From f8cddb7c15409b175b96c58c90dcf9c2fa642888 Mon Sep 17 00:00:00 2001 
From: CNCF CI Bot
Date: Sat, 24 Jul 2021 10:08:43 +0000
Subject: [PATCH] audit: update as of 2021-07-24
---
 .../services/compute/project-info.json | 2 +-
 ...asets.etl_script_generated_set.access.json | 18 -----
 ...ets.etl_script_generated_set_1.access.json | 18 -----
 .../bigquery.datasets.etl_staging.access.json | 18 -----
 .../bigquery/bigquery.datasets.hh.access.json | 18 -----
 .../services/bigquery/bigquery.datasets.json | 66 -------------------
 ....k8s_artifacts_dataset_bb_test.access.json | 18 -----
 ....k8s_artifacts_gcslogs_appspot.access.json | 18 -----
 ...atasets.kubernetes_public_logs.access.json | 18 -----
 .../description.json | 10 +++
 .../k8s-triage-robot-github-token/iam.json | 12 ++++
 .../versions.json | 29 ++++++++
 audit/projects/kubernetes-public/iam.json | 6 ++
 .../description.json | 7 ++
 .../k8s-infra-prow-hmac-token/iam.json | 1 +
 .../k8s-infra-prow-hmac-token/versions.json | 11 ++++
 16 files changed, 77 insertions(+), 193 deletions(-)
 delete mode 100644 audit/projects/k8s-infra-ii-sandbox/services/bigquery/bigquery.datasets.etl_script_generated_set.access.json
 delete mode 100644 audit/projects/k8s-infra-ii-sandbox/services/bigquery/bigquery.datasets.etl_script_generated_set_1.access.json
 delete mode 100644 audit/projects/k8s-infra-ii-sandbox/services/bigquery/bigquery.datasets.etl_staging.access.json
 delete mode 100644 audit/projects/k8s-infra-ii-sandbox/services/bigquery/bigquery.datasets.hh.access.json
 delete mode 100644 audit/projects/k8s-infra-ii-sandbox/services/bigquery/bigquery.datasets.k8s_artifacts_dataset_bb_test.access.json
 delete mode 100644 audit/projects/k8s-infra-ii-sandbox/services/bigquery/bigquery.datasets.k8s_artifacts_gcslogs_appspot.access.json
 delete mode 100644 audit/projects/k8s-infra-ii-sandbox/services/bigquery/bigquery.datasets.kubernetes_public_logs.access.json
 create mode 100644 audit/projects/k8s-infra-prow-build-trusted/secrets/k8s-triage-robot-github-token/description.json
 create mode 100644 audit/projects/k8s-infra-prow-build-trusted/secrets/k8s-triage-robot-github-token/iam.json
 create mode 100644 audit/projects/k8s-infra-prow-build-trusted/secrets/k8s-triage-robot-github-token/versions.json
 create mode 100644 audit/projects/kubernetes-public/secrets/k8s-infra-prow-hmac-token/description.json
 create mode 100644 audit/projects/kubernetes-public/secrets/k8s-infra-prow-hmac-token/iam.json
 create mode 100644 audit/projects/kubernetes-public/secrets/k8s-infra-prow-hmac-token/versions.json
diff --git a/audit/projects/k8s-infra-e2e-scale-5k-project/services/compute/project-info.json b/audit/projects/k8s-infra-e2e-scale-5k-project/services/compute/project-info.json
index 147d134d0b57..1d4805bd4a3d 100644
--- a/audit/projects/k8s-infra-e2e-scale-5k-project/services/compute/project-info.json
+++ b/audit/projects/k8s-infra-e2e-scale-5k-project/services/compute/project-info.json
@@ -3,7 +3,7 @@
 "items": [
 {
 "key": "ssh-keys",
- "value": "prow:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCmYxHh/wwcV0P1aChuFLpl28w6DFyc7G5Xrw1F8wH1Re9AdxyemM2bTZ/PhsP3u9VDnNbyOw3UN00VFdumkFLjLf1WQ7Q6rZDlPjlw7urBIvAMqUecY6ae1znqsZ0dMBxOuPXHznlnjLjM5b7O7q5WsQMCA9Szbmz6DsuSyCuX0It2osBTN+8P/Fa6BNh3W8AF60M7L8/aUzLfbXVS2LIQKAHHD8CWqvXhLPuTJ03iSwFvgtAK1/J2XJwUP+OzAFrxj6A9LW5ZZgk3R3kRKr0xT/L7hga41rB1qy8Uz+Xr/PTVMNGW+nmU4bPgFchCK0JBK7B12ZcdVVFUEdpaAiKZ prow\nprow:prow:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCmYxHh/wwcV0P1aChuFLpl28w6DFyc7G5Xrw1F8wH1Re9AdxyemM2bTZ/PhsP3u9VDnNbyOw3UN00VFdumkFLjLf1WQ7Q6rZDlPjlw7urBIvAMqUecY6ae1znqsZ0dMBxOuPXHznlnjLjM5b7O7q5WsQMCA9Szbmz6DsuSyCuX0It2osBTN+8P/Fa6BNh3W8AF60M7L8/aUzLfbXVS2LIQKAHHD8CWqvXhLPuTJ03iSwFvgtAK1/J2XJwUP+OzAFrxj6A9LW5ZZgk3R3kRKr0xT/L7hga41rB1qy8Uz+Xr/PTVMNGW+nmU4bPgFchCK0JBK7B12ZcdVVFUEdpaAiKZ prow\n"
+ "value": "prow:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCmYxHh/wwcV0P1aChuFLpl28w6DFyc7G5Xrw1F8wH1Re9AdxyemM2bTZ/PhsP3u9VDnNbyOw3UN00VFdumkFLjLf1WQ7Q6rZDlPjlw7urBIvAMqUecY6ae1znqsZ0dMBxOuPXHznlnjLjM5b7O7q5WsQMCA9Szbmz6DsuSyCuX0It2osBTN+8P/Fa6BNh3W8AF60M7L8/aUzLfbXVS2LIQKAHHD8CWqvXhLPuTJ03iSwFvgtAK1/J2XJwUP+OzAFrxj6A9LW5ZZgk3R3kRKr0xT/L7hga41rB1qy8Uz+Xr/PTVMNGW+nmU4bPgFchCK0JBK7B12ZcdVVFUEdpaAiKZ prow\nprow:prow:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCmYxHh/wwcV0P1aChuFLpl28w6DFyc7G5Xrw1F8wH1Re9AdxyemM2bTZ/PhsP3u9VDnNbyOw3UN00VFdumkFLjLf1WQ7Q6rZDlPjlw7urBIvAMqUecY6ae1znqsZ0dMBxOuPXHznlnjLjM5b7O7q5WsQMCA9Szbmz6DsuSyCuX0It2osBTN+8P/Fa6BNh3W8AF60M7L8/aUzLfbXVS2LIQKAHHD8CWqvXhLPuTJ03iSwFvgtAK1/J2XJwUP+OzAFrxj6A9LW5ZZgk3R3kRKr0xT/L7hga41rB1qy8Uz+Xr/PTVMNGW+nmU4bPgFchCK0JBK7B12ZcdVVFUEdpaAiKZ prow\nameukam:ssh-rsa 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 ameukam@barbatos"
 }
 ],
 "kind": "compute#metadata"
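Review bot: The added `ssh-keys` entry `ameukam:ssh-rsa … ameukam@barbatos` puts an individual's key into project-wide Compute metadata for `k8s-infra-e2e-scale-5k-project`, alongside the shared `prow` key. Project-level keys are accepted by every instance in the project that does not block them, so this should be confirmed as intended and time-boxed; OS Login or an instance-level key would scope the access more narrowly. The unchanged second entry, `prow:prow:ssh-rsa …`, has a doubled username prefix and looks malformed. The hunk shows only part of the metadata object.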
diff --git a/audit/projects/k8s-infra-ii-sandbox/services/bigquery/bigquery.datasets.etl_script_generated_set.access.json b/audit/projects/k8s-infra-ii-sandbox/services/bigquery/bigquery.datasets.etl_script_generated_set.access.json
deleted file mode 100644
index 68ab5d0a7b4d..000000000000
--- a/audit/projects/k8s-infra-ii-sandbox/services/bigquery/bigquery.datasets.etl_script_generated_set.access.json
+++ /dev/null
@@ -1,18 +0,0 @@
-[
- {
- "role": "WRITER",
- "specialGroup": "projectWriters"
- },
- {
- "role": "OWNER",
- "specialGroup": "projectOwners"
- },
- {
- "role": "OWNER",
- "userByEmail": "asn-etl@k8s-infra-ii-sandbox.iam.gserviceaccount.com"
- },
- {
- "role": "READER",
- "specialGroup": "projectReaders"
- }
-]
diff --git a/audit/projects/k8s-infra-ii-sandbox/services/bigquery/bigquery.datasets.etl_script_generated_set_1.access.json b/audit/projects/k8s-infra-ii-sandbox/services/bigquery/bigquery.datasets.etl_script_generated_set_1.access.json
deleted file mode 100644
index 4a76db5b89d3..000000000000
--- a/audit/projects/k8s-infra-ii-sandbox/services/bigquery/bigquery.datasets.etl_script_generated_set_1.access.json
+++ /dev/null
@@ -1,18 +0,0 @@
-[
- {
- "role": "WRITER",
- "specialGroup": "projectWriters"
- },
- {
- "role": "OWNER",
- "specialGroup": "projectOwners"
- },
- {
- "role": "OWNER",
- "userByEmail": "bb@ii.coop"
- },
- {
- "role": "READER",
- "specialGroup": "projectReaders"
- }
-]
diff --git a/audit/projects/k8s-infra-ii-sandbox/services/bigquery/bigquery.datasets.etl_staging.access.json b/audit/projects/k8s-infra-ii-sandbox/services/bigquery/bigquery.datasets.etl_staging.access.json
deleted file mode 100644
index 4a76db5b89d3..000000000000
--- a/audit/projects/k8s-infra-ii-sandbox/services/bigquery/bigquery.datasets.etl_staging.access.json
+++ /dev/null
@@ -1,18 +0,0 @@
-[
- {
- "role": "WRITER",
- "specialGroup": "projectWriters"
- },
- {
- "role": "OWNER",
- "specialGroup": "projectOwners"
- },
- {
- "role": "OWNER",
- "userByEmail": "bb@ii.coop"
- },
- {
- "role": "READER",
- "specialGroup": "projectReaders"
- }
-]
diff --git a/audit/projects/k8s-infra-ii-sandbox/services/bigquery/bigquery.datasets.hh.access.json b/audit/projects/k8s-infra-ii-sandbox/services/bigquery/bigquery.datasets.hh.access.json
deleted file mode 100644
index 1b9fe6a2bc6b..000000000000
--- a/audit/projects/k8s-infra-ii-sandbox/services/bigquery/bigquery.datasets.hh.access.json
+++ /dev/null
@@ -1,18 +0,0 @@
-[
- {
- "role": "WRITER",
- "specialGroup": "projectWriters"
- },
- {
- "role": "OWNER",
- "specialGroup": "projectOwners"
- },
- {
- "role": "OWNER",
- "userByEmail": "hh@ii.coop"
- },
- {
- "role": "READER",
- "specialGroup": "projectReaders"
- }
-]
diff --git a/audit/projects/k8s-infra-ii-sandbox/services/bigquery/bigquery.datasets.json b/audit/projects/k8s-infra-ii-sandbox/services/bigquery/bigquery.datasets.json
index 5b8f36bd945e..3cfbd7a8c577 100644
--- a/audit/projects/k8s-infra-ii-sandbox/services/bigquery/bigquery.datasets.json
+++ b/audit/projects/k8s-infra-ii-sandbox/services/bigquery/bigquery.datasets.json
@@ -1,22 +1,4 @@
 [
- {
- "kind": "bigquery#dataset",
- "id": "k8s-infra-ii-sandbox:etl_script_generated_set",
- "datasetReference": {
- "datasetId": "etl_script_generated_set",
- "projectId": "k8s-infra-ii-sandbox"
- },
- "location": "US"
- },
- {
- "kind": "bigquery#dataset",
- "id": "k8s-infra-ii-sandbox:etl_script_generated_set_1",
- "datasetReference": {
- "datasetId": "etl_script_generated_set_1",
- "projectId": "k8s-infra-ii-sandbox"
- },
- "location": "US"
- },
 {
 "kind": "bigquery#dataset",
 "id": "k8s-infra-ii-sandbox:etl_script_generated_set_prod",
@@ -26,54 +8,6 @@
 },
 "location": "US"
 },
- {
- "kind": "bigquery#dataset",
- "id": "k8s-infra-ii-sandbox:etl_staging",
- "datasetReference": {
- "datasetId": "etl_staging",
- "projectId": "k8s-infra-ii-sandbox"
- },
- "location": "US"
- },
- {
- "kind": "bigquery#dataset",
- "id": "k8s-infra-ii-sandbox:hh",
- "datasetReference": {
- "datasetId": "hh",
- "projectId": "k8s-infra-ii-sandbox"
- },
- "location": "US"
- },
- {
- "kind": "bigquery#dataset",
- "id": "k8s-infra-ii-sandbox:k8s_artifacts_dataset_bb_test",
- "datasetReference": {
- "datasetId": "k8s_artifacts_dataset_bb_test",
- "projectId": "k8s-infra-ii-sandbox"
- },
- "labels": {
- "managed-by-cnrm": "true"
- },
- "location": "US"
- },
- {
- "kind": "bigquery#dataset",
- "id": "k8s-infra-ii-sandbox:k8s_artifacts_gcslogs_appspot",
- "datasetReference": {
- "datasetId": "k8s_artifacts_gcslogs_appspot",
- "projectId": "k8s-infra-ii-sandbox"
- },
- "location": "US"
- },
- {
- "kind": "bigquery#dataset",
- "id": "k8s-infra-ii-sandbox:kubernetes_public_logs",
- "datasetReference": {
- "datasetId": "kubernetes_public_logs",
- "projectId": "k8s-infra-ii-sandbox"
- },
- "location": "US"
- },
 {
 "kind": "bigquery#dataset",
 "id": "k8s-infra-ii-sandbox:riaan_data_store",
diff --git a/audit/projects/k8s-infra-ii-sandbox/services/bigquery/bigquery.datasets.k8s_artifacts_dataset_bb_test.access.json b/audit/projects/k8s-infra-ii-sandbox/services/bigquery/bigquery.datasets.k8s_artifacts_dataset_bb_test.access.json
deleted file mode 100644
index 4a76db5b89d3..000000000000
--- a/audit/projects/k8s-infra-ii-sandbox/services/bigquery/bigquery.datasets.k8s_artifacts_dataset_bb_test.access.json
+++ /dev/null
@@ -1,18 +0,0 @@
-[
- {
- "role": "WRITER",
- "specialGroup": "projectWriters"
- },
- {
- "role": "OWNER",
- "specialGroup": "projectOwners"
- },
- {
- "role": "OWNER",
- "userByEmail": "bb@ii.coop"
- },
- {
- "role": "READER",
- "specialGroup": "projectReaders"
- }
-]
diff --git a/audit/projects/k8s-infra-ii-sandbox/services/bigquery/bigquery.datasets.k8s_artifacts_gcslogs_appspot.access.json b/audit/projects/k8s-infra-ii-sandbox/services/bigquery/bigquery.datasets.k8s_artifacts_gcslogs_appspot.access.json
deleted file mode 100644
index 4a76db5b89d3..000000000000
--- a/audit/projects/k8s-infra-ii-sandbox/services/bigquery/bigquery.datasets.k8s_artifacts_gcslogs_appspot.access.json
+++ /dev/null
@@ -1,18 +0,0 @@
-[
- {
- "role": "WRITER",
- "specialGroup": "projectWriters"
- },
- {
- "role": "OWNER",
- "specialGroup": "projectOwners"
- },
- {
- "role": "OWNER",
- "userByEmail": "bb@ii.coop"
- },
- {
- "role": "READER",
- "specialGroup": "projectReaders"
- }
-]
diff --git a/audit/projects/k8s-infra-ii-sandbox/services/bigquery/bigquery.datasets.kubernetes_public_logs.access.json b/audit/projects/k8s-infra-ii-sandbox/services/bigquery/bigquery.datasets.kubernetes_public_logs.access.json
deleted file mode 100644
index e1dcaceb7dd2..000000000000
--- a/audit/projects/k8s-infra-ii-sandbox/services/bigquery/bigquery.datasets.kubernetes_public_logs.access.json
+++ /dev/null
@@ -1,18 +0,0 @@
-[
- {
- "role": "WRITER",
- "specialGroup": "projectWriters"
- },
- {
- "role": "OWNER",
- "specialGroup": "projectOwners"
- },
- {
- "role": "OWNER",
- "userByEmail": "caleb@ii.coop"
- },
- {
- "role": "READER",
- "specialGroup": "projectReaders"
- }
-]
diff --git a/audit/projects/k8s-infra-prow-build-trusted/secrets/k8s-triage-robot-github-token/description.json b/audit/projects/k8s-infra-prow-build-trusted/secrets/k8s-triage-robot-github-token/description.json
new file mode 100644
index 000000000000..e666f158660a
--- /dev/null
+++ b/audit/projects/k8s-infra-prow-build-trusted/secrets/k8s-triage-robot-github-token/description.json
@@ -0,0 +1,10 @@
+{
+ "createTime": "2021-07-22T15:22:42.229306Z",
+ "labels": {
+ "group": "sig-contributor-experience"
+ },
+ "name": "projects/180382678033/secrets/k8s-triage-robot-github-token",
+ "replication": {
+ "automatic": {}
+ }
+}
diff --git a/audit/projects/k8s-infra-prow-build-trusted/secrets/k8s-triage-robot-github-token/iam.json b/audit/projects/k8s-infra-prow-build-trusted/secrets/k8s-triage-robot-github-token/iam.json
new file mode 100644
index 000000000000..a175f7e44298
--- /dev/null
+++ b/audit/projects/k8s-infra-prow-build-trusted/secrets/k8s-triage-robot-github-token/iam.json
@@ -0,0 +1,12 @@
+{
+ "bindings": [
+ {
+ "members": [
+ "group:github@kubernetes.io",
+ "group:k8s-infra-prow-oncall@kubernetes.io"
+ ],
+ "role": "roles/secretmanager.admin"
+ }
+ ],
+ "version": 1
+}
diff --git a/audit/projects/k8s-infra-prow-build-trusted/secrets/k8s-triage-robot-github-token/versions.json b/audit/projects/k8s-infra-prow-build-trusted/secrets/k8s-triage-robot-github-token/versions.json
new file mode 100644
index 000000000000..a105f740f120
--- /dev/null
+++ b/audit/projects/k8s-infra-prow-build-trusted/secrets/k8s-triage-robot-github-token/versions.json
@@ -0,0 +1,29 @@
+[
+ {
+ "createTime": "2021-07-23T03:18:11.506633Z",
+ "etag": "\"15c7c1da789dc9\"",
+ "name": "projects/180382678033/secrets/k8s-triage-robot-github-token/versions/3",
+ "replicationStatus": {
+ "automatic": {}
+ },
+ "state": "ENABLED"
+ },
+ {
+ "createTime": "2021-07-22T22:02:20.507249Z",
+ "etag": "\"15c7bd70e75071\"",
+ "name": "projects/180382678033/secrets/k8s-triage-robot-github-token/versions/2",
+ "replicationStatus": {
+ "automatic": {}
+ },
+ "state": "ENABLED"
+ },
+ {
+ "createTime": "2021-07-22T17:11:33.029513Z",
+ "etag": "\"15c7c1db001f02\"",
+ "name": "projects/180382678033/secrets/k8s-triage-robot-github-token/versions/1",
+ "replicationStatus": {
+ "automatic": {}
+ },
+ "state": "DISABLED"
+ }
+]
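Review bot: In `k8s-triage-robot-github-token/iam.json` the only binding is `roles/secretmanager.admin` for `group:github@kubernetes.io` and `group:k8s-infra-prow-oncall@kubernetes.io`, which lets every member change the secret's IAM policy and delete it as well as read the payload. If the groups only need to rotate and read the token, `roles/secretmanager.secretVersionManager` together with `roles/secretmanager.secretAccessor` would be narrower. No accessor binding for a workload identity appears in this file, so the consumer presumably gets access through an inherited binding; that is worth confirming against the project-level policy.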
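Review bot: In `k8s-triage-robot-github-token/versions.json`, versions 2 and 3 are both `"state": "ENABLED"` and only version 1 is `DISABLED`. Three versions created within about ten hours suggest the token was replaced twice; if version 2 holds a superseded GitHub token, it should be revoked on the GitHub side and the version disabled or destroyed so that the stale credential cannot be read back. Which version the consumer pins is not visible here, so check that before disabling.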
diff --git a/audit/projects/kubernetes-public/iam.json b/audit/projects/kubernetes-public/iam.json
index cbfd6da61e05..097185ae6b57 100644
--- a/audit/projects/kubernetes-public/iam.json
+++ b/audit/projects/kubernetes-public/iam.json
@@ -1,5 +1,11 @@
 {
 "bindings": [
+ {
+ "members": [
+ "serviceAccount:prow-deployer@k8s-infra-prow-build-trusted.iam.gserviceaccount.com"
+ ],
+ "role": "organizations/758905017065/roles/container.deployer"
+ },
 {
 "members": [
 "group:k8s-infra-cluster-admins@kubernetes.io"
diff --git a/audit/projects/kubernetes-public/secrets/k8s-infra-prow-hmac-token/description.json b/audit/projects/kubernetes-public/secrets/k8s-infra-prow-hmac-token/description.json
new file mode 100644
index 000000000000..75686a2d3de0
--- /dev/null
+++ b/audit/projects/kubernetes-public/secrets/k8s-infra-prow-hmac-token/description.json
@@ -0,0 +1,7 @@
+{
+ "createTime": "2021-07-21T22:43:41.525028Z",
+ "name": "projects/127754664067/secrets/k8s-infra-prow-hmac-token",
+ "replication": {
+ "automatic": {}
+ }
+}
diff --git a/audit/projects/kubernetes-public/secrets/k8s-infra-prow-hmac-token/iam.json b/audit/projects/kubernetes-public/secrets/k8s-infra-prow-hmac-token/iam.json
new file mode 100644
index 000000000000..0967ef424bce
--- /dev/null
+++ b/audit/projects/kubernetes-public/secrets/k8s-infra-prow-hmac-token/iam.json
@@ -0,0 +1 @@
+{}
diff --git a/audit/projects/kubernetes-public/secrets/k8s-infra-prow-hmac-token/versions.json b/audit/projects/kubernetes-public/secrets/k8s-infra-prow-hmac-token/versions.json
new file mode 100644
index 000000000000..533a45b9d6b9
--- /dev/null
+++ b/audit/projects/kubernetes-public/secrets/k8s-infra-prow-hmac-token/versions.json
@@ -0,0 +1,11 @@
+[
+ {
+ "createTime": "2021-07-21T22:43:43.063748Z",
+ "etag": "\"15c7a9e708bec4\"",
+ "name": "projects/127754664067/secrets/k8s-infra-prow-hmac-token/versions/1",
+ "replicationStatus": {
+ "automatic": {}
+ },
+ "state": "ENABLED"
+ }
+]
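Review bot: The new binding in `kubernetes-public/iam.json` grants `serviceAccount:prow-deployer@k8s-infra-prow-build-trusted.iam.gserviceaccount.com` the custom role `organizations/758905017065/roles/container.deployer` on the whole project, with no condition. The role's permissions are not visible in this snapshot, so its reach cannot be judged from here; a project-level grant covers every cluster in `kubernetes-public` and makes the trusted Prow build project a cross-project path into it. It is worth confirming that the binding is declared in the infrastructure source and was not applied by hand, and that the custom role carries deploy permissions only. The hunk shows only the top of the `bindings` array.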
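Review bot: `k8s-infra-prow-hmac-token/iam.json` is `{}`, so the secret has no resource-level bindings and its readers are whoever holds inherited Secret Manager roles on `kubernetes-public` or above. A secret-scoped `roles/secretmanager.secretAccessor` binding for the consuming identity would make the reader set auditable from this file and let project-wide access stay minimal. The matching `description.json` also has no `labels`, unlike `k8s-triage-robot-github-token`, which carries `"group": "sig-contributor-experience"`, so ownership of this secret is not recorded.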