add exploration of enabled services

audit/README.md

@@ -3,7 +3,7 @@
 ## Status
 
 WIP. Members of k8s-infra-gcp-auditors should be able to run this script to submit an audit PR. 
-Note this is an Audit of current configuration, not a requset for change.
+Note this is an Audit of current configuration, not a request for change.
 
 ## How to become an auditor
 

audit/audit-gcp.sh

@@ -15,17 +15,74 @@ do
     gcloud projects list \
            --filter "parent.id=$CNCF_GCP_ORG" \
            --format "value(name, projectNumber)" \
-        | while read NAME NUM; do \
-        gcloud projects get-iam-policy $NAME --format=$format > $NAME.policy.$format
-        gcloud iam roles list --project=$NAME --format=$format > $NAME.roles.$format
-        mkdir -p roles
-        for ROLE_PATH in `gcloud --project=$NAME iam roles list --format="value(name)"`
+        | while read PROJECT NUM; do \
+        export CLOUDSDK_CORE_PROJECT=$PROJECT
+        gcloud projects get-iam-policy $PROJECT --format=$format > $PROJECT.policy.$format
+        gcloud iam roles list --project $PROJECT --format=$format > $PROJECT.roles.$format
+        mkdir -p $PROJECT.roles
+        for ROLE_PATH in `gcloud iam roles list --project $PROJECT --format="value(name)"`
         do
             ROLE=`basename $ROLE_PATH`
-            gcloud --project=$NAME iam roles describe $ROLE \
-                   --format=json > roles/$ROLE.json
+            gcloud iam roles --project=$PROJECT describe $ROLE \
+                   --format=json > $PROJECT.roles/$ROLE.json
+        done
+        gcloud services list --filter state:ENABLED --format=$format > $PROJECT.services.$format
+        for service in `gcloud services list --filter state:ENABLED --format=json | jq -r .[].config.name`
+        do
+            case $service in
+                compute.googleapis.com)
+                    echo TODO: Needs compute.projects.get
+                    #### gcloud compute project-info describe
+                    gcloud compute instances list --format=$format > $PROJECT.compute.instances.$format
+                    gcloud compute disks list --format=$format > $PROJECT.compute.disks.$format
+                    # I'm ensure why we see this when container.googleapis.com is DISABLED
+                    gcloud container clusters list --format=$format > $PROJECT.clusters.$format
+                ;;
+                dns.googleapis.com)
+                    mkdir -p dns
+                    gcloud dns project-info describe $PROJECT --format=$format > dns/$PROJECT.info.$format
+                    gcloud dns managed-zones list --format=$format > dns/$PROJECT.zones.$format
+                ;;
+                logging.googleapis.com)
+                    echo TODO: Needs serviceusage.services.use
+                    ##### gcloud logging logs list --format=$format > $PROJECT.logging.logs.$format
+                    ##### gcloud logging metrics list
+                    ##### gcloud logging sinks list
+                ;;
+                monitoring.googleapis.com)
+                    echo TODO: Needs serviceusage.services.use
+                    #### gcloud alpha monitoring policies list
+                    #### gcloud alpha monitoring channels list
+                    #### gcloud alpha monitoring channel-descriptors list
+                ;;
+                oslogin.googleapis.com)
+                    echo TODO: Verify how OS Login is configured / audited
+                ;;
+                bigquery-json.googleapis.com)
+                    echo TODO: Verify how Big Query is configured / audited
+                    ;;
+                storage-api.googleapis.com)
+                    echo TODO: Add storage.buckets.get for auditors
+                    echo ...to kubernetes_public_billing and any newer buckets...
+                    echo TODO: Ensure bucket-policy-only, for simplicity in Auditing
+                    # https://cloud.google.com/storage/docs/bucket-policy-only
+                    mkdir -p buckets
+                    for BUCKET in `gsutil ls -p $PROJECT | awk -F/ '{print $3}'`
+                    do
+                        #### gsutil bucketpolicyonly get gs://$BUCKET/
+                        #### gsutil cors get gs://$BUCKET/
+                        #### gsutil logging get gs://$BUCKET/
+                        gsutil iam get gs://$BUCKET/ > buckets/$PROJECT.$BUCKET.iam.json
+                        gsutil ls -r gs://$BUCKET/ > buckets/$PROJECT.$BUCKET.txt
+                    done
+                ;;
+                storage-component.googleapis.com)
+                ;;
+                *)
+                    echo ***** Unhandled Service $service *****
+                ;;
+            esac
         done
-
     done
 done
 

audit/buckets/kubernetes-public.kubernetes_public_billing.iam.json

@@ -0,0 +1,24 @@
+{
+  "bindings": [
+    {
+      "members": [
+        "projectEditor:kubernetes-public", 
+        "projectOwner:kubernetes-public"
+      ], 
+      "role": "roles/storage.legacyBucketOwner"
+    }, 
+    {
+      "members": [
+        "projectViewer:kubernetes-public"
+      ], 
+      "role": "roles/storage.legacyBucketReader"
+    }, 
+    {
+      "members": [
+        "serviceAccount:509219875288-kscf0cheafmf4f6tp1auij5me8qakbin@developer.gserviceaccount.com"
+      ], 
+      "role": "roles/storage.legacyBucketWriter"
+    }
+  ], 
+  "etag": "CAU="
+}

