Audit Update for kubernetes-public #1650
Conversation
|
Thanks for your pull request. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA). 📝 Please follow instructions at https://git.k8s.io/community/CLA.md#the-contributor-license-agreement to sign the CLA. It may take a couple minutes for the CLA signature to be fully registered; after that, please reply here with a new comment and we'll verify. Thanks.
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
k8s-ci-robot
added
the
cncf-cla: no
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: hh The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
area/audit
| @@ -36,6 +36,7 @@ gcloud \ | |||
| --filter="parent.id=${CNCF_GCP_ORG}" \ | |||
| --format="value(name, projectNumber)" \ | |||
| | sort \ | |||
| | tail -1 | head -1 \ | |||
There was a problem hiding this comment.
This is the temporary limit to a single org. I'll remove this once we have all orgs updated.
There was a problem hiding this comment.
can you move the script update to a separate commit (and/or PR)
| # | jq 'del(.etag)' \ | ||
| # > "${path}/iam.json" | ||
| # done | ||
| # ;; |
There was a problem hiding this comment.
Until #1648 passes, we'll skip this for now.
| "user:[email protected]", | ||
| "user:[email protected]", | ||
| "user:[email protected]", |
There was a problem hiding this comment.
I know these folks! All the right folks for org-admins!
| ], | ||
| "name": "organizations/758905017065/roles/prow.viewer", | ||
| "stage": "ALPHA", | ||
| "title": "Prow Viewer" |
There was a problem hiding this comment.
Looks like a new monitoring roll... I think I saw this in yaml form:
https://github.com/kubernetes/k8s.io/blob/main/infra/gcp/roles/prow.viewer.yaml#L1
Though I'm unsure the tool used to load it into GCP.
| "group:[email protected]" | ||
| ], | ||
| "role": "roles/logging.privateLogViewer" | ||
| }, |
There was a problem hiding this comment.
Does this the PII log field / IP addresses on k8s.gcr.io?
I'd like to understand that role a bit better.
| "oauth2ClientId": "103924646831481972185", | ||
| "projectId": "kubernetes-public", | ||
| "uniqueId": "103924646831481972185" | ||
| } |
There was a problem hiding this comment.
Yeah for automation on this front! I think this happened a while back.
| }, | ||
| { | ||
| "limit": 1024, | ||
| "metric": "STATIC_BYOIP_ADDRESSES" |
There was a problem hiding this comment.
Are we used BYOIP from CNCF? Do the CNCF or Kubernetes community have an AS number to use with services at other cloud providers?
| @@ -15,7 +16,9 @@ logging.googleapis.com Cloud Logging API | |||
| monitoring.googleapis.com Cloud Monitoring API | |||
| oslogin.googleapis.com Cloud OS Login API | |||
| pubsub.googleapis.com Cloud Pub/Sub API | |||
| secretmanager.googleapis.com Secret Manager API | |||
There was a problem hiding this comment.
I think this may be the new part of the audit/logging issues.
I suspect folks who have run the audit-gcp.sh script since adding secrets have had access to secret manager.
| serviceusage.googleapis.com Service Usage API | ||
| source.googleapis.com Legacy Cloud Source Repositories API |
| @@ -3,6 +3,7 @@ bigquery.googleapis.com BigQuery API | |||
| bigquery.googleapis.com BigQuery API | |||
| bigquerystorage.googleapis.com BigQuery Storage API | |||
| clouderrorreporting.googleapis.com Error Reporting API | |||
| cloudfunctions.googleapis.com Cloud Functions API | |||
There was a problem hiding this comment.
We'll need to setup auditing for the cloudfunctions config here, and any new entries. (I think there are still quite a few in the backlog).
cncf-ci
force-pushed
the
audit-kubernetes-public
branch
from
2fa9b08 to
4a3905f
Compare
k8s-ci-robot
added
cncf-cla: yes
|
/hold |
k8s-ci-robot
added
the
do-not-merge/hold
k8s-ci-robot
added
the
needs-rebase
|
@hh: PR needs rebase. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
I think with the other content merged, and it being a manual process. I think we'll leave further changes to the bot fully across the repo. /close |
|
@hh: Closed this PR. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
This is not a full audit update. It's missing secrets and is only for Kubernetes-public.
More to come as I work through them in manageable batches.
This is the first PR authored by @cncf-ci bot, so we'll need to figure out how to get the CLA signed... by the CNCF?