes
audit/projects/k8s-artifacts-prod/services/enabled.txt
@@ -9,7 +9,6 @@ cloudtrace.googleapis.com Cloud Trace API
compute.googleapis.com Compute Engine API
containeranalysis.googleapis.com Container Analysis API
containerregistry.googleapis.com Container Registry API
containerscanning.googleapis.com Container Scanning API
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Expected from #2016

audit/projects/k8s-cip-test-prod/services/enabled.txt
@@ -7,7 +7,6 @@ cloudtrace.googleapis.com Cloud Trace API
compute.googleapis.com Compute Engine API
containeranalysis.googleapis.com Container Analysis API
containerregistry.googleapis.com Container Registry API
containerscanning.googleapis.com Container Scanning API
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Expected from #2016

audit/projects/k8s-infra-ii-sandbox/buckets/k8s-infra-ii-sandbox-bb-test/bucketpolicyonly.txt
Comment on lines +1 to +3
Bucket Policy Only setting for gs://k8s-infra-ii-sandbox-bb-test:
Enabled: False

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@BobyMCbobs @hh @bernokl @Riaankl was this manually created?

audit/projects/k8s-infra-prow-build-trusted/secrets/cncf-ci-github-token/description.json
"labels": {
"group": "sig-testing",
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Expected from #2078

audit/projects/k8s-infra-prow-build-trusted/secrets/cncf-ci-github-token/iam.json
@@ -2,6 +2,7 @@
"bindings": [
{
"members": [
"group:k8s-infra-ii-coop@kubernetes.io",
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Expected from #2078; give someone other that prow-oncall admin access to the secret, it's their secret to begin with. However, prow-oncall remains for break-glass purposes

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

FYI as a followup @hh I'm manually deleting your user: binding; it's redundant since you're part of the above group.

Plus, just trying to prune user: bindings in general; if it's important enough for a person to have access, it's important enough for a group to have access and hold each other accountable.

$ gcloud secrets --project=k8s-infra-prow-build-trusted remove-iam-policy-binding cncf-ci-github-token --member=user:hh@ii.coop --role=roles/secretmanager.admin
Updated IAM policy for secret [cncf-ci-github-token].
bindings:
- members:
  - group:k8s-infra-ii-coop@kubernetes.io
  - group:k8s-infra-prow-oncall@kubernetes.io
  role: roles/secretmanager.admin
etag: BwXDGOENV5g=
version: 1

audit/projects/k8s-infra-prow-build-trusted/secrets/cncf-ci-token/description.json
{
"createTime": "2021-05-21T18:03:26.516649Z",
"etag": "\"15c2dae05eb9a9\"",
"name": "projects/180382678033/secrets/cncf-ci-token",
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ah whoops, this was me running scripts from #2078 when they had a typo in them.

Manually deleting:

$ gcloud secrets delete --project=k8s-infra-prow-build-trusted cncf-ci-token
Deleted secret [cncf-ci-token]

audit/projects/k8s-infra-prow-build-trusted/secrets/snyk-token/iam.json
"bindings": [
{
"members": [
"group:k8s-infra-prow-oncall@kubernetes.io"
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is now out of date per #2078 (comment), will expect a followup audit PR to change this to include the group introduced in #2085

audit/projects/k8s-infra-prow-build-trusted/secrets/cncf-ci-github-token/description.json
@@ -1,7 +1,8 @@
{
"createTime": "2021-02-11T04:21:30.200768Z",
"etag": "\"15bb07da9956c0\"",
"etag": "\"15c2db0d2d7401\"",
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

etag noise, ref: #2062

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label May 24, 2021
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: cncf-ci, spiffxp

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label May 24, 2021
@spiffxp spiffxp mentioned this pull request May 24, 2021
Merged
@k8s-ci-robot k8s-ci-robot merged commit c654afb into kubernetes:main May 24, 2021
@k8s-ci-robot k8s-ci-robot added this to the v1.22 milestone May 24, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@spiffxp spiffxp spiffxp approved these changes

@nikhita nikhita Awaiting requested review from nikhita

Assignees

@spiffxp spiffxp

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. area/audit Audit of project resources, audit followup issues, code in audit/ cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. lgtm "Looks good to me", indicates that a PR is ready to be merged. ok-to-test Indicates a non-member PR verified by an org member that is safe to test. size/M Denotes a PR that changes 30-99 lines, ignoring generated files.
Projects
None yet
Milestone
v1.22
Development

Successfully merging this pull request may close these issues.
3 participants
@cncf-ci @k8s-ci-robot @spiffxp