audit/dns/k8s-infra-dev-cluster-turnup.info.json

@@ -0,0 +1,49 @@
+{
+  "id": "k8s-infra-dev-cluster-turnup",
+  "kind": "dns#project",
+  "number": "396460694993",
+  "quota": {
+    "dnsKeysPerManagedZone": 4,
+    "kind": "dns#quota",
+    "managedZones": 10000,
+    "managedZonesPerNetwork": 10000,
+    "networksPerManagedZone": 100,
+    "resourceRecordsPerRrset": 100,
+    "rrsetAdditionsPerChange": 1000,
+    "rrsetDeletionsPerChange": 1000,
+    "rrsetsPerManagedZone": 10000,
+    "totalRrdataSizePerChange": 100000,
+    "whitelistedKeySpecs": [
+      {
+        "algorithm": "ecdsap256sha256",
+        "kind": "dns#dnsKeySpec"
+      },
+      {
+        "algorithm": "ecdsap384sha384",
+        "kind": "dns#dnsKeySpec"
+      },
+      {
+        "algorithm": "rsasha256",
+        "keyLength": 2048,
+        "kind": "dns#dnsKeySpec"
+      },
+      {
+        "algorithm": "rsasha256",
+        "keyLength": 1024,
+        "keyType": "zoneSigning",
+        "kind": "dns#dnsKeySpec"
+      },
+      {
+        "algorithm": "rsasha512",
+        "keyLength": 2048,
+        "kind": "dns#dnsKeySpec"
+      },
+      {
+        "algorithm": "rsasha512",
+        "keyLength": 1024,
+        "keyType": "zoneSigning",
+        "kind": "dns#dnsKeySpec"
+      }
+    ]
+  }
+}

audit/dns/k8s-infra-dev-cluster-turnup.info.yaml

@@ -0,0 +1,33 @@
+id: k8s-infra-dev-cluster-turnup
+kind: dns#project
+number: '396460694993'
+quota:
+  dnsKeysPerManagedZone: 4
+  kind: dns#quota
+  managedZones: 10000
+  managedZonesPerNetwork: 10000
+  networksPerManagedZone: 100
+  resourceRecordsPerRrset: 100
+  rrsetAdditionsPerChange: 1000
+  rrsetDeletionsPerChange: 1000
+  rrsetsPerManagedZone: 10000
+  totalRrdataSizePerChange: 100000
+  whitelistedKeySpecs:
+  - algorithm: ecdsap256sha256
+    kind: dns#dnsKeySpec
+  - algorithm: ecdsap384sha384
+    kind: dns#dnsKeySpec
+  - algorithm: rsasha256
+    keyLength: 2048
+    kind: dns#dnsKeySpec
+  - algorithm: rsasha256
+    keyLength: 1024
+    keyType: zoneSigning
+    kind: dns#dnsKeySpec
+  - algorithm: rsasha512
+    keyLength: 2048
+    kind: dns#dnsKeySpec
+  - algorithm: rsasha512
+    keyLength: 1024
+    keyType: zoneSigning
+    kind: dns#dnsKeySpec

audit/dns/k8s-infra-dev-cluster-turnup.zones.json

@@ -0,0 +1 @@
+[]

audit/dns/kubernetes-public.info.json

@@ -0,0 +1,49 @@
+{
+  "id": "kubernetes-public",
+  "kind": "dns#project",
+  "number": "127754664067",
+  "quota": {
+    "dnsKeysPerManagedZone": 4,
+    "kind": "dns#quota",
+    "managedZones": 10000,
+    "managedZonesPerNetwork": 10000,
+    "networksPerManagedZone": 100,
+    "resourceRecordsPerRrset": 100,
+    "rrsetAdditionsPerChange": 1000,
+    "rrsetDeletionsPerChange": 1000,
+    "rrsetsPerManagedZone": 10000,
+    "totalRrdataSizePerChange": 100000,
+    "whitelistedKeySpecs": [
+      {
+        "algorithm": "ecdsap256sha256",
+        "kind": "dns#dnsKeySpec"
+      },
+      {
+        "algorithm": "ecdsap384sha384",
+        "kind": "dns#dnsKeySpec"
+      },
+      {
+        "algorithm": "rsasha256",
+        "keyLength": 2048,
+        "kind": "dns#dnsKeySpec"
+      },
+      {
+        "algorithm": "rsasha256",
+        "keyLength": 1024,
+        "keyType": "zoneSigning",
+        "kind": "dns#dnsKeySpec"
+      },
+      {
+        "algorithm": "rsasha512",
+        "keyLength": 2048,
+        "kind": "dns#dnsKeySpec"
+      },
+      {
+        "algorithm": "rsasha512",
+        "keyLength": 1024,
+        "keyType": "zoneSigning",
+        "kind": "dns#dnsKeySpec"
+      }
+    ]
+  }
+}

audit/dns/kubernetes-public.info.yaml

@@ -0,0 +1,33 @@
+id: kubernetes-public
+kind: dns#project
+number: '127754664067'
+quota:
+  dnsKeysPerManagedZone: 4
+  kind: dns#quota
+  managedZones: 10000
+  managedZonesPerNetwork: 10000
+  networksPerManagedZone: 100
+  resourceRecordsPerRrset: 100
+  rrsetAdditionsPerChange: 1000
+  rrsetDeletionsPerChange: 1000
+  rrsetsPerManagedZone: 10000
+  totalRrdataSizePerChange: 100000
+  whitelistedKeySpecs:
+  - algorithm: ecdsap256sha256
+    kind: dns#dnsKeySpec
+  - algorithm: ecdsap384sha384
+    kind: dns#dnsKeySpec
+  - algorithm: rsasha256
+    keyLength: 2048
+    kind: dns#dnsKeySpec
+  - algorithm: rsasha256
+    keyLength: 1024
+    keyType: zoneSigning
+    kind: dns#dnsKeySpec
+  - algorithm: rsasha512
+    keyLength: 2048
+    kind: dns#dnsKeySpec
+  - algorithm: rsasha512
+    keyLength: 1024
+    keyType: zoneSigning
+    kind: dns#dnsKeySpec

audit/dns/kubernetes-public.zones.json

@@ -0,0 +1,96 @@
+[
+  {
+    "creationTime": "2018-10-09T16:18:27.446Z",
+    "description": "",
+    "dnsName": "canary.k8s.io.",
+    "id": "7690509341659612964",
+    "kind": "dns#managedZone",
+    "name": "canary-k8s-io",
+    "nameServers": [
+      "ns-cloud-c1.googledomains.com.",
+      "ns-cloud-c2.googledomains.com.",
+      "ns-cloud-c3.googledomains.com.",
+      "ns-cloud-c4.googledomains.com."
+    ]
+  },
+  {
+    "creationTime": "2018-10-09T16:19:40.004Z",
+    "description": "",
+    "dnsName": "canary.kubernetes.io.",
+    "id": "4193576254815248920",
+    "kind": "dns#managedZone",
+    "name": "canary-kubernetes-io",
+    "nameServers": [
+      "ns-cloud-b1.googledomains.com.",
+      "ns-cloud-b2.googledomains.com.",
+      "ns-cloud-b3.googledomains.com.",
+      "ns-cloud-b4.googledomains.com."
+    ]
+  },
+  {
+    "creationTime": "2018-09-07T15:08:37.689Z",
+    "description": "",
+    "dnsName": "k8s.io.",
+    "dnssecConfig": {
+      "defaultKeySpecs": [
+        {
+          "algorithm": "rsasha256",
+          "keyLength": 2048,
+          "keyType": "keySigning",
+          "kind": "dns#dnsKeySpec"
+        },
+        {
+          "algorithm": "rsasha256",
+          "keyLength": 1024,
+          "keyType": "zoneSigning",
+          "kind": "dns#dnsKeySpec"
+        }
+      ],
+      "kind": "dns#managedZoneDnsSecConfig",
+      "nonExistence": "nsec3",
+      "state": "off"
+    },
+    "id": "8257163024921094127",
+    "kind": "dns#managedZone",
+    "name": "k8s-io",
+    "nameServers": [
+      "ns-cloud-d1.googledomains.com.",
+      "ns-cloud-d2.googledomains.com.",
+      "ns-cloud-d3.googledomains.com.",
+      "ns-cloud-d4.googledomains.com."
+    ]
+  },
+  {
+    "creationTime": "2018-09-06T16:58:36.444Z",
+    "description": "",
+    "dnsName": "kubernetes.io.",
+    "dnssecConfig": {
+      "defaultKeySpecs": [
+        {
+          "algorithm": "rsasha256",
+          "keyLength": 2048,
+          "keyType": "keySigning",
+          "kind": "dns#dnsKeySpec"
+        },
+        {
+          "algorithm": "rsasha256",
+          "keyLength": 1024,
+          "keyType": "zoneSigning",
+          "kind": "dns#dnsKeySpec"
+        }
+      ],
+      "kind": "dns#managedZoneDnsSecConfig",
+      "nonExistence": "nsec3",
+      "state": "off"
+    },
+    "id": "8283179273191389843",
+    "kind": "dns#managedZone",
+    "name": "kubernetes-io",
+    "nameServers": [
+      "ns-cloud-a1.googledomains.com.",
+      "ns-cloud-a2.googledomains.com.",
+      "ns-cloud-a3.googledomains.com.",
+      "ns-cloud-a4.googledomains.com."
+    ]
+  }
+]