From 792d578d82b99a1c747d3e2ae227a1eb487c4a67 Mon Sep 17 00:00:00 2001 From: Hippie Hacker Date: Wed, 3 Apr 2019 21:13:10 +1300 Subject: [PATCH 1/7] initial kubernetes.io org iam policy dump --- audit/README.md | 55 ++++++++++++++ audit/audit.sh | 43 +++++++++++ audit/buckets/kubernetes_public_billing.txt | 83 +++++++++++++++++++++ audit/cncf-org-policy.json | 55 ++++++++++++++ audit/cncf-org-policy.yaml | 31 ++++++++ audit/cncf-org-roles.json | 1 + audit/cncf-org-roles.yaml | 0 audit/kubernetes-public-policy.json | 82 ++++++++++++++++++++ audit/kubernetes-public-policy.yaml | 43 +++++++++++ audit/kubernetes-public-roles.json | 9 +++ audit/kubernetes-public-roles.yaml | 6 ++ audit/roles/ServiceAccountLister.json | 10 +++ 12 files changed, 418 insertions(+) create mode 100644 audit/README.md create mode 100755 audit/audit.sh create mode 100644 audit/buckets/kubernetes_public_billing.txt create mode 100644 audit/cncf-org-policy.json create mode 100644 audit/cncf-org-policy.yaml create mode 100644 audit/cncf-org-roles.json create mode 100644 audit/cncf-org-roles.yaml create mode 100644 audit/kubernetes-public-policy.json create mode 100644 audit/kubernetes-public-policy.yaml create mode 100644 audit/kubernetes-public-roles.json create mode 100644 audit/kubernetes-public-roles.yaml create mode 100644 audit/roles/ServiceAccountLister.json diff --git a/audit/README.md b/audit/README.md new file mode 100644 index 00000000000..2aaa0da7d83 --- /dev/null +++ b/audit/README.md 
@@ -0,0 +1,55 @@ +# Auditing Configuration and Usage of Community Assets + +## Status + +WIP. Members of k8s-infra-gcp-auditors should be able to run this script to submit an audit PR. + +## How to become an auditor + +Admin access is granted via +[googlegroups](https://groups.google.com/forum/#!forum/k8s-infra-gcp-auditors). + +You must have a Google account that will let you access the Google Cloud +Console. + +To volunteer for this effort, contact the main +[k8s-infra-team](https://groups.google.com/forum/#!forum/k8s-infra-team). + +## Where is it hosted? + +We mostly host it in Google Cloud: + * GCP org = kubernetes.io / organizationId=758905017065 + * GCP project = kubernetes-public + +## Requesting a Audit PR for review + +The process for sumbitting an audit uses Github PRs. + +### audit.sh + +Run ./audit.sh to generate a current audit configuration dump. +Submit a PR to this repo with any new or updated files. + +In the PR please review the following details: + * The reason for any updates. + * Discuss / link related PRs / issues. + +Once this PR is created, it should be acknowledged by a secondary auditor. + +### Performing an audit + +#### Update Pull Request +First, the requsting auditor opens a PR with any updates applied to the appropriate YAML/JSON file. +Next, the requesting auditor validates that the PR looks correct for their request and responds `/lgtm` + +The a secondary auditor merges the PR once it has been LGTM'd + +## TODO + +Administrative: + * Who should be in OWNERS file + * Audit report + +How to automate: + * How do we audit for iam changes as they happen, rather than polling + * iam change triggers PR to github, notifies / tags the user who made the change diff --git a/audit/audit.sh b/audit/audit.sh new file mode 100755 index 00000000000..b8766949a2f --- /dev/null +++ b/audit/audit.sh 
@@ -0,0 +1,43 @@ +#!/bin/bash +set -x -e +CNCF_GCP_ORG=758905017065 + +# gcloud organizations describe $CNCF_GCP_ORG 2>&1 +# ERROR: (gcloud.organizations.describe) +# User [hh@ii.coop] does not have permission to access organization [] + +for format in json yaml +do + gcloud organizations get-iam-policy $CNCF_GCP_ORG --format=$format \ + > cncf-org-policy.$format + gcloud projects get-iam-policy kubernetes-public --format=$format \ + > kubernetes-public-policy.$format + gcloud iam roles list --organization=758905017065 --format=$format \ + > cncf-org-roles.$format + gcloud iam roles list --project=kubernetes-public --format=$format \ + > kubernetes-public-roles.$format +done + +# Permissions per project role +mkdir -p roles +for ROLE_PATH in `gcloud --project=kubernetes-public iam roles list --format="value(name)"` +do + ROLE=`basename $ROLE_PATH` + gcloud --project=kubernetes-public iam roles describe $ROLE \ + --format=json > roles/$ROLE.json +done + + +# List of objets in buckets +mkdir -p buckets +for BUCKET in `gsutil ls -p kubernetes-public | awk -F/ '{print $3}'` +do + gsutil ls -r gs://$BUCKET/ > buckets/$BUCKET.txt +done + + +# TODO: +# Dump iam for each GCS Bucket +# Dump iam for Big Query +# Iterate over enabled APIs per project +# Identify each resource, then dump iam diff --git a/audit/buckets/kubernetes_public_billing.txt b/audit/buckets/kubernetes_public_billing.txt new file mode 100644 index 00000000000..f02b673f1d8 --- /dev/null +++ b/audit/buckets/kubernetes_public_billing.txt 
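Review bot: The script can exit 0 while producing an empty or partial audit, because `set -x -e` does not cover the command substitutions on the two `for ... in \`...\`` lines — a failed or unauthenticated `gcloud --project=kubernetes-public iam roles list` or `gsutil ls -p kubernetes-public | awk ...` simply yields an empty list and the loops run zero times, leaving dumps that look like "nothing here". Use `set -euo pipefail` and capture each listing first (`mapfile -t buckets < <(gsutil ls -p kubernetes-public | awk -F/ '{print $3}') || exit 1`) so a failed enumeration aborts instead of being committed as an audit result. The organization id is also repeated as the literal `758905017065` in the `gcloud iam roles list --organization=` call rather than `$CNCF_GCP_ORG`, so the two can drift apart silently. All output paths are relative to the caller's cwd; a `cd "$(dirname "$0")"` at the top would keep the dumps inside `audit/` regardless of where the auditor runs it.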
@@ -0,0 +1,83 @@ +gs://kubernetes_public_billing/billing--2019-01-10.csv +gs://kubernetes_public_billing/billing--2019-01-11.csv +gs://kubernetes_public_billing/billing--2019-01-12.csv +gs://kubernetes_public_billing/billing--2019-01-13.csv +gs://kubernetes_public_billing/billing--2019-01-14.csv +gs://kubernetes_public_billing/billing--2019-01-15.csv +gs://kubernetes_public_billing/billing--2019-01-16.csv +gs://kubernetes_public_billing/billing--2019-01-17.csv +gs://kubernetes_public_billing/billing--2019-01-18.csv +gs://kubernetes_public_billing/billing--2019-01-19.csv +gs://kubernetes_public_billing/billing--2019-01-20.csv +gs://kubernetes_public_billing/billing--2019-01-21.csv +gs://kubernetes_public_billing/billing--2019-01-22.csv +gs://kubernetes_public_billing/billing--2019-01-23.csv +gs://kubernetes_public_billing/billing--2019-01-24.csv +gs://kubernetes_public_billing/billing--2019-01-25.csv +gs://kubernetes_public_billing/billing--2019-01-26.csv +gs://kubernetes_public_billing/billing--2019-01-27.csv +gs://kubernetes_public_billing/billing--2019-01-28.csv +gs://kubernetes_public_billing/billing--2019-01-29.csv +gs://kubernetes_public_billing/billing--2019-01-30.csv +gs://kubernetes_public_billing/billing--2019-01-31.csv +gs://kubernetes_public_billing/billing--2019-02-01.csv +gs://kubernetes_public_billing/billing--2019-02-02.csv +gs://kubernetes_public_billing/billing--2019-02-03.csv +gs://kubernetes_public_billing/billing--2019-02-04.csv +gs://kubernetes_public_billing/billing--2019-02-05.csv +gs://kubernetes_public_billing/billing--2019-02-06.csv +gs://kubernetes_public_billing/billing--2019-02-07.csv +gs://kubernetes_public_billing/billing--2019-02-08.csv +gs://kubernetes_public_billing/billing--2019-02-09.csv +gs://kubernetes_public_billing/billing--2019-02-10.csv +gs://kubernetes_public_billing/billing--2019-02-11.csv +gs://kubernetes_public_billing/billing--2019-02-12.csv +gs://kubernetes_public_billing/billing--2019-02-13.csv 
+gs://kubernetes_public_billing/billing--2019-02-14.csv +gs://kubernetes_public_billing/billing--2019-02-15.csv +gs://kubernetes_public_billing/billing--2019-02-16.csv +gs://kubernetes_public_billing/billing--2019-02-17.csv +gs://kubernetes_public_billing/billing--2019-02-18.csv +gs://kubernetes_public_billing/billing--2019-02-19.csv +gs://kubernetes_public_billing/billing--2019-02-20.csv +gs://kubernetes_public_billing/billing--2019-02-21.csv +gs://kubernetes_public_billing/billing--2019-02-22.csv +gs://kubernetes_public_billing/billing--2019-02-23.csv +gs://kubernetes_public_billing/billing--2019-02-24.csv +gs://kubernetes_public_billing/billing--2019-02-25.csv +gs://kubernetes_public_billing/billing--2019-02-26.csv +gs://kubernetes_public_billing/billing--2019-02-27.csv +gs://kubernetes_public_billing/billing--2019-02-28.csv +gs://kubernetes_public_billing/billing--2019-03-01.csv +gs://kubernetes_public_billing/billing--2019-03-02.csv +gs://kubernetes_public_billing/billing--2019-03-03.csv +gs://kubernetes_public_billing/billing--2019-03-04.csv +gs://kubernetes_public_billing/billing--2019-03-05.csv +gs://kubernetes_public_billing/billing--2019-03-06.csv +gs://kubernetes_public_billing/billing--2019-03-07.csv +gs://kubernetes_public_billing/billing--2019-03-08.csv +gs://kubernetes_public_billing/billing--2019-03-09.csv +gs://kubernetes_public_billing/billing--2019-03-10.csv +gs://kubernetes_public_billing/billing--2019-03-11.csv +gs://kubernetes_public_billing/billing--2019-03-12.csv +gs://kubernetes_public_billing/billing--2019-03-13.csv +gs://kubernetes_public_billing/billing--2019-03-14.csv +gs://kubernetes_public_billing/billing--2019-03-15.csv +gs://kubernetes_public_billing/billing--2019-03-16.csv +gs://kubernetes_public_billing/billing--2019-03-17.csv +gs://kubernetes_public_billing/billing--2019-03-18.csv +gs://kubernetes_public_billing/billing--2019-03-19.csv +gs://kubernetes_public_billing/billing--2019-03-20.csv 
+gs://kubernetes_public_billing/billing--2019-03-21.csv +gs://kubernetes_public_billing/billing--2019-03-22.csv +gs://kubernetes_public_billing/billing--2019-03-23.csv +gs://kubernetes_public_billing/billing--2019-03-24.csv +gs://kubernetes_public_billing/billing--2019-03-25.csv +gs://kubernetes_public_billing/billing--2019-03-26.csv +gs://kubernetes_public_billing/billing--2019-03-27.csv +gs://kubernetes_public_billing/billing--2019-03-28.csv +gs://kubernetes_public_billing/billing--2019-03-29.csv +gs://kubernetes_public_billing/billing--2019-03-30.csv +gs://kubernetes_public_billing/billing--2019-03-31.csv +gs://kubernetes_public_billing/billing--2019-04-01.csv +gs://kubernetes_public_billing/billing--2019-04-02.csv diff --git a/audit/cncf-org-policy.json b/audit/cncf-org-policy.json new file mode 100644 index 00000000000..9f815aa9d2a --- /dev/null +++ b/audit/cncf-org-policy.json @@ -0,0 +1,55 @@ +{ + "bindings": [ + { + "members": [ + "user:ihor@cncf.io", + "user:thockin@google.com", + "user:twaggoner@linuxfoundation.org" + ], + "role": "roles/billing.admin" + }, + { + "members": [ + "domain:kubernetes.io", + "user:ihor@cncf.io", + "user:thockin@google.com" + ], + "role": "roles/billing.creator" + }, + { + "members": [ + "user:thockin@google.com" + ], + "role": "roles/iam.organizationRoleAdmin" + }, + { + "members": [ + "group:k8s-infra-gcp-auditors@googlegroups.com" + ], + "role": "roles/iam.securityReviewer" + }, + { + "members": [ + "user:domain-admin-lf@kubernetes.io", + "user:ihor@cncf.io", + "user:thockin@google.com", + "user:twaggoner@linuxfoundation.org" + ], + "role": "roles/resourcemanager.organizationAdmin" + }, + { + "members": [ + "domain:kubernetes.io", + "user:thockin@google.com" + ], + "role": "roles/resourcemanager.projectCreator" + }, + { + "members": [ + "user:thockin@google.com" + ], + "role": "roles/resourcemanager.projectDeleter" + } + ], + "etag": "BwWDmKQ6zmg=" +} 
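Review bot: The org policy grants `roles/resourcemanager.projectCreator` and `roles/billing.creator` to `domain:kubernetes.io`, so any account in that Google domain — not only the named admins — can create projects and billing accounts under the organization; whether that breadth is intended is the first thing this audit PR should state, since nothing in the dump constrains it. The dump also records the domain principal and `group:k8s-infra-gcp-auditors@googlegroups.com` by name only, so changes to who is actually inside them will never appear in a diff of this file, and the audit script has no step that enumerates group or domain membership — worth a line in the README's TODO so a reader of this file knows the gap. Neither point is a defect in the file itself, which is a verbatim gcloud dump, but they are the findings a secondary auditor should acknowledge before `/lgtm`.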
diff --git a/audit/cncf-org-policy.yaml b/audit/cncf-org-policy.yaml new file mode 100644 index 00000000000..ea694205f6a --- /dev/null +++ b/audit/cncf-org-policy.yaml @@ -0,0 +1,31 @@ +bindings: +- members: + - user:ihor@cncf.io + - user:thockin@google.com + - user:twaggoner@linuxfoundation.org + role: roles/billing.admin +- members: + - domain:kubernetes.io + - user:ihor@cncf.io + - user:thockin@google.com + role: roles/billing.creator +- members: + - user:thockin@google.com + role: roles/iam.organizationRoleAdmin +- members: + - group:k8s-infra-gcp-auditors@googlegroups.com + role: roles/iam.securityReviewer +- members: + - user:domain-admin-lf@kubernetes.io + - user:ihor@cncf.io + - user:thockin@google.com + - user:twaggoner@linuxfoundation.org + role: roles/resourcemanager.organizationAdmin +- members: + - domain:kubernetes.io + - user:thockin@google.com + role: roles/resourcemanager.projectCreator +- members: + - user:thockin@google.com + role: roles/resourcemanager.projectDeleter +etag: BwWDmKQ6zmg= diff --git a/audit/cncf-org-roles.json b/audit/cncf-org-roles.json new file mode 100644 index 00000000000..fe51488c706 --- /dev/null +++ b/audit/cncf-org-roles.json @@ -0,0 +1 @@ +[] diff --git a/audit/cncf-org-roles.yaml b/audit/cncf-org-roles.yaml new file mode 100644 index 00000000000..e69de29bb2d diff --git a/audit/kubernetes-public-policy.json b/audit/kubernetes-public-policy.json new file mode 100644 index 00000000000..ea8872d5ec9 --- /dev/null +++ b/audit/kubernetes-public-policy.json 
@@ -0,0 +1,82 @@ +{ + "bindings": [ + { + "members": [ + "group:k8s-infra-cluster-admins@googlegroups.com" + ], + "role": "projects/kubernetes-public/roles/ServiceAccountLister" + }, + { + "members": [ + "group:k8s-infra-bigquery-admins@googlegroups.com" + ], + "role": "roles/bigquery.admin" + }, + { + "members": [ + "serviceAccount:service-127754664067@compute-system.iam.gserviceaccount.com" + ], + "role": "roles/compute.serviceAgent" + }, + { + "members": [ + "group:k8s-infra-cluster-admins@googlegroups.com" + ], + "role": "roles/compute.viewer" + }, + { + "members": [ + "group:k8s-infra-cluster-admins@googlegroups.com" + ], + "role": "roles/container.admin" + }, + { + "members": [ + "serviceAccount:service-127754664067@container-engine-robot.iam.gserviceaccount.com" + ], + "role": "roles/container.serviceAgent" + }, + { + "members": [ + "group:k8s-infra-dns-admins@googlegroups.com" + ], + "role": "roles/dns.admin" + }, + { + "members": [ + "serviceAccount:127754664067-compute@developer.gserviceaccount.com", + "serviceAccount:127754664067@cloudservices.gserviceaccount.com", + "serviceAccount:service-127754664067@containerregistry.iam.gserviceaccount.com" + ], + "role": "roles/editor" + }, + { + "members": [ + "serviceAccount:k8s-nodes@kubernetes-public.iam.gserviceaccount.com" + ], + "role": "roles/logging.logWriter" + }, + { + "members": [ + "serviceAccount:k8s-nodes@kubernetes-public.iam.gserviceaccount.com" + ], + "role": "roles/monitoring.metricWriter" + }, + { + "members": [ + "serviceAccount:k8s-nodes@kubernetes-public.iam.gserviceaccount.com" + ], + "role": "roles/monitoring.viewer" + }, + { + "members": [ + "user:domain-admin-lf@kubernetes.io", + "user:ihor@cncf.io", + "user:thockin@google.com" + ], + "role": "roles/owner" + } + ], + "etag": "BwWBY6sq2cc=", + "version": 1 +} diff --git a/audit/kubernetes-public-policy.yaml b/audit/kubernetes-public-policy.yaml new file mode 100644 index 00000000000..89b5a9a14b5 --- /dev/null 
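Review bot: The default Compute Engine service account `127754664067-compute@developer.gserviceaccount.com` (and `127754664067@cloudservices.gserviceaccount.com`) holds `roles/editor` on kubernetes-public, the GCP default that gives any VM or GKE node left on the default service account project-wide write access; the presence of a dedicated `k8s-nodes@kubernetes-public.iam.gserviceaccount.com` with only `logging.logWriter`, `monitoring.metricWriter` and `monitoring.viewer` suggests nodes are meant to use that narrow account, so the editor grant on the default one looks like leftover default rather than intent — worth confirming and, if nothing depends on it, removing. `roles/owner` is bound to three individual `user:` principals, which is inconsistent with the group-based bindings elsewhere in the same policy (`k8s-infra-cluster-admins`, `k8s-infra-dns-admins`, `k8s-infra-bigquery-admins`) and means an owner change is a policy edit rather than a group-membership change. Both are observations on the audited state, not on the dump.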
+++ b/audit/kubernetes-public-policy.yaml @@ -0,0 +1,43 @@ +bindings: +- members: + - group:k8s-infra-cluster-admins@googlegroups.com + role: projects/kubernetes-public/roles/ServiceAccountLister +- members: + - group:k8s-infra-bigquery-admins@googlegroups.com + role: roles/bigquery.admin +- members: + - serviceAccount:service-127754664067@compute-system.iam.gserviceaccount.com + role: roles/compute.serviceAgent +- members: + - group:k8s-infra-cluster-admins@googlegroups.com + role: roles/compute.viewer +- members: + - group:k8s-infra-cluster-admins@googlegroups.com + role: roles/container.admin +- members: + - serviceAccount:service-127754664067@container-engine-robot.iam.gserviceaccount.com + role: roles/container.serviceAgent +- members: + - group:k8s-infra-dns-admins@googlegroups.com + role: roles/dns.admin +- members: + - serviceAccount:127754664067-compute@developer.gserviceaccount.com + - serviceAccount:127754664067@cloudservices.gserviceaccount.com + - serviceAccount:service-127754664067@containerregistry.iam.gserviceaccount.com + role: roles/editor +- members: + - serviceAccount:k8s-nodes@kubernetes-public.iam.gserviceaccount.com + role: roles/logging.logWriter +- members: + - serviceAccount:k8s-nodes@kubernetes-public.iam.gserviceaccount.com + role: roles/monitoring.metricWriter +- members: + - serviceAccount:k8s-nodes@kubernetes-public.iam.gserviceaccount.com + role: roles/monitoring.viewer +- members: + - user:domain-admin-lf@kubernetes.io + - user:ihor@cncf.io + - user:thockin@google.com + role: roles/owner +etag: BwWBY6sq2cc= +version: 1 diff --git a/audit/kubernetes-public-roles.json b/audit/kubernetes-public-roles.json new file mode 100644 index 00000000000..0ac7d704b3d --- /dev/null +++ b/audit/kubernetes-public-roles.json @@ -0,0 +1,9 @@ +[ + { + "description": "Can list ServiceAccounts.", + "etag": "BwV_JE8PWv4=", + "name": "projects/kubernetes-public/roles/ServiceAccountLister", + "stage": "GA", + "title": "Service Account Lister" + } +] 
diff --git a/audit/kubernetes-public-roles.yaml b/audit/kubernetes-public-roles.yaml new file mode 100644 index 00000000000..78fd69929d7 --- /dev/null +++ b/audit/kubernetes-public-roles.yaml @@ -0,0 +1,6 @@ +--- +description: Can list ServiceAccounts. +etag: BwV_JE8PWv4= +name: projects/kubernetes-public/roles/ServiceAccountLister +stage: GA +title: Service Account Lister diff --git a/audit/roles/ServiceAccountLister.json b/audit/roles/ServiceAccountLister.json new file mode 100644 index 00000000000..291db59f931 --- /dev/null +++ b/audit/roles/ServiceAccountLister.json @@ -0,0 +1,10 @@ +{ + "description": "Can list ServiceAccounts.", + "etag": "BwV_JE8PWv4=", + "includedPermissions": [ + "iam.serviceAccounts.list" + ], + "name": "projects/kubernetes-public/roles/ServiceAccountLister", + "stage": "GA", + "title": "Service Account Lister" +} From 82d819badb6b50cb17cefa979b8cff26cd8c0217 Mon Sep 17 00:00:00 2001 From: Hippie Hacker Date: Thu, 2 May 2019 03:27:32 +1200 Subject: [PATCH 2/7] updates for 1st of May --- audit/buckets/kubernetes_public_billing.txt | 28 +++++++++++++++++++++ audit/kubernetes-public-policy.json | 8 +++++- audit/kubernetes-public-policy.yaml | 5 +++- 3 files changed, 39 insertions(+), 2 deletions(-) diff --git a/audit/buckets/kubernetes_public_billing.txt b/audit/buckets/kubernetes_public_billing.txt index f02b673f1d8..60e49a16786 100644 --- a/audit/buckets/kubernetes_public_billing.txt +++ b/audit/buckets/kubernetes_public_billing.txt 
@@ -81,3 +81,31 @@ gs://kubernetes_public_billing/billing--2019-03-30.csv gs://kubernetes_public_billing/billing--2019-03-31.csv gs://kubernetes_public_billing/billing--2019-04-01.csv gs://kubernetes_public_billing/billing--2019-04-02.csv +gs://kubernetes_public_billing/billing--2019-04-03.csv +gs://kubernetes_public_billing/billing--2019-04-04.csv +gs://kubernetes_public_billing/billing--2019-04-05.csv +gs://kubernetes_public_billing/billing--2019-04-06.csv +gs://kubernetes_public_billing/billing--2019-04-07.csv +gs://kubernetes_public_billing/billing--2019-04-08.csv +gs://kubernetes_public_billing/billing--2019-04-09.csv +gs://kubernetes_public_billing/billing--2019-04-10.csv +gs://kubernetes_public_billing/billing--2019-04-11.csv +gs://kubernetes_public_billing/billing--2019-04-12.csv +gs://kubernetes_public_billing/billing--2019-04-13.csv +gs://kubernetes_public_billing/billing--2019-04-14.csv +gs://kubernetes_public_billing/billing--2019-04-15.csv +gs://kubernetes_public_billing/billing--2019-04-16.csv +gs://kubernetes_public_billing/billing--2019-04-17.csv +gs://kubernetes_public_billing/billing--2019-04-18.csv +gs://kubernetes_public_billing/billing--2019-04-19.csv +gs://kubernetes_public_billing/billing--2019-04-20.csv +gs://kubernetes_public_billing/billing--2019-04-21.csv +gs://kubernetes_public_billing/billing--2019-04-22.csv +gs://kubernetes_public_billing/billing--2019-04-23.csv +gs://kubernetes_public_billing/billing--2019-04-24.csv +gs://kubernetes_public_billing/billing--2019-04-25.csv +gs://kubernetes_public_billing/billing--2019-04-26.csv +gs://kubernetes_public_billing/billing--2019-04-27.csv +gs://kubernetes_public_billing/billing--2019-04-28.csv +gs://kubernetes_public_billing/billing--2019-04-29.csv +gs://kubernetes_public_billing/billing--2019-04-30.csv diff --git a/audit/kubernetes-public-policy.json b/audit/kubernetes-public-policy.json index ea8872d5ec9..18e349790bd 100644 --- a/audit/kubernetes-public-policy.json 
+++ b/audit/kubernetes-public-policy.json @@ -12,6 +12,12 @@ ], "role": "roles/bigquery.admin" }, + { + "members": [ + "group:k8s-infra-gcp-accounting@googlegroups.com" + ], + "role": "roles/bigquery.jobUser" + }, { "members": [ "serviceAccount:service-127754664067@compute-system.iam.gserviceaccount.com" @@ -77,6 +83,6 @@ "role": "roles/owner" } ], - "etag": "BwWBY6sq2cc=", + "etag": "BwWGvOrrBsU=", "version": 1 } diff --git a/audit/kubernetes-public-policy.yaml b/audit/kubernetes-public-policy.yaml index 89b5a9a14b5..3a5e8247185 100644 --- a/audit/kubernetes-public-policy.yaml +++ b/audit/kubernetes-public-policy.yaml @@ -5,6 +5,9 @@ bindings: - members: - group:k8s-infra-bigquery-admins@googlegroups.com role: roles/bigquery.admin +- members: + - group:k8s-infra-gcp-accounting@googlegroups.com + role: roles/bigquery.jobUser - members: - serviceAccount:service-127754664067@compute-system.iam.gserviceaccount.com role: roles/compute.serviceAgent @@ -39,5 +42,5 @@ bindings: - user:ihor@cncf.io - user:thockin@google.com role: roles/owner -etag: BwWBY6sq2cc= +etag: BwWGvOrrBsU= version: 1 From ca1638203551b97a6dd31bf7304e264f6921e51d Mon Sep 17 00:00:00 2001 
From: Hippie Hacker Date: Thu, 16 May 2019 03:42:46 +1200 Subject: [PATCH 3/7] update for 15th of May --- audit/README.md | 11 ++--- audit/audit-gcp.sh | 44 +++++++++++++++++++ audit/audit.sh | 43 ------------------ audit/buckets/kubernetes_public_billing.txt | 14 ++++++ ...f-org-policy.json => cncf-org.policy.json} | 5 ++- ...f-org-policy.yaml => cncf-org.policy.yaml} | 5 ++- ...ncf-org-roles.json => cncf-org.roles.json} | 0 ...ncf-org-roles.yaml => cncf-org.roles.yaml} | 0 .../k8s-infra-dev-cluster-turnup.policy.json | 35 +++++++++++++++ .../k8s-infra-dev-cluster-turnup.policy.yaml | 20 +++++++++ audit/k8s-infra-dev-cluster-turnup.roles.json | 1 + audit/k8s-infra-dev-cluster-turnup.roles.yaml | 0 ...icy.json => kubernetes-public.policy.json} | 5 +-- ...icy.yaml => kubernetes-public.policy.yaml} | 3 +- ...oles.json => kubernetes-public.roles.json} | 7 +++ ...oles.yaml => kubernetes-public.roles.yaml} | 6 +++ 16 files changed, 140 insertions(+), 59 deletions(-) create mode 100755 audit/audit-gcp.sh delete mode 100755 audit/audit.sh rename audit/{cncf-org-policy.json => cncf-org.policy.json} (92%) rename audit/{cncf-org-policy.yaml => cncf-org.policy.yaml} (90%) rename audit/{cncf-org-roles.json => cncf-org.roles.json} (100%) rename audit/{cncf-org-roles.yaml => cncf-org.roles.yaml} (100%) create mode 100644 audit/k8s-infra-dev-cluster-turnup.policy.json create mode 100644 audit/k8s-infra-dev-cluster-turnup.policy.yaml create mode 100644 audit/k8s-infra-dev-cluster-turnup.roles.json create mode 100644 audit/k8s-infra-dev-cluster-turnup.roles.yaml rename audit/{kubernetes-public-policy.json => kubernetes-public.policy.json} (94%) rename audit/{kubernetes-public-policy.yaml => kubernetes-public.policy.yaml} (93%) rename audit/{kubernetes-public-roles.json => kubernetes-public.roles.json} (54%) rename audit/{kubernetes-public-roles.yaml => kubernetes-public.roles.yaml} (55%) diff --git a/audit/README.md b/audit/README.md index 2aaa0da7d83..ac778529428 100644 
--- a/audit/README.md +++ b/audit/README.md @@ -15,12 +15,6 @@ Console. To volunteer for this effort, contact the main [k8s-infra-team](https://groups.google.com/forum/#!forum/k8s-infra-team). -## Where is it hosted? - -We mostly host it in Google Cloud: - * GCP org = kubernetes.io / organizationId=758905017065 - * GCP project = kubernetes-public - ## Requesting a Audit PR for review The process for sumbitting an audit uses Github PRs. @@ -38,8 +32,11 @@ Once this PR is created, it should be acknowledged by a secondary auditor. ### Performing an audit +Note that this is an AUDIT, not a request for change. +The audits can be used to generate discussion for reviewing the changes that have already occured. + #### Update Pull Request -First, the requsting auditor opens a PR with any updates applied to the appropriate YAML/JSON file. +First, the requesting auditor opens a PR with any updates applied to the appropriate YAML/JSON file. Next, the requesting auditor validates that the PR looks correct for their request and responds `/lgtm` The a secondary auditor merges the PR once it has been LGTM'd diff --git a/audit/audit-gcp.sh b/audit/audit-gcp.sh new file mode 100755 index 00000000000..dd8480b1d8f --- /dev/null +++ b/audit/audit-gcp.sh 
@@ -0,0 +1,44 @@ +#!/bin/bash +set -x -e +CNCF_GCP_ORG=758905017065 + +# gcloud organizations describe $CNCF_GCP_ORG 2>&1 +# ERROR: (gcloud.organizations.describe) +# User [hh@ii.coop] does not have permission to access organization [] + +for format in json yaml +do + gcloud iam roles list --organization=$CNCF_GCP_ORG --format=$format \ + > cncf-org.roles.$format + gcloud organizations get-iam-policy $CNCF_GCP_ORG --format=$format \ + > cncf-org.policy.$format + gcloud projects list \ + --filter "parent.id=$CNCF_GCP_ORG" \ + --format "value(name, projectNumber)" \ + | while read NAME NUM; do \ + gcloud projects get-iam-policy $NAME --format=$format > $NAME.policy.$format + gcloud iam roles list --project=$NAME --format=$format > $NAME.roles.$format + mkdir -p roles + for ROLE_PATH in `gcloud --project=$NAME iam roles list --format="value(name)"` + do + ROLE=`basename $ROLE_PATH` + gcloud --project=$NAME iam roles describe $ROLE \ + --format=json > roles/$ROLE.json + done + + done +done + +# List of objets in buckets +mkdir -p buckets +for BUCKET in `gsutil ls -p kubernetes-public | awk -F/ '{print $3}'` +do + gsutil ls -r gs://$BUCKET/ > buckets/$BUCKET.txt +done + + +# TODO: +# Dump iam for each GCS Bucket +# Dump iam for Big Query +# Iterate over enabled APIs per project +# Identify each resource, then dump iam diff --git a/audit/audit.sh b/audit/audit.sh deleted file mode 100755 index b8766949a2f..00000000000 --- a/audit/audit.sh +++ /dev/null 
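Review bot: The project loop `gcloud projects list --filter "parent.id=$CNCF_GCP_ORG" ... | while read NAME NUM` is a pipeline, so with `set -x -e` and no `pipefail` a failed or unauthorized `gcloud projects list` produces zero iterations and the script still exits 0 with no `*.policy.*` files — the silent-empty-audit case the README's review process would not catch; use `set -euo pipefail` and also `read -r NAME NUM`. The `parent.id=` filter appears to match only projects whose immediate parent is the organization, so a project placed under a folder would be skipped without notice — either state that limitation or walk folders as well. Custom roles from every project are written into the shared `roles/$ROLE.json`, so two projects defining a role with the same short name overwrite each other; key the path by project, e.g. `--format=json > roles/$NAME/$ROLE.json` with `mkdir -p roles/$NAME`. Finally the bucket section still hardcodes `gsutil ls -p kubernetes-public` instead of iterating `$NAME` like the policy section, so buckets in the other projects this commit starts auditing are never listed.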
@@ -1,43 +0,0 @@ -#!/bin/bash -set -x -e -CNCF_GCP_ORG=758905017065 - -# gcloud organizations describe $CNCF_GCP_ORG 2>&1 -# ERROR: (gcloud.organizations.describe) -# User [hh@ii.coop] does not have permission to access organization [] - -for format in json yaml -do - gcloud organizations get-iam-policy $CNCF_GCP_ORG --format=$format \ - > cncf-org-policy.$format - gcloud projects get-iam-policy kubernetes-public --format=$format \ - > kubernetes-public-policy.$format - gcloud iam roles list --organization=758905017065 --format=$format \ - > cncf-org-roles.$format - gcloud iam roles list --project=kubernetes-public --format=$format \ - > kubernetes-public-roles.$format -done - -# Permissions per project role -mkdir -p roles -for ROLE_PATH in `gcloud --project=kubernetes-public iam roles list --format="value(name)"` -do - ROLE=`basename $ROLE_PATH` - gcloud --project=kubernetes-public iam roles describe $ROLE \ - --format=json > roles/$ROLE.json -done - - -# List of objets in buckets -mkdir -p buckets -for BUCKET in `gsutil ls -p kubernetes-public | awk -F/ '{print $3}'` -do - gsutil ls -r gs://$BUCKET/ > buckets/$BUCKET.txt -done - - -# TODO: -# Dump iam for each GCS Bucket -# Dump iam for Big Query -# Iterate over enabled APIs per project -# Identify each resource, then dump iam diff --git a/audit/buckets/kubernetes_public_billing.txt b/audit/buckets/kubernetes_public_billing.txt index 60e49a16786..ff642a44063 100644 --- a/audit/buckets/kubernetes_public_billing.txt +++ b/audit/buckets/kubernetes_public_billing.txt 
@@ -109,3 +109,17 @@ gs://kubernetes_public_billing/billing--2019-04-27.csv gs://kubernetes_public_billing/billing--2019-04-28.csv gs://kubernetes_public_billing/billing--2019-04-29.csv gs://kubernetes_public_billing/billing--2019-04-30.csv +gs://kubernetes_public_billing/billing--2019-05-01.csv +gs://kubernetes_public_billing/billing--2019-05-02.csv +gs://kubernetes_public_billing/billing--2019-05-03.csv +gs://kubernetes_public_billing/billing--2019-05-04.csv +gs://kubernetes_public_billing/billing--2019-05-05.csv +gs://kubernetes_public_billing/billing--2019-05-06.csv +gs://kubernetes_public_billing/billing--2019-05-07.csv +gs://kubernetes_public_billing/billing--2019-05-08.csv +gs://kubernetes_public_billing/billing--2019-05-09.csv +gs://kubernetes_public_billing/billing--2019-05-10.csv +gs://kubernetes_public_billing/billing--2019-05-11.csv +gs://kubernetes_public_billing/billing--2019-05-12.csv +gs://kubernetes_public_billing/billing--2019-05-13.csv +gs://kubernetes_public_billing/billing--2019-05-14.csv diff --git a/audit/cncf-org-policy.json b/audit/cncf-org.policy.json similarity index 92% rename from audit/cncf-org-policy.json rename to audit/cncf-org.policy.json index 9f815aa9d2a..57863406a07 100644 --- a/audit/cncf-org-policy.json +++ b/audit/cncf-org.policy.json @@ -24,7 +24,7 @@ }, { "members": [ - "group:k8s-infra-gcp-auditors@googlegroups.com" + "group:k8s-infra-gcp-auditors@kubernetes.io" ], "role": "roles/iam.securityReviewer" }, @@ -51,5 +51,6 @@ "role": "roles/resourcemanager.projectDeleter" } ], - "etag": "BwWDmKQ6zmg=" + "etag": "BwWIgEd9TPI=", + "version": 1 } diff --git a/audit/cncf-org-policy.yaml b/audit/cncf-org.policy.yaml similarity index 90% rename from audit/cncf-org-policy.yaml rename to audit/cncf-org.policy.yaml index ea694205f6a..dd619f22eeb 100644 --- a/audit/cncf-org-policy.yaml +++ b/audit/cncf-org.policy.yaml 
@@ -13,7 +13,7 @@ bindings: - user:thockin@google.com role: roles/iam.organizationRoleAdmin - members: - - group:k8s-infra-gcp-auditors@googlegroups.com + - group:k8s-infra-gcp-auditors@kubernetes.io role: roles/iam.securityReviewer - members: - user:domain-admin-lf@kubernetes.io @@ -28,4 +28,5 @@ bindings: - members: - user:thockin@google.com role: roles/resourcemanager.projectDeleter -etag: BwWDmKQ6zmg= +etag: BwWIgEd9TPI= +version: 1 diff --git a/audit/cncf-org-roles.json b/audit/cncf-org.roles.json similarity index 100% rename from audit/cncf-org-roles.json rename to audit/cncf-org.roles.json diff --git a/audit/cncf-org-roles.yaml b/audit/cncf-org.roles.yaml similarity index 100% rename from audit/cncf-org-roles.yaml rename to audit/cncf-org.roles.yaml diff --git a/audit/k8s-infra-dev-cluster-turnup.policy.json b/audit/k8s-infra-dev-cluster-turnup.policy.json new file mode 100644 index 00000000000..738827a8205 --- /dev/null +++ b/audit/k8s-infra-dev-cluster-turnup.policy.json @@ -0,0 +1,35 @@ +{ + "bindings": [ + { + "members": [ + "serviceAccount:service-396460694993@compute-system.iam.gserviceaccount.com" + ], + "role": "roles/compute.serviceAgent" + }, + { + "members": [ + "serviceAccount:service-396460694993@container-engine-robot.iam.gserviceaccount.com" + ], + "role": "roles/container.serviceAgent" + }, + { + "members": [ + "serviceAccount:396460694993-compute@developer.gserviceaccount.com", + "serviceAccount:396460694993@cloudservices.gserviceaccount.com", + "serviceAccount:service-396460694993@containerregistry.iam.gserviceaccount.com", + "user:ameukam@gmail.com", + "user:hh@ii.coop", + "user:justinsb@google.com" + ], + "role": "roles/editor" + }, + { + "members": [ + "user:thockin@google.com" + ], + "role": "roles/owner" + } + ], + "etag": "BwWH5GlZ_14=", + "version": 1 +} diff --git a/audit/k8s-infra-dev-cluster-turnup.policy.yaml b/audit/k8s-infra-dev-cluster-turnup.policy.yaml new file mode 100644 index 00000000000..dc34764cb68 --- /dev/null 
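Review bot: `roles/editor` on k8s-infra-dev-cluster-turnup is bound to three individual accounts (`user:ameukam@gmail.com`, `user:hh@ii.coop`, `user:justinsb@google.com`), at least one of them a consumer Gmail identity outside any organization-managed domain, so its credential lifecycle and 2FA are not under the org's control while it holds project-wide write access alongside the default compute and cloudservices service accounts. The kubernetes-public policy in the same series uses `group:` principals for human access; binding a `k8s-infra-...` group here instead, and keeping the same editor grant, would make this project consistent and let membership be managed without a policy edit. This is a finding on the audited state, not on the dump, and the audit PR should record whether it is intended for a dev project.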
+++ b/audit/k8s-infra-dev-cluster-turnup.policy.yaml @@ -0,0 +1,20 @@ +bindings: +- members: + - serviceAccount:service-396460694993@compute-system.iam.gserviceaccount.com + role: roles/compute.serviceAgent +- members: + - serviceAccount:service-396460694993@container-engine-robot.iam.gserviceaccount.com + role: roles/container.serviceAgent +- members: + - serviceAccount:396460694993-compute@developer.gserviceaccount.com + - serviceAccount:396460694993@cloudservices.gserviceaccount.com + - serviceAccount:service-396460694993@containerregistry.iam.gserviceaccount.com + - user:ameukam@gmail.com + - user:hh@ii.coop + - user:justinsb@google.com + role: roles/editor +- members: + - user:thockin@google.com + role: roles/owner +etag: BwWH5GlZ_14= +version: 1 diff --git a/audit/k8s-infra-dev-cluster-turnup.roles.json b/audit/k8s-infra-dev-cluster-turnup.roles.json new file mode 100644 index 00000000000..fe51488c706 --- /dev/null +++ b/audit/k8s-infra-dev-cluster-turnup.roles.json @@ -0,0 +1 @@ +[] diff --git a/audit/k8s-infra-dev-cluster-turnup.roles.yaml b/audit/k8s-infra-dev-cluster-turnup.roles.yaml new file mode 100644 index 00000000000..e69de29bb2d diff --git a/audit/kubernetes-public-policy.json b/audit/kubernetes-public.policy.json similarity index 94% rename from audit/kubernetes-public-policy.json rename to audit/kubernetes-public.policy.json index 18e349790bd..2e3b78b51b5 100644 --- a/audit/kubernetes-public-policy.json +++ b/audit/kubernetes-public.policy.json @@ -51,8 +51,7 @@ { "members": [ "serviceAccount:127754664067-compute@developer.gserviceaccount.com", - "serviceAccount:127754664067@cloudservices.gserviceaccount.com", - "serviceAccount:service-127754664067@containerregistry.iam.gserviceaccount.com" + "serviceAccount:127754664067@cloudservices.gserviceaccount.com" ], "role": "roles/editor" }, @@ -83,6 +82,6 @@ "role": "roles/owner" } ], - "etag": "BwWGvOrrBsU=", + "etag": "BwWIeZ1EG7o=", "version": 1 } 
diff --git a/audit/kubernetes-public-policy.yaml b/audit/kubernetes-public.policy.yaml similarity index 93% rename from audit/kubernetes-public-policy.yaml rename to audit/kubernetes-public.policy.yaml index 3a5e8247185..c841c7a5661 100644 --- a/audit/kubernetes-public-policy.yaml +++ b/audit/kubernetes-public.policy.yaml @@ -26,7 +26,6 @@ bindings: - members: - serviceAccount:127754664067-compute@developer.gserviceaccount.com - serviceAccount:127754664067@cloudservices.gserviceaccount.com - - serviceAccount:service-127754664067@containerregistry.iam.gserviceaccount.com role: roles/editor - members: - serviceAccount:k8s-nodes@kubernetes-public.iam.gserviceaccount.com @@ -42,5 +41,5 @@ bindings: - user:ihor@cncf.io - user:thockin@google.com role: roles/owner -etag: BwWGvOrrBsU= +etag: BwWIeZ1EG7o= version: 1 diff --git a/audit/kubernetes-public-roles.json b/audit/kubernetes-public.roles.json similarity index 54% rename from audit/kubernetes-public-roles.json rename to audit/kubernetes-public.roles.json index 0ac7d704b3d..535f2a65076 100644 --- a/audit/kubernetes-public-roles.json +++ b/audit/kubernetes-public.roles.json @@ -5,5 +5,12 @@ "name": "projects/kubernetes-public/roles/ServiceAccountLister", "stage": "GA", "title": "Service Account Lister" + }, + { + "description": "delete me 1", + "etag": "BwWIfSRcpWU=", + "name": "projects/kubernetes-public/roles/ThockinTest1", + "stage": "GA", + "title": "delete me 1" } ] diff --git a/audit/kubernetes-public-roles.yaml b/audit/kubernetes-public.roles.yaml similarity index 55% rename from audit/kubernetes-public-roles.yaml rename to audit/kubernetes-public.roles.yaml index 78fd69929d7..11bc4bb8c95 100644 --- a/audit/kubernetes-public-roles.yaml +++ b/audit/kubernetes-public.roles.yaml 
@@ -4,3 +4,9 @@ etag: BwV_JE8PWv4= name: projects/kubernetes-public/roles/ServiceAccountLister stage: GA title: Service Account Lister +--- +description: delete me 1 +etag: BwWIfSRcpWU= +name: projects/kubernetes-public/roles/ThockinTest1 +stage: GA +title: delete me 1 From 3f5ee1be68f66b456de2753964b2ce3a66bb7dfb Mon Sep 17 00:00:00 2001 From: Hippie Hacker Date: Sun, 16 Jun 2019 04:51:29 +1200 Subject: [PATCH 4/7] June 16th 2019 Audit --- audit/README.md | 1 + audit/buckets/kubernetes_public_billing.txt | 31 +++++++++++++++++++ audit/cncf-org.policy.json | 8 ++++- audit/cncf-org.policy.yaml | 5 ++- audit/cncf-org.roles.json | 10 +++++- audit/cncf-org.roles.yaml | 6 ++++ .../k8s-infra-dev-cluster-turnup.policy.json | 14 +++++++-- .../k8s-infra-dev-cluster-turnup.policy.yaml | 11 +++++-- audit/k8s-infra-dev-cluster-turnup.roles.json | 10 +++++- audit/k8s-infra-dev-cluster-turnup.roles.yaml | 6 ++++ audit/kubernetes-public.policy.json | 14 ++++++++- audit/kubernetes-public.policy.yaml | 8 ++++- audit/kubernetes-public.roles.json | 7 ----- audit/kubernetes-public.roles.yaml | 6 ---- 14 files changed, 112 insertions(+), 25 deletions(-) diff --git a/audit/README.md b/audit/README.md index ac778529428..b75805c68e3 100644 --- a/audit/README.md +++ b/audit/README.md @@ -3,6 +3,7 @@ ## Status WIP. Members of k8s-infra-gcp-auditors should be able to run this script to submit an audit PR. +Note this is an Audit of current configuration, not a requset for change. ## How to become an auditor diff --git a/audit/buckets/kubernetes_public_billing.txt b/audit/buckets/kubernetes_public_billing.txt index ff642a44063..a9528660674 100644 --- a/audit/buckets/kubernetes_public_billing.txt +++ b/audit/buckets/kubernetes_public_billing.txt 
@@ -123,3 +123,34 @@ gs://kubernetes_public_billing/billing--2019-05-11.csv
 gs://kubernetes_public_billing/billing--2019-05-12.csv
 gs://kubernetes_public_billing/billing--2019-05-13.csv
 gs://kubernetes_public_billing/billing--2019-05-14.csv
+gs://kubernetes_public_billing/billing--2019-05-15.csv
+gs://kubernetes_public_billing/billing--2019-05-16.csv
+gs://kubernetes_public_billing/billing--2019-05-17.csv
+gs://kubernetes_public_billing/billing--2019-05-18.csv
+gs://kubernetes_public_billing/billing--2019-05-19.csv
+gs://kubernetes_public_billing/billing--2019-05-20.csv
+gs://kubernetes_public_billing/billing--2019-05-21.csv
+gs://kubernetes_public_billing/billing--2019-05-22.csv
+gs://kubernetes_public_billing/billing--2019-05-23.csv
+gs://kubernetes_public_billing/billing--2019-05-24.csv
+gs://kubernetes_public_billing/billing--2019-05-25.csv
+gs://kubernetes_public_billing/billing--2019-05-26.csv
+gs://kubernetes_public_billing/billing--2019-05-27.csv
+gs://kubernetes_public_billing/billing--2019-05-28.csv
+gs://kubernetes_public_billing/billing--2019-05-29.csv
+gs://kubernetes_public_billing/billing--2019-05-30.csv
+gs://kubernetes_public_billing/billing--2019-05-31.csv
+gs://kubernetes_public_billing/billing--2019-06-01.csv
+gs://kubernetes_public_billing/billing--2019-06-02.csv
+gs://kubernetes_public_billing/billing--2019-06-03.csv
+gs://kubernetes_public_billing/billing--2019-06-04.csv
+gs://kubernetes_public_billing/billing--2019-06-05.csv
+gs://kubernetes_public_billing/billing--2019-06-06.csv
+gs://kubernetes_public_billing/billing--2019-06-07.csv
+gs://kubernetes_public_billing/billing--2019-06-08.csv
+gs://kubernetes_public_billing/billing--2019-06-09.csv
+gs://kubernetes_public_billing/billing--2019-06-10.csv
+gs://kubernetes_public_billing/billing--2019-06-11.csv
+gs://kubernetes_public_billing/billing--2019-06-12.csv
+gs://kubernetes_public_billing/billing--2019-06-13.csv
+gs://kubernetes_public_billing/billing--2019-06-14.csv
diff --git a/audit/cncf-org.policy.json b/audit/cncf-org.policy.json index 57863406a07..aa830f889c5 100644 --- a/audit/cncf-org.policy.json +++ b/audit/cncf-org.policy.json @@ -1,5 +1,11 @@ { "bindings": [ + { + "members": [ + "group:k8s-infra-gcp-accounting@kubernetes.io" + ], + "role": "organizations/758905017065/roles/CustomRole" + }, { "members": [ "user:ihor@cncf.io", @@ -51,6 +57,6 @@ "role": "roles/resourcemanager.projectDeleter" } ], - "etag": "BwWIgEd9TPI=", + "etag": "BwWLI_mG-qA=", "version": 1 } diff --git a/audit/cncf-org.policy.yaml b/audit/cncf-org.policy.yaml index dd619f22eeb..532d63d8994 100644 --- a/audit/cncf-org.policy.yaml +++ b/audit/cncf-org.policy.yaml @@ -1,4 +1,7 @@ bindings: +- members: + - group:k8s-infra-gcp-accounting@kubernetes.io + role: organizations/758905017065/roles/CustomRole - members: - user:ihor@cncf.io - user:thockin@google.com @@ -28,5 +31,5 @@ bindings: - members: - user:thockin@google.com role: roles/resourcemanager.projectDeleter -etag: BwWIgEd9TPI= +etag: BwWLI_mG-qA= version: 1 diff --git a/audit/cncf-org.roles.json b/audit/cncf-org.roles.json index fe51488c706..d9b947c5317 100644 --- a/audit/cncf-org.roles.json +++ b/audit/cncf-org.roles.json @@ -1 +1,9 @@ -[] +[ + { + "description": "Can view billing info", + "etag": "BwWLI_e8Xyo=", + "name": "organizations/758905017065/roles/CustomRole", + "stage": "GA", + "title": "Billing Viewer" + } +] diff --git a/audit/cncf-org.roles.yaml b/audit/cncf-org.roles.yaml index e69de29bb2d..714334907b7 100644 --- a/audit/cncf-org.roles.yaml +++ b/audit/cncf-org.roles.yaml @@ -0,0 +1,6 @@ +--- +description: Can view billing info +etag: BwWLI_e8Xyo= +name: organizations/758905017065/roles/CustomRole +stage: GA +title: Billing Viewer diff --git a/audit/k8s-infra-dev-cluster-turnup.policy.json b/audit/k8s-infra-dev-cluster-turnup.policy.json index 738827a8205..f0629c96434 100644 --- a/audit/k8s-infra-dev-cluster-turnup.policy.json +++ b/audit/k8s-infra-dev-cluster-turnup.policy.json 
@@ -1,5 +1,11 @@ { "bindings": [ + { + "members": [ + "serviceAccount:service-396460694993@gcp-sa-cloudscheduler.iam.gserviceaccount.com" + ], + "role": "roles/cloudscheduler.serviceAgent" + }, { "members": [ "serviceAccount:service-396460694993@compute-system.iam.gserviceaccount.com" @@ -17,19 +23,21 @@ "serviceAccount:396460694993-compute@developer.gserviceaccount.com", "serviceAccount:396460694993@cloudservices.gserviceaccount.com", "serviceAccount:service-396460694993@containerregistry.iam.gserviceaccount.com", - "user:ameukam@gmail.com", - "user:hh@ii.coop", "user:justinsb@google.com" ], "role": "roles/editor" }, { "members": [ + "user:ameukam@gmail.com", + "user:cblecker@gmail.com", + "user:davanum@gmail.com", + "user:hh@ii.coop", "user:thockin@google.com" ], "role": "roles/owner" } ], - "etag": "BwWH5GlZ_14=", + "etag": "BwWLKUjb2zw=", "version": 1 } diff --git a/audit/k8s-infra-dev-cluster-turnup.policy.yaml b/audit/k8s-infra-dev-cluster-turnup.policy.yaml index dc34764cb68..62a72292373 100644 --- a/audit/k8s-infra-dev-cluster-turnup.policy.yaml +++ b/audit/k8s-infra-dev-cluster-turnup.policy.yaml @@ -1,4 +1,7 @@ bindings: +- members: + - serviceAccount:service-396460694993@gcp-sa-cloudscheduler.iam.gserviceaccount.com + role: roles/cloudscheduler.serviceAgent - members: - serviceAccount:service-396460694993@compute-system.iam.gserviceaccount.com role: roles/compute.serviceAgent @@ -9,12 +12,14 @@ bindings: - serviceAccount:396460694993-compute@developer.gserviceaccount.com - serviceAccount:396460694993@cloudservices.gserviceaccount.com - serviceAccount:service-396460694993@containerregistry.iam.gserviceaccount.com - - user:ameukam@gmail.com - - user:hh@ii.coop - user:justinsb@google.com role: roles/editor - members: + - user:ameukam@gmail.com + - user:cblecker@gmail.com + - user:davanum@gmail.com + - user:hh@ii.coop - user:thockin@google.com role: roles/owner -etag: BwWH5GlZ_14= +etag: BwWLKUjb2zw= version: 1 
diff --git a/audit/k8s-infra-dev-cluster-turnup.roles.json b/audit/k8s-infra-dev-cluster-turnup.roles.json index fe51488c706..74a8438cf80 100644 --- a/audit/k8s-infra-dev-cluster-turnup.roles.json +++ b/audit/k8s-infra-dev-cluster-turnup.roles.json @@ -1 +1,9 @@ -[] +[ + { + "description": "Can list ServiceAccounts.", + "etag": "BwWLKJVqdYA=", + "name": "projects/k8s-infra-dev-cluster-turnup/roles/ServiceAccountLister", + "stage": "GA", + "title": "Service Account Lister" + } +] diff --git a/audit/k8s-infra-dev-cluster-turnup.roles.yaml b/audit/k8s-infra-dev-cluster-turnup.roles.yaml index e69de29bb2d..b24a7665e39 100644 --- a/audit/k8s-infra-dev-cluster-turnup.roles.yaml +++ b/audit/k8s-infra-dev-cluster-turnup.roles.yaml @@ -0,0 +1,6 @@ +--- +description: Can list ServiceAccounts. +etag: BwWLKJVqdYA= +name: projects/k8s-infra-dev-cluster-turnup/roles/ServiceAccountLister +stage: GA +title: Service Account Lister diff --git a/audit/kubernetes-public.policy.json b/audit/kubernetes-public.policy.json index 2e3b78b51b5..36fa00e93ee 100644 --- a/audit/kubernetes-public.policy.json +++ b/audit/kubernetes-public.policy.json @@ -55,6 +55,18 @@ ], "role": "roles/editor" }, + { + "members": [ + "user:thockin@google.com" + ], + "role": "roles/iam.roleAdmin" + }, + { + "members": [ + "user:thockin@google.com" + ], + "role": "roles/iam.securityAdmin" + }, { "members": [ "serviceAccount:k8s-nodes@kubernetes-public.iam.gserviceaccount.com" @@ -82,6 +94,6 @@ "role": "roles/owner" } ], - "etag": "BwWIeZ1EG7o=", + "etag": "BwWLI83k-Rw=", "version": 1 } diff --git a/audit/kubernetes-public.policy.yaml b/audit/kubernetes-public.policy.yaml index c841c7a5661..20665028034 100644 --- a/audit/kubernetes-public.policy.yaml +++ b/audit/kubernetes-public.policy.yaml 
@@ -27,6 +27,12 @@ bindings: - serviceAccount:127754664067-compute@developer.gserviceaccount.com - serviceAccount:127754664067@cloudservices.gserviceaccount.com role: roles/editor +- members: + - user:thockin@google.com + role: roles/iam.roleAdmin +- members: + - user:thockin@google.com + role: roles/iam.securityAdmin - members: - serviceAccount:k8s-nodes@kubernetes-public.iam.gserviceaccount.com role: roles/logging.logWriter @@ -41,5 +47,5 @@ bindings: - user:ihor@cncf.io - user:thockin@google.com role: roles/owner -etag: BwWIeZ1EG7o= +etag: BwWLI83k-Rw= version: 1 diff --git a/audit/kubernetes-public.roles.json b/audit/kubernetes-public.roles.json index 535f2a65076..0ac7d704b3d 100644 --- a/audit/kubernetes-public.roles.json +++ b/audit/kubernetes-public.roles.json @@ -5,12 +5,5 @@ "name": "projects/kubernetes-public/roles/ServiceAccountLister", "stage": "GA", "title": "Service Account Lister" - }, - { - "description": "delete me 1", - "etag": "BwWIfSRcpWU=", - "name": "projects/kubernetes-public/roles/ThockinTest1", - "stage": "GA", - "title": "delete me 1" } ] diff --git a/audit/kubernetes-public.roles.yaml b/audit/kubernetes-public.roles.yaml index 11bc4bb8c95..78fd69929d7 100644 --- a/audit/kubernetes-public.roles.yaml +++ b/audit/kubernetes-public.roles.yaml @@ -4,9 +4,3 @@ etag: BwV_JE8PWv4= name: projects/kubernetes-public/roles/ServiceAccountLister stage: GA title: Service Account Lister ---- -description: delete me 1 -etag: BwWIfSRcpWU= -name: projects/kubernetes-public/roles/ThockinTest1 -stage: GA -title: delete me 1 From f69ba5ce680ce446084e801ccd44bf0f4edd69f8 Mon Sep 17 00:00:00 2001 
From: Hippie Hacker Date: Sun, 16 Jun 2019 06:59:48 +1200 Subject: [PATCH 5/7] Iterate over enabled services --- audit/README.md | 2 +- audit/audit-gcp.sh | 102 +++- ...-public.kubernetes_public_billing.iam.json | 24 + ...etes-public.kubernetes_public_billing.txt} | 0 audit/cncf-org.policy.yaml | 35 -- audit/cncf-org.roles.yaml | 6 - .../k8s-infra-dev-cluster-turnup.info.json | 49 ++ .../k8s-infra-dev-cluster-turnup.zones.json | 1 + audit/dns/kubernetes-public.info.json | 49 ++ audit/dns/kubernetes-public.zones.json | 96 ++++ ...k8s-infra-dev-cluster-turnup.clusters.json | 1 + .../k8s-infra-dev-cluster-turnup.policy.json | 20 +- .../k8s-infra-dev-cluster-turnup.policy.yaml | 25 - audit/k8s-infra-dev-cluster-turnup.roles.yaml | 6 - .../ServiceAccountLister.json | 10 + ...k8s-infra-dev-cluster-turnup.services.json | 473 ++++++++++++++++++ audit/kubernetes-public.clusters.json | 176 +++++++ audit/kubernetes-public.policy.yaml | 51 -- audit/kubernetes-public.roles.yaml | 6 - .../ServiceAccountLister.json | 10 + audit/kubernetes-public.services.json | 146 ++++++ 21 files changed, 1130 insertions(+), 158 deletions(-) create mode 100644 audit/buckets/kubernetes-public.kubernetes_public_billing.iam.json rename audit/buckets/{kubernetes_public_billing.txt => kubernetes-public.kubernetes_public_billing.txt} (100%) delete mode 100644 audit/cncf-org.policy.yaml delete mode 100644 audit/cncf-org.roles.yaml create mode 100644 audit/dns/k8s-infra-dev-cluster-turnup.info.json create mode 100644 audit/dns/k8s-infra-dev-cluster-turnup.zones.json create mode 100644 audit/dns/kubernetes-public.info.json create mode 100644 audit/dns/kubernetes-public.zones.json create mode 100644 audit/k8s-infra-dev-cluster-turnup.clusters.json delete mode 100644 audit/k8s-infra-dev-cluster-turnup.policy.yaml delete mode 100644 audit/k8s-infra-dev-cluster-turnup.roles.yaml create mode 100644 audit/k8s-infra-dev-cluster-turnup.roles/ServiceAccountLister.json create mode 100644 
audit/k8s-infra-dev-cluster-turnup.services.json create mode 100644 audit/kubernetes-public.clusters.json delete mode 100644 audit/kubernetes-public.policy.yaml delete mode 100644 audit/kubernetes-public.roles.yaml create mode 100644 audit/kubernetes-public.roles/ServiceAccountLister.json create mode 100644 audit/kubernetes-public.services.json diff --git a/audit/README.md b/audit/README.md index b75805c68e3..9f54754b27b 100644 --- a/audit/README.md +++ b/audit/README.md @@ -3,7 +3,7 @@ ## Status WIP. Members of k8s-infra-gcp-auditors should be able to run this script to submit an audit PR. -Note this is an Audit of current configuration, not a requset for change. +Note this is an Audit of current configuration, not a request for change. ## How to become an auditor diff --git a/audit/audit-gcp.sh b/audit/audit-gcp.sh index dd8480b1d8f..832a0674c1e 100755 --- a/audit/audit-gcp.sh +++ b/audit/audit-gcp.sh 
@@ -6,34 +6,82 @@ CNCF_GCP_ORG=758905017065 # ERROR: (gcloud.organizations.describe) # User [hh@ii.coop] does not have permission to access organization [] -for format in json yaml -do - gcloud iam roles list --organization=$CNCF_GCP_ORG --format=$format \ - > cncf-org.roles.$format - gcloud organizations get-iam-policy $CNCF_GCP_ORG --format=$format \ - > cncf-org.policy.$format - gcloud projects list \ - --filter "parent.id=$CNCF_GCP_ORG" \ - --format "value(name, projectNumber)" \ - | while read NAME NUM; do \ - gcloud projects get-iam-policy $NAME --format=$format > $NAME.policy.$format - gcloud iam roles list --project=$NAME --format=$format > $NAME.roles.$format - mkdir -p roles - for ROLE_PATH in `gcloud --project=$NAME iam roles list --format="value(name)"` - do - ROLE=`basename $ROLE_PATH` - gcloud --project=$NAME iam roles describe $ROLE \ - --format=json > roles/$ROLE.json - done - +format=json +gcloud iam roles list --organization=$CNCF_GCP_ORG --format=$format \ + > cncf-org.roles.$format +gcloud organizations get-iam-policy $CNCF_GCP_ORG --format=$format \ + > cncf-org.policy.$format +gcloud projects list \ + --filter "parent.id=$CNCF_GCP_ORG" \ + --format "value(name, projectNumber)" \ + | while read PROJECT NUM; do \ + export CLOUDSDK_CORE_PROJECT=$PROJECT + gcloud projects get-iam-policy $PROJECT --format=$format > $PROJECT.policy.$format + gcloud iam roles list --project $PROJECT --format=$format > $PROJECT.roles.$format + mkdir -p $PROJECT.roles + for ROLE_PATH in `gcloud iam roles list --project $PROJECT --format="value(name)"` + do + ROLE=`basename $ROLE_PATH` + gcloud iam roles --project=$PROJECT describe $ROLE \ + --format=json > $PROJECT.roles/$ROLE.json + done + gcloud services list --filter state:ENABLED --format=$format > $PROJECT.services.$format + for service in `gcloud services list --filter state:ENABLED --format=json | jq -r .[].config.name` + do + case $service in + compute.googleapis.com) + echo TODO: Needs compute.projects.get + 
#### gcloud compute project-info describe + #### gcloud compute instances list --format=$format > $PROJECT.compute.instances.$format + #### gcloud compute disks list --format=$format > $PROJECT.compute.disks.$format + # I'm ensure why we see this when container.googleapis.com is DISABLED + gcloud container clusters list --format=$format > $PROJECT.clusters.$format + ;; + dns.googleapis.com) + mkdir -p dns + gcloud dns project-info describe $PROJECT --format=$format > dns/$PROJECT.info.$format + gcloud dns managed-zones list --format=$format > dns/$PROJECT.zones.$format + ;; + logging.googleapis.com) + echo TODO: Needs serviceusage.services.use + ##### gcloud logging logs list --format=$format > $PROJECT.logging.logs.$format + ##### gcloud logging metrics list + ##### gcloud logging sinks list + ;; + monitoring.googleapis.com) + echo TODO: Needs serviceusage.services.use + #### gcloud alpha monitoring policies list + #### gcloud alpha monitoring channels list + #### gcloud alpha monitoring channel-descriptors list + ;; + oslogin.googleapis.com) + echo TODO: Verify how OS Login is configured / audited + ;; + bigquery-json.googleapis.com) + echo TODO: Verify how Big Query is configured / audited + ;; + storage-api.googleapis.com) + echo TODO: Add storage.buckets.get for auditors + echo ...to kubernetes_public_billing and any newer buckets... 
+ echo TODO: Ensure bucket-policy-only, for simplicity in Auditing + # https://cloud.google.com/storage/docs/bucket-policy-only + mkdir -p buckets + for BUCKET in `gsutil ls -p $PROJECT | awk -F/ '{print $3}'` + do + #### gsutil bucketpolicyonly get gs://$BUCKET/ + #### gsutil cors get gs://$BUCKET/ + #### gsutil logging get gs://$BUCKET/ + gsutil iam get gs://$BUCKET/ > buckets/$PROJECT.$BUCKET.iam.json + gsutil ls -r gs://$BUCKET/ > buckets/$PROJECT.$BUCKET.txt + done + ;; + storage-component.googleapis.com) + ;; + *) + echo ***** Unhandled Service ***** + ;; + esac done -done - -# List of objets in buckets -mkdir -p buckets -for BUCKET in `gsutil ls -p kubernetes-public | awk -F/ '{print $3}'` -do - gsutil ls -r gs://$BUCKET/ > buckets/$BUCKET.txt done diff --git a/audit/buckets/kubernetes-public.kubernetes_public_billing.iam.json b/audit/buckets/kubernetes-public.kubernetes_public_billing.iam.json new file mode 100644 index 00000000000..b4c4fb5e65f --- /dev/null +++ b/audit/buckets/kubernetes-public.kubernetes_public_billing.iam.json @@ -0,0 +1,24 @@ +{ + "bindings": [ + { + "members": [ + "projectEditor:kubernetes-public", + "projectOwner:kubernetes-public" + ], + "role": "roles/storage.legacyBucketOwner" + }, + { + "members": [ + "projectViewer:kubernetes-public" + ], + "role": "roles/storage.legacyBucketReader" + }, + { + "members": [ + "serviceAccount:509219875288-kscf0cheafmf4f6tp1auij5me8qakbin@developer.gserviceaccount.com" + ], + "role": "roles/storage.legacyBucketWriter" + } + ], + "etag": "CAU=" +} diff --git a/audit/buckets/kubernetes_public_billing.txt b/audit/buckets/kubernetes-public.kubernetes_public_billing.txt similarity index 100% rename from audit/buckets/kubernetes_public_billing.txt rename to audit/buckets/kubernetes-public.kubernetes_public_billing.txt diff --git a/audit/cncf-org.policy.yaml b/audit/cncf-org.policy.yaml deleted file mode 100644 index 532d63d8994..00000000000 --- a/audit/cncf-org.policy.yaml +++ /dev/null 
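Review bot: The fallback arm of the `case` at the end of the new service loop runs `echo ***** Unhandled Service *****` unquoted, so bash expands each `*****` as a glob over the current directory and the message is replaced by a listing of the dump files, and the name of the unhandled service is never printed; quote the literal, include it and send it to stderr: `echo "***** Unhandled Service: $service *****" >&2`. Separately, `gcloud services list --filter state:ENABLED` is invoked twice per project (once into `$PROJECT.services.$format`, once to drive the loop), so the committed dump and the iterated set can diverge between the two calls; reading the file just written avoids that: `for service in $(jq -r '.[].config.name' "$PROJECT.services.$format")`. None of the `gcloud`/`gsutil` calls in the hunk check their exit status, so a permission-denied failure (exactly the situation the TODO comments anticipate) leaves an empty or truncated `*.json` that reads as "nothing configured" when the audit PR is reviewed; at minimum write to a temporary file and move it into place only on success, or append `|| echo "FAILED: $PROJECT $service" >&2` to each dump command. The script header with the shebang and any `set` options is outside this hunk.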
@@ -1,35 +0,0 @@ -bindings: -- members: - - group:k8s-infra-gcp-accounting@kubernetes.io - role: organizations/758905017065/roles/CustomRole -- members: - - user:ihor@cncf.io - - user:thockin@google.com - - user:twaggoner@linuxfoundation.org - role: roles/billing.admin -- members: - - domain:kubernetes.io - - user:ihor@cncf.io - - user:thockin@google.com - role: roles/billing.creator -- members: - - user:thockin@google.com - role: roles/iam.organizationRoleAdmin -- members: - - group:k8s-infra-gcp-auditors@kubernetes.io - role: roles/iam.securityReviewer -- members: - - user:domain-admin-lf@kubernetes.io - - user:ihor@cncf.io - - user:thockin@google.com - - user:twaggoner@linuxfoundation.org - role: roles/resourcemanager.organizationAdmin -- members: - - domain:kubernetes.io - - user:thockin@google.com - role: roles/resourcemanager.projectCreator -- members: - - user:thockin@google.com - role: roles/resourcemanager.projectDeleter -etag: BwWLI_mG-qA= -version: 1 diff --git a/audit/cncf-org.roles.yaml b/audit/cncf-org.roles.yaml deleted file mode 100644 index 714334907b7..00000000000 --- a/audit/cncf-org.roles.yaml +++ /dev/null @@ -1,6 +0,0 @@ ---- -description: Can view billing info -etag: BwWLI_e8Xyo= -name: organizations/758905017065/roles/CustomRole -stage: GA -title: Billing Viewer diff --git a/audit/dns/k8s-infra-dev-cluster-turnup.info.json b/audit/dns/k8s-infra-dev-cluster-turnup.info.json new file mode 100644 index 00000000000..2035859c800 --- /dev/null +++ b/audit/dns/k8s-infra-dev-cluster-turnup.info.json 
@@ -0,0 +1,49 @@
+{
+ "id": "k8s-infra-dev-cluster-turnup",
+ "kind": "dns#project",
+ "number": "396460694993",
+ "quota": {
+ "dnsKeysPerManagedZone": 4,
+ "kind": "dns#quota",
+ "managedZones": 10000,
+ "managedZonesPerNetwork": 10000,
+ "networksPerManagedZone": 100,
+ "resourceRecordsPerRrset": 100,
+ "rrsetAdditionsPerChange": 1000,
+ "rrsetDeletionsPerChange": 1000,
+ "rrsetsPerManagedZone": 10000,
+ "totalRrdataSizePerChange": 100000,
+ "whitelistedKeySpecs": [
+ {
+ "algorithm": "ecdsap256sha256",
+ "kind": "dns#dnsKeySpec"
+ },
+ {
+ "algorithm": "ecdsap384sha384",
+ "kind": "dns#dnsKeySpec"
+ },
+ {
+ "algorithm": "rsasha256",
+ "keyLength": 2048,
+ "kind": "dns#dnsKeySpec"
+ },
+ {
+ "algorithm": "rsasha256",
+ "keyLength": 1024,
+ "keyType": "zoneSigning",
+ "kind": "dns#dnsKeySpec"
+ },
+ {
+ "algorithm": "rsasha512",
+ "keyLength": 2048,
+ "kind": "dns#dnsKeySpec"
+ },
+ {
+ "algorithm": "rsasha512",
+ "keyLength": 1024,
+ "keyType": "zoneSigning",
+ "kind": "dns#dnsKeySpec"
+ }
+ ]
+ }
+}
diff --git a/audit/dns/k8s-infra-dev-cluster-turnup.zones.json b/audit/dns/k8s-infra-dev-cluster-turnup.zones.json
new file mode 100644
index 00000000000..fe51488c706
--- /dev/null
+++ b/audit/dns/k8s-infra-dev-cluster-turnup.zones.json
@@ -0,0 +1 @@
+[]
diff --git a/audit/dns/kubernetes-public.info.json b/audit/dns/kubernetes-public.info.json
new file mode 100644
index 00000000000..b1ae8ea5db3
--- /dev/null
+++ b/audit/dns/kubernetes-public.info.json
@@ -0,0 +1,49 @@
+{
+ "id": "kubernetes-public",
+ "kind": "dns#project",
+ "number": "127754664067",
+ "quota": {
+ "dnsKeysPerManagedZone": 4,
+ "kind": "dns#quota",
+ "managedZones": 10000,
+ "managedZonesPerNetwork": 10000,
+ "networksPerManagedZone": 100,
+ "resourceRecordsPerRrset": 100,
+ "rrsetAdditionsPerChange": 1000,
+ "rrsetDeletionsPerChange": 1000,
+ "rrsetsPerManagedZone": 10000,
+ "totalRrdataSizePerChange": 100000,
+ "whitelistedKeySpecs": [
+ {
+ "algorithm": "ecdsap256sha256",
+ "kind": "dns#dnsKeySpec"
+ },
+ {
+ "algorithm": "ecdsap384sha384",
+ "kind": "dns#dnsKeySpec"
+ },
+ {
+ "algorithm": "rsasha256",
+ "keyLength": 2048,
+ "kind": "dns#dnsKeySpec"
+ },
+ {
+ "algorithm": "rsasha256",
+ "keyLength": 1024,
+ "keyType": "zoneSigning",
+ "kind": "dns#dnsKeySpec"
+ },
+ {
+ "algorithm": "rsasha512",
+ "keyLength": 2048,
+ "kind": "dns#dnsKeySpec"
+ },
+ {
+ "algorithm": "rsasha512",
+ "keyLength": 1024,
+ "keyType": "zoneSigning",
+ "kind": "dns#dnsKeySpec"
+ }
+ ]
+ }
+}
diff --git a/audit/dns/kubernetes-public.zones.json b/audit/dns/kubernetes-public.zones.json
new file mode 100644
index 00000000000..8d288ff4359
--- /dev/null
+++ b/audit/dns/kubernetes-public.zones.json
@@ -0,0 +1,96 @@ +[ + { + "creationTime": "2018-10-09T16:18:27.446Z", + "description": "", + "dnsName": "canary.k8s.io.", + "id": "7690509341659612964", + "kind": "dns#managedZone", + "name": "canary-k8s-io", + "nameServers": [ + "ns-cloud-c1.googledomains.com.", + "ns-cloud-c2.googledomains.com.", + "ns-cloud-c3.googledomains.com.", + "ns-cloud-c4.googledomains.com." + ] + }, + { + "creationTime": "2018-10-09T16:19:40.004Z", + "description": "", + "dnsName": "canary.kubernetes.io.", + "id": "4193576254815248920", + "kind": "dns#managedZone", + "name": "canary-kubernetes-io", + "nameServers": [ + "ns-cloud-b1.googledomains.com.", + "ns-cloud-b2.googledomains.com.", + "ns-cloud-b3.googledomains.com.", + "ns-cloud-b4.googledomains.com." + ] + }, + { + "creationTime": "2018-09-07T15:08:37.689Z", + "description": "", + "dnsName": "k8s.io.", + "dnssecConfig": { + "defaultKeySpecs": [ + { + "algorithm": "rsasha256", + "keyLength": 2048, + "keyType": "keySigning", + "kind": "dns#dnsKeySpec" + }, + { + "algorithm": "rsasha256", + "keyLength": 1024, + "keyType": "zoneSigning", + "kind": "dns#dnsKeySpec" + } + ], + "kind": "dns#managedZoneDnsSecConfig", + "nonExistence": "nsec3", + "state": "off" + }, + "id": "8257163024921094127", + "kind": "dns#managedZone", + "name": "k8s-io", + "nameServers": [ + "ns-cloud-d1.googledomains.com.", + "ns-cloud-d2.googledomains.com.", + "ns-cloud-d3.googledomains.com.", + "ns-cloud-d4.googledomains.com." 
+ ] + }, + { + "creationTime": "2018-09-06T16:58:36.444Z", + "description": "", + "dnsName": "kubernetes.io.", + "dnssecConfig": { + "defaultKeySpecs": [ + { + "algorithm": "rsasha256", + "keyLength": 2048, + "keyType": "keySigning", + "kind": "dns#dnsKeySpec" + }, + { + "algorithm": "rsasha256", + "keyLength": 1024, + "keyType": "zoneSigning", + "kind": "dns#dnsKeySpec" + } + ], + "kind": "dns#managedZoneDnsSecConfig", + "nonExistence": "nsec3", + "state": "off" + }, + "id": "8283179273191389843", + "kind": "dns#managedZone", + "name": "kubernetes-io", + "nameServers": [ + "ns-cloud-a1.googledomains.com.", + "ns-cloud-a2.googledomains.com.", + "ns-cloud-a3.googledomains.com.", + "ns-cloud-a4.googledomains.com." + ] + } +] diff --git a/audit/k8s-infra-dev-cluster-turnup.clusters.json b/audit/k8s-infra-dev-cluster-turnup.clusters.json new file mode 100644 index 00000000000..fe51488c706 --- /dev/null +++ b/audit/k8s-infra-dev-cluster-turnup.clusters.json @@ -0,0 +1 @@ +[] diff --git a/audit/k8s-infra-dev-cluster-turnup.policy.json b/audit/k8s-infra-dev-cluster-turnup.policy.json index f0629c96434..e6036cd7db5 100644 --- a/audit/k8s-infra-dev-cluster-turnup.policy.json +++ b/audit/k8s-infra-dev-cluster-turnup.policy.json @@ -1,5 +1,11 @@ { "bindings": [ + { + "members": [ + "serviceAccount:terraform@k8s-infra-dev-cluster-turnup.iam.gserviceaccount.com" + ], + "role": "roles/browser" + }, { "members": [ "serviceAccount:service-396460694993@gcp-sa-cloudscheduler.iam.gserviceaccount.com" @@ -36,8 +42,20 @@ "user:thockin@google.com" ], "role": "roles/owner" + }, + { + "members": [ + "serviceAccount:terraform@k8s-infra-dev-cluster-turnup.iam.gserviceaccount.com" + ], + "role": "roles/storage.admin" + }, + { + "members": [ + "serviceAccount:terraform@k8s-infra-dev-cluster-turnup.iam.gserviceaccount.com" + ], + "role": "roles/viewer" } ], - "etag": "BwWLKUjb2zw=", + "etag": "BwWLYUm4FJE=", "version": 1 } 
diff --git a/audit/k8s-infra-dev-cluster-turnup.policy.yaml b/audit/k8s-infra-dev-cluster-turnup.policy.yaml deleted file mode 100644 index 62a72292373..00000000000 --- a/audit/k8s-infra-dev-cluster-turnup.policy.yaml +++ /dev/null @@ -1,25 +0,0 @@ -bindings: -- members: - - serviceAccount:service-396460694993@gcp-sa-cloudscheduler.iam.gserviceaccount.com - role: roles/cloudscheduler.serviceAgent -- members: - - serviceAccount:service-396460694993@compute-system.iam.gserviceaccount.com - role: roles/compute.serviceAgent -- members: - - serviceAccount:service-396460694993@container-engine-robot.iam.gserviceaccount.com - role: roles/container.serviceAgent -- members: - - serviceAccount:396460694993-compute@developer.gserviceaccount.com - - serviceAccount:396460694993@cloudservices.gserviceaccount.com - - serviceAccount:service-396460694993@containerregistry.iam.gserviceaccount.com - - user:justinsb@google.com - role: roles/editor -- members: - - user:ameukam@gmail.com - - user:cblecker@gmail.com - - user:davanum@gmail.com - - user:hh@ii.coop - - user:thockin@google.com - role: roles/owner -etag: BwWLKUjb2zw= -version: 1 diff --git a/audit/k8s-infra-dev-cluster-turnup.roles.yaml b/audit/k8s-infra-dev-cluster-turnup.roles.yaml deleted file mode 100644 index b24a7665e39..00000000000 --- a/audit/k8s-infra-dev-cluster-turnup.roles.yaml +++ /dev/null @@ -1,6 +0,0 @@ ---- -description: Can list ServiceAccounts. -etag: BwWLKJVqdYA= -name: projects/k8s-infra-dev-cluster-turnup/roles/ServiceAccountLister -stage: GA -title: Service Account Lister diff --git a/audit/k8s-infra-dev-cluster-turnup.roles/ServiceAccountLister.json b/audit/k8s-infra-dev-cluster-turnup.roles/ServiceAccountLister.json new file mode 100644 index 00000000000..fa63b7c21ad --- /dev/null +++ b/audit/k8s-infra-dev-cluster-turnup.roles/ServiceAccountLister.json 
@@ -0,0 +1,10 @@
+{
+ "description": "Can list ServiceAccounts.",
+ "etag": "BwWLKJVqdYA=",
+ "includedPermissions": [
+ "iam.serviceAccounts.list"
+ ],
+ "name": "projects/k8s-infra-dev-cluster-turnup/roles/ServiceAccountLister",
+ "stage": "GA",
+ "title": "Service Account Lister"
+}
diff --git a/audit/k8s-infra-dev-cluster-turnup.services.json b/audit/k8s-infra-dev-cluster-turnup.services.json
new file mode 100644
index 00000000000..f67d288b959
--- /dev/null
+++ b/audit/k8s-infra-dev-cluster-turnup.services.json
@@ -0,0 +1,473 @@ +[ + { + "config": { + "authentication": {}, + "documentation": { + "summary": "A data platform for customers to create, manage, share and query data." + }, + "name": "bigquery-json.googleapis.com", + "quota": {}, + "title": "BigQuery API", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud" + ] + } + }, + "name": "projects/396460694993/services/bigquery-json.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "API for reading and writing the contents of Bigtables associated with a cloud project." + }, + "name": "bigtable.googleapis.com", + "quota": {}, + "title": "Cloud Bigtable API", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud" + ] + } + }, + "name": "projects/396460694993/services/bigtable.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "Administer your Cloud Bigtable tables and instances." + }, + "name": "bigtableadmin.googleapis.com", + "quota": {}, + "title": "Cloud Bigtable Admin API", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud" + ] + } + }, + "name": "projects/396460694993/services/bigtableadmin.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "This is a meta service for Google Cloud APIs for convenience. Enabling this service enables all commonly used Google Cloud APIs for the project. By default, it is enabled for all projects created through Google Cloud Console and Google Cloud SDK, and should be manually enabled for all other projects that intend to use Google Cloud APIs. 
Note: disabling this service has no effect on other services.\n" + }, + "name": "cloudapis.googleapis.com", + "quota": {}, + "title": "Google Cloud APIs", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud" + ] + } + }, + "name": "projects/396460694993/services/cloudapis.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "Examines the call stack and variables of a running application without stopping or slowing it down.\n" + }, + "name": "clouddebugger.googleapis.com", + "quota": {}, + "title": "Stackdriver Debugger API", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud" + ] + } + }, + "name": "projects/396460694993/services/clouddebugger.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "Creates, reads, and updates metadata for Google Cloud Platform resource containers." + }, + "name": "cloudresourcemanager.googleapis.com", + "quota": {}, + "title": "Cloud Resource Manager API", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud" + ] + } + }, + "name": "projects/396460694993/services/cloudresourcemanager.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "Creates and manages jobs run on a regular recurring schedule." + }, + "name": "cloudscheduler.googleapis.com", + "quota": {}, + "title": "Cloud Scheduler API", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud", + "serviceusage.googleapis.com/billing-enabled" + ] + } + }, + "name": "projects/396460694993/services/cloudscheduler.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "Sends application trace data to Stackdriver Trace for viewing. Trace data is collected for all App Engine applications by default. 
Trace data from other applications can be provided using this API. This library is used to interact with the Trace API directly. If you are looking to instrument your application for Stackdriver Trace, we recommend using OpenCensus.\n" + }, + "name": "cloudtrace.googleapis.com", + "quota": {}, + "title": "Stackdriver Trace API", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud" + ] + } + }, + "name": "projects/396460694993/services/cloudtrace.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "Creates and runs virtual machines on Google Cloud Platform.\n" + }, + "name": "compute.googleapis.com", + "quota": {}, + "title": "Compute Engine API", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud", + "serviceusage.googleapis.com/billing-enabled" + ] + } + }, + "name": "projects/396460694993/services/compute.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "Builds and manages container-based applications, powered by the open source Kubernetes technology." + }, + "name": "container.googleapis.com", + "quota": {}, + "title": "Kubernetes Engine API", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud", + "serviceusage.googleapis.com/billing-enabled" + ] + } + }, + "name": "projects/396460694993/services/container.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "Google Container Registry provides secure, private Docker image storage on Google Cloud Platform. Our API follows the Docker Registry API specification, so we are fully compatible with the Docker CLI client, as well as standard tooling using the Docker Registry API." 
+ }, + "name": "containerregistry.googleapis.com", + "quota": {}, + "title": "Container Registry API", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud", + "serviceusage.googleapis.com/billing-enabled" + ] + } + }, + "name": "projects/396460694993/services/containerregistry.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "Accesses the schemaless NoSQL database to provide fully managed, robust, scalable storage for your application.\n" + }, + "name": "datastore.googleapis.com", + "quota": {}, + "title": "Cloud Datastore API", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud" + ] + } + }, + "name": "projects/396460694993/services/datastore.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "The Google Cloud Deployment Manager V2 API provides services for configuring, deploying, and\nviewing Google Cloud services and APIs via templates which specify deployments of Cloud\nresources." 
+ }, + "name": "deploymentmanager.googleapis.com", + "quota": {}, + "title": "Cloud Deployment Manager V2 API", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud" + ] + } + }, + "name": "projects/396460694993/services/deploymentmanager.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": {}, + "name": "dns.googleapis.com", + "quota": {}, + "title": "Google Cloud DNS API", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud", + "serviceusage.googleapis.com/billing-enabled" + ] + } + }, + "name": "projects/396460694993/services/dns.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "Manages identity and access control for Google Cloud Platform resources, including the creation of service accounts, which you can use to authenticate to Google and make API calls." + }, + "name": "iam.googleapis.com", + "quota": {}, + "title": "Identity and Access Management (IAM) API", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud" + ] + } + }, + "name": "projects/396460694993/services/iam.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "Creates short-lived, limited-privilege credentials for IAM service accounts." + }, + "name": "iamcredentials.googleapis.com", + "quota": {}, + "title": "IAM Service Account Credentials API", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud" + ] + } + }, + "name": "projects/396460694993/services/iamcredentials.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "Writes log entries and manages your Stackdriver Logging configuration.\nThe table entries below are presented in alphabetical order, not in order of common use. 
For explanations of the concepts found in the table entries, read the [Stackdriver Logging documentation](/logging/docs)." + }, + "name": "logging.googleapis.com", + "quota": {}, + "title": "Stackdriver Logging API", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud" + ] + } + }, + "name": "projects/396460694993/services/logging.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "Manages your Stackdriver Monitoring data and configurations. Most projects must be associated with a Stackdriver account, with a few exceptions as noted on the individual method pages.\nThe table entries below are presented in alphabetical order, not in order of common use. For explanations of the concepts found in the table entries, read the [Stackdriver Monitoring documentation](/monitoring/docs).\n" + }, + "name": "monitoring.googleapis.com", + "quota": {}, + "title": "Stackdriver Monitoring API", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud" + ] + } + }, + "name": "projects/396460694993/services/monitoring.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "Manages OS login configuration for Google account users." 
+ }, + "name": "oslogin.googleapis.com", + "quota": {}, + "title": "Cloud OS Login API", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud" + ] + } + }, + "name": "projects/396460694993/services/oslogin.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "Provides reliable, many-to-many, asynchronous messaging between applications.\n" + }, + "name": "pubsub.googleapis.com", + "quota": {}, + "title": "Cloud Pub/Sub API", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud" + ] + } + }, + "name": "projects/396460694993/services/pubsub.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "Google Service Management allows service producers to publish their services on Google Cloud Platform so that they can be discovered and used by service consumers." + }, + "name": "servicemanagement.googleapis.com", + "quota": {}, + "title": "Service Management API", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud" + ] + } + }, + "name": "projects/396460694993/services/servicemanagement.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "Enables services that service consumers want to use on Google Cloud Platform, lists the available or enabled services, or disables services that service consumers no longer use." + }, + "name": "serviceusage.googleapis.com", + "quota": {}, + "title": "Service Usage API", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud" + ] + } + }, + "name": "projects/396460694993/services/serviceusage.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "Google Cloud SQL is a hosted and fully managed relational database service\n on Google's infrastructure." 
+ }, + "name": "sql-component.googleapis.com", + "quota": {}, + "title": "Cloud SQL", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud" + ] + } + }, + "name": "projects/396460694993/services/sql-component.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "Provides users with programmatic access to Stackdriver endpoints that allow putting VM instances and other resources into maintenance mode." + }, + "name": "stackdriver.googleapis.com", + "quota": {}, + "title": "Stackdriver API", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud" + ] + } + }, + "name": "projects/396460694993/services/stackdriver.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "Lets you store and retrieve potentially-large, immutable data objects." + }, + "name": "storage-api.googleapis.com", + "quota": {}, + "title": "Google Cloud Storage JSON API", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud" + ] + } + }, + "name": "projects/396460694993/services/storage-api.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "Google Cloud Storage is a RESTful service for storing and accessing your data on Google's\n infrastructure." + }, + "name": "storage-component.googleapis.com", + "quota": {}, + "title": "Cloud Storage", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud" + ] + } + }, + "name": "projects/396460694993/services/storage-component.googleapis.com", + "state": "ENABLED" + } +] diff --git a/audit/kubernetes-public.clusters.json b/audit/kubernetes-public.clusters.json new file mode 100644 index 00000000000..39eb4c01a2c --- /dev/null +++ b/audit/kubernetes-public.clusters.json 
@@ -0,0 +1,176 @@ +[ + { + "addonsConfig": { + "kubernetesDashboard": { + "disabled": true + }, + "networkPolicyConfig": { + "disabled": true + } + }, + "clusterIpv4Cidr": "10.36.0.0/14", + "createTime": "2019-01-09T06:05:43+00:00", + "currentMasterVersion": "1.11.8-gke.6", + "currentNodeCount": 1, + "currentNodeVersion": "1.11.6-gke.6 *", + "defaultMaxPodsConstraint": { + "maxPodsPerNode": "110" + }, + "endpoint": "35.239.45.204", + "initialClusterVersion": "1.11.5-gke.5", + "instanceGroupUrls": [ + "https://www.googleapis.com/compute/v1/projects/kubernetes-public/zones/us-central1-a/instanceGroupManagers/gke-development-workers-0752e761-grp" + ], + "labelFingerprint": "a9dc16a7", + "legacyAbac": {}, + "location": "us-central1-a", + "locations": [ + "us-central1-a" + ], + "loggingService": "logging.googleapis.com", + "masterAuth": { + "clusterCaCertificate": "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" + }, + "monitoringService": "monitoring.googleapis.com", + "name": "development", + "network": "default", + "networkConfig": { + "network": "projects/kubernetes-public/global/networks/default", + "subnetwork": "projects/kubernetes-public/regions/us-central1/subnetworks/default" + }, + "nodeConfig": { + "diskSizeGb": 100, + "diskType": "pd-standard", + "imageType": "COS", + "machineType": "n1-standard-4", + "oauthScopes": [ + "https://www.googleapis.com/auth/logging.write", + "https://www.googleapis.com/auth/monitoring" + ], + "serviceAccount": "k8s-nodes@kubernetes-public.iam.gserviceaccount.com" + }, + "nodeIpv4CidrSize": 24, + "nodePools": [ + { + "autoscaling": { + "enabled": true, + "maxNodeCount": 4, + "minNodeCount": 1 + }, + "config": { + "diskSizeGb": 100, + "diskType": "pd-standard", + "imageType": "COS", + "machineType": "n1-standard-4", + "oauthScopes": [ + "https://www.googleapis.com/auth/logging.write", + "https://www.googleapis.com/auth/monitoring" + ], + "serviceAccount": "k8s-nodes@kubernetes-public.iam.gserviceaccount.com" + }, + 
"initialNodeCount": 1, + "instanceGroupUrls": [ + "https://www.googleapis.com/compute/v1/projects/kubernetes-public/zones/us-central1-a/instanceGroupManagers/gke-development-workers-0752e761-grp" + ], + "management": {}, + "name": "workers", + "podIpv4CidrSize": 24, + "selfLink": "https://container.googleapis.com/v1/projects/kubernetes-public/zones/us-central1-a/clusters/development/nodePools/workers", + "status": "RUNNING", + "version": "1.11.6-gke.6" + } + ], + "selfLink": "https://container.googleapis.com/v1/projects/kubernetes-public/zones/us-central1-a/clusters/development", + "servicesIpv4Cidr": "10.39.240.0/20", + "status": "RUNNING", + "subnetwork": "default", + "zone": "us-central1-a" + }, + { + "addonsConfig": { + "kubernetesDashboard": { + "disabled": true + }, + "networkPolicyConfig": { + "disabled": true + } + }, + "clusterIpv4Cidr": "10.48.0.0/14", + "createTime": "2019-03-09T04:16:34+00:00", + "currentMasterVersion": "1.11.8-gke.6", + "currentNodeCount": 1, + "currentNodeVersion": "1.11.6-gke.6 *", + "defaultMaxPodsConstraint": { + "maxPodsPerNode": "110" + }, + "endpoint": "146.148.105.105", + "initialClusterVersion": "1.11.6-gke.6", + "instanceGroupUrls": [ + "https://www.googleapis.com/compute/v1/projects/kubernetes-public/zones/us-central1-b/instanceGroupManagers/gke-development2-workers-03baa44e-grp" + ], + "labelFingerprint": "a9dc16a7", + "legacyAbac": {}, + "location": "us-central1-b", + "locations": [ + "us-central1-b" + ], + "loggingService": "logging.googleapis.com", + "masterAuth": { + "clusterCaCertificate": "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" + }, + "monitoringService": "monitoring.googleapis.com", + "name": "development2", + "network": "default", + "networkConfig": { + "network": "projects/kubernetes-public/global/networks/default", + "subnetwork": "projects/kubernetes-public/regions/us-central1/subnetworks/default" + }, + "nodeConfig": { + "diskSizeGb": 100, + "diskType": "pd-standard", + "imageType": "COS", + 
"machineType": "n1-standard-4", + "oauthScopes": [ + "https://www.googleapis.com/auth/logging.write", + "https://www.googleapis.com/auth/monitoring" + ], + "serviceAccount": "k8s-nodes@kubernetes-public.iam.gserviceaccount.com" + }, + "nodeIpv4CidrSize": 24, + "nodePools": [ + { + "autoscaling": { + "enabled": true, + "maxNodeCount": 4, + "minNodeCount": 1 + }, + "config": { + "diskSizeGb": 100, + "diskType": "pd-standard", + "imageType": "COS", + "machineType": "n1-standard-4", + "oauthScopes": [ + "https://www.googleapis.com/auth/logging.write", + "https://www.googleapis.com/auth/monitoring" + ], + "serviceAccount": "k8s-nodes@kubernetes-public.iam.gserviceaccount.com" + }, + "initialNodeCount": 1, + "instanceGroupUrls": [ + "https://www.googleapis.com/compute/v1/projects/kubernetes-public/zones/us-central1-b/instanceGroupManagers/gke-development2-workers-03baa44e-grp" + ], + "management": {}, + "name": "workers", + "podIpv4CidrSize": 24, + "selfLink": "https://container.googleapis.com/v1/projects/kubernetes-public/zones/us-central1-b/clusters/development2/nodePools/workers", + "status": "RUNNING", + "version": "1.11.6-gke.6" + } + ], + "selfLink": "https://container.googleapis.com/v1/projects/kubernetes-public/zones/us-central1-b/clusters/development2", + "servicesIpv4Cidr": "10.51.240.0/20", + "status": "RUNNING", + "subnetwork": "default", + "zone": "us-central1-b" + } +] diff --git a/audit/kubernetes-public.policy.yaml b/audit/kubernetes-public.policy.yaml deleted file mode 100644 index 20665028034..00000000000 --- a/audit/kubernetes-public.policy.yaml +++ /dev/null 
@@ -1,51 +0,0 @@ -bindings: -- members: - - group:k8s-infra-cluster-admins@googlegroups.com - role: projects/kubernetes-public/roles/ServiceAccountLister -- members: - - group:k8s-infra-bigquery-admins@googlegroups.com - role: roles/bigquery.admin -- members: - - group:k8s-infra-gcp-accounting@googlegroups.com - role: roles/bigquery.jobUser -- members: - - serviceAccount:service-127754664067@compute-system.iam.gserviceaccount.com - role: roles/compute.serviceAgent -- members: - - group:k8s-infra-cluster-admins@googlegroups.com - role: roles/compute.viewer -- members: - - group:k8s-infra-cluster-admins@googlegroups.com - role: roles/container.admin -- members: - - serviceAccount:service-127754664067@container-engine-robot.iam.gserviceaccount.com - role: roles/container.serviceAgent -- members: - - group:k8s-infra-dns-admins@googlegroups.com - role: roles/dns.admin -- members: - - serviceAccount:127754664067-compute@developer.gserviceaccount.com - - serviceAccount:127754664067@cloudservices.gserviceaccount.com - role: roles/editor -- members: - - user:thockin@google.com - role: roles/iam.roleAdmin -- members: - - user:thockin@google.com - role: roles/iam.securityAdmin -- members: - - serviceAccount:k8s-nodes@kubernetes-public.iam.gserviceaccount.com - role: roles/logging.logWriter -- members: - - serviceAccount:k8s-nodes@kubernetes-public.iam.gserviceaccount.com - role: roles/monitoring.metricWriter -- members: - - serviceAccount:k8s-nodes@kubernetes-public.iam.gserviceaccount.com - role: roles/monitoring.viewer -- members: - - user:domain-admin-lf@kubernetes.io - - user:ihor@cncf.io - - user:thockin@google.com - role: roles/owner -etag: BwWLI83k-Rw= -version: 1 diff --git a/audit/kubernetes-public.roles.yaml b/audit/kubernetes-public.roles.yaml deleted file mode 100644 index 78fd69929d7..00000000000 --- a/audit/kubernetes-public.roles.yaml +++ /dev/null 
@@ -1,6 +0,0 @@ ---- -description: Can list ServiceAccounts. -etag: BwV_JE8PWv4= -name: projects/kubernetes-public/roles/ServiceAccountLister -stage: GA -title: Service Account Lister diff --git a/audit/kubernetes-public.roles/ServiceAccountLister.json b/audit/kubernetes-public.roles/ServiceAccountLister.json new file mode 100644 index 00000000000..291db59f931 --- /dev/null +++ b/audit/kubernetes-public.roles/ServiceAccountLister.json @@ -0,0 +1,10 @@ +{ + "description": "Can list ServiceAccounts.", + "etag": "BwV_JE8PWv4=", + "includedPermissions": [ + "iam.serviceAccounts.list" + ], + "name": "projects/kubernetes-public/roles/ServiceAccountLister", + "stage": "GA", + "title": "Service Account Lister" +} diff --git a/audit/kubernetes-public.services.json b/audit/kubernetes-public.services.json new file mode 100644 index 00000000000..d1ebe5f8e79 --- /dev/null +++ b/audit/kubernetes-public.services.json 
@@ -0,0 +1,146 @@ +[ + { + "config": { + "authentication": {}, + "documentation": { + "summary": "A data platform for customers to create, manage, share and query data." + }, + "name": "bigquery-json.googleapis.com", + "quota": {}, + "title": "BigQuery API", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud" + ] + } + }, + "name": "projects/127754664067/services/bigquery-json.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "Creates and runs virtual machines on Google Cloud Platform.\n" + }, + "name": "compute.googleapis.com", + "quota": {}, + "title": "Compute Engine API", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud", + "serviceusage.googleapis.com/billing-enabled" + ] + } + }, + "name": "projects/127754664067/services/compute.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": {}, + "name": "dns.googleapis.com", + "quota": {}, + "title": "Google Cloud DNS API", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud", + "serviceusage.googleapis.com/billing-enabled" + ] + } + }, + "name": "projects/127754664067/services/dns.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "Writes log entries and manages your Stackdriver Logging configuration.\nThe table entries below are presented in alphabetical order, not in order of common use. For explanations of the concepts found in the table entries, read the [Stackdriver Logging documentation](/logging/docs)." 
+ }, + "name": "logging.googleapis.com", + "quota": {}, + "title": "Stackdriver Logging API", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud" + ] + } + }, + "name": "projects/127754664067/services/logging.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "Manages your Stackdriver Monitoring data and configurations. Most projects must be associated with a Stackdriver account, with a few exceptions as noted on the individual method pages.\nThe table entries below are presented in alphabetical order, not in order of common use. For explanations of the concepts found in the table entries, read the [Stackdriver Monitoring documentation](/monitoring/docs).\n" + }, + "name": "monitoring.googleapis.com", + "quota": {}, + "title": "Stackdriver Monitoring API", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud" + ] + } + }, + "name": "projects/127754664067/services/monitoring.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "Manages OS login configuration for Google account users." + }, + "name": "oslogin.googleapis.com", + "quota": {}, + "title": "Cloud OS Login API", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud" + ] + } + }, + "name": "projects/127754664067/services/oslogin.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "Lets you store and retrieve potentially-large, immutable data objects." 
+ }, + "name": "storage-api.googleapis.com", + "quota": {}, + "title": "Google Cloud Storage JSON API", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud" + ] + } + }, + "name": "projects/127754664067/services/storage-api.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "Google Cloud Storage is a RESTful service for storing and accessing your data on Google's\n infrastructure." + }, + "name": "storage-component.googleapis.com", + "quota": {}, + "title": "Cloud Storage", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud" + ] + } + }, + "name": "projects/127754664067/services/storage-component.googleapis.com", + "state": "ENABLED" + } +] From 213582be39ee5b3f7f97b72dc979b2f5b62f08f7 Mon Sep 17 00:00:00 2001 
From: Hippie Hacker Date: Sun, 16 Jun 2019 13:11:31 +1200 Subject: [PATCH 6/7] Place each project in a subfolder --- audit/audit-gcp.sh | 76 +++++---- .../policy.json} | 8 +- .../roles.json} | 0 .../roles/ServiceAccountLister.json | 10 ++ .../services/clusters.json} | 0 .../services/dns.info.json | 49 ++++++ .../services/dns.zones.json | 1 + .../services/enabled.json} | 0 .../kubernetes_public_billing.iam.json | 24 +++ .../buckets/kubernetes_public_billing.txt | 156 ++++++++++++++++++ .../policy.json} | 0 .../roles.json} | 0 .../roles/ServiceAccountLister.json | 10 ++ .../services/clusters.json} | 0 .../kubernetes-public/services/dns.info.json | 49 ++++++ .../kubernetes-public/services/dns.zones.json | 96 +++++++++++ .../services/enabled.json} | 0 17 files changed, 444 insertions(+), 35 deletions(-) rename audit/{k8s-infra-dev-cluster-turnup.policy.json => k8s-infra-dev-cluster-turnup/policy.json} (89%) rename audit/{k8s-infra-dev-cluster-turnup.roles.json => k8s-infra-dev-cluster-turnup/roles.json} (100%) create mode 100644 audit/k8s-infra-dev-cluster-turnup/roles/ServiceAccountLister.json rename audit/{k8s-infra-dev-cluster-turnup.clusters.json => k8s-infra-dev-cluster-turnup/services/clusters.json} (100%) create mode 100644 audit/k8s-infra-dev-cluster-turnup/services/dns.info.json create mode 100644 audit/k8s-infra-dev-cluster-turnup/services/dns.zones.json rename audit/{k8s-infra-dev-cluster-turnup.services.json => k8s-infra-dev-cluster-turnup/services/enabled.json} (100%) create mode 100644 audit/kubernetes-public/buckets/kubernetes_public_billing.iam.json create mode 100644 audit/kubernetes-public/buckets/kubernetes_public_billing.txt rename audit/{kubernetes-public.policy.json => kubernetes-public/policy.json} (100%) rename audit/{kubernetes-public.roles.json => kubernetes-public/roles.json} (100%) create mode 100644 audit/kubernetes-public/roles/ServiceAccountLister.json rename audit/{kubernetes-public.clusters.json => 
kubernetes-public/services/clusters.json} (100%) create mode 100644 audit/kubernetes-public/services/dns.info.json create mode 100644 audit/kubernetes-public/services/dns.zones.json rename audit/{kubernetes-public.services.json => kubernetes-public/services/enabled.json} (100%) diff --git a/audit/audit-gcp.sh b/audit/audit-gcp.sh index 832a0674c1e..9c3f2df27b1 100755 --- a/audit/audit-gcp.sh +++ b/audit/audit-gcp.sh @@ -1,5 +1,5 @@ #!/bin/bash -set -x -e +# set -x -e CNCF_GCP_ORG=758905017065 # gcloud organizations describe $CNCF_GCP_ORG 2>&1 
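Review bot: Commenting out `set -x -e` on line 2 removes fail-fast, so any `gcloud` call that fails (including the permission errors the TODO arms below already anticipate) now leaves an empty or truncated dump under `$PROJECT/` that gets committed as if it were the audited state. If the aim is to survive expected failures, keep `set -e` (preferably `set -euo pipefail`) and mark the known-failing calls explicitly, e.g. `gcloud ... > "$PROJECT/policy.$format" || echo "skipped: $PROJECT policy" >&2`, so a silent loss of auditor permissions cannot masquerade as an empty policy. The `set -x` trace was also the only record of which commands actually ran for a given audit PR; if it is too noisy, `PS4='+ ${LINENO}: '` with the trace kept on stderr preserves that provenance without touching the dump files.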
@@ -7,78 +7,86 @@ CNCF_GCP_ORG=758905017065 # User [hh@ii.coop] does not have permission to access organization [] format=json +echo "# Auditing CNCF CGP Org: ${CNCF_GCP_ORG} #" gcloud iam roles list --organization=$CNCF_GCP_ORG --format=$format \ > cncf-org.roles.$format gcloud organizations get-iam-policy $CNCF_GCP_ORG --format=$format \ > cncf-org.policy.$format +echo "## Iterating over Projects ##" gcloud projects list \ --filter "parent.id=$CNCF_GCP_ORG" \ --format "value(name, projectNumber)" \ | while read PROJECT NUM; do \ export CLOUDSDK_CORE_PROJECT=$PROJECT - gcloud projects get-iam-policy $PROJECT --format=$format > $PROJECT.policy.$format - gcloud iam roles list --project $PROJECT --format=$format > $PROJECT.roles.$format - mkdir -p $PROJECT.roles + echo "### Auditing Project: ${PROJECT} ###" + mkdir -p $PROJECT + gcloud projects get-iam-policy $PROJECT --format=$format > $PROJECT/policy.$format + gcloud iam roles list --project $PROJECT --format=$format > $PROJECT/roles.$format + mkdir -p $PROJECT/roles for ROLE_PATH in `gcloud iam roles list --project $PROJECT --format="value(name)"` do ROLE=`basename $ROLE_PATH` gcloud iam roles --project=$PROJECT describe $ROLE \ - --format=json > $PROJECT.roles/$ROLE.json + --format=json > $PROJECT/roles/$ROLE.json done - gcloud services list --filter state:ENABLED --format=$format > $PROJECT.services.$format - for service in `gcloud services list --filter state:ENABLED --format=json | jq -r .[].config.name` + echo "#### Iterating over ${PROJECT} Services: ####" + mkdir -p $PROJECT/services + gcloud services list --filter state:ENABLED --format=$format > $PROJECT/services/enabled.$format + for service in `gcloud services list --filter state:ENABLED --format=json \ + | jq -r .[].config.name | sed s:.googleapis.com::` do case $service in - compute.googleapis.com) - echo TODO: Needs compute.projects.get + compute) + echo TODO: $service Needs compute.projects.get #### gcloud compute project-info describe - #### gcloud 
compute instances list --format=$format > $PROJECT.compute.instances.$format - #### gcloud compute disks list --format=$format > $PROJECT.compute.disks.$format + #### gcloud compute instances list --format=$format > $PROJECT/services/compute.instances.$format + #### gcloud compute disks list --format=$format > $PROJECT/services/compute.disks.$format # I'm ensure why we see this when container.googleapis.com is DISABLED - gcloud container clusters list --format=$format > $PROJECT.clusters.$format + gcloud container clusters list --format=$format > $PROJECT/services/clusters.$format ;; - dns.googleapis.com) + dns) + echo Processing: $service mkdir -p dns - gcloud dns project-info describe $PROJECT --format=$format > dns/$PROJECT.info.$format - gcloud dns managed-zones list --format=$format > dns/$PROJECT.zones.$format + gcloud dns project-info describe $PROJECT --format=$format > $PROJECT/services/dns.info.$format + gcloud dns managed-zones list --format=$format > $PROJECT/services/dns.zones.$format ;; - logging.googleapis.com) - echo TODO: Needs serviceusage.services.use - ##### gcloud logging logs list --format=$format > $PROJECT.logging.logs.$format - ##### gcloud logging metrics list - ##### gcloud logging sinks list + logging) + echo TODO: $service needs serviceusage.services.use + ##### gcloud logging logs list --format=$format > $PROJECT/services/logging.logs.$format + ##### gcloud logging metrics list --format=$format > $PROJECT/services/logging.metrics.$format + ##### gcloud logging sinks list --format=$format > $PROJECT/services/logging.sinks.$format ;; - monitoring.googleapis.com) - echo TODO: Needs serviceusage.services.use - #### gcloud alpha monitoring policies list - #### gcloud alpha monitoring channels list - #### gcloud alpha monitoring channel-descriptors list + monitoring) + echo TODO: $service needs serviceusage.services.use + #### gcloud alpha monitoring policies list > $PROJECT/services/monitoring.policies.$format + #### gcloud alpha monitoring 
channels list > $PROJECT/services/monitoring.channels.$format + #### gcloud alpha monitoring channel-descriptors list > $PROJECT/services/monitoring.channel-descriptors.$format ;; - oslogin.googleapis.com) + oslogin) echo TODO: Verify how OS Login is configured / audited ;; - bigquery-json.googleapis.com) + bigquery-json) echo TODO: Verify how Big Query is configured / audited ;; - storage-api.googleapis.com) - echo TODO: Add storage.buckets.get for auditors + storage-api) + echo TODO: $service needs storage.buckets.get for auditors echo ...to kubernetes_public_billing and any newer buckets... echo TODO: Ensure bucket-policy-only, for simplicity in Auditing # https://cloud.google.com/storage/docs/bucket-policy-only - mkdir -p buckets + mkdir -p $PROJECT/buckets for BUCKET in `gsutil ls -p $PROJECT | awk -F/ '{print $3}'` do #### gsutil bucketpolicyonly get gs://$BUCKET/ #### gsutil cors get gs://$BUCKET/ #### gsutil logging get gs://$BUCKET/ - gsutil iam get gs://$BUCKET/ > buckets/$PROJECT.$BUCKET.iam.json - gsutil ls -r gs://$BUCKET/ > buckets/$PROJECT.$BUCKET.txt + gsutil iam get gs://$BUCKET/ > $PROJECT/buckets/$BUCKET.iam.json + gsutil ls -r gs://$BUCKET/ > $PROJECT/buckets/$BUCKET.txt done ;; - storage-component.googleapis.com) + storage-component) ;; *) - echo ***** Unhandled Service ***** + echo "# Unhandled Service ${service} #" ;; esac done diff --git a/audit/k8s-infra-dev-cluster-turnup.policy.json b/audit/k8s-infra-dev-cluster-turnup/policy.json similarity index 89% rename from audit/k8s-infra-dev-cluster-turnup.policy.json rename to audit/k8s-infra-dev-cluster-turnup/policy.json index e6036cd7db5..70ff7c9b018 100644 --- a/audit/k8s-infra-dev-cluster-turnup.policy.json +++ b/audit/k8s-infra-dev-cluster-turnup/policy.json 
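Review bot: The `dns)` arm still runs `mkdir -p dns` even though both dns outputs now go to `$PROJECT/services/`, so every run leaves a stray empty `dns/` directory in the working tree; that line should be dropped. The new `$PROJECT`-based paths (`mkdir -p $PROJECT`, the `> $PROJECT/roles/$ROLE.json` and `> $PROJECT/buckets/$BUCKET.txt` redirects) are unquoted, and the value comes from `read PROJECT NUM` over `value(name, projectNumber)`, which word-splits, so a listed project name containing whitespace or glob characters would write into the wrong location — quoting, e.g. `mkdir -p "$PROJECT/services"`, costs nothing. The `sed s:.googleapis.com::` strip uses unescaped dots; `sed 's:\.googleapis\.com$::'` (or `${service%.googleapis.com}` inside the loop) matches exactly. The enclosing `while read PROJECT NUM` loop closes outside this hunk.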
@@ -18,6 +18,12 @@
 ],
 "role": "roles/compute.serviceAgent"
 },
+ {
+ "members": [
+ "serviceAccount:terraform@k8s-infra-dev-cluster-turnup.iam.gserviceaccount.com"
+ ],
+ "role": "roles/container.clusterAdmin"
+ },
 {
 "members": [
 "serviceAccount:service-396460694993@container-engine-robot.iam.gserviceaccount.com"
@@ -56,6 +62,6 @@
 "role": "roles/viewer"
 }
 ],
- "etag": "BwWLYUm4FJE=",
+ "etag": "BwWLYvXsn1M=",
 "version": 1
 }
diff --git a/audit/k8s-infra-dev-cluster-turnup.roles.json b/audit/k8s-infra-dev-cluster-turnup/roles.json
similarity index 100%
rename from audit/k8s-infra-dev-cluster-turnup.roles.json
rename to audit/k8s-infra-dev-cluster-turnup/roles.json
diff --git a/audit/k8s-infra-dev-cluster-turnup/roles/ServiceAccountLister.json b/audit/k8s-infra-dev-cluster-turnup/roles/ServiceAccountLister.json
new file mode 100644
index 00000000000..fa63b7c21ad
--- /dev/null
+++ b/audit/k8s-infra-dev-cluster-turnup/roles/ServiceAccountLister.json
@@ -0,0 +1,10 @@
+{
+ "description": "Can list ServiceAccounts.",
+ "etag": "BwWLKJVqdYA=",
+ "includedPermissions": [
+ "iam.serviceAccounts.list"
+ ],
+ "name": "projects/k8s-infra-dev-cluster-turnup/roles/ServiceAccountLister",
+ "stage": "GA",
+ "title": "Service Account Lister"
+}
diff --git a/audit/k8s-infra-dev-cluster-turnup.clusters.json b/audit/k8s-infra-dev-cluster-turnup/services/clusters.json
similarity index 100%
rename from audit/k8s-infra-dev-cluster-turnup.clusters.json
rename to audit/k8s-infra-dev-cluster-turnup/services/clusters.json
diff --git a/audit/k8s-infra-dev-cluster-turnup/services/dns.info.json b/audit/k8s-infra-dev-cluster-turnup/services/dns.info.json
new file mode 100644
index 00000000000..2035859c800
--- /dev/null
+++ b/audit/k8s-infra-dev-cluster-turnup/services/dns.info.json
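Review bot: The project-level `roles/container.clusterAdmin` grant to `serviceAccount:terraform@k8s-infra-dev-cluster-turnup.iam.gserviceaccount.com` lands in this dump with no reason or linked change recorded, so a secondary auditor cannot distinguish intended turnup work from drift; the PR description should name the issue or PR that added it and who holds credentials for that service account. Only this binding and the `etag` differ in the policy, and the dump is generated output, so the file itself needs no change. The same change also introduces a project custom role `ServiceAccountLister` limited to `iam.serviceAccounts.list`, which looks like auditor support but is equally undocumented in the PR.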
@@ -0,0 +1,49 @@ +{ + "id": "k8s-infra-dev-cluster-turnup", + "kind": "dns#project", + "number": "396460694993", + "quota": { + "dnsKeysPerManagedZone": 4, + "kind": "dns#quota", + "managedZones": 10000, + "managedZonesPerNetwork": 10000, + "networksPerManagedZone": 100, + "resourceRecordsPerRrset": 100, + "rrsetAdditionsPerChange": 1000, + "rrsetDeletionsPerChange": 1000, + "rrsetsPerManagedZone": 10000, + "totalRrdataSizePerChange": 100000, + "whitelistedKeySpecs": [ + { + "algorithm": "ecdsap256sha256", + "kind": "dns#dnsKeySpec" + }, + { + "algorithm": "ecdsap384sha384", + "kind": "dns#dnsKeySpec" + }, + { + "algorithm": "rsasha256", + "keyLength": 2048, + "kind": "dns#dnsKeySpec" + }, + { + "algorithm": "rsasha256", + "keyLength": 1024, + "keyType": "zoneSigning", + "kind": "dns#dnsKeySpec" + }, + { + "algorithm": "rsasha512", + "keyLength": 2048, + "kind": "dns#dnsKeySpec" + }, + { + "algorithm": "rsasha512", + "keyLength": 1024, + "keyType": "zoneSigning", + "kind": "dns#dnsKeySpec" + } + ] + } +} diff --git a/audit/k8s-infra-dev-cluster-turnup/services/dns.zones.json b/audit/k8s-infra-dev-cluster-turnup/services/dns.zones.json new file mode 100644 index 00000000000..fe51488c706 --- /dev/null +++ b/audit/k8s-infra-dev-cluster-turnup/services/dns.zones.json @@ -0,0 +1 @@ +[] diff --git a/audit/k8s-infra-dev-cluster-turnup.services.json b/audit/k8s-infra-dev-cluster-turnup/services/enabled.json similarity index 100% rename from audit/k8s-infra-dev-cluster-turnup.services.json rename to audit/k8s-infra-dev-cluster-turnup/services/enabled.json diff --git a/audit/kubernetes-public/buckets/kubernetes_public_billing.iam.json b/audit/kubernetes-public/buckets/kubernetes_public_billing.iam.json new file mode 100644 index 00000000000..b4c4fb5e65f --- /dev/null +++ b/audit/kubernetes-public/buckets/kubernetes_public_billing.iam.json 
@@ -0,0 +1,24 @@
+{
+ "bindings": [
+ {
+ "members": [
+ "projectEditor:kubernetes-public",
+ "projectOwner:kubernetes-public"
+ ],
+ "role": "roles/storage.legacyBucketOwner"
+ },
+ {
+ "members": [
+ "projectViewer:kubernetes-public"
+ ],
+ "role": "roles/storage.legacyBucketReader"
+ },
+ {
+ "members": [
+ "serviceAccount:509219875288-kscf0cheafmf4f6tp1auij5me8qakbin@developer.gserviceaccount.com"
+ ],
+ "role": "roles/storage.legacyBucketWriter"
+ }
+ ],
+ "etag": "CAU="
+}
diff --git a/audit/kubernetes-public/buckets/kubernetes_public_billing.txt b/audit/kubernetes-public/buckets/kubernetes_public_billing.txt
new file mode 100644
index 00000000000..a9528660674
--- /dev/null
+++ b/audit/kubernetes-public/buckets/kubernetes_public_billing.txt
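Review bot: The only IAM on `gs://kubernetes_public_billing` is the three `roles/storage.legacyBucket*` bindings on the `projectEditor:`/`projectOwner:`/`projectViewer:` convenience members, so access to the billing exports still follows whoever holds basic project roles rather than an explicit grant, and the script's `TODO: Ensure bucket-policy-only` is visibly not yet satisfied for this bucket. `gsutil iam get` does not report per-object ACLs, so this dump cannot say whether the individual billing CSVs are readable more widely than the bucket policy suggests; turning on bucket-policy-only would make the captured policy authoritative. The `legacyBucketWriter` grant to `serviceAccount:509219875288-kscf0cheafmf4f6tp1auij5me8qakbin@developer.gserviceaccount.com` is presumably the billing-export writer, but the PR should say so. Re-enabling the commented-out `gsutil bucketpolicyonly get gs://$BUCKET/` capture in audit.sh would let the next dump record that setting alongside the IAM.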
@@ -0,0 +1,156 @@ +gs://kubernetes_public_billing/billing--2019-01-10.csv +gs://kubernetes_public_billing/billing--2019-01-11.csv +gs://kubernetes_public_billing/billing--2019-01-12.csv +gs://kubernetes_public_billing/billing--2019-01-13.csv +gs://kubernetes_public_billing/billing--2019-01-14.csv +gs://kubernetes_public_billing/billing--2019-01-15.csv +gs://kubernetes_public_billing/billing--2019-01-16.csv +gs://kubernetes_public_billing/billing--2019-01-17.csv +gs://kubernetes_public_billing/billing--2019-01-18.csv +gs://kubernetes_public_billing/billing--2019-01-19.csv +gs://kubernetes_public_billing/billing--2019-01-20.csv +gs://kubernetes_public_billing/billing--2019-01-21.csv +gs://kubernetes_public_billing/billing--2019-01-22.csv +gs://kubernetes_public_billing/billing--2019-01-23.csv +gs://kubernetes_public_billing/billing--2019-01-24.csv +gs://kubernetes_public_billing/billing--2019-01-25.csv +gs://kubernetes_public_billing/billing--2019-01-26.csv +gs://kubernetes_public_billing/billing--2019-01-27.csv +gs://kubernetes_public_billing/billing--2019-01-28.csv +gs://kubernetes_public_billing/billing--2019-01-29.csv +gs://kubernetes_public_billing/billing--2019-01-30.csv +gs://kubernetes_public_billing/billing--2019-01-31.csv +gs://kubernetes_public_billing/billing--2019-02-01.csv +gs://kubernetes_public_billing/billing--2019-02-02.csv +gs://kubernetes_public_billing/billing--2019-02-03.csv +gs://kubernetes_public_billing/billing--2019-02-04.csv +gs://kubernetes_public_billing/billing--2019-02-05.csv +gs://kubernetes_public_billing/billing--2019-02-06.csv +gs://kubernetes_public_billing/billing--2019-02-07.csv +gs://kubernetes_public_billing/billing--2019-02-08.csv +gs://kubernetes_public_billing/billing--2019-02-09.csv +gs://kubernetes_public_billing/billing--2019-02-10.csv +gs://kubernetes_public_billing/billing--2019-02-11.csv +gs://kubernetes_public_billing/billing--2019-02-12.csv +gs://kubernetes_public_billing/billing--2019-02-13.csv 
+gs://kubernetes_public_billing/billing--2019-02-14.csv +gs://kubernetes_public_billing/billing--2019-02-15.csv +gs://kubernetes_public_billing/billing--2019-02-16.csv +gs://kubernetes_public_billing/billing--2019-02-17.csv +gs://kubernetes_public_billing/billing--2019-02-18.csv +gs://kubernetes_public_billing/billing--2019-02-19.csv +gs://kubernetes_public_billing/billing--2019-02-20.csv +gs://kubernetes_public_billing/billing--2019-02-21.csv +gs://kubernetes_public_billing/billing--2019-02-22.csv +gs://kubernetes_public_billing/billing--2019-02-23.csv +gs://kubernetes_public_billing/billing--2019-02-24.csv +gs://kubernetes_public_billing/billing--2019-02-25.csv +gs://kubernetes_public_billing/billing--2019-02-26.csv +gs://kubernetes_public_billing/billing--2019-02-27.csv +gs://kubernetes_public_billing/billing--2019-02-28.csv +gs://kubernetes_public_billing/billing--2019-03-01.csv +gs://kubernetes_public_billing/billing--2019-03-02.csv +gs://kubernetes_public_billing/billing--2019-03-03.csv +gs://kubernetes_public_billing/billing--2019-03-04.csv +gs://kubernetes_public_billing/billing--2019-03-05.csv +gs://kubernetes_public_billing/billing--2019-03-06.csv +gs://kubernetes_public_billing/billing--2019-03-07.csv +gs://kubernetes_public_billing/billing--2019-03-08.csv +gs://kubernetes_public_billing/billing--2019-03-09.csv +gs://kubernetes_public_billing/billing--2019-03-10.csv +gs://kubernetes_public_billing/billing--2019-03-11.csv +gs://kubernetes_public_billing/billing--2019-03-12.csv +gs://kubernetes_public_billing/billing--2019-03-13.csv +gs://kubernetes_public_billing/billing--2019-03-14.csv +gs://kubernetes_public_billing/billing--2019-03-15.csv +gs://kubernetes_public_billing/billing--2019-03-16.csv +gs://kubernetes_public_billing/billing--2019-03-17.csv +gs://kubernetes_public_billing/billing--2019-03-18.csv +gs://kubernetes_public_billing/billing--2019-03-19.csv +gs://kubernetes_public_billing/billing--2019-03-20.csv 
+gs://kubernetes_public_billing/billing--2019-03-21.csv +gs://kubernetes_public_billing/billing--2019-03-22.csv +gs://kubernetes_public_billing/billing--2019-03-23.csv +gs://kubernetes_public_billing/billing--2019-03-24.csv +gs://kubernetes_public_billing/billing--2019-03-25.csv +gs://kubernetes_public_billing/billing--2019-03-26.csv +gs://kubernetes_public_billing/billing--2019-03-27.csv +gs://kubernetes_public_billing/billing--2019-03-28.csv +gs://kubernetes_public_billing/billing--2019-03-29.csv +gs://kubernetes_public_billing/billing--2019-03-30.csv +gs://kubernetes_public_billing/billing--2019-03-31.csv +gs://kubernetes_public_billing/billing--2019-04-01.csv +gs://kubernetes_public_billing/billing--2019-04-02.csv +gs://kubernetes_public_billing/billing--2019-04-03.csv +gs://kubernetes_public_billing/billing--2019-04-04.csv +gs://kubernetes_public_billing/billing--2019-04-05.csv +gs://kubernetes_public_billing/billing--2019-04-06.csv +gs://kubernetes_public_billing/billing--2019-04-07.csv +gs://kubernetes_public_billing/billing--2019-04-08.csv +gs://kubernetes_public_billing/billing--2019-04-09.csv +gs://kubernetes_public_billing/billing--2019-04-10.csv +gs://kubernetes_public_billing/billing--2019-04-11.csv +gs://kubernetes_public_billing/billing--2019-04-12.csv +gs://kubernetes_public_billing/billing--2019-04-13.csv +gs://kubernetes_public_billing/billing--2019-04-14.csv +gs://kubernetes_public_billing/billing--2019-04-15.csv +gs://kubernetes_public_billing/billing--2019-04-16.csv +gs://kubernetes_public_billing/billing--2019-04-17.csv +gs://kubernetes_public_billing/billing--2019-04-18.csv +gs://kubernetes_public_billing/billing--2019-04-19.csv +gs://kubernetes_public_billing/billing--2019-04-20.csv +gs://kubernetes_public_billing/billing--2019-04-21.csv +gs://kubernetes_public_billing/billing--2019-04-22.csv +gs://kubernetes_public_billing/billing--2019-04-23.csv +gs://kubernetes_public_billing/billing--2019-04-24.csv 
+gs://kubernetes_public_billing/billing--2019-04-25.csv +gs://kubernetes_public_billing/billing--2019-04-26.csv +gs://kubernetes_public_billing/billing--2019-04-27.csv +gs://kubernetes_public_billing/billing--2019-04-28.csv +gs://kubernetes_public_billing/billing--2019-04-29.csv +gs://kubernetes_public_billing/billing--2019-04-30.csv +gs://kubernetes_public_billing/billing--2019-05-01.csv +gs://kubernetes_public_billing/billing--2019-05-02.csv +gs://kubernetes_public_billing/billing--2019-05-03.csv +gs://kubernetes_public_billing/billing--2019-05-04.csv +gs://kubernetes_public_billing/billing--2019-05-05.csv +gs://kubernetes_public_billing/billing--2019-05-06.csv +gs://kubernetes_public_billing/billing--2019-05-07.csv +gs://kubernetes_public_billing/billing--2019-05-08.csv +gs://kubernetes_public_billing/billing--2019-05-09.csv +gs://kubernetes_public_billing/billing--2019-05-10.csv +gs://kubernetes_public_billing/billing--2019-05-11.csv +gs://kubernetes_public_billing/billing--2019-05-12.csv +gs://kubernetes_public_billing/billing--2019-05-13.csv +gs://kubernetes_public_billing/billing--2019-05-14.csv +gs://kubernetes_public_billing/billing--2019-05-15.csv +gs://kubernetes_public_billing/billing--2019-05-16.csv +gs://kubernetes_public_billing/billing--2019-05-17.csv +gs://kubernetes_public_billing/billing--2019-05-18.csv +gs://kubernetes_public_billing/billing--2019-05-19.csv +gs://kubernetes_public_billing/billing--2019-05-20.csv +gs://kubernetes_public_billing/billing--2019-05-21.csv +gs://kubernetes_public_billing/billing--2019-05-22.csv +gs://kubernetes_public_billing/billing--2019-05-23.csv +gs://kubernetes_public_billing/billing--2019-05-24.csv +gs://kubernetes_public_billing/billing--2019-05-25.csv +gs://kubernetes_public_billing/billing--2019-05-26.csv +gs://kubernetes_public_billing/billing--2019-05-27.csv +gs://kubernetes_public_billing/billing--2019-05-28.csv +gs://kubernetes_public_billing/billing--2019-05-29.csv 
+gs://kubernetes_public_billing/billing--2019-05-30.csv +gs://kubernetes_public_billing/billing--2019-05-31.csv +gs://kubernetes_public_billing/billing--2019-06-01.csv +gs://kubernetes_public_billing/billing--2019-06-02.csv +gs://kubernetes_public_billing/billing--2019-06-03.csv +gs://kubernetes_public_billing/billing--2019-06-04.csv +gs://kubernetes_public_billing/billing--2019-06-05.csv +gs://kubernetes_public_billing/billing--2019-06-06.csv +gs://kubernetes_public_billing/billing--2019-06-07.csv +gs://kubernetes_public_billing/billing--2019-06-08.csv +gs://kubernetes_public_billing/billing--2019-06-09.csv +gs://kubernetes_public_billing/billing--2019-06-10.csv +gs://kubernetes_public_billing/billing--2019-06-11.csv +gs://kubernetes_public_billing/billing--2019-06-12.csv +gs://kubernetes_public_billing/billing--2019-06-13.csv +gs://kubernetes_public_billing/billing--2019-06-14.csv diff --git a/audit/kubernetes-public.policy.json b/audit/kubernetes-public/policy.json similarity index 100% rename from audit/kubernetes-public.policy.json rename to audit/kubernetes-public/policy.json diff --git a/audit/kubernetes-public.roles.json b/audit/kubernetes-public/roles.json similarity index 100% rename from audit/kubernetes-public.roles.json rename to audit/kubernetes-public/roles.json diff --git a/audit/kubernetes-public/roles/ServiceAccountLister.json b/audit/kubernetes-public/roles/ServiceAccountLister.json new file mode 100644 index 00000000000..291db59f931 --- /dev/null +++ b/audit/kubernetes-public/roles/ServiceAccountLister.json @@ -0,0 +1,10 @@ +{ + "description": "Can list ServiceAccounts.", + "etag": "BwV_JE8PWv4=", + "includedPermissions": [ + "iam.serviceAccounts.list" + ], + "name": "projects/kubernetes-public/roles/ServiceAccountLister", + "stage": "GA", + "title": "Service Account Lister" +} 
diff --git a/audit/kubernetes-public.clusters.json b/audit/kubernetes-public/services/clusters.json similarity index 100% rename from audit/kubernetes-public.clusters.json rename to audit/kubernetes-public/services/clusters.json diff --git a/audit/kubernetes-public/services/dns.info.json b/audit/kubernetes-public/services/dns.info.json new file mode 100644 index 00000000000..b1ae8ea5db3 --- /dev/null +++ b/audit/kubernetes-public/services/dns.info.json @@ -0,0 +1,49 @@ +{ + "id": "kubernetes-public", + "kind": "dns#project", + "number": "127754664067", + "quota": { + "dnsKeysPerManagedZone": 4, + "kind": "dns#quota", + "managedZones": 10000, + "managedZonesPerNetwork": 10000, + "networksPerManagedZone": 100, + "resourceRecordsPerRrset": 100, + "rrsetAdditionsPerChange": 1000, + "rrsetDeletionsPerChange": 1000, + "rrsetsPerManagedZone": 10000, + "totalRrdataSizePerChange": 100000, + "whitelistedKeySpecs": [ + { + "algorithm": "ecdsap256sha256", + "kind": "dns#dnsKeySpec" + }, + { + "algorithm": "ecdsap384sha384", + "kind": "dns#dnsKeySpec" + }, + { + "algorithm": "rsasha256", + "keyLength": 2048, + "kind": "dns#dnsKeySpec" + }, + { + "algorithm": "rsasha256", + "keyLength": 1024, + "keyType": "zoneSigning", + "kind": "dns#dnsKeySpec" + }, + { + "algorithm": "rsasha512", + "keyLength": 2048, + "kind": "dns#dnsKeySpec" + }, + { + "algorithm": "rsasha512", + "keyLength": 1024, + "keyType": "zoneSigning", + "kind": "dns#dnsKeySpec" + } + ] + } +} diff --git a/audit/kubernetes-public/services/dns.zones.json b/audit/kubernetes-public/services/dns.zones.json new file mode 100644 index 00000000000..8d288ff4359 --- /dev/null +++ b/audit/kubernetes-public/services/dns.zones.json 
@@ -0,0 +1,96 @@ +[ + { + "creationTime": "2018-10-09T16:18:27.446Z", + "description": "", + "dnsName": "canary.k8s.io.", + "id": "7690509341659612964", + "kind": "dns#managedZone", + "name": "canary-k8s-io", + "nameServers": [ + "ns-cloud-c1.googledomains.com.", + "ns-cloud-c2.googledomains.com.", + "ns-cloud-c3.googledomains.com.", + "ns-cloud-c4.googledomains.com." + ] + }, + { + "creationTime": "2018-10-09T16:19:40.004Z", + "description": "", + "dnsName": "canary.kubernetes.io.", + "id": "4193576254815248920", + "kind": "dns#managedZone", + "name": "canary-kubernetes-io", + "nameServers": [ + "ns-cloud-b1.googledomains.com.", + "ns-cloud-b2.googledomains.com.", + "ns-cloud-b3.googledomains.com.", + "ns-cloud-b4.googledomains.com." + ] + }, + { + "creationTime": "2018-09-07T15:08:37.689Z", + "description": "", + "dnsName": "k8s.io.", + "dnssecConfig": { + "defaultKeySpecs": [ + { + "algorithm": "rsasha256", + "keyLength": 2048, + "keyType": "keySigning", + "kind": "dns#dnsKeySpec" + }, + { + "algorithm": "rsasha256", + "keyLength": 1024, + "keyType": "zoneSigning", + "kind": "dns#dnsKeySpec" + } + ], + "kind": "dns#managedZoneDnsSecConfig", + "nonExistence": "nsec3", + "state": "off" + }, + "id": "8257163024921094127", + "kind": "dns#managedZone", + "name": "k8s-io", + "nameServers": [ + "ns-cloud-d1.googledomains.com.", + "ns-cloud-d2.googledomains.com.", + "ns-cloud-d3.googledomains.com.", + "ns-cloud-d4.googledomains.com." 
+ ] + }, + { + "creationTime": "2018-09-06T16:58:36.444Z", + "description": "", + "dnsName": "kubernetes.io.", + "dnssecConfig": { + "defaultKeySpecs": [ + { + "algorithm": "rsasha256", + "keyLength": 2048, + "keyType": "keySigning", + "kind": "dns#dnsKeySpec" + }, + { + "algorithm": "rsasha256", + "keyLength": 1024, + "keyType": "zoneSigning", + "kind": "dns#dnsKeySpec" + } + ], + "kind": "dns#managedZoneDnsSecConfig", + "nonExistence": "nsec3", + "state": "off" + }, + "id": "8283179273191389843", + "kind": "dns#managedZone", + "name": "kubernetes-io", + "nameServers": [ + "ns-cloud-a1.googledomains.com.", + "ns-cloud-a2.googledomains.com.", + "ns-cloud-a3.googledomains.com.", + "ns-cloud-a4.googledomains.com." + ] + } +] diff --git a/audit/kubernetes-public.services.json b/audit/kubernetes-public/services/enabled.json similarity index 100% rename from audit/kubernetes-public.services.json rename to audit/kubernetes-public/services/enabled.json From 122e4e5fd4a19bc83b16aa3ead2bae41b8781d33 Mon Sep 17 00:00:00 2001 
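Review bot: Both apex zones in this dump, `k8s.io.` and `kubernetes.io.`, carry a `dnssecConfig` with `"state": "off"`, and the two `canary.*` zones have no `dnssecConfig` at all, so none of the project's zones is signed; that is a finding the audit PR should record and track, not just commit. If signing is later enabled, note that the captured `defaultKeySpecs` use a 1024-bit `rsasha256` zone-signing key, whereas the project's `dns.info.json` lists `ecdsap256sha256` as a permitted spec; the key length is what the dump shows, the preference for the ECDSA option is an assessment. The file is generated output, so nothing in it needs to change.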
From: Hippie Hacker Date: Thu, 11 Jul 2019 05:31:37 +1200 Subject: [PATCH 7/7] Updating for 11th of July --- audit/cncf-org.policy.json | 40 ++- audit/cncf-org.roles.json | 9 - ...s-artifacts-graveyard.appspot.com.iam.json | 33 ++ ...ts.k8s-artifacts-graveyard.appspot.com.txt | 0 ...s-artifacts-graveyard.appspot.com.iam.json | 33 ++ ...ts.k8s-artifacts-graveyard.appspot.com.txt | 0 ...s-artifacts-graveyard.appspot.com.iam.json | 33 ++ ...ts.k8s-artifacts-graveyard.appspot.com.txt | 0 audit/k8s-artifacts-graveyard/policy.json | 44 +++ audit/k8s-artifacts-graveyard/roles.json | 1 + .../services/clusters.json | 1 + .../services/enabled.json | 328 ++++++++++++++++++ ...ts.k8s-artifacts-prod.appspot.com.iam.json | 33 ++ ...tifacts.k8s-artifacts-prod.appspot.com.txt | 0 ...ts.k8s-artifacts-prod.appspot.com.iam.json | 33 ++ ...tifacts.k8s-artifacts-prod.appspot.com.txt | 0 .../buckets/k8s-artifacts-prod.iam.json | 31 ++ .../buckets/k8s-artifacts-prod.txt | 114 ++++++ ...ts.k8s-artifacts-prod.appspot.com.iam.json | 33 ++ ...tifacts.k8s-artifacts-prod.appspot.com.txt | 0 audit/k8s-artifacts-prod/policy.json | 45 +++ audit/k8s-artifacts-prod/roles.json | 1 + .../k8s-artifacts-prod/services/clusters.json | 1 + .../k8s-artifacts-prod/services/enabled.json | 328 ++++++++++++++++++ ...cts.k8s-cip-test-prod.appspot.com.iam.json | 35 ++ ...rtifacts.k8s-cip-test-prod.appspot.com.txt | 0 ...cts.k8s-cip-test-prod.appspot.com.iam.json | 35 ++ ...rtifacts.k8s-cip-test-prod.appspot.com.txt | 0 ...cts.k8s-cip-test-prod.appspot.com.iam.json | 35 ++ ...rtifacts.k8s-cip-test-prod.appspot.com.txt | 0 audit/k8s-cip-test-prod/policy.json | 44 +++ audit/k8s-cip-test-prod/roles.json | 1 + .../k8s-cip-test-prod/services/clusters.json | 1 + audit/k8s-cip-test-prod/services/enabled.json | 328 ++++++++++++++++++ audit/k8s-gsuite/policy.json | 13 + audit/k8s-gsuite/roles.json | 1 + audit/k8s-gsuite/services/enabled.json | 40 +++ .../k8s-infra-dev-cluster-turnup/policy.json | 39 +-- 
.../services/enabled.json | 37 +- ...k8s-release-test-prod.appspot.com.iam.json | 35 ++ ...acts.k8s-release-test-prod.appspot.com.txt | 0 ...k8s-release-test-prod.appspot.com.iam.json | 35 ++ ...acts.k8s-release-test-prod.appspot.com.txt | 0 ...k8s-release-test-prod.appspot.com.iam.json | 35 ++ ...acts.k8s-release-test-prod.appspot.com.txt | 2 + audit/k8s-release-test-prod/policy.json | 39 +++ audit/k8s-release-test-prod/roles.json | 1 + .../services/clusters.json | 1 + .../services/enabled.json | 112 ++++++ .../k8s-sig-release-prototype.iam.json | 43 +++ .../buckets/k8s-sig-release-prototype.txt | 1 + audit/k8s-sig-release-prototype/policy.json | 25 ++ audit/k8s-sig-release-prototype/roles.json | 1 + .../services/clusters.json | 1 + .../services/enabled.json | 255 ++++++++++++++ ...s-staging-build-image.appspot.com.iam.json | 33 ++ ...ts.k8s-staging-build-image.appspot.com.txt | 18 + .../buckets/k8s-staging-build-image.iam.json | 33 ++ .../buckets/k8s-staging-build-image.txt | 0 audit/k8s-staging-build-image/policy.json | 24 ++ audit/k8s-staging-build-image/roles.json | 1 + .../services/enabled.json | 75 ++++ ....k8s-staging-cip-test.appspot.com.iam.json | 33 ++ ...facts.k8s-staging-cip-test.appspot.com.txt | 8 + .../buckets/k8s-staging-cip-test.iam.json | 33 ++ .../buckets/k8s-staging-cip-test.txt | 0 audit/k8s-staging-cip-test/policy.json | 32 ++ audit/k8s-staging-cip-test/roles.json | 1 + .../services/clusters.json | 1 + .../services/enabled.json | 292 ++++++++++++++++ ...aging-cluster-api-aws.appspot.com.iam.json | 33 ++ ...8s-staging-cluster-api-aws.appspot.com.txt | 7 + .../k8s-staging-cluster-api-aws.iam.json | 33 ++ .../buckets/k8s-staging-cluster-api-aws.txt | 0 audit/k8s-staging-cluster-api-aws/policy.json | 24 ++ audit/k8s-staging-cluster-api-aws/roles.json | 1 + .../services/enabled.json | 75 ++++ ...s-staging-cluster-api.appspot.com.iam.json | 33 ++ ...ts.k8s-staging-cluster-api.appspot.com.txt | 9 + .../buckets/k8s-staging-cluster-api.iam.json | 33 
++ .../buckets/k8s-staging-cluster-api.txt | 0 audit/k8s-staging-cluster-api/policy.json | 32 ++ audit/k8s-staging-cluster-api/roles.json | 1 + .../services/clusters.json | 1 + .../services/enabled.json | 292 ++++++++++++++++ ...s.k8s-staging-coredns.appspot.com.iam.json | 33 ++ ...ifacts.k8s-staging-coredns.appspot.com.txt | 0 .../buckets/k8s-staging-coredns.iam.json | 33 ++ .../buckets/k8s-staging-coredns.txt | 0 audit/k8s-staging-coredns/policy.json | 44 +++ audit/k8s-staging-coredns/roles.json | 1 + .../services/clusters.json | 1 + .../k8s-staging-coredns/services/enabled.json | 328 ++++++++++++++++++ ...facts.k8s-staging-csi.appspot.com.iam.json | 33 ++ .../artifacts.k8s-staging-csi.appspot.com.txt | 4 + .../buckets/k8s-staging-csi.iam.json | 33 ++ .../buckets/k8s-staging-csi.txt | 0 audit/k8s-staging-csi/policy.json | 32 ++ audit/k8s-staging-csi/roles.json | 1 + audit/k8s-staging-csi/services/clusters.json | 1 + audit/k8s-staging-csi/services/enabled.json | 292 ++++++++++++++++ ...acts.k8s-staging-kops.appspot.com.iam.json | 33 ++ ...artifacts.k8s-staging-kops.appspot.com.txt | 0 .../buckets/k8s-staging-kops.iam.json | 33 ++ .../buckets/k8s-staging-kops.txt | 0 audit/k8s-staging-kops/policy.json | 24 ++ audit/k8s-staging-kops/roles.json | 1 + audit/k8s-staging-kops/services/enabled.json | 255 ++++++++++++++ ...taging-publishing-bot.appspot.com.iam.json | 33 ++ ...k8s-staging-publishing-bot.appspot.com.txt | 0 .../k8s-staging-publishing-bot.iam.json | 33 ++ .../buckets/k8s-staging-publishing-bot.txt | 0 audit/k8s-staging-publishing-bot/policy.json | 24 ++ audit/k8s-staging-publishing-bot/roles.json | 1 + .../services/enabled.json | 75 ++++ ...-staging-release-test.appspot.com.iam.json | 33 ++ ...s.k8s-staging-release-test.appspot.com.txt | 0 .../buckets/k8s-staging-release-test.iam.json | 33 ++ .../buckets/k8s-staging-release-test.txt | 0 audit/k8s-staging-release-test/policy.json | 24 ++ audit/k8s-staging-release-test/roles.json | 1 + 
.../services/enabled.json | 75 ++++ .../buckets/kubernetes_public_billing.txt | 25 ++ audit/kubernetes-public/policy.json | 5 +- .../kubernetes-public/services/clusters.json | 4 +- audit/kubernetes-public/services/enabled.json | 92 +++++ audit/log.mkd | 264 ++++++++++++++ 127 files changed, 5345 insertions(+), 53 deletions(-) create mode 100644 audit/k8s-artifacts-graveyard/buckets/asia.artifacts.k8s-artifacts-graveyard.appspot.com.iam.json create mode 100644 audit/k8s-artifacts-graveyard/buckets/asia.artifacts.k8s-artifacts-graveyard.appspot.com.txt create mode 100644 audit/k8s-artifacts-graveyard/buckets/eu.artifacts.k8s-artifacts-graveyard.appspot.com.iam.json create mode 100644 audit/k8s-artifacts-graveyard/buckets/eu.artifacts.k8s-artifacts-graveyard.appspot.com.txt create mode 100644 audit/k8s-artifacts-graveyard/buckets/us.artifacts.k8s-artifacts-graveyard.appspot.com.iam.json create mode 100644 audit/k8s-artifacts-graveyard/buckets/us.artifacts.k8s-artifacts-graveyard.appspot.com.txt create mode 100644 audit/k8s-artifacts-graveyard/policy.json create mode 100644 audit/k8s-artifacts-graveyard/roles.json create mode 100644 audit/k8s-artifacts-graveyard/services/clusters.json create mode 100644 audit/k8s-artifacts-graveyard/services/enabled.json create mode 100644 audit/k8s-artifacts-prod/buckets/asia.artifacts.k8s-artifacts-prod.appspot.com.iam.json create mode 100644 audit/k8s-artifacts-prod/buckets/asia.artifacts.k8s-artifacts-prod.appspot.com.txt create mode 100644 audit/k8s-artifacts-prod/buckets/eu.artifacts.k8s-artifacts-prod.appspot.com.iam.json create mode 100644 audit/k8s-artifacts-prod/buckets/eu.artifacts.k8s-artifacts-prod.appspot.com.txt create mode 100644 audit/k8s-artifacts-prod/buckets/k8s-artifacts-prod.iam.json create mode 100644 audit/k8s-artifacts-prod/buckets/k8s-artifacts-prod.txt create mode 100644 audit/k8s-artifacts-prod/buckets/us.artifacts.k8s-artifacts-prod.appspot.com.iam.json create mode 100644 
audit/k8s-artifacts-prod/buckets/us.artifacts.k8s-artifacts-prod.appspot.com.txt create mode 100644 audit/k8s-artifacts-prod/policy.json create mode 100644 audit/k8s-artifacts-prod/roles.json create mode 100644 audit/k8s-artifacts-prod/services/clusters.json create mode 100644 audit/k8s-artifacts-prod/services/enabled.json create mode 100644 audit/k8s-cip-test-prod/buckets/asia.artifacts.k8s-cip-test-prod.appspot.com.iam.json create mode 100644 audit/k8s-cip-test-prod/buckets/asia.artifacts.k8s-cip-test-prod.appspot.com.txt create mode 100644 audit/k8s-cip-test-prod/buckets/eu.artifacts.k8s-cip-test-prod.appspot.com.iam.json create mode 100644 audit/k8s-cip-test-prod/buckets/eu.artifacts.k8s-cip-test-prod.appspot.com.txt create mode 100644 audit/k8s-cip-test-prod/buckets/us.artifacts.k8s-cip-test-prod.appspot.com.iam.json create mode 100644 audit/k8s-cip-test-prod/buckets/us.artifacts.k8s-cip-test-prod.appspot.com.txt create mode 100644 audit/k8s-cip-test-prod/policy.json create mode 100644 audit/k8s-cip-test-prod/roles.json create mode 100644 audit/k8s-cip-test-prod/services/clusters.json create mode 100644 audit/k8s-cip-test-prod/services/enabled.json create mode 100644 audit/k8s-gsuite/policy.json create mode 100644 audit/k8s-gsuite/roles.json create mode 100644 audit/k8s-gsuite/services/enabled.json create mode 100644 audit/k8s-release-test-prod/buckets/asia.artifacts.k8s-release-test-prod.appspot.com.iam.json create mode 100644 audit/k8s-release-test-prod/buckets/asia.artifacts.k8s-release-test-prod.appspot.com.txt create mode 100644 audit/k8s-release-test-prod/buckets/eu.artifacts.k8s-release-test-prod.appspot.com.iam.json create mode 100644 audit/k8s-release-test-prod/buckets/eu.artifacts.k8s-release-test-prod.appspot.com.txt create mode 100644 audit/k8s-release-test-prod/buckets/us.artifacts.k8s-release-test-prod.appspot.com.iam.json create mode 100644 audit/k8s-release-test-prod/buckets/us.artifacts.k8s-release-test-prod.appspot.com.txt create mode 100644 
audit/k8s-release-test-prod/policy.json create mode 100644 audit/k8s-release-test-prod/roles.json create mode 100644 audit/k8s-release-test-prod/services/clusters.json create mode 100644 audit/k8s-release-test-prod/services/enabled.json create mode 100644 audit/k8s-sig-release-prototype/buckets/k8s-sig-release-prototype.iam.json create mode 100644 audit/k8s-sig-release-prototype/buckets/k8s-sig-release-prototype.txt create mode 100644 audit/k8s-sig-release-prototype/policy.json create mode 100644 audit/k8s-sig-release-prototype/roles.json create mode 100644 audit/k8s-sig-release-prototype/services/clusters.json create mode 100644 audit/k8s-sig-release-prototype/services/enabled.json create mode 100644 audit/k8s-staging-build-image/buckets/artifacts.k8s-staging-build-image.appspot.com.iam.json create mode 100644 audit/k8s-staging-build-image/buckets/artifacts.k8s-staging-build-image.appspot.com.txt create mode 100644 audit/k8s-staging-build-image/buckets/k8s-staging-build-image.iam.json create mode 100644 audit/k8s-staging-build-image/buckets/k8s-staging-build-image.txt create mode 100644 audit/k8s-staging-build-image/policy.json create mode 100644 audit/k8s-staging-build-image/roles.json create mode 100644 audit/k8s-staging-build-image/services/enabled.json create mode 100644 audit/k8s-staging-cip-test/buckets/artifacts.k8s-staging-cip-test.appspot.com.iam.json create mode 100644 audit/k8s-staging-cip-test/buckets/artifacts.k8s-staging-cip-test.appspot.com.txt create mode 100644 audit/k8s-staging-cip-test/buckets/k8s-staging-cip-test.iam.json create mode 100644 audit/k8s-staging-cip-test/buckets/k8s-staging-cip-test.txt create mode 100644 audit/k8s-staging-cip-test/policy.json create mode 100644 audit/k8s-staging-cip-test/roles.json create mode 100644 audit/k8s-staging-cip-test/services/clusters.json create mode 100644 audit/k8s-staging-cip-test/services/enabled.json create mode 100644 
audit/k8s-staging-cluster-api-aws/buckets/artifacts.k8s-staging-cluster-api-aws.appspot.com.iam.json create mode 100644 audit/k8s-staging-cluster-api-aws/buckets/artifacts.k8s-staging-cluster-api-aws.appspot.com.txt create mode 100644 audit/k8s-staging-cluster-api-aws/buckets/k8s-staging-cluster-api-aws.iam.json create mode 100644 audit/k8s-staging-cluster-api-aws/buckets/k8s-staging-cluster-api-aws.txt create mode 100644 audit/k8s-staging-cluster-api-aws/policy.json create mode 100644 audit/k8s-staging-cluster-api-aws/roles.json create mode 100644 audit/k8s-staging-cluster-api-aws/services/enabled.json create mode 100644 audit/k8s-staging-cluster-api/buckets/artifacts.k8s-staging-cluster-api.appspot.com.iam.json create mode 100644 audit/k8s-staging-cluster-api/buckets/artifacts.k8s-staging-cluster-api.appspot.com.txt create mode 100644 audit/k8s-staging-cluster-api/buckets/k8s-staging-cluster-api.iam.json create mode 100644 audit/k8s-staging-cluster-api/buckets/k8s-staging-cluster-api.txt create mode 100644 audit/k8s-staging-cluster-api/policy.json create mode 100644 audit/k8s-staging-cluster-api/roles.json create mode 100644 audit/k8s-staging-cluster-api/services/clusters.json create mode 100644 audit/k8s-staging-cluster-api/services/enabled.json create mode 100644 audit/k8s-staging-coredns/buckets/artifacts.k8s-staging-coredns.appspot.com.iam.json create mode 100644 audit/k8s-staging-coredns/buckets/artifacts.k8s-staging-coredns.appspot.com.txt create mode 100644 audit/k8s-staging-coredns/buckets/k8s-staging-coredns.iam.json create mode 100644 audit/k8s-staging-coredns/buckets/k8s-staging-coredns.txt create mode 100644 audit/k8s-staging-coredns/policy.json create mode 100644 audit/k8s-staging-coredns/roles.json create mode 100644 audit/k8s-staging-coredns/services/clusters.json create mode 100644 audit/k8s-staging-coredns/services/enabled.json create mode 100644 audit/k8s-staging-csi/buckets/artifacts.k8s-staging-csi.appspot.com.iam.json create mode 100644 
audit/k8s-staging-csi/buckets/artifacts.k8s-staging-csi.appspot.com.txt create mode 100644 audit/k8s-staging-csi/buckets/k8s-staging-csi.iam.json create mode 100644 audit/k8s-staging-csi/buckets/k8s-staging-csi.txt create mode 100644 audit/k8s-staging-csi/policy.json create mode 100644 audit/k8s-staging-csi/roles.json create mode 100644 audit/k8s-staging-csi/services/clusters.json create mode 100644 audit/k8s-staging-csi/services/enabled.json create mode 100644 audit/k8s-staging-kops/buckets/artifacts.k8s-staging-kops.appspot.com.iam.json create mode 100644 audit/k8s-staging-kops/buckets/artifacts.k8s-staging-kops.appspot.com.txt create mode 100644 audit/k8s-staging-kops/buckets/k8s-staging-kops.iam.json create mode 100644 audit/k8s-staging-kops/buckets/k8s-staging-kops.txt create mode 100644 audit/k8s-staging-kops/policy.json create mode 100644 audit/k8s-staging-kops/roles.json create mode 100644 audit/k8s-staging-kops/services/enabled.json create mode 100644 audit/k8s-staging-publishing-bot/buckets/artifacts.k8s-staging-publishing-bot.appspot.com.iam.json create mode 100644 audit/k8s-staging-publishing-bot/buckets/artifacts.k8s-staging-publishing-bot.appspot.com.txt create mode 100644 audit/k8s-staging-publishing-bot/buckets/k8s-staging-publishing-bot.iam.json create mode 100644 audit/k8s-staging-publishing-bot/buckets/k8s-staging-publishing-bot.txt create mode 100644 audit/k8s-staging-publishing-bot/policy.json create mode 100644 audit/k8s-staging-publishing-bot/roles.json create mode 100644 audit/k8s-staging-publishing-bot/services/enabled.json create mode 100644 audit/k8s-staging-release-test/buckets/artifacts.k8s-staging-release-test.appspot.com.iam.json create mode 100644 audit/k8s-staging-release-test/buckets/artifacts.k8s-staging-release-test.appspot.com.txt create mode 100644 audit/k8s-staging-release-test/buckets/k8s-staging-release-test.iam.json create mode 100644 audit/k8s-staging-release-test/buckets/k8s-staging-release-test.txt create mode 100644 
audit/k8s-staging-release-test/policy.json create mode 100644 audit/k8s-staging-release-test/roles.json create mode 100644 audit/k8s-staging-release-test/services/enabled.json create mode 100644 audit/log.mkd diff --git a/audit/cncf-org.policy.json b/audit/cncf-org.policy.json index aa830f889c5..ffa8f2171bf 100644 --- a/audit/cncf-org.policy.json +++ b/audit/cncf-org.policy.json @@ -6,6 +6,12 @@ ], "role": "organizations/758905017065/roles/CustomRole" }, + { + "members": [ + "group:k8s-infra-gcp-auditors@kubernetes.io" + ], + "role": "organizations/758905017065/roles/StorageBucketLister" + }, { "members": [ "user:ihor@cncf.io", @@ -22,6 +28,18 @@ ], "role": "roles/billing.creator" }, + { + "members": [ + "user:davanum@gmail.com" + ], + "role": "roles/billing.user" + }, + { + "members": [ + "group:k8s-infra-gcp-auditors@kubernetes.io" + ], + "role": "roles/compute.viewer" + }, { "members": [ "user:thockin@google.com" @@ -34,6 +52,13 @@ ], "role": "roles/iam.securityReviewer" }, + { + "members": [ + "user:davanum@gmail.com", + "user:thockin@google.com" + ], + "role": "roles/owner" + }, { "members": [ "user:domain-admin-lf@kubernetes.io", @@ -43,9 +68,16 @@ ], "role": "roles/resourcemanager.organizationAdmin" }, + { + "members": [ + "group:k8s-infra-gcp-auditors@kubernetes.io" + ], + "role": "roles/resourcemanager.organizationViewer" + }, { "members": [ "domain:kubernetes.io", + "user:davanum@gmail.com", "user:thockin@google.com" ], "role": "roles/resourcemanager.projectCreator" @@ -55,8 +87,14 @@ "user:thockin@google.com" ], "role": "roles/resourcemanager.projectDeleter" + }, + { + "members": [ + "group:k8s-infra-gcp-auditors@kubernetes.io" + ], + "role": "roles/serviceusage.serviceUsageConsumer" } ], - "etag": "BwWLI_mG-qA=", + "etag": "BwWNMJpajmE=", "version": 1 } diff --git a/audit/cncf-org.roles.json b/audit/cncf-org.roles.json index d9b947c5317..e69de29bb2d 100644 --- a/audit/cncf-org.roles.json +++ b/audit/cncf-org.roles.json 
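Review bot: The third hunk of `cncf-org.policy.json` records a new `roles/owner` binding on organization `758905017065` for two individual `user:` identities, one of them the consumer account `user:davanum@gmail.com` outside the kubernetes.io domain, and the same account is added to `roles/billing.user` and `roles/resourcemanager.projectCreator` in the second and fourth hunks, whereas every other new grant in this file goes to `group:k8s-infra-gcp-auditors@kubernetes.io`. Organization-level owner is the broadest grant in the resource hierarchy and is normally bound to a managed group whose membership can be reviewed and revoked in one place; since this file is a dump the remediation is on the org side, but the audit should record who approved the grant and why (the `audit/log.mkd` this commit adds looks like the place for that). Separately, the next hunk empties `cncf-org.roles.json` to a zero-byte file (blob `e69de29bb2d`) while this policy still binds `organizations/758905017065/roles/CustomRole`; the other `roles.json` files in this commit serialize "no roles" as `[]`, so a zero-byte file more plausibly means the role listing failed (for example a permission the auditors group lacks) than that the role was deleted, and the dump script should stop on that rather than commit an empty file — `audit.sh` is not in this chunk, so that part is inferred.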
@@ -1,9 +0,0 @@ -[ - { - "description": "Can view billing info", - "etag": "BwWLI_e8Xyo=", - "name": "organizations/758905017065/roles/CustomRole", - "stage": "GA", - "title": "Billing Viewer" - } -] diff --git a/audit/k8s-artifacts-graveyard/buckets/asia.artifacts.k8s-artifacts-graveyard.appspot.com.iam.json b/audit/k8s-artifacts-graveyard/buckets/asia.artifacts.k8s-artifacts-graveyard.appspot.com.iam.json new file mode 100644 index 00000000000..1b29864df1f --- /dev/null +++ b/audit/k8s-artifacts-graveyard/buckets/asia.artifacts.k8s-artifacts-graveyard.appspot.com.iam.json @@ -0,0 +1,33 @@ +{ + "bindings": [ + { + "members": [ + "group:k8s-infra-artifact-admins@kubernetes.io", + "projectEditor:k8s-artifacts-graveyard", + "projectOwner:k8s-artifacts-graveyard", + "serviceAccount:k8s-infra-gcr-promoter@k8s-artifacts-graveyard.iam.gserviceaccount.com" + ], + "role": "roles/storage.legacyBucketOwner" + }, + { + "members": [ + "projectViewer:k8s-artifacts-graveyard" + ], + "role": "roles/storage.legacyBucketReader" + }, + { + "members": [ + "group:k8s-infra-artifact-admins@kubernetes.io", + "serviceAccount:k8s-infra-gcr-promoter@k8s-artifacts-graveyard.iam.gserviceaccount.com" + ], + "role": "roles/storage.objectAdmin" + }, + { + "members": [ + "allUsers" + ], + "role": "roles/storage.objectViewer" + } + ], + "etag": "CA8=" +} diff --git a/audit/k8s-artifacts-graveyard/buckets/asia.artifacts.k8s-artifacts-graveyard.appspot.com.txt b/audit/k8s-artifacts-graveyard/buckets/asia.artifacts.k8s-artifacts-graveyard.appspot.com.txt new file mode 100644 index 00000000000..e69de29bb2d diff --git a/audit/k8s-artifacts-graveyard/buckets/eu.artifacts.k8s-artifacts-graveyard.appspot.com.iam.json b/audit/k8s-artifacts-graveyard/buckets/eu.artifacts.k8s-artifacts-graveyard.appspot.com.iam.json new file mode 100644 index 00000000000..1b29864df1f --- /dev/null +++ b/audit/k8s-artifacts-graveyard/buckets/eu.artifacts.k8s-artifacts-graveyard.appspot.com.iam.json 
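Review bot: In the `asia.artifacts.k8s-artifacts-graveyard.appspot.com.iam.json` hunk, `roles/storage.legacyBucketOwner` is bound to the convenience members `projectEditor:k8s-artifacts-graveyard` and `projectOwner:k8s-artifacts-graveyard`, so every identity holding `roles/editor` on the project — in the project policy hunk later in this diff that is the default compute service account, the cloudservices account and the Container Registry agent — can create and delete objects and change the bucket's IAM policy, while `allUsers` reads every object through `roles/storage.objectViewer`. For a publicly served registry bucket the write set should be the explicit `group:k8s-infra-artifact-admins@kubernetes.io` group and the promoter service account already listed under `roles/storage.objectAdmin`, with the legacy convenience bindings removed and the `allUsers` read grant recorded as an intentional exception in the audit. The same binding set recurs on the `eu.` and `us.` buckets on L81 and L82 and on the `k8s-artifacts-prod` buckets on L90, L91 and L96. The companion `.txt` object listings for these registry buckets are committed as zero-byte files (blob `e69de29bb2d`), which cannot be told apart from a listing that failed; the dump would be more trustworthy if an empty listing were written as an explicit marker or the failure surfaced.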
@@ -0,0 +1,33 @@ +{ + "bindings": [ + { + "members": [ + "group:k8s-infra-artifact-admins@kubernetes.io", + "projectEditor:k8s-artifacts-graveyard", + "projectOwner:k8s-artifacts-graveyard", + "serviceAccount:k8s-infra-gcr-promoter@k8s-artifacts-graveyard.iam.gserviceaccount.com" + ], + "role": "roles/storage.legacyBucketOwner" + }, + { + "members": [ + "projectViewer:k8s-artifacts-graveyard" + ], + "role": "roles/storage.legacyBucketReader" + }, + { + "members": [ + "group:k8s-infra-artifact-admins@kubernetes.io", + "serviceAccount:k8s-infra-gcr-promoter@k8s-artifacts-graveyard.iam.gserviceaccount.com" + ], + "role": "roles/storage.objectAdmin" + }, + { + "members": [ + "allUsers" + ], + "role": "roles/storage.objectViewer" + } + ], + "etag": "CA8=" +} diff --git a/audit/k8s-artifacts-graveyard/buckets/eu.artifacts.k8s-artifacts-graveyard.appspot.com.txt b/audit/k8s-artifacts-graveyard/buckets/eu.artifacts.k8s-artifacts-graveyard.appspot.com.txt new file mode 100644 index 00000000000..e69de29bb2d diff --git a/audit/k8s-artifacts-graveyard/buckets/us.artifacts.k8s-artifacts-graveyard.appspot.com.iam.json b/audit/k8s-artifacts-graveyard/buckets/us.artifacts.k8s-artifacts-graveyard.appspot.com.iam.json new file mode 100644 index 00000000000..1b29864df1f --- /dev/null +++ b/audit/k8s-artifacts-graveyard/buckets/us.artifacts.k8s-artifacts-graveyard.appspot.com.iam.json 
@@ -0,0 +1,33 @@ +{ + "bindings": [ + { + "members": [ + "group:k8s-infra-artifact-admins@kubernetes.io", + "projectEditor:k8s-artifacts-graveyard", + "projectOwner:k8s-artifacts-graveyard", + "serviceAccount:k8s-infra-gcr-promoter@k8s-artifacts-graveyard.iam.gserviceaccount.com" + ], + "role": "roles/storage.legacyBucketOwner" + }, + { + "members": [ + "projectViewer:k8s-artifacts-graveyard" + ], + "role": "roles/storage.legacyBucketReader" + }, + { + "members": [ + "group:k8s-infra-artifact-admins@kubernetes.io", + "serviceAccount:k8s-infra-gcr-promoter@k8s-artifacts-graveyard.iam.gserviceaccount.com" + ], + "role": "roles/storage.objectAdmin" + }, + { + "members": [ + "allUsers" + ], + "role": "roles/storage.objectViewer" + } + ], + "etag": "CA8=" +} diff --git a/audit/k8s-artifacts-graveyard/buckets/us.artifacts.k8s-artifacts-graveyard.appspot.com.txt b/audit/k8s-artifacts-graveyard/buckets/us.artifacts.k8s-artifacts-graveyard.appspot.com.txt new file mode 100644 index 00000000000..e69de29bb2d diff --git a/audit/k8s-artifacts-graveyard/policy.json b/audit/k8s-artifacts-graveyard/policy.json new file mode 100644 index 00000000000..c22b1c8d8e3 --- /dev/null +++ b/audit/k8s-artifacts-graveyard/policy.json 
@@ -0,0 +1,44 @@ +{ + "bindings": [ + { + "members": [ + "serviceAccount:service-969606857874@compute-system.iam.gserviceaccount.com" + ], + "role": "roles/compute.serviceAgent" + }, + { + "members": [ + "serviceAccount:service-969606857874@container-analysis.iam.gserviceaccount.com" + ], + "role": "roles/containeranalysis.ServiceAgent" + }, + { + "members": [ + "serviceAccount:service-969606857874@gcp-sa-containerscanning.iam.gserviceaccount.com" + ], + "role": "roles/containerscanning.ServiceAgent" + }, + { + "members": [ + "serviceAccount:969606857874-compute@developer.gserviceaccount.com", + "serviceAccount:969606857874@cloudservices.gserviceaccount.com", + "serviceAccount:service-969606857874@containerregistry.iam.gserviceaccount.com" + ], + "role": "roles/editor" + }, + { + "members": [ + "user:thockin@google.com" + ], + "role": "roles/owner" + }, + { + "members": [ + "group:k8s-infra-artifact-admins@kubernetes.io" + ], + "role": "roles/viewer" + } + ], + "etag": "BwWNSetARfs=", + "version": 1 +} diff --git a/audit/k8s-artifacts-graveyard/roles.json b/audit/k8s-artifacts-graveyard/roles.json new file mode 100644 index 00000000000..fe51488c706 --- /dev/null +++ b/audit/k8s-artifacts-graveyard/roles.json @@ -0,0 +1 @@ +[] diff --git a/audit/k8s-artifacts-graveyard/services/clusters.json b/audit/k8s-artifacts-graveyard/services/clusters.json new file mode 100644 index 00000000000..fe51488c706 --- /dev/null +++ b/audit/k8s-artifacts-graveyard/services/clusters.json @@ -0,0 +1 @@ +[] diff --git a/audit/k8s-artifacts-graveyard/services/enabled.json b/audit/k8s-artifacts-graveyard/services/enabled.json new file mode 100644 index 00000000000..f8c9e67e816 --- /dev/null +++ b/audit/k8s-artifacts-graveyard/services/enabled.json 
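Review bot: The `k8s-artifacts-graveyard/policy.json` hunk records `roles/editor` on the project for `serviceAccount:969606857874-compute@developer.gserviceaccount.com` and `serviceAccount:969606857874@cloudservices.gserviceaccount.com`, and `roles/owner` for a single individual `user:` identity, while the `k8s-infra-artifact-admins` group is limited to `roles/viewer`. The default compute service account's project-wide editor grant is the GCP default and is only exercised by something running as that account, but it means any workload created in this project inherits write access to everything the project owns, including the publicly readable artifact buckets whose `projectEditor:` binding appears earlier in this diff; an audit entry should state whether that grant is still needed or can be reduced, and owner held by one user rather than a group should be justified the same way. The `k8s-artifacts-prod/policy.json` hunk on L97 shows the same pattern, plus a second individual account holding `roles/editor` directly.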
@@ -0,0 +1,328 @@ +[ + { + "config": { + "authentication": {}, + "documentation": { + "summary": "A data platform for customers to create, manage, share and query data." + }, + "name": "bigquery-json.googleapis.com", + "quota": {}, + "title": "BigQuery API", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud" + ] + } + }, + "name": "projects/969606857874/services/bigquery-json.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "This is a meta service for Google Cloud APIs for convenience. Enabling this service enables all commonly used Google Cloud APIs for the project. By default, it is enabled for all projects created through Google Cloud Console and Google Cloud SDK, and should be manually enabled for all other projects that intend to use Google Cloud APIs. Note: disabling this service has no effect on other services.\n" + }, + "name": "cloudapis.googleapis.com", + "quota": {}, + "title": "Google Cloud APIs", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud" + ] + } + }, + "name": "projects/969606857874/services/cloudapis.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "Examines the call stack and variables of a running application without stopping or slowing it down.\n" + }, + "name": "clouddebugger.googleapis.com", + "quota": {}, + "title": "Stackdriver Debugger API", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud" + ] + } + }, + "name": "projects/969606857874/services/clouddebugger.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "Sends application trace data to Stackdriver Trace for viewing. Trace data is collected for all App Engine applications by default. Trace data from other applications can be provided using this API. 
This library is used to interact with the Trace API directly. If you are looking to instrument your application for Stackdriver Trace, we recommend using OpenCensus.\n" + }, + "name": "cloudtrace.googleapis.com", + "quota": {}, + "title": "Stackdriver Trace API", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud" + ] + } + }, + "name": "projects/969606857874/services/cloudtrace.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "Creates and runs virtual machines on Google Cloud Platform.\n" + }, + "name": "compute.googleapis.com", + "quota": {}, + "title": "Compute Engine API", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud", + "serviceusage.googleapis.com/billing-enabled" + ] + } + }, + "name": "projects/969606857874/services/compute.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "An implementation of the Grafeas API, which stores, and enables querying and retrieval of critical metadata about all of your software artifacts." + }, + "name": "containeranalysis.googleapis.com", + "quota": {}, + "title": "Container Analysis API", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud" + ] + } + }, + "name": "projects/969606857874/services/containeranalysis.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "Google Container Registry provides secure, private Docker image storage on Google Cloud Platform. Our API follows the Docker Registry API specification, so we are fully compatible with the Docker CLI client, as well as standard tooling using the Docker Registry API." 
+ }, + "name": "containerregistry.googleapis.com", + "quota": {}, + "title": "Container Registry API", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud", + "serviceusage.googleapis.com/billing-enabled" + ] + } + }, + "name": "projects/969606857874/services/containerregistry.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "A service to scan containers for vulnerabilities." + }, + "name": "containerscanning.googleapis.com", + "quota": {}, + "title": "Container Scanning API", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud" + ] + } + }, + "name": "projects/969606857874/services/containerscanning.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "Accesses the schemaless NoSQL database to provide fully managed, robust, scalable storage for your application.\n" + }, + "name": "datastore.googleapis.com", + "quota": {}, + "title": "Cloud Datastore API", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud" + ] + } + }, + "name": "projects/969606857874/services/datastore.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "Writes log entries and manages your Stackdriver Logging configuration.\nThe table entries below are presented in alphabetical order, not in order of common use. For explanations of the concepts found in the table entries, read the [Stackdriver Logging documentation](/logging/docs)." 
+ }, + "name": "logging.googleapis.com", + "quota": {}, + "title": "Stackdriver Logging API", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud" + ] + } + }, + "name": "projects/969606857874/services/logging.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "Manages your Stackdriver Monitoring data and configurations. Most projects must be associated with a Stackdriver account, with a few exceptions as noted on the individual method pages.\nThe table entries below are presented in alphabetical order, not in order of common use. For explanations of the concepts found in the table entries, read the [Stackdriver Monitoring documentation](/monitoring/docs).\n" + }, + "name": "monitoring.googleapis.com", + "quota": {}, + "title": "Stackdriver Monitoring API", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud" + ] + } + }, + "name": "projects/969606857874/services/monitoring.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "Manages OS login configuration for Google account users." 
+ }, + "name": "oslogin.googleapis.com", + "quota": {}, + "title": "Cloud OS Login API", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud" + ] + } + }, + "name": "projects/969606857874/services/oslogin.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "Provides reliable, many-to-many, asynchronous messaging between applications.\n" + }, + "name": "pubsub.googleapis.com", + "quota": {}, + "title": "Cloud Pub/Sub API", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud" + ] + } + }, + "name": "projects/969606857874/services/pubsub.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "Google Service Management allows service producers to publish their services on Google Cloud Platform so that they can be discovered and used by service consumers." + }, + "name": "servicemanagement.googleapis.com", + "quota": {}, + "title": "Service Management API", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud" + ] + } + }, + "name": "projects/969606857874/services/servicemanagement.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "Enables services that service consumers want to use on Google Cloud Platform, lists the available or enabled services, or disables services that service consumers no longer use." + }, + "name": "serviceusage.googleapis.com", + "quota": {}, + "title": "Service Usage API", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud" + ] + } + }, + "name": "projects/969606857874/services/serviceusage.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "Google Cloud SQL is a hosted and fully managed relational database service\n on Google's infrastructure." 
+ }, + "name": "sql-component.googleapis.com", + "quota": {}, + "title": "Cloud SQL", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud" + ] + } + }, + "name": "projects/969606857874/services/sql-component.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "Lets you store and retrieve potentially-large, immutable data objects." + }, + "name": "storage-api.googleapis.com", + "quota": {}, + "title": "Google Cloud Storage JSON API", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud" + ] + } + }, + "name": "projects/969606857874/services/storage-api.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "Google Cloud Storage is a RESTful service for storing and accessing your data on Google's\n infrastructure." + }, + "name": "storage-component.googleapis.com", + "quota": {}, + "title": "Cloud Storage", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud" + ] + } + }, + "name": "projects/969606857874/services/storage-component.googleapis.com", + "state": "ENABLED" + } +] diff --git a/audit/k8s-artifacts-prod/buckets/asia.artifacts.k8s-artifacts-prod.appspot.com.iam.json b/audit/k8s-artifacts-prod/buckets/asia.artifacts.k8s-artifacts-prod.appspot.com.iam.json new file mode 100644 index 00000000000..eeef4238d94 --- /dev/null +++ b/audit/k8s-artifacts-prod/buckets/asia.artifacts.k8s-artifacts-prod.appspot.com.iam.json 
@@ -0,0 +1,33 @@ +{ + "bindings": [ + { + "members": [ + "group:k8s-infra-artifact-admins@kubernetes.io", + "projectEditor:k8s-artifacts-prod", + "projectOwner:k8s-artifacts-prod", + "serviceAccount:k8s-infra-gcr-promoter@k8s-artifacts-prod.iam.gserviceaccount.com" + ], + "role": "roles/storage.legacyBucketOwner" + }, + { + "members": [ + "projectViewer:k8s-artifacts-prod" + ], + "role": "roles/storage.legacyBucketReader" + }, + { + "members": [ + "group:k8s-infra-artifact-admins@kubernetes.io", + "serviceAccount:k8s-infra-gcr-promoter@k8s-artifacts-prod.iam.gserviceaccount.com" + ], + "role": "roles/storage.objectAdmin" + }, + { + "members": [ + "allUsers" + ], + "role": "roles/storage.objectViewer" + } + ], + "etag": "CBA=" +} diff --git a/audit/k8s-artifacts-prod/buckets/asia.artifacts.k8s-artifacts-prod.appspot.com.txt b/audit/k8s-artifacts-prod/buckets/asia.artifacts.k8s-artifacts-prod.appspot.com.txt new file mode 100644 index 00000000000..e69de29bb2d diff --git a/audit/k8s-artifacts-prod/buckets/eu.artifacts.k8s-artifacts-prod.appspot.com.iam.json b/audit/k8s-artifacts-prod/buckets/eu.artifacts.k8s-artifacts-prod.appspot.com.iam.json new file mode 100644 index 00000000000..eeef4238d94 --- /dev/null +++ b/audit/k8s-artifacts-prod/buckets/eu.artifacts.k8s-artifacts-prod.appspot.com.iam.json 
@@ -0,0 +1,33 @@ +{ + "bindings": [ + { + "members": [ + "group:k8s-infra-artifact-admins@kubernetes.io", + "projectEditor:k8s-artifacts-prod", + "projectOwner:k8s-artifacts-prod", + "serviceAccount:k8s-infra-gcr-promoter@k8s-artifacts-prod.iam.gserviceaccount.com" + ], + "role": "roles/storage.legacyBucketOwner" + }, + { + "members": [ + "projectViewer:k8s-artifacts-prod" + ], + "role": "roles/storage.legacyBucketReader" + }, + { + "members": [ + "group:k8s-infra-artifact-admins@kubernetes.io", + "serviceAccount:k8s-infra-gcr-promoter@k8s-artifacts-prod.iam.gserviceaccount.com" + ], + "role": "roles/storage.objectAdmin" + }, + { + "members": [ + "allUsers" + ], + "role": "roles/storage.objectViewer" + } + ], + "etag": "CBA=" +} diff --git a/audit/k8s-artifacts-prod/buckets/eu.artifacts.k8s-artifacts-prod.appspot.com.txt b/audit/k8s-artifacts-prod/buckets/eu.artifacts.k8s-artifacts-prod.appspot.com.txt new file mode 100644 index 00000000000..e69de29bb2d diff --git a/audit/k8s-artifacts-prod/buckets/k8s-artifacts-prod.iam.json b/audit/k8s-artifacts-prod/buckets/k8s-artifacts-prod.iam.json new file mode 100644 index 00000000000..094051388c5 --- /dev/null +++ b/audit/k8s-artifacts-prod/buckets/k8s-artifacts-prod.iam.json @@ -0,0 +1,31 @@ +{ + "bindings": [ + { + "members": [ + "group:k8s-infra-artifact-admins@kubernetes.io", + "projectEditor:k8s-artifacts-prod", + "projectOwner:k8s-artifacts-prod" + ], + "role": "roles/storage.legacyBucketOwner" + }, + { + "members": [ + "projectViewer:k8s-artifacts-prod" + ], + "role": "roles/storage.legacyBucketReader" + }, + { + "members": [ + "group:k8s-infra-artifact-admins@kubernetes.io" + ], + "role": "roles/storage.objectAdmin" + }, + { + "members": [ + "allUsers" + ], + "role": "roles/storage.objectViewer" + } + ], + "etag": "CA8=" +} diff --git a/audit/k8s-artifacts-prod/buckets/k8s-artifacts-prod.txt b/audit/k8s-artifacts-prod/buckets/k8s-artifacts-prod.txt new file mode 100644 index 00000000000..3143d3c1487 --- /dev/null 
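Review bot: The second hunk on this line, `k8s-artifacts-prod.iam.json`, is the bucket whose listing in the next hunk (L93–L95) holds the kops binaries together with their `.sha1` files, and `roles/storage.legacyBucketOwner` on it goes to `projectEditor:k8s-artifacts-prod` and `projectOwner:k8s-artifacts-prod` while `allUsers` can read every object. A checksum stored beside the artifact in the same bucket only detects transfer corruption; any member of the bucket's write set can replace the binary and its `.sha1` consistently, so the integrity of what `allUsers` downloads is exactly the integrity of that write set. The audit should therefore treat this bucket's writers (the `group:k8s-infra-artifact-admins@kubernetes.io` group plus every `roles/editor` holder on the project via the convenience binding) as release-critical, narrow them by dropping the legacy `projectEditor:` binding, and note that checksums published only from this bucket do not stand in for out-of-band signatures.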
+++ b/audit/k8s-artifacts-prod/buckets/k8s-artifacts-prod.txt 
@@ -0,0 +1,114 @@ +gs://k8s-artifacts-prod/index.html +gs://k8s-artifacts-prod/binaries/: + +gs://k8s-artifacts-prod/binaries/kops/: + +gs://k8s-artifacts-prod/binaries/kops/1.10.1/: + +gs://k8s-artifacts-prod/binaries/kops/1.10.1/darwin/: + +gs://k8s-artifacts-prod/binaries/kops/1.10.1/darwin/amd64/: +gs://k8s-artifacts-prod/binaries/kops/1.10.1/darwin/amd64/kops +gs://k8s-artifacts-prod/binaries/kops/1.10.1/darwin/amd64/kops.sha1 + +gs://k8s-artifacts-prod/binaries/kops/1.10.1/images/: +gs://k8s-artifacts-prod/binaries/kops/1.10.1/images/protokube.tar.gz +gs://k8s-artifacts-prod/binaries/kops/1.10.1/images/protokube.tar.gz.sha1 + +gs://k8s-artifacts-prod/binaries/kops/1.10.1/linux/: + +gs://k8s-artifacts-prod/binaries/kops/1.10.1/linux/amd64/: +gs://k8s-artifacts-prod/binaries/kops/1.10.1/linux/amd64/kops +gs://k8s-artifacts-prod/binaries/kops/1.10.1/linux/amd64/kops.sha1 +gs://k8s-artifacts-prod/binaries/kops/1.10.1/linux/amd64/nodeup +gs://k8s-artifacts-prod/binaries/kops/1.10.1/linux/amd64/nodeup.sha1 +gs://k8s-artifacts-prod/binaries/kops/1.10.1/linux/amd64/utils.tar.gz +gs://k8s-artifacts-prod/binaries/kops/1.10.1/linux/amd64/utils.tar.gz.sha1 + +gs://k8s-artifacts-prod/binaries/kops/1.11.0-alpha.1/: + +gs://k8s-artifacts-prod/binaries/kops/1.11.0-alpha.1/darwin/: + +gs://k8s-artifacts-prod/binaries/kops/1.11.0-alpha.1/darwin/amd64/: +gs://k8s-artifacts-prod/binaries/kops/1.11.0-alpha.1/darwin/amd64/kops +gs://k8s-artifacts-prod/binaries/kops/1.11.0-alpha.1/darwin/amd64/kops.sha1 + +gs://k8s-artifacts-prod/binaries/kops/1.11.0-alpha.1/images/: +gs://k8s-artifacts-prod/binaries/kops/1.11.0-alpha.1/images/protokube.tar.gz +gs://k8s-artifacts-prod/binaries/kops/1.11.0-alpha.1/images/protokube.tar.gz.sha1 + +gs://k8s-artifacts-prod/binaries/kops/1.11.0-alpha.1/linux/: + +gs://k8s-artifacts-prod/binaries/kops/1.11.0-alpha.1/linux/amd64/: +gs://k8s-artifacts-prod/binaries/kops/1.11.0-alpha.1/linux/amd64/kops 
+gs://k8s-artifacts-prod/binaries/kops/1.11.0-alpha.1/linux/amd64/kops.sha1 +gs://k8s-artifacts-prod/binaries/kops/1.11.0-alpha.1/linux/amd64/nodeup +gs://k8s-artifacts-prod/binaries/kops/1.11.0-alpha.1/linux/amd64/nodeup.sha1 +gs://k8s-artifacts-prod/binaries/kops/1.11.0-alpha.1/linux/amd64/utils.tar.gz +gs://k8s-artifacts-prod/binaries/kops/1.11.0-alpha.1/linux/amd64/utils.tar.gz.sha1 + +gs://k8s-artifacts-prod/binaries/kops/1.11.0-beta.1/: + +gs://k8s-artifacts-prod/binaries/kops/1.11.0-beta.1/darwin/: + +gs://k8s-artifacts-prod/binaries/kops/1.11.0-beta.1/darwin/amd64/: +gs://k8s-artifacts-prod/binaries/kops/1.11.0-beta.1/darwin/amd64/kops +gs://k8s-artifacts-prod/binaries/kops/1.11.0-beta.1/darwin/amd64/kops.sha1 + +gs://k8s-artifacts-prod/binaries/kops/1.11.0-beta.1/images/: +gs://k8s-artifacts-prod/binaries/kops/1.11.0-beta.1/images/protokube.tar.gz +gs://k8s-artifacts-prod/binaries/kops/1.11.0-beta.1/images/protokube.tar.gz.sha1 + +gs://k8s-artifacts-prod/binaries/kops/1.11.0-beta.1/linux/: + +gs://k8s-artifacts-prod/binaries/kops/1.11.0-beta.1/linux/amd64/: +gs://k8s-artifacts-prod/binaries/kops/1.11.0-beta.1/linux/amd64/kops +gs://k8s-artifacts-prod/binaries/kops/1.11.0-beta.1/linux/amd64/kops.sha1 +gs://k8s-artifacts-prod/binaries/kops/1.11.0-beta.1/linux/amd64/nodeup +gs://k8s-artifacts-prod/binaries/kops/1.11.0-beta.1/linux/amd64/nodeup.sha1 +gs://k8s-artifacts-prod/binaries/kops/1.11.0-beta.1/linux/amd64/utils.tar.gz +gs://k8s-artifacts-prod/binaries/kops/1.11.0-beta.1/linux/amd64/utils.tar.gz.sha1 + +gs://k8s-artifacts-prod/binaries/kops/1.11.0/: + +gs://k8s-artifacts-prod/binaries/kops/1.11.0/darwin/: + +gs://k8s-artifacts-prod/binaries/kops/1.11.0/darwin/amd64/: +gs://k8s-artifacts-prod/binaries/kops/1.11.0/darwin/amd64/kops +gs://k8s-artifacts-prod/binaries/kops/1.11.0/darwin/amd64/kops.sha1 + +gs://k8s-artifacts-prod/binaries/kops/1.11.0/images/: +gs://k8s-artifacts-prod/binaries/kops/1.11.0/images/protokube.tar.gz 
+gs://k8s-artifacts-prod/binaries/kops/1.11.0/images/protokube.tar.gz.sha1 + +gs://k8s-artifacts-prod/binaries/kops/1.11.0/linux/: + +gs://k8s-artifacts-prod/binaries/kops/1.11.0/linux/amd64/: +gs://k8s-artifacts-prod/binaries/kops/1.11.0/linux/amd64/kops +gs://k8s-artifacts-prod/binaries/kops/1.11.0/linux/amd64/kops.sha1 +gs://k8s-artifacts-prod/binaries/kops/1.11.0/linux/amd64/nodeup +gs://k8s-artifacts-prod/binaries/kops/1.11.0/linux/amd64/nodeup.sha1 +gs://k8s-artifacts-prod/binaries/kops/1.11.0/linux/amd64/utils.tar.gz +gs://k8s-artifacts-prod/binaries/kops/1.11.0/linux/amd64/utils.tar.gz.sha1 + +gs://k8s-artifacts-prod/binaries/kops/1.11.1/: + +gs://k8s-artifacts-prod/binaries/kops/1.11.1/darwin/: + +gs://k8s-artifacts-prod/binaries/kops/1.11.1/darwin/amd64/: +gs://k8s-artifacts-prod/binaries/kops/1.11.1/darwin/amd64/kops +gs://k8s-artifacts-prod/binaries/kops/1.11.1/darwin/amd64/kops.sha1 + +gs://k8s-artifacts-prod/binaries/kops/1.11.1/images/: +gs://k8s-artifacts-prod/binaries/kops/1.11.1/images/protokube.tar.gz +gs://k8s-artifacts-prod/binaries/kops/1.11.1/images/protokube.tar.gz.sha1 + +gs://k8s-artifacts-prod/binaries/kops/1.11.1/linux/: + +gs://k8s-artifacts-prod/binaries/kops/1.11.1/linux/amd64/: +gs://k8s-artifacts-prod/binaries/kops/1.11.1/linux/amd64/kops +gs://k8s-artifacts-prod/binaries/kops/1.11.1/linux/amd64/kops.sha1 +gs://k8s-artifacts-prod/binaries/kops/1.11.1/linux/amd64/nodeup +gs://k8s-artifacts-prod/binaries/kops/1.11.1/linux/amd64/nodeup.sha1 +gs://k8s-artifacts-prod/binaries/kops/1.11.1/linux/amd64/utils.tar.gz +gs://k8s-artifacts-prod/binaries/kops/1.11.1/linux/amd64/utils.tar.gz.sha1 diff --git a/audit/k8s-artifacts-prod/buckets/us.artifacts.k8s-artifacts-prod.appspot.com.iam.json b/audit/k8s-artifacts-prod/buckets/us.artifacts.k8s-artifacts-prod.appspot.com.iam.json new file mode 100644 index 00000000000..eeef4238d94 --- /dev/null +++ b/audit/k8s-artifacts-prod/buckets/us.artifacts.k8s-artifacts-prod.appspot.com.iam.json 
@@ -0,0 +1,33 @@ +{ + "bindings": [ + { + "members": [ + "group:k8s-infra-artifact-admins@kubernetes.io", + "projectEditor:k8s-artifacts-prod", + "projectOwner:k8s-artifacts-prod", + "serviceAccount:k8s-infra-gcr-promoter@k8s-artifacts-prod.iam.gserviceaccount.com" + ], + "role": "roles/storage.legacyBucketOwner" + }, + { + "members": [ + "projectViewer:k8s-artifacts-prod" + ], + "role": "roles/storage.legacyBucketReader" + }, + { + "members": [ + "group:k8s-infra-artifact-admins@kubernetes.io", + "serviceAccount:k8s-infra-gcr-promoter@k8s-artifacts-prod.iam.gserviceaccount.com" + ], + "role": "roles/storage.objectAdmin" + }, + { + "members": [ + "allUsers" + ], + "role": "roles/storage.objectViewer" + } + ], + "etag": "CBA=" +} diff --git a/audit/k8s-artifacts-prod/buckets/us.artifacts.k8s-artifacts-prod.appspot.com.txt b/audit/k8s-artifacts-prod/buckets/us.artifacts.k8s-artifacts-prod.appspot.com.txt new file mode 100644 index 00000000000..e69de29bb2d diff --git a/audit/k8s-artifacts-prod/policy.json b/audit/k8s-artifacts-prod/policy.json new file mode 100644 index 00000000000..ae78a710f03 --- /dev/null +++ b/audit/k8s-artifacts-prod/policy.json 
@@ -0,0 +1,45 @@ +{ + "bindings": [ + { + "members": [ + "serviceAccount:service-388270116193@compute-system.iam.gserviceaccount.com" + ], + "role": "roles/compute.serviceAgent" + }, + { + "members": [ + "serviceAccount:service-388270116193@container-analysis.iam.gserviceaccount.com" + ], + "role": "roles/containeranalysis.ServiceAgent" + }, + { + "members": [ + "serviceAccount:service-388270116193@gcp-sa-containerscanning.iam.gserviceaccount.com" + ], + "role": "roles/containerscanning.ServiceAgent" + }, + { + "members": [ + "serviceAccount:388270116193-compute@developer.gserviceaccount.com", + "serviceAccount:388270116193@cloudservices.gserviceaccount.com", + "serviceAccount:service-388270116193@containerregistry.iam.gserviceaccount.com", + "user:justinsb@google.com" + ], + "role": "roles/editor" + }, + { + "members": [ + "user:thockin@google.com" + ], + "role": "roles/owner" + }, + { + "members": [ + "group:k8s-infra-artifact-admins@kubernetes.io" + ], + "role": "roles/viewer" + } + ], + "etag": "BwWNSfMbesI=", + "version": 1 +} diff --git a/audit/k8s-artifacts-prod/roles.json b/audit/k8s-artifacts-prod/roles.json new file mode 100644 index 00000000000..fe51488c706 --- /dev/null +++ b/audit/k8s-artifacts-prod/roles.json @@ -0,0 +1 @@ +[] diff --git a/audit/k8s-artifacts-prod/services/clusters.json b/audit/k8s-artifacts-prod/services/clusters.json new file mode 100644 index 00000000000..fe51488c706 --- /dev/null +++ b/audit/k8s-artifacts-prod/services/clusters.json @@ -0,0 +1 @@ +[] diff --git a/audit/k8s-artifacts-prod/services/enabled.json b/audit/k8s-artifacts-prod/services/enabled.json new file mode 100644 index 00000000000..4826b70c3e7 --- /dev/null +++ b/audit/k8s-artifacts-prod/services/enabled.json 
@@ -0,0 +1,328 @@ +[ + { + "config": { + "authentication": {}, + "documentation": { + "summary": "A data platform for customers to create, manage, share and query data." + }, + "name": "bigquery-json.googleapis.com", + "quota": {}, + "title": "BigQuery API", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud" + ] + } + }, + "name": "projects/388270116193/services/bigquery-json.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "This is a meta service for Google Cloud APIs for convenience. Enabling this service enables all commonly used Google Cloud APIs for the project. By default, it is enabled for all projects created through Google Cloud Console and Google Cloud SDK, and should be manually enabled for all other projects that intend to use Google Cloud APIs. Note: disabling this service has no effect on other services.\n" + }, + "name": "cloudapis.googleapis.com", + "quota": {}, + "title": "Google Cloud APIs", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud" + ] + } + }, + "name": "projects/388270116193/services/cloudapis.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "Examines the call stack and variables of a running application without stopping or slowing it down.\n" + }, + "name": "clouddebugger.googleapis.com", + "quota": {}, + "title": "Stackdriver Debugger API", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud" + ] + } + }, + "name": "projects/388270116193/services/clouddebugger.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "Sends application trace data to Stackdriver Trace for viewing. Trace data is collected for all App Engine applications by default. Trace data from other applications can be provided using this API. 
This library is used to interact with the Trace API directly. If you are looking to instrument your application for Stackdriver Trace, we recommend using OpenCensus.\n" + }, + "name": "cloudtrace.googleapis.com", + "quota": {}, + "title": "Stackdriver Trace API", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud" + ] + } + }, + "name": "projects/388270116193/services/cloudtrace.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "Creates and runs virtual machines on Google Cloud Platform.\n" + }, + "name": "compute.googleapis.com", + "quota": {}, + "title": "Compute Engine API", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud", + "serviceusage.googleapis.com/billing-enabled" + ] + } + }, + "name": "projects/388270116193/services/compute.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "An implementation of the Grafeas API, which stores, and enables querying and retrieval of critical metadata about all of your software artifacts." + }, + "name": "containeranalysis.googleapis.com", + "quota": {}, + "title": "Container Analysis API", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud" + ] + } + }, + "name": "projects/388270116193/services/containeranalysis.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "Google Container Registry provides secure, private Docker image storage on Google Cloud Platform. Our API follows the Docker Registry API specification, so we are fully compatible with the Docker CLI client, as well as standard tooling using the Docker Registry API." 
+ }, + "name": "containerregistry.googleapis.com", + "quota": {}, + "title": "Container Registry API", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud", + "serviceusage.googleapis.com/billing-enabled" + ] + } + }, + "name": "projects/388270116193/services/containerregistry.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "A service to scan containers for vulnerabilities." + }, + "name": "containerscanning.googleapis.com", + "quota": {}, + "title": "Container Scanning API", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud" + ] + } + }, + "name": "projects/388270116193/services/containerscanning.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "Accesses the schemaless NoSQL database to provide fully managed, robust, scalable storage for your application.\n" + }, + "name": "datastore.googleapis.com", + "quota": {}, + "title": "Cloud Datastore API", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud" + ] + } + }, + "name": "projects/388270116193/services/datastore.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "Writes log entries and manages your Stackdriver Logging configuration.\nThe table entries below are presented in alphabetical order, not in order of common use. For explanations of the concepts found in the table entries, read the [Stackdriver Logging documentation](/logging/docs)." 
+ }, + "name": "logging.googleapis.com", + "quota": {}, + "title": "Stackdriver Logging API", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud" + ] + } + }, + "name": "projects/388270116193/services/logging.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "Manages your Stackdriver Monitoring data and configurations. Most projects must be associated with a Stackdriver account, with a few exceptions as noted on the individual method pages.\nThe table entries below are presented in alphabetical order, not in order of common use. For explanations of the concepts found in the table entries, read the [Stackdriver Monitoring documentation](/monitoring/docs).\n" + }, + "name": "monitoring.googleapis.com", + "quota": {}, + "title": "Stackdriver Monitoring API", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud" + ] + } + }, + "name": "projects/388270116193/services/monitoring.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "Manages OS login configuration for Google account users." 
+ }, + "name": "oslogin.googleapis.com", + "quota": {}, + "title": "Cloud OS Login API", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud" + ] + } + }, + "name": "projects/388270116193/services/oslogin.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "Provides reliable, many-to-many, asynchronous messaging between applications.\n" + }, + "name": "pubsub.googleapis.com", + "quota": {}, + "title": "Cloud Pub/Sub API", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud" + ] + } + }, + "name": "projects/388270116193/services/pubsub.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "Google Service Management allows service producers to publish their services on Google Cloud Platform so that they can be discovered and used by service consumers." + }, + "name": "servicemanagement.googleapis.com", + "quota": {}, + "title": "Service Management API", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud" + ] + } + }, + "name": "projects/388270116193/services/servicemanagement.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "Enables services that service consumers want to use on Google Cloud Platform, lists the available or enabled services, or disables services that service consumers no longer use." + }, + "name": "serviceusage.googleapis.com", + "quota": {}, + "title": "Service Usage API", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud" + ] + } + }, + "name": "projects/388270116193/services/serviceusage.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "Google Cloud SQL is a hosted and fully managed relational database service\n on Google's infrastructure." 
+ }, + "name": "sql-component.googleapis.com", + "quota": {}, + "title": "Cloud SQL", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud" + ] + } + }, + "name": "projects/388270116193/services/sql-component.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "Lets you store and retrieve potentially-large, immutable data objects." + }, + "name": "storage-api.googleapis.com", + "quota": {}, + "title": "Google Cloud Storage JSON API", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud" + ] + } + }, + "name": "projects/388270116193/services/storage-api.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "Google Cloud Storage is a RESTful service for storing and accessing your data on Google's\n infrastructure." + }, + "name": "storage-component.googleapis.com", + "quota": {}, + "title": "Cloud Storage", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud" + ] + } + }, + "name": "projects/388270116193/services/storage-component.googleapis.com", + "state": "ENABLED" + } +] diff --git a/audit/k8s-cip-test-prod/buckets/asia.artifacts.k8s-cip-test-prod.appspot.com.iam.json b/audit/k8s-cip-test-prod/buckets/asia.artifacts.k8s-cip-test-prod.appspot.com.iam.json new file mode 100644 index 00000000000..28ead50df42 --- /dev/null +++ b/audit/k8s-cip-test-prod/buckets/asia.artifacts.k8s-cip-test-prod.appspot.com.iam.json 
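Review bot: services/enabled.json for k8s-artifacts-prod lists Cloud SQL, Cloud Datastore, Cloud Pub/Sub, Stackdriver Debugger/Trace and Compute Engine as `"state": "ENABLED"` on a project whose only IAM bindings (L97) are registry-related, and nothing in the dump says whether these are the defaults of a newly created project or were enabled deliberately. Recording the expected service baseline for a registry project in the README would let reviewers of later audits spot an added API rather than re-reading 328 lines each time. The identical list appears for k8s-cip-test-prod at L108–L113.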
@@ -0,0 +1,35 @@
+{
+ "bindings": [
+ {
+ "members": [
+ "group:k8s-infra-artifact-admins@kubernetes.io",
+ "projectEditor:k8s-cip-test-prod",
+ "projectOwner:k8s-cip-test-prod",
+ "serviceAccount:k8s-infra-gcr-promoter@k8s-cip-test-prod.iam.gserviceaccount.com"
+ ],
+ "role": "roles/storage.legacyBucketOwner"
+ },
+ {
+ "members": [
+ "group:k8s-infra-staging-cip-test@kubernetes.io",
+ "projectViewer:k8s-cip-test-prod"
+ ],
+ "role": "roles/storage.legacyBucketReader"
+ },
+ {
+ "members": [
+ "group:k8s-infra-artifact-admins@kubernetes.io",
+ "group:k8s-infra-staging-cip-test@kubernetes.io",
+ "serviceAccount:k8s-infra-gcr-promoter@k8s-cip-test-prod.iam.gserviceaccount.com"
+ ],
+ "role": "roles/storage.objectAdmin"
+ },
+ {
+ "members": [
+ "allUsers"
+ ],
+ "role": "roles/storage.objectViewer"
+ }
+ ],
+ "etag": "CBk="
+}
diff --git a/audit/k8s-cip-test-prod/buckets/asia.artifacts.k8s-cip-test-prod.appspot.com.txt b/audit/k8s-cip-test-prod/buckets/asia.artifacts.k8s-cip-test-prod.appspot.com.txt
new file mode 100644
index 00000000000..e69de29bb2d
diff --git a/audit/k8s-cip-test-prod/buckets/eu.artifacts.k8s-cip-test-prod.appspot.com.iam.json b/audit/k8s-cip-test-prod/buckets/eu.artifacts.k8s-cip-test-prod.appspot.com.iam.json
new file mode 100644
index 00000000000..28ead50df42
--- /dev/null
+++ b/audit/k8s-cip-test-prod/buckets/eu.artifacts.k8s-cip-test-prod.appspot.com.iam.json
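Review bot: `group:k8s-infra-staging-cip-test@kubernetes.io` holds `roles/storage.objectAdmin` (object create, overwrite and delete) on asia.artifacts.k8s-cip-test-prod.appspot.com, a bucket that is also `allUsers`-readable, so the membership of that staging group directly decides what the public pulls from this registry. For a test project that may be intended, but the audit has no record of who is in the group, so the policy dump alone cannot show who can publish; capturing group membership next to the bucket policy would close that gap. The same binding appears in the eu and us variants at L105–L106 and, for `k8s-infra-staging-release-test@kubernetes.io`, at L117–L118.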
@@ -0,0 +1,35 @@
+{
+ "bindings": [
+ {
+ "members": [
+ "group:k8s-infra-artifact-admins@kubernetes.io",
+ "projectEditor:k8s-cip-test-prod",
+ "projectOwner:k8s-cip-test-prod",
+ "serviceAccount:k8s-infra-gcr-promoter@k8s-cip-test-prod.iam.gserviceaccount.com"
+ ],
+ "role": "roles/storage.legacyBucketOwner"
+ },
+ {
+ "members": [
+ "group:k8s-infra-staging-cip-test@kubernetes.io",
+ "projectViewer:k8s-cip-test-prod"
+ ],
+ "role": "roles/storage.legacyBucketReader"
+ },
+ {
+ "members": [
+ "group:k8s-infra-artifact-admins@kubernetes.io",
+ "group:k8s-infra-staging-cip-test@kubernetes.io",
+ "serviceAccount:k8s-infra-gcr-promoter@k8s-cip-test-prod.iam.gserviceaccount.com"
+ ],
+ "role": "roles/storage.objectAdmin"
+ },
+ {
+ "members": [
+ "allUsers"
+ ],
+ "role": "roles/storage.objectViewer"
+ }
+ ],
+ "etag": "CBk="
+}
diff --git a/audit/k8s-cip-test-prod/buckets/eu.artifacts.k8s-cip-test-prod.appspot.com.txt b/audit/k8s-cip-test-prod/buckets/eu.artifacts.k8s-cip-test-prod.appspot.com.txt
new file mode 100644
index 00000000000..e69de29bb2d
diff --git a/audit/k8s-cip-test-prod/buckets/us.artifacts.k8s-cip-test-prod.appspot.com.iam.json b/audit/k8s-cip-test-prod/buckets/us.artifacts.k8s-cip-test-prod.appspot.com.iam.json
new file mode 100644
index 00000000000..28ead50df42
--- /dev/null
+++ b/audit/k8s-cip-test-prod/buckets/us.artifacts.k8s-cip-test-prod.appspot.com.iam.json
@@ -0,0 +1,35 @@
+{
+ "bindings": [
+ {
+ "members": [
+ "group:k8s-infra-artifact-admins@kubernetes.io",
+ "projectEditor:k8s-cip-test-prod",
+ "projectOwner:k8s-cip-test-prod",
+ "serviceAccount:k8s-infra-gcr-promoter@k8s-cip-test-prod.iam.gserviceaccount.com"
+ ],
+ "role": "roles/storage.legacyBucketOwner"
+ },
+ {
+ "members": [
+ "group:k8s-infra-staging-cip-test@kubernetes.io",
+ "projectViewer:k8s-cip-test-prod"
+ ],
+ "role": "roles/storage.legacyBucketReader"
+ },
+ {
+ "members": [
+ "group:k8s-infra-artifact-admins@kubernetes.io",
+ "group:k8s-infra-staging-cip-test@kubernetes.io",
+ "serviceAccount:k8s-infra-gcr-promoter@k8s-cip-test-prod.iam.gserviceaccount.com"
+ ],
+ "role": "roles/storage.objectAdmin"
+ },
+ {
+ "members": [
+ "allUsers"
+ ],
+ "role": "roles/storage.objectViewer"
+ }
+ ],
+ "etag": "CBk="
+}
diff --git a/audit/k8s-cip-test-prod/buckets/us.artifacts.k8s-cip-test-prod.appspot.com.txt b/audit/k8s-cip-test-prod/buckets/us.artifacts.k8s-cip-test-prod.appspot.com.txt
new file mode 100644
index 00000000000..e69de29bb2d
diff --git a/audit/k8s-cip-test-prod/policy.json b/audit/k8s-cip-test-prod/policy.json
new file mode 100644
index 00000000000..c0c4ed72482
--- /dev/null
+++ b/audit/k8s-cip-test-prod/policy.json
@@ -0,0 +1,44 @@
+{
+ "bindings": [
+ {
+ "members": [
+ "serviceAccount:service-693665670941@compute-system.iam.gserviceaccount.com"
+ ],
+ "role": "roles/compute.serviceAgent"
+ },
+ {
+ "members": [
+ "serviceAccount:service-693665670941@container-analysis.iam.gserviceaccount.com"
+ ],
+ "role": "roles/containeranalysis.ServiceAgent"
+ },
+ {
+ "members": [
+ "serviceAccount:service-693665670941@gcp-sa-containerscanning.iam.gserviceaccount.com"
+ ],
+ "role": "roles/containerscanning.ServiceAgent"
+ },
+ {
+ "members": [
+ "serviceAccount:693665670941-compute@developer.gserviceaccount.com",
+ "serviceAccount:693665670941@cloudservices.gserviceaccount.com",
+ "serviceAccount:service-693665670941@containerregistry.iam.gserviceaccount.com"
+ ],
+ "role": "roles/editor"
+ },
+ {
+ "members": [
+ "user:thockin@google.com"
+ ],
+ "role": "roles/owner"
+ },
+ {
+ "members": [
+ "group:k8s-infra-artifact-admins@kubernetes.io"
+ ],
+ "role": "roles/viewer"
+ }
+ ],
+ "etag": "BwWNSe4FXsc=",
+ "version": 1
+}
diff --git a/audit/k8s-cip-test-prod/roles.json b/audit/k8s-cip-test-prod/roles.json
new file mode 100644
index 00000000000..fe51488c706
--- /dev/null
+++ b/audit/k8s-cip-test-prod/roles.json
@@ -0,0 +1 @@
+[]
diff --git a/audit/k8s-cip-test-prod/services/clusters.json b/audit/k8s-cip-test-prod/services/clusters.json
new file mode 100644
index 00000000000..fe51488c706
--- /dev/null
+++ b/audit/k8s-cip-test-prod/services/clusters.json
@@ -0,0 +1 @@
+[]
diff --git a/audit/k8s-cip-test-prod/services/enabled.json b/audit/k8s-cip-test-prod/services/enabled.json
new file mode 100644
index 00000000000..e574dc53962
--- /dev/null
+++ b/audit/k8s-cip-test-prod/services/enabled.json
@@ -0,0 +1,328 @@ +[ + { + "config": { + "authentication": {}, + "documentation": { + "summary": "A data platform for customers to create, manage, share and query data." + }, + "name": "bigquery-json.googleapis.com", + "quota": {}, + "title": "BigQuery API", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud" + ] + } + }, + "name": "projects/693665670941/services/bigquery-json.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "This is a meta service for Google Cloud APIs for convenience. Enabling this service enables all commonly used Google Cloud APIs for the project. By default, it is enabled for all projects created through Google Cloud Console and Google Cloud SDK, and should be manually enabled for all other projects that intend to use Google Cloud APIs. Note: disabling this service has no effect on other services.\n" + }, + "name": "cloudapis.googleapis.com", + "quota": {}, + "title": "Google Cloud APIs", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud" + ] + } + }, + "name": "projects/693665670941/services/cloudapis.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "Examines the call stack and variables of a running application without stopping or slowing it down.\n" + }, + "name": "clouddebugger.googleapis.com", + "quota": {}, + "title": "Stackdriver Debugger API", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud" + ] + } + }, + "name": "projects/693665670941/services/clouddebugger.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "Sends application trace data to Stackdriver Trace for viewing. Trace data is collected for all App Engine applications by default. Trace data from other applications can be provided using this API. 
This library is used to interact with the Trace API directly. If you are looking to instrument your application for Stackdriver Trace, we recommend using OpenCensus.\n" + }, + "name": "cloudtrace.googleapis.com", + "quota": {}, + "title": "Stackdriver Trace API", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud" + ] + } + }, + "name": "projects/693665670941/services/cloudtrace.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "Creates and runs virtual machines on Google Cloud Platform.\n" + }, + "name": "compute.googleapis.com", + "quota": {}, + "title": "Compute Engine API", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud", + "serviceusage.googleapis.com/billing-enabled" + ] + } + }, + "name": "projects/693665670941/services/compute.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "An implementation of the Grafeas API, which stores, and enables querying and retrieval of critical metadata about all of your software artifacts." + }, + "name": "containeranalysis.googleapis.com", + "quota": {}, + "title": "Container Analysis API", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud" + ] + } + }, + "name": "projects/693665670941/services/containeranalysis.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "Google Container Registry provides secure, private Docker image storage on Google Cloud Platform. Our API follows the Docker Registry API specification, so we are fully compatible with the Docker CLI client, as well as standard tooling using the Docker Registry API." 
+ }, + "name": "containerregistry.googleapis.com", + "quota": {}, + "title": "Container Registry API", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud", + "serviceusage.googleapis.com/billing-enabled" + ] + } + }, + "name": "projects/693665670941/services/containerregistry.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "A service to scan containers for vulnerabilities." + }, + "name": "containerscanning.googleapis.com", + "quota": {}, + "title": "Container Scanning API", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud" + ] + } + }, + "name": "projects/693665670941/services/containerscanning.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "Accesses the schemaless NoSQL database to provide fully managed, robust, scalable storage for your application.\n" + }, + "name": "datastore.googleapis.com", + "quota": {}, + "title": "Cloud Datastore API", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud" + ] + } + }, + "name": "projects/693665670941/services/datastore.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "Writes log entries and manages your Stackdriver Logging configuration.\nThe table entries below are presented in alphabetical order, not in order of common use. For explanations of the concepts found in the table entries, read the [Stackdriver Logging documentation](/logging/docs)." 
+ }, + "name": "logging.googleapis.com", + "quota": {}, + "title": "Stackdriver Logging API", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud" + ] + } + }, + "name": "projects/693665670941/services/logging.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "Manages your Stackdriver Monitoring data and configurations. Most projects must be associated with a Stackdriver account, with a few exceptions as noted on the individual method pages.\nThe table entries below are presented in alphabetical order, not in order of common use. For explanations of the concepts found in the table entries, read the [Stackdriver Monitoring documentation](/monitoring/docs).\n" + }, + "name": "monitoring.googleapis.com", + "quota": {}, + "title": "Stackdriver Monitoring API", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud" + ] + } + }, + "name": "projects/693665670941/services/monitoring.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "Manages OS login configuration for Google account users." 
+ }, + "name": "oslogin.googleapis.com", + "quota": {}, + "title": "Cloud OS Login API", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud" + ] + } + }, + "name": "projects/693665670941/services/oslogin.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "Provides reliable, many-to-many, asynchronous messaging between applications.\n" + }, + "name": "pubsub.googleapis.com", + "quota": {}, + "title": "Cloud Pub/Sub API", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud" + ] + } + }, + "name": "projects/693665670941/services/pubsub.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "Google Service Management allows service producers to publish their services on Google Cloud Platform so that they can be discovered and used by service consumers." + }, + "name": "servicemanagement.googleapis.com", + "quota": {}, + "title": "Service Management API", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud" + ] + } + }, + "name": "projects/693665670941/services/servicemanagement.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "Enables services that service consumers want to use on Google Cloud Platform, lists the available or enabled services, or disables services that service consumers no longer use." + }, + "name": "serviceusage.googleapis.com", + "quota": {}, + "title": "Service Usage API", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud" + ] + } + }, + "name": "projects/693665670941/services/serviceusage.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "Google Cloud SQL is a hosted and fully managed relational database service\n on Google's infrastructure." 
+ }, + "name": "sql-component.googleapis.com", + "quota": {}, + "title": "Cloud SQL", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud" + ] + } + }, + "name": "projects/693665670941/services/sql-component.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "Lets you store and retrieve potentially-large, immutable data objects." + }, + "name": "storage-api.googleapis.com", + "quota": {}, + "title": "Google Cloud Storage JSON API", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud" + ] + } + }, + "name": "projects/693665670941/services/storage-api.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "Google Cloud Storage is a RESTful service for storing and accessing your data on Google's\n infrastructure." + }, + "name": "storage-component.googleapis.com", + "quota": {}, + "title": "Cloud Storage", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud" + ] + } + }, + "name": "projects/693665670941/services/storage-component.googleapis.com", + "state": "ENABLED" + } +] diff --git a/audit/k8s-gsuite/policy.json b/audit/k8s-gsuite/policy.json new file mode 100644 index 00000000000..eecacad4dee --- /dev/null +++ b/audit/k8s-gsuite/policy.json @@ -0,0 +1,13 @@ +{ + "bindings": [ + { + "members": [ + "user:thockin@google.com", + "user:wg-k8s-infra-api@kubernetes.io" + ], + "role": "roles/owner" + } + ], + "etag": "BwWIfLtm8Eg=", + "version": 1 +} diff --git a/audit/k8s-gsuite/roles.json b/audit/k8s-gsuite/roles.json new file mode 100644 index 00000000000..fe51488c706 --- /dev/null +++ b/audit/k8s-gsuite/roles.json @@ -0,0 +1 @@ +[] diff --git a/audit/k8s-gsuite/services/enabled.json b/audit/k8s-gsuite/services/enabled.json new file mode 100644 index 00000000000..560867dee36 --- /dev/null +++ b/audit/k8s-gsuite/services/enabled.json 
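Review bot: In k8s-gsuite/policy.json `roles/owner` is granted to `user:wg-k8s-infra-api@kubernetes.io`, a principal named like a working-group alias but bound as an individual user, on the project whose services/enabled.json (L114) shows the Admin SDK and Groups Settings APIs. If that address is a shared mailbox, its credentials gate domain-administration tooling and its real set of holders is invisible to this audit, whereas a `group:` member would be enumerable and a `serviceAccount:` member would make an automation identity explicit. Worth confirming what that identity is and recording the answer in the README so the binding does not read as an anonymous owner on the next dump.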
@@ -0,0 +1,40 @@
+[
+ {
+ "config": {
+ "authentication": {},
+ "documentation": {
+ "summary": "Admin SDK lets administrators of enterprise domains to\n view and manage resources like user, groups etc. It also provides\n audit and usage reports of domain."
+ },
+ "name": "admin.googleapis.com",
+ "quota": {},
+ "title": "Admin SDK",
+ "usage": {
+ "requirements": [
+ "serviceusage.googleapis.com/tos/universal",
+ "serviceusage.googleapis.com/tos/appsadmin"
+ ]
+ }
+ },
+ "name": "projects/91610859379/services/admin.googleapis.com",
+ "state": "ENABLED"
+ },
+ {
+ "config": {
+ "authentication": {},
+ "documentation": {
+ "summary": "The Groups Settings API allows domain administrators to view and manage\n access levels and advanced settings for a group."
+ },
+ "name": "groupssettings.googleapis.com",
+ "quota": {},
+ "title": "Groups Settings API",
+ "usage": {
+ "requirements": [
+ "serviceusage.googleapis.com/tos/universal",
+ "serviceusage.googleapis.com/tos/appsadmin"
+ ]
+ }
+ },
+ "name": "projects/91610859379/services/groupssettings.googleapis.com",
+ "state": "ENABLED"
+ }
+]
diff --git a/audit/k8s-infra-dev-cluster-turnup/policy.json b/audit/k8s-infra-dev-cluster-turnup/policy.json
index 70ff7c9b018..485fd662758 100644
--- a/audit/k8s-infra-dev-cluster-turnup/policy.json
+++ b/audit/k8s-infra-dev-cluster-turnup/policy.json
@@ -2,37 +2,43 @@
 "bindings": [
 {
 "members": [
- "serviceAccount:terraform@k8s-infra-dev-cluster-turnup.iam.gserviceaccount.com"
+ "group:k8s-infra-bigquery-admins@kubernetes.io"
 ],
- "role": "roles/browser"
+ "role": "roles/bigquery.admin"
 },
 {
 "members": [
- "serviceAccount:service-396460694993@gcp-sa-cloudscheduler.iam.gserviceaccount.com"
+ "serviceAccount:396460694993@cloudbuild.gserviceaccount.com"
 ],
- "role": "roles/cloudscheduler.serviceAgent"
+ "role": "roles/cloudbuild.builds.builder"
 },
 {
 "members": [
- "serviceAccount:service-396460694993@compute-system.iam.gserviceaccount.com"
+ "serviceAccount:service-396460694993@gcp-sa-cloudbuild.iam.gserviceaccount.com"
 ],
- "role": "roles/compute.serviceAgent"
+ "role": "roles/cloudbuild.serviceAgent"
 },
 {
 "members": [
- "serviceAccount:terraform@k8s-infra-dev-cluster-turnup.iam.gserviceaccount.com"
+ "serviceAccount:service-396460694993@gcp-sa-cloudscheduler.iam.gserviceaccount.com"
+ ],
+ "role": "roles/cloudscheduler.serviceAgent"
+ },
+ {
+ "members": [
+ "serviceAccount:service-396460694993@compute-system.iam.gserviceaccount.com"
 ],
- "role": "roles/container.clusterAdmin"
+ "role": "roles/compute.serviceAgent"
 },
 {
 "members": [
+ "serviceAccount:service-396460694993@container-engine-robot.iam.gserviceaccount.com",
 "serviceAccount:service-396460694993@container-engine-robot.iam.gserviceaccount.com"
 ],
 "role": "roles/container.serviceAgent"
 },
 {
 "members": [
- "serviceAccount:396460694993-compute@developer.gserviceaccount.com",
 "serviceAccount:396460694993@cloudservices.gserviceaccount.com",
 "serviceAccount:service-396460694993@containerregistry.iam.gserviceaccount.com",
 "user:justinsb@google.com"
@@ -41,6 +47,7 @@
 },
 {
 "members": [
+ "serviceAccount:396460694993-compute@developer.gserviceaccount.com",
 "user:ameukam@gmail.com",
 "user:cblecker@gmail.com",
 "user:davanum@gmail.com",
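Review bot: `serviceAccount:396460694993-compute@developer.gserviceaccount.com`, the Compute Engine default service account, is removed from the `roles/editor` binding and added to the binding that the following hunk (L116) closes with `"role": "roles/owner"`, so any VM or GKE node that obtains tokens for that default identity with broad scopes becomes an effective project owner. That is a widening the commit does not call out; if the intent was to retire the Terraform identity (its `roles/browser` and `roles/container.clusterAdmin` bindings go here and `roles/storage.admin` and `roles/viewer` at L116), the default SA should stay at most on `roles/editor`, and better, a dedicated service account should carry only the roles the turnup needs. Separately, the `roles/container.serviceAgent` binding now lists `service-396460694993@container-engine-robot.iam.gserviceaccount.com` twice; the IAM API normally returns a member once per binding, so this looks like a hand edit or merge artifact and the dump is worth regenerating before merge.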
@@ -48,20 +55,8 @@
 "user:thockin@google.com"
 ],
 "role": "roles/owner"
- },
- {
- "members": [
- "serviceAccount:terraform@k8s-infra-dev-cluster-turnup.iam.gserviceaccount.com"
- ],
- "role": "roles/storage.admin"
- },
- {
- "members": [
- "serviceAccount:terraform@k8s-infra-dev-cluster-turnup.iam.gserviceaccount.com"
- ],
- "role": "roles/viewer"
 }
 ],
- "etag": "BwWLYvXsn1M=",
+ "etag": "BwWMhhCozj4=",
 "version": 1
 }
diff --git a/audit/k8s-infra-dev-cluster-turnup/services/enabled.json b/audit/k8s-infra-dev-cluster-turnup/services/enabled.json
index f67d288b959..53fae1b3d62 100644
--- a/audit/k8s-infra-dev-cluster-turnup/services/enabled.json
+++ b/audit/k8s-infra-dev-cluster-turnup/services/enabled.json
@@ -71,6 +71,25 @@
 "name": "projects/396460694993/services/cloudapis.googleapis.com",
 "state": "ENABLED"
 },
+ {
+ "config": {
+ "authentication": {},
+ "documentation": {
+ "summary": "Creates and manages builds on Google Cloud Platform."
+ },
+ "name": "cloudbuild.googleapis.com",
+ "quota": {},
+ "title": "Cloud Build API",
+ "usage": {
+ "requirements": [
+ "serviceusage.googleapis.com/tos/cloud",
+ "serviceusage.googleapis.com/billing-enabled"
+ ]
+ }
+ },
+ "name": "projects/396460694993/services/cloudbuild.googleapis.com",
+ "state": "ENABLED"
+ },
 {
 "config": {
 "authentication": {},
@@ -219,24 +238,6 @@ "name": "projects/396460694993/services/datastore.googleapis.com", "state": "ENABLED" }, - { - "config": { - "authentication": {}, - "documentation": { - "summary": "The Google Cloud Deployment Manager V2 API provides services for configuring, deploying, and\nviewing Google Cloud services and APIs via templates which specify deployments of Cloud\nresources." - }, - "name": "deploymentmanager.googleapis.com", - "quota": {}, - "title": "Cloud Deployment Manager V2 API", - "usage": { - "requirements": [ - "serviceusage.googleapis.com/tos/cloud" - ] - } - }, - "name": "projects/396460694993/services/deploymentmanager.googleapis.com", - "state": "ENABLED" - }, { "config": { "authentication": {}, diff --git a/audit/k8s-release-test-prod/buckets/asia.artifacts.k8s-release-test-prod.appspot.com.iam.json b/audit/k8s-release-test-prod/buckets/asia.artifacts.k8s-release-test-prod.appspot.com.iam.json new file mode 100644 index 00000000000..9bdb68c2bb9 --- /dev/null +++ b/audit/k8s-release-test-prod/buckets/asia.artifacts.k8s-release-test-prod.appspot.com.iam.json @@ -0,0 +1,35 @@ +{ + "bindings": [ + { + "members": [ + "group:k8s-infra-artifact-admins@kubernetes.io", + "projectEditor:k8s-release-test-prod", + "projectOwner:k8s-release-test-prod", + "serviceAccount:k8s-infra-gcr-promoter@k8s-release-test-prod.iam.gserviceaccount.com" + ], + "role": "roles/storage.legacyBucketOwner" + }, + { + "members": [ + "group:k8s-infra-staging-release-test@kubernetes.io", + "projectViewer:k8s-release-test-prod" + ], + "role": "roles/storage.legacyBucketReader" + }, + { + "members": [ + "group:k8s-infra-artifact-admins@kubernetes.io", + "group:k8s-infra-staging-release-test@kubernetes.io", + "serviceAccount:k8s-infra-gcr-promoter@k8s-release-test-prod.iam.gserviceaccount.com" + ], + "role": "roles/storage.objectAdmin" + }, + { + "members": [ + "allUsers" + ], + "role": "roles/storage.objectViewer" + } + ], + "etag": "CAo=" +} 
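Review bot: `allUsers` with roles/storage.objectViewer makes every object in this bucket world-readable, and `projectEditor:k8s-release-test-prod` with roles/storage.legacyBucketOwner lets anyone holding roles/editor on the project rewrite the bucket's IAM — which, per the project policy dump further down in this diff, includes the default compute and cloudservices service accounts. Public read is presumably intended for a GCR artifacts bucket, but the audit record should state that explicitly, and the convenience members (`projectEditor:`, `projectOwner:`, `projectViewer:`) are better replaced by the explicit kubernetes.io groups already bound here so control of bucket IAM does not silently follow every project-level editor grant. The eu and us copies of this file in the diff are byte-identical (same blob id 9bdb68c2bb9), so the same observations apply to them.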
diff --git a/audit/k8s-release-test-prod/buckets/asia.artifacts.k8s-release-test-prod.appspot.com.txt b/audit/k8s-release-test-prod/buckets/asia.artifacts.k8s-release-test-prod.appspot.com.txt new file mode 100644 index 00000000000..e69de29bb2d diff --git a/audit/k8s-release-test-prod/buckets/eu.artifacts.k8s-release-test-prod.appspot.com.iam.json b/audit/k8s-release-test-prod/buckets/eu.artifacts.k8s-release-test-prod.appspot.com.iam.json new file mode 100644 index 00000000000..9bdb68c2bb9 --- /dev/null +++ b/audit/k8s-release-test-prod/buckets/eu.artifacts.k8s-release-test-prod.appspot.com.iam.json @@ -0,0 +1,35 @@ +{ + "bindings": [ + { + "members": [ + "group:k8s-infra-artifact-admins@kubernetes.io", + "projectEditor:k8s-release-test-prod", + "projectOwner:k8s-release-test-prod", + "serviceAccount:k8s-infra-gcr-promoter@k8s-release-test-prod.iam.gserviceaccount.com" + ], + "role": "roles/storage.legacyBucketOwner" + }, + { + "members": [ + "group:k8s-infra-staging-release-test@kubernetes.io", + "projectViewer:k8s-release-test-prod" + ], + "role": "roles/storage.legacyBucketReader" + }, + { + "members": [ + "group:k8s-infra-artifact-admins@kubernetes.io", + "group:k8s-infra-staging-release-test@kubernetes.io", + "serviceAccount:k8s-infra-gcr-promoter@k8s-release-test-prod.iam.gserviceaccount.com" + ], + "role": "roles/storage.objectAdmin" + }, + { + "members": [ + "allUsers" + ], + "role": "roles/storage.objectViewer" + } + ], + "etag": "CAo=" +} diff --git a/audit/k8s-release-test-prod/buckets/eu.artifacts.k8s-release-test-prod.appspot.com.txt b/audit/k8s-release-test-prod/buckets/eu.artifacts.k8s-release-test-prod.appspot.com.txt new file mode 100644 index 00000000000..e69de29bb2d diff --git a/audit/k8s-release-test-prod/buckets/us.artifacts.k8s-release-test-prod.appspot.com.iam.json b/audit/k8s-release-test-prod/buckets/us.artifacts.k8s-release-test-prod.appspot.com.iam.json new file mode 100644 index 00000000000..9bdb68c2bb9 --- /dev/null 
+++ b/audit/k8s-release-test-prod/buckets/us.artifacts.k8s-release-test-prod.appspot.com.iam.json @@ -0,0 +1,35 @@ +{ + "bindings": [ + { + "members": [ + "group:k8s-infra-artifact-admins@kubernetes.io", + "projectEditor:k8s-release-test-prod", + "projectOwner:k8s-release-test-prod", + "serviceAccount:k8s-infra-gcr-promoter@k8s-release-test-prod.iam.gserviceaccount.com" + ], + "role": "roles/storage.legacyBucketOwner" + }, + { + "members": [ + "group:k8s-infra-staging-release-test@kubernetes.io", + "projectViewer:k8s-release-test-prod" + ], + "role": "roles/storage.legacyBucketReader" + }, + { + "members": [ + "group:k8s-infra-artifact-admins@kubernetes.io", + "group:k8s-infra-staging-release-test@kubernetes.io", + "serviceAccount:k8s-infra-gcr-promoter@k8s-release-test-prod.iam.gserviceaccount.com" + ], + "role": "roles/storage.objectAdmin" + }, + { + "members": [ + "allUsers" + ], + "role": "roles/storage.objectViewer" + } + ], + "etag": "CAo=" +} diff --git a/audit/k8s-release-test-prod/buckets/us.artifacts.k8s-release-test-prod.appspot.com.txt b/audit/k8s-release-test-prod/buckets/us.artifacts.k8s-release-test-prod.appspot.com.txt new file mode 100644 index 00000000000..a5c5103ebcd --- /dev/null +++ b/audit/k8s-release-test-prod/buckets/us.artifacts.k8s-release-test-prod.appspot.com.txt @@ -0,0 +1,2 @@ +gs://us.artifacts.k8s-release-test-prod.appspot.com/playground/: +gs://us.artifacts.k8s-release-test-prod.appspot.com/playground/test diff --git a/audit/k8s-release-test-prod/policy.json b/audit/k8s-release-test-prod/policy.json new file mode 100644 index 00000000000..d627b6817f9 --- /dev/null +++ b/audit/k8s-release-test-prod/policy.json 
@@ -0,0 +1,39 @@ +{ + "bindings": [ + { + "members": [ + "serviceAccount:service-925892675446@compute-system.iam.gserviceaccount.com" + ], + "role": "roles/compute.serviceAgent" + }, + { + "members": [ + "serviceAccount:service-925892675446@container-analysis.iam.gserviceaccount.com" + ], + "role": "roles/containeranalysis.ServiceAgent" + }, + { + "members": [ + "serviceAccount:925892675446-compute@developer.gserviceaccount.com", + "serviceAccount:925892675446@cloudservices.gserviceaccount.com", + "serviceAccount:service-925892675446@containerregistry.iam.gserviceaccount.com" + ], + "role": "roles/editor" + }, + { + "members": [ + "user:davanum@gmail.com" + ], + "role": "roles/owner" + }, + { + "members": [ + "group:k8s-infra-artifact-admins@kubernetes.io", + "user:Stephen@agst.us" + ], + "role": "roles/viewer" + } + ], + "etag": "BwWNVodlPqs=", + "version": 1 +} diff --git a/audit/k8s-release-test-prod/roles.json b/audit/k8s-release-test-prod/roles.json new file mode 100644 index 00000000000..fe51488c706 --- /dev/null +++ b/audit/k8s-release-test-prod/roles.json @@ -0,0 +1 @@ +[] diff --git a/audit/k8s-release-test-prod/services/clusters.json b/audit/k8s-release-test-prod/services/clusters.json new file mode 100644 index 00000000000..fe51488c706 --- /dev/null +++ b/audit/k8s-release-test-prod/services/clusters.json @@ -0,0 +1 @@ +[] diff --git a/audit/k8s-release-test-prod/services/enabled.json b/audit/k8s-release-test-prod/services/enabled.json new file mode 100644 index 00000000000..47199a2a122 --- /dev/null +++ b/audit/k8s-release-test-prod/services/enabled.json 
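Review bot: The only roles/owner member of this prod project is a single personal account (`user:davanum@gmail.com`), and roles/viewer is granted to an individual non-kubernetes.io identity (`user:Stephen@agst.us`) next to a group. Individual bindings are invisible to group-membership review and leave the project unrecoverable, short of org-level intervention, if that one account is lost or suspended; the bucket policies in this same diff already use kubernetes.io groups, so consider binding an owners group here as well and folding the individual viewer into an existing group. Also worth recording: the default compute service account holds roles/editor here, which is what gives it `projectEditor:` rights on the buckets above.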
@@ -0,0 +1,112 @@ +[ + { + "config": { + "authentication": {}, + "documentation": { + "summary": "Creates and runs virtual machines on Google Cloud Platform.\n" + }, + "name": "compute.googleapis.com", + "quota": {}, + "title": "Compute Engine API", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud", + "serviceusage.googleapis.com/billing-enabled" + ] + } + }, + "name": "projects/925892675446/services/compute.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "An implementation of the Grafeas API, which stores, and enables querying and retrieval of critical metadata about all of your software artifacts." + }, + "name": "containeranalysis.googleapis.com", + "quota": {}, + "title": "Container Analysis API", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud" + ] + } + }, + "name": "projects/925892675446/services/containeranalysis.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "Google Container Registry provides secure, private Docker image storage on Google Cloud Platform. Our API follows the Docker Registry API specification, so we are fully compatible with the Docker CLI client, as well as standard tooling using the Docker Registry API." + }, + "name": "containerregistry.googleapis.com", + "quota": {}, + "title": "Container Registry API", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud", + "serviceusage.googleapis.com/billing-enabled" + ] + } + }, + "name": "projects/925892675446/services/containerregistry.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "Manages OS login configuration for Google account users." 
+ }, + "name": "oslogin.googleapis.com", + "quota": {}, + "title": "Cloud OS Login API", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud" + ] + } + }, + "name": "projects/925892675446/services/oslogin.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "Provides reliable, many-to-many, asynchronous messaging between applications.\n" + }, + "name": "pubsub.googleapis.com", + "quota": {}, + "title": "Cloud Pub/Sub API", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud" + ] + } + }, + "name": "projects/925892675446/services/pubsub.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "Lets you store and retrieve potentially-large, immutable data objects." + }, + "name": "storage-api.googleapis.com", + "quota": {}, + "title": "Google Cloud Storage JSON API", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud" + ] + } + }, + "name": "projects/925892675446/services/storage-api.googleapis.com", + "state": "ENABLED" + } +] diff --git a/audit/k8s-sig-release-prototype/buckets/k8s-sig-release-prototype.iam.json b/audit/k8s-sig-release-prototype/buckets/k8s-sig-release-prototype.iam.json new file mode 100644 index 00000000000..585a6c4b126 --- /dev/null +++ b/audit/k8s-sig-release-prototype/buckets/k8s-sig-release-prototype.iam.json 
@@ -0,0 +1,43 @@ +{ + "bindings": [ + { + "members": [ + "group:k8s-infra-sig-release-prototype@googlegroups.com" + ], + "role": "roles/storage.admin" + }, + { + "members": [ + "projectEditor:k8s-sig-release-prototype", + "projectOwner:k8s-sig-release-prototype" + ], + "role": "roles/storage.legacyBucketOwner" + }, + { + "members": [ + "projectViewer:k8s-sig-release-prototype" + ], + "role": "roles/storage.legacyBucketReader" + }, + { + "members": [ + "projectEditor:k8s-sig-release-prototype", + "projectOwner:k8s-sig-release-prototype" + ], + "role": "roles/storage.legacyObjectOwner" + }, + { + "members": [ + "projectViewer:k8s-sig-release-prototype" + ], + "role": "roles/storage.legacyObjectReader" + }, + { + "members": [ + "allUsers" + ], + "role": "roles/storage.objectViewer" + } + ], + "etag": "CAM=" +} diff --git a/audit/k8s-sig-release-prototype/buckets/k8s-sig-release-prototype.txt b/audit/k8s-sig-release-prototype/buckets/k8s-sig-release-prototype.txt new file mode 100644 index 00000000000..3eeeecc8e9c --- /dev/null +++ b/audit/k8s-sig-release-prototype/buckets/k8s-sig-release-prototype.txt @@ -0,0 +1 @@ +gs://k8s-sig-release-prototype/HELO_world.txt diff --git a/audit/k8s-sig-release-prototype/policy.json b/audit/k8s-sig-release-prototype/policy.json new file mode 100644 index 00000000000..1ce139da97d --- /dev/null +++ b/audit/k8s-sig-release-prototype/policy.json @@ -0,0 +1,25 @@ +{ + "bindings": [ + { + "members": [ + "serviceAccount:service-248671828424@compute-system.iam.gserviceaccount.com" + ], + "role": "roles/compute.serviceAgent" + }, + { + "members": [ + "serviceAccount:248671828424-compute@developer.gserviceaccount.com", + "serviceAccount:248671828424@cloudservices.gserviceaccount.com" + ], + "role": "roles/editor" + }, + { + "members": [ + "user:thockin@google.com" + ], + "role": "roles/owner" + } + ], + "etag": "BwWHdcL3Us4=", + "version": 1 +} 
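Review bot: roles/storage.admin on this bucket is granted to `group:k8s-infra-sig-release-prototype@googlegroups.com`, a googlegroups.com group rather than a kubernetes.io one, so its membership is managed outside the kubernetes.io Google organization and cannot be enumerated by the auditors running this dump. roles/storage.admin carries storage.buckets.setIamPolicy, so whoever administers that external group can add arbitrary principals or widen the already-present `allUsers` objectViewer grant. If this is a deliberate prototype exception it should be recorded in the PR; otherwise migrate the group to kubernetes.io as the other bucket policies in this diff do.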
diff --git a/audit/k8s-sig-release-prototype/roles.json b/audit/k8s-sig-release-prototype/roles.json new file mode 100644 index 00000000000..fe51488c706 --- /dev/null +++ b/audit/k8s-sig-release-prototype/roles.json @@ -0,0 +1 @@ +[] diff --git a/audit/k8s-sig-release-prototype/services/clusters.json b/audit/k8s-sig-release-prototype/services/clusters.json new file mode 100644 index 00000000000..fe51488c706 --- /dev/null +++ b/audit/k8s-sig-release-prototype/services/clusters.json @@ -0,0 +1 @@ +[] diff --git a/audit/k8s-sig-release-prototype/services/enabled.json b/audit/k8s-sig-release-prototype/services/enabled.json new file mode 100644 index 00000000000..c53f35e671f --- /dev/null +++ b/audit/k8s-sig-release-prototype/services/enabled.json 
@@ -0,0 +1,255 @@ +[ + { + "config": { + "authentication": {}, + "documentation": { + "summary": "A data platform for customers to create, manage, share and query data." + }, + "name": "bigquery-json.googleapis.com", + "quota": {}, + "title": "BigQuery API", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud" + ] + } + }, + "name": "projects/248671828424/services/bigquery-json.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "This is a meta service for Google Cloud APIs for convenience. Enabling this service enables all commonly used Google Cloud APIs for the project. By default, it is enabled for all projects created through Google Cloud Console and Google Cloud SDK, and should be manually enabled for all other projects that intend to use Google Cloud APIs. Note: disabling this service has no effect on other services.\n" + }, + "name": "cloudapis.googleapis.com", + "quota": {}, + "title": "Google Cloud APIs", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud" + ] + } + }, + "name": "projects/248671828424/services/cloudapis.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "Examines the call stack and variables of a running application without stopping or slowing it down.\n" + }, + "name": "clouddebugger.googleapis.com", + "quota": {}, + "title": "Stackdriver Debugger API", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud" + ] + } + }, + "name": "projects/248671828424/services/clouddebugger.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "Sends application trace data to Stackdriver Trace for viewing. Trace data is collected for all App Engine applications by default. Trace data from other applications can be provided using this API. 
This library is used to interact with the Trace API directly. If you are looking to instrument your application for Stackdriver Trace, we recommend using OpenCensus.\n" + }, + "name": "cloudtrace.googleapis.com", + "quota": {}, + "title": "Stackdriver Trace API", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud" + ] + } + }, + "name": "projects/248671828424/services/cloudtrace.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "Creates and runs virtual machines on Google Cloud Platform.\n" + }, + "name": "compute.googleapis.com", + "quota": {}, + "title": "Compute Engine API", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud", + "serviceusage.googleapis.com/billing-enabled" + ] + } + }, + "name": "projects/248671828424/services/compute.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "Accesses the schemaless NoSQL database to provide fully managed, robust, scalable storage for your application.\n" + }, + "name": "datastore.googleapis.com", + "quota": {}, + "title": "Cloud Datastore API", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud" + ] + } + }, + "name": "projects/248671828424/services/datastore.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "Writes log entries and manages your Stackdriver Logging configuration.\nThe table entries below are presented in alphabetical order, not in order of common use. For explanations of the concepts found in the table entries, read the [Stackdriver Logging documentation](/logging/docs)." 
+ }, + "name": "logging.googleapis.com", + "quota": {}, + "title": "Stackdriver Logging API", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud" + ] + } + }, + "name": "projects/248671828424/services/logging.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "Manages your Stackdriver Monitoring data and configurations. Most projects must be associated with a Stackdriver account, with a few exceptions as noted on the individual method pages.\nThe table entries below are presented in alphabetical order, not in order of common use. For explanations of the concepts found in the table entries, read the [Stackdriver Monitoring documentation](/monitoring/docs).\n" + }, + "name": "monitoring.googleapis.com", + "quota": {}, + "title": "Stackdriver Monitoring API", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud" + ] + } + }, + "name": "projects/248671828424/services/monitoring.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "Manages OS login configuration for Google account users." + }, + "name": "oslogin.googleapis.com", + "quota": {}, + "title": "Cloud OS Login API", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud" + ] + } + }, + "name": "projects/248671828424/services/oslogin.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "Google Service Management allows service producers to publish their services on Google Cloud Platform so that they can be discovered and used by service consumers." 
+ }, + "name": "servicemanagement.googleapis.com", + "quota": {}, + "title": "Service Management API", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud" + ] + } + }, + "name": "projects/248671828424/services/servicemanagement.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "Enables services that service consumers want to use on Google Cloud Platform, lists the available or enabled services, or disables services that service consumers no longer use." + }, + "name": "serviceusage.googleapis.com", + "quota": {}, + "title": "Service Usage API", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud" + ] + } + }, + "name": "projects/248671828424/services/serviceusage.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "Google Cloud SQL is a hosted and fully managed relational database service\n on Google's infrastructure." + }, + "name": "sql-component.googleapis.com", + "quota": {}, + "title": "Cloud SQL", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud" + ] + } + }, + "name": "projects/248671828424/services/sql-component.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "Lets you store and retrieve potentially-large, immutable data objects." + }, + "name": "storage-api.googleapis.com", + "quota": {}, + "title": "Google Cloud Storage JSON API", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud" + ] + } + }, + "name": "projects/248671828424/services/storage-api.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "Google Cloud Storage is a RESTful service for storing and accessing your data on Google's\n infrastructure." 
+ }, + "name": "storage-component.googleapis.com", + "quota": {}, + "title": "Cloud Storage", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud" + ] + } + }, + "name": "projects/248671828424/services/storage-component.googleapis.com", + "state": "ENABLED" + } +] diff --git a/audit/k8s-staging-build-image/buckets/artifacts.k8s-staging-build-image.appspot.com.iam.json b/audit/k8s-staging-build-image/buckets/artifacts.k8s-staging-build-image.appspot.com.iam.json new file mode 100644 index 00000000000..42a018c081b --- /dev/null +++ b/audit/k8s-staging-build-image/buckets/artifacts.k8s-staging-build-image.appspot.com.iam.json @@ -0,0 +1,33 @@ +{ + "bindings": [ + { + "members": [ + "group:k8s-infra-artifact-admins@kubernetes.io", + "projectEditor:k8s-staging-build-image", + "projectOwner:k8s-staging-build-image" + ], + "role": "roles/storage.legacyBucketOwner" + }, + { + "members": [ + "group:k8s-infra-staging-build-image@kubernetes.io", + "projectViewer:k8s-staging-build-image" + ], + "role": "roles/storage.legacyBucketReader" + }, + { + "members": [ + "group:k8s-infra-artifact-admins@kubernetes.io", + "group:k8s-infra-staging-build-image@kubernetes.io" + ], + "role": "roles/storage.objectAdmin" + }, + { + "members": [ + "allUsers" + ], + "role": "roles/storage.objectViewer" + } + ], + "etag": "CAw=" +} diff --git a/audit/k8s-staging-build-image/buckets/artifacts.k8s-staging-build-image.appspot.com.txt b/audit/k8s-staging-build-image/buckets/artifacts.k8s-staging-build-image.appspot.com.txt new file mode 100644 index 00000000000..b5f779b82b4 --- /dev/null +++ b/audit/k8s-staging-build-image/buckets/artifacts.k8s-staging-build-image.appspot.com.txt 
@@ -0,0 +1,18 @@ +gs://artifacts.k8s-staging-build-image.appspot.com/containers/: + +gs://artifacts.k8s-staging-build-image.appspot.com/containers/images/: +gs://artifacts.k8s-staging-build-image.appspot.com/containers/images/sha256:0658c67655178cba28da2aed0c4e5977e8f1a5ca1ab231c031919b22336dcc0c +gs://artifacts.k8s-staging-build-image.appspot.com/containers/images/sha256:0ec52def2edc1a6f183b1336125c6eea7920f9e5d3b8d3124755157f32b3e60c +gs://artifacts.k8s-staging-build-image.appspot.com/containers/images/sha256:372744b62d49eba993652ee4a1201801fe278b687d85489101e07e7b9a4900e0 +gs://artifacts.k8s-staging-build-image.appspot.com/containers/images/sha256:494c27a8a6b820f9167ec7e368b3a9bb47d7029f4dc8c97c67091f3757a5bc4e +gs://artifacts.k8s-staging-build-image.appspot.com/containers/images/sha256:6f2f362378c5a6fd915d96d11dda1e0223ccf213bf121ace56ae0f6616ea1dc8 +gs://artifacts.k8s-staging-build-image.appspot.com/containers/images/sha256:72ae3d78aa171deba997f470253f202ae8917408c273ff0060b7d41de7d768c5 +gs://artifacts.k8s-staging-build-image.appspot.com/containers/images/sha256:7596bb83081b6c8410df557d538a0ae45922cbf81e469c6f4cfa835247cb24ab +gs://artifacts.k8s-staging-build-image.appspot.com/containers/images/sha256:90e58f5ce63c198f3ea2d8c9c5e826528a3aefce518863b3c1feff2920238057 +gs://artifacts.k8s-staging-build-image.appspot.com/containers/images/sha256:ace81789a93f36f87c674b2895296051c9b07ee8455e6e2472c918908395566a +gs://artifacts.k8s-staging-build-image.appspot.com/containers/images/sha256:c9a1ca7e4a49ca87d355de4e9e1f6b2204c9bb7888ebe2a521f6af5bf2d7bb10 +gs://artifacts.k8s-staging-build-image.appspot.com/containers/images/sha256:e1dd18a2bda90cea2d1231d591b098ce9c3d74c82a4cf5b035b9c9470e81dcb6 +gs://artifacts.k8s-staging-build-image.appspot.com/containers/images/sha256:e2db7748ddfa125f93b88af0d0c964cdcf09c87151d7c27b39c8992c6df6a2a2 
+gs://artifacts.k8s-staging-build-image.appspot.com/containers/images/sha256:ebe2b406c783a1c49f6e699a3e81ed9deaa2c8508cfb4554d5740649452fda93 +gs://artifacts.k8s-staging-build-image.appspot.com/containers/images/sha256:f92a485079b27a34dc45803f91b6ab64713c352edfec0a5be5707ce75cc6ed49 +gs://artifacts.k8s-staging-build-image.appspot.com/containers/images/sha256:fc2529ce2b56e31490e3b720b4c50a5b1ec270be6a3687acb13c988054f44c5b diff --git a/audit/k8s-staging-build-image/buckets/k8s-staging-build-image.iam.json b/audit/k8s-staging-build-image/buckets/k8s-staging-build-image.iam.json new file mode 100644 index 00000000000..73f00eafd9b --- /dev/null +++ b/audit/k8s-staging-build-image/buckets/k8s-staging-build-image.iam.json @@ -0,0 +1,33 @@ +{ + "bindings": [ + { + "members": [ + "group:k8s-infra-artifact-admins@kubernetes.io", + "projectEditor:k8s-staging-build-image", + "projectOwner:k8s-staging-build-image" + ], + "role": "roles/storage.legacyBucketOwner" + }, + { + "members": [ + "group:k8s-infra-staging-build-image@kubernetes.io", + "projectViewer:k8s-staging-build-image" + ], + "role": "roles/storage.legacyBucketReader" + }, + { + "members": [ + "group:k8s-infra-artifact-admins@kubernetes.io", + "group:k8s-infra-staging-build-image@kubernetes.io" + ], + "role": "roles/storage.objectAdmin" + }, + { + "members": [ + "allUsers" + ], + "role": "roles/storage.objectViewer" + } + ], + "etag": "CBU=" +} diff --git a/audit/k8s-staging-build-image/buckets/k8s-staging-build-image.txt b/audit/k8s-staging-build-image/buckets/k8s-staging-build-image.txt new file mode 100644 index 00000000000..e69de29bb2d diff --git a/audit/k8s-staging-build-image/policy.json b/audit/k8s-staging-build-image/policy.json new file mode 100644 index 00000000000..f7caf66b35c --- /dev/null +++ b/audit/k8s-staging-build-image/policy.json 
@@ -0,0 +1,24 @@ +{ + "bindings": [ + { + "members": [ + "serviceAccount:service-960211007710@containerregistry.iam.gserviceaccount.com" + ], + "role": "roles/editor" + }, + { + "members": [ + "user:davanum@gmail.com" + ], + "role": "roles/owner" + }, + { + "members": [ + "group:k8s-infra-artifact-admins@kubernetes.io" + ], + "role": "roles/viewer" + } + ], + "etag": "BwWNVk49Ais=", + "version": 1 +} diff --git a/audit/k8s-staging-build-image/roles.json b/audit/k8s-staging-build-image/roles.json new file mode 100644 index 00000000000..fe51488c706 --- /dev/null +++ b/audit/k8s-staging-build-image/roles.json @@ -0,0 +1 @@ +[] diff --git a/audit/k8s-staging-build-image/services/enabled.json b/audit/k8s-staging-build-image/services/enabled.json new file mode 100644 index 00000000000..5df87801a81 --- /dev/null +++ b/audit/k8s-staging-build-image/services/enabled.json 
@@ -0,0 +1,75 @@ +[ + { + "config": { + "authentication": {}, + "documentation": { + "summary": "Google Container Registry provides secure, private Docker image storage on Google Cloud Platform. Our API follows the Docker Registry API specification, so we are fully compatible with the Docker CLI client, as well as standard tooling using the Docker Registry API." + }, + "name": "containerregistry.googleapis.com", + "quota": {}, + "title": "Container Registry API", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud", + "serviceusage.googleapis.com/billing-enabled" + ] + } + }, + "name": "projects/960211007710/services/containerregistry.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "Provides reliable, many-to-many, asynchronous messaging between applications.\n" + }, + "name": "pubsub.googleapis.com", + "quota": {}, + "title": "Cloud Pub/Sub API", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud" + ] + } + }, + "name": "projects/960211007710/services/pubsub.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "Lets you store and retrieve potentially-large, immutable data objects." + }, + "name": "storage-api.googleapis.com", + "quota": {}, + "title": "Google Cloud Storage JSON API", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud" + ] + } + }, + "name": "projects/960211007710/services/storage-api.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "Google Cloud Storage is a RESTful service for storing and accessing your data on Google's\n infrastructure." 
+ }, + "name": "storage-component.googleapis.com", + "quota": {}, + "title": "Cloud Storage", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud" + ] + } + }, + "name": "projects/960211007710/services/storage-component.googleapis.com", + "state": "ENABLED" + } +] diff --git a/audit/k8s-staging-cip-test/buckets/artifacts.k8s-staging-cip-test.appspot.com.iam.json b/audit/k8s-staging-cip-test/buckets/artifacts.k8s-staging-cip-test.appspot.com.iam.json new file mode 100644 index 00000000000..2665a8f777b --- /dev/null +++ b/audit/k8s-staging-cip-test/buckets/artifacts.k8s-staging-cip-test.appspot.com.iam.json @@ -0,0 +1,33 @@ +{ + "bindings": [ + { + "members": [ + "group:k8s-infra-artifact-admins@kubernetes.io", + "projectEditor:k8s-staging-cip-test", + "projectOwner:k8s-staging-cip-test" + ], + "role": "roles/storage.legacyBucketOwner" + }, + { + "members": [ + "group:k8s-infra-staging-cip-test@kubernetes.io", + "projectViewer:k8s-staging-cip-test" + ], + "role": "roles/storage.legacyBucketReader" + }, + { + "members": [ + "group:k8s-infra-artifact-admins@kubernetes.io", + "group:k8s-infra-staging-cip-test@kubernetes.io" + ], + "role": "roles/storage.objectAdmin" + }, + { + "members": [ + "allUsers" + ], + "role": "roles/storage.objectViewer" + } + ], + "etag": "CBQ=" +} diff --git a/audit/k8s-staging-cip-test/buckets/artifacts.k8s-staging-cip-test.appspot.com.txt b/audit/k8s-staging-cip-test/buckets/artifacts.k8s-staging-cip-test.appspot.com.txt new file mode 100644 index 00000000000..6a295283149 --- /dev/null +++ b/audit/k8s-staging-cip-test/buckets/artifacts.k8s-staging-cip-test.appspot.com.txt 
@@ -0,0 +1,8 @@ +gs://artifacts.k8s-staging-cip-test.appspot.com/containers/: + +gs://artifacts.k8s-staging-cip-test.appspot.com/containers/images/: +gs://artifacts.k8s-staging-cip-test.appspot.com/containers/images/sha256:8155c53ed5ae8d3bde70c4ffb6ec0640e61ccefa008b52f8804a1f6ec53e2659 +gs://artifacts.k8s-staging-cip-test.appspot.com/containers/images/sha256:85cea451eec057fa7e734548ca3ba6d779ed5836a3f9de14b8394575ef0d7d8e +gs://artifacts.k8s-staging-cip-test.appspot.com/containers/images/sha256:c7ef9ed87f94892eadd9b22ad01ca0b433ec44fd58d78e7f0f2b8c283510cf51 +gs://artifacts.k8s-staging-cip-test.appspot.com/containers/images/sha256:f14163d5af2994657006ed328244ff592f2e14f707ade415c6ca5043bbbda484 +gs://artifacts.k8s-staging-cip-test.appspot.com/containers/images/sha256:fad6a0797eaca67680fd6ca22165f1dc2cda1f70a1f84bed725ebcc255992dcc diff --git a/audit/k8s-staging-cip-test/buckets/k8s-staging-cip-test.iam.json b/audit/k8s-staging-cip-test/buckets/k8s-staging-cip-test.iam.json new file mode 100644 index 00000000000..bcfd1152397 --- /dev/null +++ b/audit/k8s-staging-cip-test/buckets/k8s-staging-cip-test.iam.json @@ -0,0 +1,33 @@ +{ + "bindings": [ + { + "members": [ + "group:k8s-infra-artifact-admins@kubernetes.io", + "projectEditor:k8s-staging-cip-test", + "projectOwner:k8s-staging-cip-test" + ], + "role": "roles/storage.legacyBucketOwner" + }, + { + "members": [ + "group:k8s-infra-staging-cip-test@kubernetes.io", + "projectViewer:k8s-staging-cip-test" + ], + "role": "roles/storage.legacyBucketReader" + }, + { + "members": [ + "group:k8s-infra-artifact-admins@kubernetes.io", + "group:k8s-infra-staging-cip-test@kubernetes.io" + ], + "role": "roles/storage.objectAdmin" + }, + { + "members": [ + "allUsers" + ], + "role": "roles/storage.objectViewer" + } + ], + "etag": "CBY=" +} diff --git a/audit/k8s-staging-cip-test/buckets/k8s-staging-cip-test.txt b/audit/k8s-staging-cip-test/buckets/k8s-staging-cip-test.txt new file mode 100644 index 00000000000..e69de29bb2d 
diff --git a/audit/k8s-staging-cip-test/policy.json b/audit/k8s-staging-cip-test/policy.json new file mode 100644 index 00000000000..2995189d317 --- /dev/null +++ b/audit/k8s-staging-cip-test/policy.json @@ -0,0 +1,32 @@ +{ + "bindings": [ + { + "members": [ + "serviceAccount:service-324460563566@compute-system.iam.gserviceaccount.com" + ], + "role": "roles/compute.serviceAgent" + }, + { + "members": [ + "serviceAccount:324460563566-compute@developer.gserviceaccount.com", + "serviceAccount:324460563566@cloudservices.gserviceaccount.com", + "serviceAccount:service-324460563566@containerregistry.iam.gserviceaccount.com" + ], + "role": "roles/editor" + }, + { + "members": [ + "user:thockin@google.com" + ], + "role": "roles/owner" + }, + { + "members": [ + "group:k8s-infra-artifact-admins@kubernetes.io" + ], + "role": "roles/viewer" + } + ], + "etag": "BwWNVk_OZzM=", + "version": 1 +} diff --git a/audit/k8s-staging-cip-test/roles.json b/audit/k8s-staging-cip-test/roles.json new file mode 100644 index 00000000000..fe51488c706 --- /dev/null +++ b/audit/k8s-staging-cip-test/roles.json @@ -0,0 +1 @@ +[] diff --git a/audit/k8s-staging-cip-test/services/clusters.json b/audit/k8s-staging-cip-test/services/clusters.json new file mode 100644 index 00000000000..fe51488c706 --- /dev/null +++ b/audit/k8s-staging-cip-test/services/clusters.json @@ -0,0 +1 @@ +[] diff --git a/audit/k8s-staging-cip-test/services/enabled.json b/audit/k8s-staging-cip-test/services/enabled.json new file mode 100644 index 00000000000..f927206cdc4 --- /dev/null +++ b/audit/k8s-staging-cip-test/services/enabled.json 
@@ -0,0 +1,292 @@ +[ + { + "config": { + "authentication": {}, + "documentation": { + "summary": "A data platform for customers to create, manage, share and query data." + }, + "name": "bigquery-json.googleapis.com", + "quota": {}, + "title": "BigQuery API", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud" + ] + } + }, + "name": "projects/324460563566/services/bigquery-json.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "This is a meta service for Google Cloud APIs for convenience. Enabling this service enables all commonly used Google Cloud APIs for the project. By default, it is enabled for all projects created through Google Cloud Console and Google Cloud SDK, and should be manually enabled for all other projects that intend to use Google Cloud APIs. Note: disabling this service has no effect on other services.\n" + }, + "name": "cloudapis.googleapis.com", + "quota": {}, + "title": "Google Cloud APIs", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud" + ] + } + }, + "name": "projects/324460563566/services/cloudapis.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "Examines the call stack and variables of a running application without stopping or slowing it down.\n" + }, + "name": "clouddebugger.googleapis.com", + "quota": {}, + "title": "Stackdriver Debugger API", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud" + ] + } + }, + "name": "projects/324460563566/services/clouddebugger.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "Sends application trace data to Stackdriver Trace for viewing. Trace data is collected for all App Engine applications by default. Trace data from other applications can be provided using this API. 
This library is used to interact with the Trace API directly. If you are looking to instrument your application for Stackdriver Trace, we recommend using OpenCensus.\n" + }, + "name": "cloudtrace.googleapis.com", + "quota": {}, + "title": "Stackdriver Trace API", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud" + ] + } + }, + "name": "projects/324460563566/services/cloudtrace.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "Creates and runs virtual machines on Google Cloud Platform.\n" + }, + "name": "compute.googleapis.com", + "quota": {}, + "title": "Compute Engine API", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud", + "serviceusage.googleapis.com/billing-enabled" + ] + } + }, + "name": "projects/324460563566/services/compute.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "Google Container Registry provides secure, private Docker image storage on Google Cloud Platform. Our API follows the Docker Registry API specification, so we are fully compatible with the Docker CLI client, as well as standard tooling using the Docker Registry API." 
+ }, + "name": "containerregistry.googleapis.com", + "quota": {}, + "title": "Container Registry API", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud", + "serviceusage.googleapis.com/billing-enabled" + ] + } + }, + "name": "projects/324460563566/services/containerregistry.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "Accesses the schemaless NoSQL database to provide fully managed, robust, scalable storage for your application.\n" + }, + "name": "datastore.googleapis.com", + "quota": {}, + "title": "Cloud Datastore API", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud" + ] + } + }, + "name": "projects/324460563566/services/datastore.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "Writes log entries and manages your Stackdriver Logging configuration.\nThe table entries below are presented in alphabetical order, not in order of common use. For explanations of the concepts found in the table entries, read the [Stackdriver Logging documentation](/logging/docs)." + }, + "name": "logging.googleapis.com", + "quota": {}, + "title": "Stackdriver Logging API", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud" + ] + } + }, + "name": "projects/324460563566/services/logging.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "Manages your Stackdriver Monitoring data and configurations. Most projects must be associated with a Stackdriver account, with a few exceptions as noted on the individual method pages.\nThe table entries below are presented in alphabetical order, not in order of common use. 
For explanations of the concepts found in the table entries, read the [Stackdriver Monitoring documentation](/monitoring/docs).\n" + }, + "name": "monitoring.googleapis.com", + "quota": {}, + "title": "Stackdriver Monitoring API", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud" + ] + } + }, + "name": "projects/324460563566/services/monitoring.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "Manages OS login configuration for Google account users." + }, + "name": "oslogin.googleapis.com", + "quota": {}, + "title": "Cloud OS Login API", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud" + ] + } + }, + "name": "projects/324460563566/services/oslogin.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "Provides reliable, many-to-many, asynchronous messaging between applications.\n" + }, + "name": "pubsub.googleapis.com", + "quota": {}, + "title": "Cloud Pub/Sub API", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud" + ] + } + }, + "name": "projects/324460563566/services/pubsub.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "Google Service Management allows service producers to publish their services on Google Cloud Platform so that they can be discovered and used by service consumers." 
+ }, + "name": "servicemanagement.googleapis.com", + "quota": {}, + "title": "Service Management API", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud" + ] + } + }, + "name": "projects/324460563566/services/servicemanagement.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "Enables services that service consumers want to use on Google Cloud Platform, lists the available or enabled services, or disables services that service consumers no longer use." + }, + "name": "serviceusage.googleapis.com", + "quota": {}, + "title": "Service Usage API", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud" + ] + } + }, + "name": "projects/324460563566/services/serviceusage.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "Google Cloud SQL is a hosted and fully managed relational database service\n on Google's infrastructure." + }, + "name": "sql-component.googleapis.com", + "quota": {}, + "title": "Cloud SQL", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud" + ] + } + }, + "name": "projects/324460563566/services/sql-component.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "Lets you store and retrieve potentially-large, immutable data objects." + }, + "name": "storage-api.googleapis.com", + "quota": {}, + "title": "Google Cloud Storage JSON API", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud" + ] + } + }, + "name": "projects/324460563566/services/storage-api.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "Google Cloud Storage is a RESTful service for storing and accessing your data on Google's\n infrastructure." 
+ }, + "name": "storage-component.googleapis.com", + "quota": {}, + "title": "Cloud Storage", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud" + ] + } + }, + "name": "projects/324460563566/services/storage-component.googleapis.com", + "state": "ENABLED" + } +] diff --git a/audit/k8s-staging-cluster-api-aws/buckets/artifacts.k8s-staging-cluster-api-aws.appspot.com.iam.json b/audit/k8s-staging-cluster-api-aws/buckets/artifacts.k8s-staging-cluster-api-aws.appspot.com.iam.json new file mode 100644 index 00000000000..8b79ead8d27 --- /dev/null +++ b/audit/k8s-staging-cluster-api-aws/buckets/artifacts.k8s-staging-cluster-api-aws.appspot.com.iam.json @@ -0,0 +1,33 @@ +{ + "bindings": [ + { + "members": [ + "group:k8s-infra-artifact-admins@kubernetes.io", + "projectEditor:k8s-staging-cluster-api-aws", + "projectOwner:k8s-staging-cluster-api-aws" + ], + "role": "roles/storage.legacyBucketOwner" + }, + { + "members": [ + "group:k8s-infra-staging-cluster-api-aws@kubernetes.io", + "projectViewer:k8s-staging-cluster-api-aws" + ], + "role": "roles/storage.legacyBucketReader" + }, + { + "members": [ + "group:k8s-infra-artifact-admins@kubernetes.io", + "group:k8s-infra-staging-cluster-api-aws@kubernetes.io" + ], + "role": "roles/storage.objectAdmin" + }, + { + "members": [ + "allUsers" + ], + "role": "roles/storage.objectViewer" + } + ], + "etag": "CAs=" +} diff --git a/audit/k8s-staging-cluster-api-aws/buckets/artifacts.k8s-staging-cluster-api-aws.appspot.com.txt b/audit/k8s-staging-cluster-api-aws/buckets/artifacts.k8s-staging-cluster-api-aws.appspot.com.txt new file mode 100644 index 00000000000..c84be1dab7e --- /dev/null +++ b/audit/k8s-staging-cluster-api-aws/buckets/artifacts.k8s-staging-cluster-api-aws.appspot.com.txt 
@@ -0,0 +1,7 @@ +gs://artifacts.k8s-staging-cluster-api-aws.appspot.com/containers/: + +gs://artifacts.k8s-staging-cluster-api-aws.appspot.com/containers/images/: +gs://artifacts.k8s-staging-cluster-api-aws.appspot.com/containers/images/sha256:06367809424b06ef0c8a4c11083ca3d2a2dd4e5fe9bdb5b3074ba8b52bbd11ea +gs://artifacts.k8s-staging-cluster-api-aws.appspot.com/containers/images/sha256:41d633039bbf795b04c097c6f127e26285d6e9242ae094915f347777dbdcf354 +gs://artifacts.k8s-staging-cluster-api-aws.appspot.com/containers/images/sha256:47419798aef377165f783a954f4bb63f063e50166c4291b592602ab94fb38244 +gs://artifacts.k8s-staging-cluster-api-aws.appspot.com/containers/images/sha256:5f5edd681dcbc3a4a9df93e200e59e1708031e65b2299970eabdc91a78cc8234 diff --git a/audit/k8s-staging-cluster-api-aws/buckets/k8s-staging-cluster-api-aws.iam.json b/audit/k8s-staging-cluster-api-aws/buckets/k8s-staging-cluster-api-aws.iam.json new file mode 100644 index 00000000000..9bbaaeab256 --- /dev/null +++ b/audit/k8s-staging-cluster-api-aws/buckets/k8s-staging-cluster-api-aws.iam.json @@ -0,0 +1,33 @@ +{ + "bindings": [ + { + "members": [ + "group:k8s-infra-artifact-admins@kubernetes.io", + "projectEditor:k8s-staging-cluster-api-aws", + "projectOwner:k8s-staging-cluster-api-aws" + ], + "role": "roles/storage.legacyBucketOwner" + }, + { + "members": [ + "group:k8s-infra-staging-cluster-api-aws@kubernetes.io", + "projectViewer:k8s-staging-cluster-api-aws" + ], + "role": "roles/storage.legacyBucketReader" + }, + { + "members": [ + "group:k8s-infra-artifact-admins@kubernetes.io", + "group:k8s-infra-staging-cluster-api-aws@kubernetes.io" + ], + "role": "roles/storage.objectAdmin" + }, + { + "members": [ + "allUsers" + ], + "role": "roles/storage.objectViewer" + } + ], + "etag": "CBQ=" +} diff --git a/audit/k8s-staging-cluster-api-aws/buckets/k8s-staging-cluster-api-aws.txt b/audit/k8s-staging-cluster-api-aws/buckets/k8s-staging-cluster-api-aws.txt new file mode 100644 index 00000000000..e69de29bb2d 
diff --git a/audit/k8s-staging-cluster-api-aws/policy.json b/audit/k8s-staging-cluster-api-aws/policy.json new file mode 100644 index 00000000000..77ce40e3a2b --- /dev/null +++ b/audit/k8s-staging-cluster-api-aws/policy.json @@ -0,0 +1,24 @@ +{ + "bindings": [ + { + "members": [ + "serviceAccount:service-433651898792@containerregistry.iam.gserviceaccount.com" + ], + "role": "roles/editor" + }, + { + "members": [ + "user:davanum@gmail.com" + ], + "role": "roles/owner" + }, + { + "members": [ + "group:k8s-infra-artifact-admins@kubernetes.io" + ], + "role": "roles/viewer" + } + ], + "etag": "BwWNVlLn3o0=", + "version": 1 +} diff --git a/audit/k8s-staging-cluster-api-aws/roles.json b/audit/k8s-staging-cluster-api-aws/roles.json new file mode 100644 index 00000000000..fe51488c706 --- /dev/null +++ b/audit/k8s-staging-cluster-api-aws/roles.json @@ -0,0 +1 @@ +[] diff --git a/audit/k8s-staging-cluster-api-aws/services/enabled.json b/audit/k8s-staging-cluster-api-aws/services/enabled.json new file mode 100644 index 00000000000..e7466de6ac8 --- /dev/null +++ b/audit/k8s-staging-cluster-api-aws/services/enabled.json 
@@ -0,0 +1,75 @@ +[ + { + "config": { + "authentication": {}, + "documentation": { + "summary": "Google Container Registry provides secure, private Docker image storage on Google Cloud Platform. Our API follows the Docker Registry API specification, so we are fully compatible with the Docker CLI client, as well as standard tooling using the Docker Registry API." + }, + "name": "containerregistry.googleapis.com", + "quota": {}, + "title": "Container Registry API", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud", + "serviceusage.googleapis.com/billing-enabled" + ] + } + }, + "name": "projects/433651898792/services/containerregistry.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "Provides reliable, many-to-many, asynchronous messaging between applications.\n" + }, + "name": "pubsub.googleapis.com", + "quota": {}, + "title": "Cloud Pub/Sub API", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud" + ] + } + }, + "name": "projects/433651898792/services/pubsub.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "Lets you store and retrieve potentially-large, immutable data objects." + }, + "name": "storage-api.googleapis.com", + "quota": {}, + "title": "Google Cloud Storage JSON API", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud" + ] + } + }, + "name": "projects/433651898792/services/storage-api.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "Google Cloud Storage is a RESTful service for storing and accessing your data on Google's\n infrastructure." 
+ }, + "name": "storage-component.googleapis.com", + "quota": {}, + "title": "Cloud Storage", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud" + ] + } + }, + "name": "projects/433651898792/services/storage-component.googleapis.com", + "state": "ENABLED" + } +] diff --git a/audit/k8s-staging-cluster-api/buckets/artifacts.k8s-staging-cluster-api.appspot.com.iam.json b/audit/k8s-staging-cluster-api/buckets/artifacts.k8s-staging-cluster-api.appspot.com.iam.json new file mode 100644 index 00000000000..8ae65befc9a --- /dev/null +++ b/audit/k8s-staging-cluster-api/buckets/artifacts.k8s-staging-cluster-api.appspot.com.iam.json @@ -0,0 +1,33 @@ +{ + "bindings": [ + { + "members": [ + "group:k8s-infra-artifact-admins@kubernetes.io", + "projectEditor:k8s-staging-cluster-api", + "projectOwner:k8s-staging-cluster-api" + ], + "role": "roles/storage.legacyBucketOwner" + }, + { + "members": [ + "group:k8s-infra-staging-cluster-api@kubernetes.io", + "projectViewer:k8s-staging-cluster-api" + ], + "role": "roles/storage.legacyBucketReader" + }, + { + "members": [ + "group:k8s-infra-artifact-admins@kubernetes.io", + "group:k8s-infra-staging-cluster-api@kubernetes.io" + ], + "role": "roles/storage.objectAdmin" + }, + { + "members": [ + "allUsers" + ], + "role": "roles/storage.objectViewer" + } + ], + "etag": "CBM=" +} diff --git a/audit/k8s-staging-cluster-api/buckets/artifacts.k8s-staging-cluster-api.appspot.com.txt b/audit/k8s-staging-cluster-api/buckets/artifacts.k8s-staging-cluster-api.appspot.com.txt new file mode 100644 index 00000000000..7acf3fd9239 --- /dev/null +++ b/audit/k8s-staging-cluster-api/buckets/artifacts.k8s-staging-cluster-api.appspot.com.txt 
@@ -0,0 +1,9 @@ +gs://artifacts.k8s-staging-cluster-api.appspot.com/containers/: + +gs://artifacts.k8s-staging-cluster-api.appspot.com/containers/images/: +gs://artifacts.k8s-staging-cluster-api.appspot.com/containers/images/sha256:1327a37c23a10f78f052dce7627f37f391f3823480207f4eb8ea825de5b40635 +gs://artifacts.k8s-staging-cluster-api.appspot.com/containers/images/sha256:1558143043601a425aa864511da238799b57fcf7d062d47044f6ddd0e04fe99a +gs://artifacts.k8s-staging-cluster-api.appspot.com/containers/images/sha256:269521def953f8e22145983d8496b281bc1ecc258c07b45ef253af7d79b98216 +gs://artifacts.k8s-staging-cluster-api.appspot.com/containers/images/sha256:4eeed99bc155eead8af4df58716cbaec330024b9382fc02e536fe48fda3feb02 +gs://artifacts.k8s-staging-cluster-api.appspot.com/containers/images/sha256:539d8cf2979903a23fb58dfb0f896a0fa6e7563d7a553db0854da7bb61e6eed9 +gs://artifacts.k8s-staging-cluster-api.appspot.com/containers/images/sha256:a1f6935156b3112da678af6308418e05b2f4c99cf94581a83483b3bd555e37f5 diff --git a/audit/k8s-staging-cluster-api/buckets/k8s-staging-cluster-api.iam.json b/audit/k8s-staging-cluster-api/buckets/k8s-staging-cluster-api.iam.json new file mode 100644 index 00000000000..4218480f648 --- /dev/null +++ b/audit/k8s-staging-cluster-api/buckets/k8s-staging-cluster-api.iam.json @@ -0,0 +1,33 @@ +{ + "bindings": [ + { + "members": [ + "group:k8s-infra-artifact-admins@kubernetes.io", + "projectEditor:k8s-staging-cluster-api", + "projectOwner:k8s-staging-cluster-api" + ], + "role": "roles/storage.legacyBucketOwner" + }, + { + "members": [ + "group:k8s-infra-staging-cluster-api@kubernetes.io", + "projectViewer:k8s-staging-cluster-api" + ], + "role": "roles/storage.legacyBucketReader" + }, + { + "members": [ + "group:k8s-infra-artifact-admins@kubernetes.io", + "group:k8s-infra-staging-cluster-api@kubernetes.io" + ], + "role": "roles/storage.objectAdmin" + }, + { + "members": [ + "allUsers" + ], + "role": "roles/storage.objectViewer" + } + ], + "etag": "CBY=" +} 
diff --git a/audit/k8s-staging-cluster-api/buckets/k8s-staging-cluster-api.txt b/audit/k8s-staging-cluster-api/buckets/k8s-staging-cluster-api.txt new file mode 100644 index 00000000000..e69de29bb2d diff --git a/audit/k8s-staging-cluster-api/policy.json b/audit/k8s-staging-cluster-api/policy.json new file mode 100644 index 00000000000..3bbab5319e9 --- /dev/null +++ b/audit/k8s-staging-cluster-api/policy.json @@ -0,0 +1,32 @@ +{ + "bindings": [ + { + "members": [ + "serviceAccount:service-190130481896@compute-system.iam.gserviceaccount.com" + ], + "role": "roles/compute.serviceAgent" + }, + { + "members": [ + "serviceAccount:190130481896-compute@developer.gserviceaccount.com", + "serviceAccount:190130481896@cloudservices.gserviceaccount.com", + "serviceAccount:service-190130481896@containerregistry.iam.gserviceaccount.com" + ], + "role": "roles/editor" + }, + { + "members": [ + "user:thockin@google.com" + ], + "role": "roles/owner" + }, + { + "members": [ + "group:k8s-infra-artifact-admins@kubernetes.io" + ], + "role": "roles/viewer" + } + ], + "etag": "BwWNVlFZxzY=", + "version": 1 +} diff --git a/audit/k8s-staging-cluster-api/roles.json b/audit/k8s-staging-cluster-api/roles.json new file mode 100644 index 00000000000..fe51488c706 --- /dev/null +++ b/audit/k8s-staging-cluster-api/roles.json @@ -0,0 +1 @@ +[] diff --git a/audit/k8s-staging-cluster-api/services/clusters.json b/audit/k8s-staging-cluster-api/services/clusters.json new file mode 100644 index 00000000000..fe51488c706 --- /dev/null +++ b/audit/k8s-staging-cluster-api/services/clusters.json @@ -0,0 +1 @@ +[] diff --git a/audit/k8s-staging-cluster-api/services/enabled.json b/audit/k8s-staging-cluster-api/services/enabled.json new file mode 100644 index 00000000000..5e646aab633 --- /dev/null +++ b/audit/k8s-staging-cluster-api/services/enabled.json 
@@ -0,0 +1,292 @@ +[ + { + "config": { + "authentication": {}, + "documentation": { + "summary": "A data platform for customers to create, manage, share and query data." + }, + "name": "bigquery-json.googleapis.com", + "quota": {}, + "title": "BigQuery API", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud" + ] + } + }, + "name": "projects/190130481896/services/bigquery-json.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "This is a meta service for Google Cloud APIs for convenience. Enabling this service enables all commonly used Google Cloud APIs for the project. By default, it is enabled for all projects created through Google Cloud Console and Google Cloud SDK, and should be manually enabled for all other projects that intend to use Google Cloud APIs. Note: disabling this service has no effect on other services.\n" + }, + "name": "cloudapis.googleapis.com", + "quota": {}, + "title": "Google Cloud APIs", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud" + ] + } + }, + "name": "projects/190130481896/services/cloudapis.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "Examines the call stack and variables of a running application without stopping or slowing it down.\n" + }, + "name": "clouddebugger.googleapis.com", + "quota": {}, + "title": "Stackdriver Debugger API", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud" + ] + } + }, + "name": "projects/190130481896/services/clouddebugger.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "Sends application trace data to Stackdriver Trace for viewing. Trace data is collected for all App Engine applications by default. Trace data from other applications can be provided using this API. 
This library is used to interact with the Trace API directly. If you are looking to instrument your application for Stackdriver Trace, we recommend using OpenCensus.\n" + }, + "name": "cloudtrace.googleapis.com", + "quota": {}, + "title": "Stackdriver Trace API", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud" + ] + } + }, + "name": "projects/190130481896/services/cloudtrace.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "Creates and runs virtual machines on Google Cloud Platform.\n" + }, + "name": "compute.googleapis.com", + "quota": {}, + "title": "Compute Engine API", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud", + "serviceusage.googleapis.com/billing-enabled" + ] + } + }, + "name": "projects/190130481896/services/compute.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "Google Container Registry provides secure, private Docker image storage on Google Cloud Platform. Our API follows the Docker Registry API specification, so we are fully compatible with the Docker CLI client, as well as standard tooling using the Docker Registry API." 
+ }, + "name": "containerregistry.googleapis.com", + "quota": {}, + "title": "Container Registry API", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud", + "serviceusage.googleapis.com/billing-enabled" + ] + } + }, + "name": "projects/190130481896/services/containerregistry.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "Accesses the schemaless NoSQL database to provide fully managed, robust, scalable storage for your application.\n" + }, + "name": "datastore.googleapis.com", + "quota": {}, + "title": "Cloud Datastore API", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud" + ] + } + }, + "name": "projects/190130481896/services/datastore.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "Writes log entries and manages your Stackdriver Logging configuration.\nThe table entries below are presented in alphabetical order, not in order of common use. For explanations of the concepts found in the table entries, read the [Stackdriver Logging documentation](/logging/docs)." + }, + "name": "logging.googleapis.com", + "quota": {}, + "title": "Stackdriver Logging API", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud" + ] + } + }, + "name": "projects/190130481896/services/logging.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "Manages your Stackdriver Monitoring data and configurations. Most projects must be associated with a Stackdriver account, with a few exceptions as noted on the individual method pages.\nThe table entries below are presented in alphabetical order, not in order of common use. 
For explanations of the concepts found in the table entries, read the [Stackdriver Monitoring documentation](/monitoring/docs).\n" + }, + "name": "monitoring.googleapis.com", + "quota": {}, + "title": "Stackdriver Monitoring API", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud" + ] + } + }, + "name": "projects/190130481896/services/monitoring.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "Manages OS login configuration for Google account users." + }, + "name": "oslogin.googleapis.com", + "quota": {}, + "title": "Cloud OS Login API", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud" + ] + } + }, + "name": "projects/190130481896/services/oslogin.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "Provides reliable, many-to-many, asynchronous messaging between applications.\n" + }, + "name": "pubsub.googleapis.com", + "quota": {}, + "title": "Cloud Pub/Sub API", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud" + ] + } + }, + "name": "projects/190130481896/services/pubsub.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "Google Service Management allows service producers to publish their services on Google Cloud Platform so that they can be discovered and used by service consumers." 
+ }, + "name": "servicemanagement.googleapis.com", + "quota": {}, + "title": "Service Management API", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud" + ] + } + }, + "name": "projects/190130481896/services/servicemanagement.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "Enables services that service consumers want to use on Google Cloud Platform, lists the available or enabled services, or disables services that service consumers no longer use." + }, + "name": "serviceusage.googleapis.com", + "quota": {}, + "title": "Service Usage API", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud" + ] + } + }, + "name": "projects/190130481896/services/serviceusage.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "Google Cloud SQL is a hosted and fully managed relational database service\n on Google's infrastructure." + }, + "name": "sql-component.googleapis.com", + "quota": {}, + "title": "Cloud SQL", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud" + ] + } + }, + "name": "projects/190130481896/services/sql-component.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "Lets you store and retrieve potentially-large, immutable data objects." + }, + "name": "storage-api.googleapis.com", + "quota": {}, + "title": "Google Cloud Storage JSON API", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud" + ] + } + }, + "name": "projects/190130481896/services/storage-api.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "Google Cloud Storage is a RESTful service for storing and accessing your data on Google's\n infrastructure." 
+ }, + "name": "storage-component.googleapis.com", + "quota": {}, + "title": "Cloud Storage", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud" + ] + } + }, + "name": "projects/190130481896/services/storage-component.googleapis.com", + "state": "ENABLED" + } +] diff --git a/audit/k8s-staging-coredns/buckets/artifacts.k8s-staging-coredns.appspot.com.iam.json b/audit/k8s-staging-coredns/buckets/artifacts.k8s-staging-coredns.appspot.com.iam.json new file mode 100644 index 00000000000..4598c793e6d --- /dev/null +++ b/audit/k8s-staging-coredns/buckets/artifacts.k8s-staging-coredns.appspot.com.iam.json @@ -0,0 +1,33 @@ +{ + "bindings": [ + { + "members": [ + "group:k8s-infra-artifact-admins@kubernetes.io", + "projectEditor:k8s-staging-coredns", + "projectOwner:k8s-staging-coredns" + ], + "role": "roles/storage.legacyBucketOwner" + }, + { + "members": [ + "group:k8s-infra-staging-coredns@kubernetes.io", + "projectViewer:k8s-staging-coredns" + ], + "role": "roles/storage.legacyBucketReader" + }, + { + "members": [ + "group:k8s-infra-artifact-admins@kubernetes.io", + "group:k8s-infra-staging-coredns@kubernetes.io" + ], + "role": "roles/storage.objectAdmin" + }, + { + "members": [ + "allUsers" + ], + "role": "roles/storage.objectViewer" + } + ], + "etag": "CBQ=" +} diff --git a/audit/k8s-staging-coredns/buckets/artifacts.k8s-staging-coredns.appspot.com.txt b/audit/k8s-staging-coredns/buckets/artifacts.k8s-staging-coredns.appspot.com.txt new file mode 100644 index 00000000000..e69de29bb2d diff --git a/audit/k8s-staging-coredns/buckets/k8s-staging-coredns.iam.json b/audit/k8s-staging-coredns/buckets/k8s-staging-coredns.iam.json new file mode 100644 index 00000000000..8ba06d00e64 --- /dev/null +++ b/audit/k8s-staging-coredns/buckets/k8s-staging-coredns.iam.json 
@@ -0,0 +1,33 @@ +{ + "bindings": [ + { + "members": [ + "group:k8s-infra-artifact-admins@kubernetes.io", + "projectEditor:k8s-staging-coredns", + "projectOwner:k8s-staging-coredns" + ], + "role": "roles/storage.legacyBucketOwner" + }, + { + "members": [ + "group:k8s-infra-staging-coredns@kubernetes.io", + "projectViewer:k8s-staging-coredns" + ], + "role": "roles/storage.legacyBucketReader" + }, + { + "members": [ + "group:k8s-infra-artifact-admins@kubernetes.io", + "group:k8s-infra-staging-coredns@kubernetes.io" + ], + "role": "roles/storage.objectAdmin" + }, + { + "members": [ + "allUsers" + ], + "role": "roles/storage.objectViewer" + } + ], + "etag": "CB4=" +} diff --git a/audit/k8s-staging-coredns/buckets/k8s-staging-coredns.txt b/audit/k8s-staging-coredns/buckets/k8s-staging-coredns.txt new file mode 100644 index 00000000000..e69de29bb2d diff --git a/audit/k8s-staging-coredns/policy.json b/audit/k8s-staging-coredns/policy.json new file mode 100644 index 00000000000..77d1b270f06 --- /dev/null +++ b/audit/k8s-staging-coredns/policy.json 
@@ -0,0 +1,44 @@ +{ + "bindings": [ + { + "members": [ + "serviceAccount:service-848617618266@compute-system.iam.gserviceaccount.com" + ], + "role": "roles/compute.serviceAgent" + }, + { + "members": [ + "serviceAccount:service-848617618266@container-analysis.iam.gserviceaccount.com" + ], + "role": "roles/containeranalysis.ServiceAgent" + }, + { + "members": [ + "serviceAccount:service-848617618266@gcp-sa-containerscanning.iam.gserviceaccount.com" + ], + "role": "roles/containerscanning.ServiceAgent" + }, + { + "members": [ + "serviceAccount:848617618266-compute@developer.gserviceaccount.com", + "serviceAccount:848617618266@cloudservices.gserviceaccount.com", + "serviceAccount:service-848617618266@containerregistry.iam.gserviceaccount.com" + ], + "role": "roles/editor" + }, + { + "members": [ + "user:thockin@google.com" + ], + "role": "roles/owner" + }, + { + "members": [ + "group:k8s-infra-artifact-admins@kubernetes.io" + ], + "role": "roles/viewer" + } + ], + "etag": "BwWNVlR0lzY=", + "version": 1 +} diff --git a/audit/k8s-staging-coredns/roles.json b/audit/k8s-staging-coredns/roles.json new file mode 100644 index 00000000000..fe51488c706 --- /dev/null +++ b/audit/k8s-staging-coredns/roles.json @@ -0,0 +1 @@ +[] diff --git a/audit/k8s-staging-coredns/services/clusters.json b/audit/k8s-staging-coredns/services/clusters.json new file mode 100644 index 00000000000..fe51488c706 --- /dev/null +++ b/audit/k8s-staging-coredns/services/clusters.json @@ -0,0 +1 @@ +[] diff --git a/audit/k8s-staging-coredns/services/enabled.json b/audit/k8s-staging-coredns/services/enabled.json new file mode 100644 index 00000000000..7a8e93d67a9 --- /dev/null +++ b/audit/k8s-staging-coredns/services/enabled.json 
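Review bot: The project policy binds `roles/owner` to a single individual, `"user:thockin@google.com"`, with no group-backed owner binding, so the dump records no successor or break-glass path if that one account is unavailable; the k8s-staging-csi and k8s-staging-kops policy.json hunks further down show the same pattern. These files are generated by audit.sh and should not be hand-edited, but an audit PR is the place to record the finding, so I would expect the PR to note it and, ideally, ownership to move to a group in the same way `roles/viewer` here already uses `"group:k8s-infra-artifact-admins@kubernetes.io"`. Separately, the bucket IAM hunks in this commit grant `"allUsers"` `roles/storage.objectViewer`, which is presumably intentional for public artifact buckets but is worth listing explicitly as an accepted exposure in the audit notes so later diffs can be judged against it.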
@@ -0,0 +1,328 @@ +[ + { + "config": { + "authentication": {}, + "documentation": { + "summary": "A data platform for customers to create, manage, share and query data." + }, + "name": "bigquery-json.googleapis.com", + "quota": {}, + "title": "BigQuery API", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud" + ] + } + }, + "name": "projects/848617618266/services/bigquery-json.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "This is a meta service for Google Cloud APIs for convenience. Enabling this service enables all commonly used Google Cloud APIs for the project. By default, it is enabled for all projects created through Google Cloud Console and Google Cloud SDK, and should be manually enabled for all other projects that intend to use Google Cloud APIs. Note: disabling this service has no effect on other services.\n" + }, + "name": "cloudapis.googleapis.com", + "quota": {}, + "title": "Google Cloud APIs", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud" + ] + } + }, + "name": "projects/848617618266/services/cloudapis.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "Examines the call stack and variables of a running application without stopping or slowing it down.\n" + }, + "name": "clouddebugger.googleapis.com", + "quota": {}, + "title": "Stackdriver Debugger API", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud" + ] + } + }, + "name": "projects/848617618266/services/clouddebugger.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "Sends application trace data to Stackdriver Trace for viewing. Trace data is collected for all App Engine applications by default. Trace data from other applications can be provided using this API. 
This library is used to interact with the Trace API directly. If you are looking to instrument your application for Stackdriver Trace, we recommend using OpenCensus.\n" + }, + "name": "cloudtrace.googleapis.com", + "quota": {}, + "title": "Stackdriver Trace API", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud" + ] + } + }, + "name": "projects/848617618266/services/cloudtrace.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "Creates and runs virtual machines on Google Cloud Platform.\n" + }, + "name": "compute.googleapis.com", + "quota": {}, + "title": "Compute Engine API", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud", + "serviceusage.googleapis.com/billing-enabled" + ] + } + }, + "name": "projects/848617618266/services/compute.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "An implementation of the Grafeas API, which stores, and enables querying and retrieval of critical metadata about all of your software artifacts." + }, + "name": "containeranalysis.googleapis.com", + "quota": {}, + "title": "Container Analysis API", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud" + ] + } + }, + "name": "projects/848617618266/services/containeranalysis.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "Google Container Registry provides secure, private Docker image storage on Google Cloud Platform. Our API follows the Docker Registry API specification, so we are fully compatible with the Docker CLI client, as well as standard tooling using the Docker Registry API." 
+ }, + "name": "containerregistry.googleapis.com", + "quota": {}, + "title": "Container Registry API", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud", + "serviceusage.googleapis.com/billing-enabled" + ] + } + }, + "name": "projects/848617618266/services/containerregistry.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "A service to scan containers for vulnerabilities." + }, + "name": "containerscanning.googleapis.com", + "quota": {}, + "title": "Container Scanning API", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud" + ] + } + }, + "name": "projects/848617618266/services/containerscanning.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "Accesses the schemaless NoSQL database to provide fully managed, robust, scalable storage for your application.\n" + }, + "name": "datastore.googleapis.com", + "quota": {}, + "title": "Cloud Datastore API", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud" + ] + } + }, + "name": "projects/848617618266/services/datastore.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "Writes log entries and manages your Stackdriver Logging configuration.\nThe table entries below are presented in alphabetical order, not in order of common use. For explanations of the concepts found in the table entries, read the [Stackdriver Logging documentation](/logging/docs)." 
+ }, + "name": "logging.googleapis.com", + "quota": {}, + "title": "Stackdriver Logging API", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud" + ] + } + }, + "name": "projects/848617618266/services/logging.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "Manages your Stackdriver Monitoring data and configurations. Most projects must be associated with a Stackdriver account, with a few exceptions as noted on the individual method pages.\nThe table entries below are presented in alphabetical order, not in order of common use. For explanations of the concepts found in the table entries, read the [Stackdriver Monitoring documentation](/monitoring/docs).\n" + }, + "name": "monitoring.googleapis.com", + "quota": {}, + "title": "Stackdriver Monitoring API", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud" + ] + } + }, + "name": "projects/848617618266/services/monitoring.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "Manages OS login configuration for Google account users." 
+ }, + "name": "oslogin.googleapis.com", + "quota": {}, + "title": "Cloud OS Login API", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud" + ] + } + }, + "name": "projects/848617618266/services/oslogin.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "Provides reliable, many-to-many, asynchronous messaging between applications.\n" + }, + "name": "pubsub.googleapis.com", + "quota": {}, + "title": "Cloud Pub/Sub API", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud" + ] + } + }, + "name": "projects/848617618266/services/pubsub.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "Google Service Management allows service producers to publish their services on Google Cloud Platform so that they can be discovered and used by service consumers." + }, + "name": "servicemanagement.googleapis.com", + "quota": {}, + "title": "Service Management API", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud" + ] + } + }, + "name": "projects/848617618266/services/servicemanagement.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "Enables services that service consumers want to use on Google Cloud Platform, lists the available or enabled services, or disables services that service consumers no longer use." + }, + "name": "serviceusage.googleapis.com", + "quota": {}, + "title": "Service Usage API", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud" + ] + } + }, + "name": "projects/848617618266/services/serviceusage.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "Google Cloud SQL is a hosted and fully managed relational database service\n on Google's infrastructure." 
+ }, + "name": "sql-component.googleapis.com", + "quota": {}, + "title": "Cloud SQL", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud" + ] + } + }, + "name": "projects/848617618266/services/sql-component.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "Lets you store and retrieve potentially-large, immutable data objects." + }, + "name": "storage-api.googleapis.com", + "quota": {}, + "title": "Google Cloud Storage JSON API", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud" + ] + } + }, + "name": "projects/848617618266/services/storage-api.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "Google Cloud Storage is a RESTful service for storing and accessing your data on Google's\n infrastructure." + }, + "name": "storage-component.googleapis.com", + "quota": {}, + "title": "Cloud Storage", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud" + ] + } + }, + "name": "projects/848617618266/services/storage-component.googleapis.com", + "state": "ENABLED" + } +] diff --git a/audit/k8s-staging-csi/buckets/artifacts.k8s-staging-csi.appspot.com.iam.json b/audit/k8s-staging-csi/buckets/artifacts.k8s-staging-csi.appspot.com.iam.json new file mode 100644 index 00000000000..7776ad3f8c5 --- /dev/null +++ b/audit/k8s-staging-csi/buckets/artifacts.k8s-staging-csi.appspot.com.iam.json 
@@ -0,0 +1,33 @@ +{ + "bindings": [ + { + "members": [ + "group:k8s-infra-artifact-admins@kubernetes.io", + "projectEditor:k8s-staging-csi", + "projectOwner:k8s-staging-csi" + ], + "role": "roles/storage.legacyBucketOwner" + }, + { + "members": [ + "group:k8s-infra-staging-csi@kubernetes.io", + "projectViewer:k8s-staging-csi" + ], + "role": "roles/storage.legacyBucketReader" + }, + { + "members": [ + "group:k8s-infra-artifact-admins@kubernetes.io", + "group:k8s-infra-staging-csi@kubernetes.io" + ], + "role": "roles/storage.objectAdmin" + }, + { + "members": [ + "allUsers" + ], + "role": "roles/storage.objectViewer" + } + ], + "etag": "CBQ=" +} diff --git a/audit/k8s-staging-csi/buckets/artifacts.k8s-staging-csi.appspot.com.txt b/audit/k8s-staging-csi/buckets/artifacts.k8s-staging-csi.appspot.com.txt new file mode 100644 index 00000000000..ef609d3a8f0 --- /dev/null +++ b/audit/k8s-staging-csi/buckets/artifacts.k8s-staging-csi.appspot.com.txt @@ -0,0 +1,4 @@ +gs://artifacts.k8s-staging-csi.appspot.com/containers/: + +gs://artifacts.k8s-staging-csi.appspot.com/containers/images/: +gs://artifacts.k8s-staging-csi.appspot.com/containers/images/sha256:e0daa8927b685f8ec4098c03aca23a7ef5cc6fab18cd8ca3e0a1d5c211cba474 diff --git a/audit/k8s-staging-csi/buckets/k8s-staging-csi.iam.json b/audit/k8s-staging-csi/buckets/k8s-staging-csi.iam.json new file mode 100644 index 00000000000..47ff35747b1 --- /dev/null +++ b/audit/k8s-staging-csi/buckets/k8s-staging-csi.iam.json 
@@ -0,0 +1,33 @@ +{ + "bindings": [ + { + "members": [ + "group:k8s-infra-artifact-admins@kubernetes.io", + "projectEditor:k8s-staging-csi", + "projectOwner:k8s-staging-csi" + ], + "role": "roles/storage.legacyBucketOwner" + }, + { + "members": [ + "group:k8s-infra-staging-csi@kubernetes.io", + "projectViewer:k8s-staging-csi" + ], + "role": "roles/storage.legacyBucketReader" + }, + { + "members": [ + "group:k8s-infra-artifact-admins@kubernetes.io", + "group:k8s-infra-staging-csi@kubernetes.io" + ], + "role": "roles/storage.objectAdmin" + }, + { + "members": [ + "allUsers" + ], + "role": "roles/storage.objectViewer" + } + ], + "etag": "CBk=" +} diff --git a/audit/k8s-staging-csi/buckets/k8s-staging-csi.txt b/audit/k8s-staging-csi/buckets/k8s-staging-csi.txt new file mode 100644 index 00000000000..e69de29bb2d diff --git a/audit/k8s-staging-csi/policy.json b/audit/k8s-staging-csi/policy.json new file mode 100644 index 00000000000..b4e150c059f --- /dev/null +++ b/audit/k8s-staging-csi/policy.json @@ -0,0 +1,32 @@ +{ + "bindings": [ + { + "members": [ + "serviceAccount:service-874328413592@compute-system.iam.gserviceaccount.com" + ], + "role": "roles/compute.serviceAgent" + }, + { + "members": [ + "serviceAccount:874328413592-compute@developer.gserviceaccount.com", + "serviceAccount:874328413592@cloudservices.gserviceaccount.com", + "serviceAccount:service-874328413592@containerregistry.iam.gserviceaccount.com" + ], + "role": "roles/editor" + }, + { + "members": [ + "user:thockin@google.com" + ], + "role": "roles/owner" + }, + { + "members": [ + "group:k8s-infra-artifact-admins@kubernetes.io" + ], + "role": "roles/viewer" + } + ], + "etag": "BwWNVlX7SlU=", + "version": 1 +} diff --git a/audit/k8s-staging-csi/roles.json b/audit/k8s-staging-csi/roles.json new file mode 100644 index 00000000000..fe51488c706 --- /dev/null +++ b/audit/k8s-staging-csi/roles.json @@ -0,0 +1 @@ +[] 
diff --git a/audit/k8s-staging-csi/services/clusters.json b/audit/k8s-staging-csi/services/clusters.json new file mode 100644 index 00000000000..fe51488c706 --- /dev/null +++ b/audit/k8s-staging-csi/services/clusters.json @@ -0,0 +1 @@ +[] diff --git a/audit/k8s-staging-csi/services/enabled.json b/audit/k8s-staging-csi/services/enabled.json new file mode 100644 index 00000000000..1108cc9290d --- /dev/null +++ b/audit/k8s-staging-csi/services/enabled.json 
@@ -0,0 +1,292 @@ +[ + { + "config": { + "authentication": {}, + "documentation": { + "summary": "A data platform for customers to create, manage, share and query data." + }, + "name": "bigquery-json.googleapis.com", + "quota": {}, + "title": "BigQuery API", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud" + ] + } + }, + "name": "projects/874328413592/services/bigquery-json.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "This is a meta service for Google Cloud APIs for convenience. Enabling this service enables all commonly used Google Cloud APIs for the project. By default, it is enabled for all projects created through Google Cloud Console and Google Cloud SDK, and should be manually enabled for all other projects that intend to use Google Cloud APIs. Note: disabling this service has no effect on other services.\n" + }, + "name": "cloudapis.googleapis.com", + "quota": {}, + "title": "Google Cloud APIs", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud" + ] + } + }, + "name": "projects/874328413592/services/cloudapis.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "Examines the call stack and variables of a running application without stopping or slowing it down.\n" + }, + "name": "clouddebugger.googleapis.com", + "quota": {}, + "title": "Stackdriver Debugger API", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud" + ] + } + }, + "name": "projects/874328413592/services/clouddebugger.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "Sends application trace data to Stackdriver Trace for viewing. Trace data is collected for all App Engine applications by default. Trace data from other applications can be provided using this API. 
This library is used to interact with the Trace API directly. If you are looking to instrument your application for Stackdriver Trace, we recommend using OpenCensus.\n" + }, + "name": "cloudtrace.googleapis.com", + "quota": {}, + "title": "Stackdriver Trace API", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud" + ] + } + }, + "name": "projects/874328413592/services/cloudtrace.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "Creates and runs virtual machines on Google Cloud Platform.\n" + }, + "name": "compute.googleapis.com", + "quota": {}, + "title": "Compute Engine API", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud", + "serviceusage.googleapis.com/billing-enabled" + ] + } + }, + "name": "projects/874328413592/services/compute.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "Google Container Registry provides secure, private Docker image storage on Google Cloud Platform. Our API follows the Docker Registry API specification, so we are fully compatible with the Docker CLI client, as well as standard tooling using the Docker Registry API." 
+ }, + "name": "containerregistry.googleapis.com", + "quota": {}, + "title": "Container Registry API", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud", + "serviceusage.googleapis.com/billing-enabled" + ] + } + }, + "name": "projects/874328413592/services/containerregistry.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "Accesses the schemaless NoSQL database to provide fully managed, robust, scalable storage for your application.\n" + }, + "name": "datastore.googleapis.com", + "quota": {}, + "title": "Cloud Datastore API", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud" + ] + } + }, + "name": "projects/874328413592/services/datastore.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "Writes log entries and manages your Stackdriver Logging configuration.\nThe table entries below are presented in alphabetical order, not in order of common use. For explanations of the concepts found in the table entries, read the [Stackdriver Logging documentation](/logging/docs)." + }, + "name": "logging.googleapis.com", + "quota": {}, + "title": "Stackdriver Logging API", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud" + ] + } + }, + "name": "projects/874328413592/services/logging.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "Manages your Stackdriver Monitoring data and configurations. Most projects must be associated with a Stackdriver account, with a few exceptions as noted on the individual method pages.\nThe table entries below are presented in alphabetical order, not in order of common use. 
For explanations of the concepts found in the table entries, read the [Stackdriver Monitoring documentation](/monitoring/docs).\n" + }, + "name": "monitoring.googleapis.com", + "quota": {}, + "title": "Stackdriver Monitoring API", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud" + ] + } + }, + "name": "projects/874328413592/services/monitoring.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "Manages OS login configuration for Google account users." + }, + "name": "oslogin.googleapis.com", + "quota": {}, + "title": "Cloud OS Login API", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud" + ] + } + }, + "name": "projects/874328413592/services/oslogin.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "Provides reliable, many-to-many, asynchronous messaging between applications.\n" + }, + "name": "pubsub.googleapis.com", + "quota": {}, + "title": "Cloud Pub/Sub API", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud" + ] + } + }, + "name": "projects/874328413592/services/pubsub.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "Google Service Management allows service producers to publish their services on Google Cloud Platform so that they can be discovered and used by service consumers." 
+ }, + "name": "servicemanagement.googleapis.com", + "quota": {}, + "title": "Service Management API", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud" + ] + } + }, + "name": "projects/874328413592/services/servicemanagement.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "Enables services that service consumers want to use on Google Cloud Platform, lists the available or enabled services, or disables services that service consumers no longer use." + }, + "name": "serviceusage.googleapis.com", + "quota": {}, + "title": "Service Usage API", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud" + ] + } + }, + "name": "projects/874328413592/services/serviceusage.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "Google Cloud SQL is a hosted and fully managed relational database service\n on Google's infrastructure." + }, + "name": "sql-component.googleapis.com", + "quota": {}, + "title": "Cloud SQL", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud" + ] + } + }, + "name": "projects/874328413592/services/sql-component.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "Lets you store and retrieve potentially-large, immutable data objects." + }, + "name": "storage-api.googleapis.com", + "quota": {}, + "title": "Google Cloud Storage JSON API", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud" + ] + } + }, + "name": "projects/874328413592/services/storage-api.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "Google Cloud Storage is a RESTful service for storing and accessing your data on Google's\n infrastructure." 
+ }, + "name": "storage-component.googleapis.com", + "quota": {}, + "title": "Cloud Storage", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud" + ] + } + }, + "name": "projects/874328413592/services/storage-component.googleapis.com", + "state": "ENABLED" + } +] diff --git a/audit/k8s-staging-kops/buckets/artifacts.k8s-staging-kops.appspot.com.iam.json b/audit/k8s-staging-kops/buckets/artifacts.k8s-staging-kops.appspot.com.iam.json new file mode 100644 index 00000000000..d0a5bd18e78 --- /dev/null +++ b/audit/k8s-staging-kops/buckets/artifacts.k8s-staging-kops.appspot.com.iam.json @@ -0,0 +1,33 @@ +{ + "bindings": [ + { + "members": [ + "group:k8s-infra-artifact-admins@kubernetes.io", + "projectEditor:k8s-staging-kops", + "projectOwner:k8s-staging-kops" + ], + "role": "roles/storage.legacyBucketOwner" + }, + { + "members": [ + "group:k8s-infra-staging-kops@kubernetes.io", + "projectViewer:k8s-staging-kops" + ], + "role": "roles/storage.legacyBucketReader" + }, + { + "members": [ + "group:k8s-infra-artifact-admins@kubernetes.io", + "group:k8s-infra-staging-kops@kubernetes.io" + ], + "role": "roles/storage.objectAdmin" + }, + { + "members": [ + "allUsers" + ], + "role": "roles/storage.objectViewer" + } + ], + "etag": "CBA=" +} diff --git a/audit/k8s-staging-kops/buckets/artifacts.k8s-staging-kops.appspot.com.txt b/audit/k8s-staging-kops/buckets/artifacts.k8s-staging-kops.appspot.com.txt new file mode 100644 index 00000000000..e69de29bb2d diff --git a/audit/k8s-staging-kops/buckets/k8s-staging-kops.iam.json b/audit/k8s-staging-kops/buckets/k8s-staging-kops.iam.json new file mode 100644 index 00000000000..342f774135b --- /dev/null +++ b/audit/k8s-staging-kops/buckets/k8s-staging-kops.iam.json 
@@ -0,0 +1,33 @@ +{ + "bindings": [ + { + "members": [ + "group:k8s-infra-artifact-admins@kubernetes.io", + "projectEditor:k8s-staging-kops", + "projectOwner:k8s-staging-kops" + ], + "role": "roles/storage.legacyBucketOwner" + }, + { + "members": [ + "group:k8s-infra-staging-kops@kubernetes.io", + "projectViewer:k8s-staging-kops" + ], + "role": "roles/storage.legacyBucketReader" + }, + { + "members": [ + "group:k8s-infra-artifact-admins@kubernetes.io", + "group:k8s-infra-staging-kops@kubernetes.io" + ], + "role": "roles/storage.objectAdmin" + }, + { + "members": [ + "allUsers" + ], + "role": "roles/storage.objectViewer" + } + ], + "etag": "CBs=" +} diff --git a/audit/k8s-staging-kops/buckets/k8s-staging-kops.txt b/audit/k8s-staging-kops/buckets/k8s-staging-kops.txt new file mode 100644 index 00000000000..e69de29bb2d diff --git a/audit/k8s-staging-kops/policy.json b/audit/k8s-staging-kops/policy.json new file mode 100644 index 00000000000..5c1888bb1f5 --- /dev/null +++ b/audit/k8s-staging-kops/policy.json @@ -0,0 +1,24 @@ +{ + "bindings": [ + { + "members": [ + "serviceAccount:service-889470918518@containerregistry.iam.gserviceaccount.com" + ], + "role": "roles/editor" + }, + { + "members": [ + "user:thockin@google.com" + ], + "role": "roles/owner" + }, + { + "members": [ + "group:k8s-infra-artifact-admins@kubernetes.io" + ], + "role": "roles/viewer" + } + ], + "etag": "BwWNVleGkgU=", + "version": 1 +} diff --git a/audit/k8s-staging-kops/roles.json b/audit/k8s-staging-kops/roles.json new file mode 100644 index 00000000000..fe51488c706 --- /dev/null +++ b/audit/k8s-staging-kops/roles.json @@ -0,0 +1 @@ +[] diff --git a/audit/k8s-staging-kops/services/enabled.json b/audit/k8s-staging-kops/services/enabled.json new file mode 100644 index 00000000000..a23fe256e24 --- /dev/null +++ b/audit/k8s-staging-kops/services/enabled.json 
@@ -0,0 +1,255 @@ +[ + { + "config": { + "authentication": {}, + "documentation": { + "summary": "A data platform for customers to create, manage, share and query data." + }, + "name": "bigquery-json.googleapis.com", + "quota": {}, + "title": "BigQuery API", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud" + ] + } + }, + "name": "projects/889470918518/services/bigquery-json.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "This is a meta service for Google Cloud APIs for convenience. Enabling this service enables all commonly used Google Cloud APIs for the project. By default, it is enabled for all projects created through Google Cloud Console and Google Cloud SDK, and should be manually enabled for all other projects that intend to use Google Cloud APIs. Note: disabling this service has no effect on other services.\n" + }, + "name": "cloudapis.googleapis.com", + "quota": {}, + "title": "Google Cloud APIs", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud" + ] + } + }, + "name": "projects/889470918518/services/cloudapis.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "Examines the call stack and variables of a running application without stopping or slowing it down.\n" + }, + "name": "clouddebugger.googleapis.com", + "quota": {}, + "title": "Stackdriver Debugger API", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud" + ] + } + }, + "name": "projects/889470918518/services/clouddebugger.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "Sends application trace data to Stackdriver Trace for viewing. Trace data is collected for all App Engine applications by default. Trace data from other applications can be provided using this API. 
This library is used to interact with the Trace API directly. If you are looking to instrument your application for Stackdriver Trace, we recommend using OpenCensus.\n" + }, + "name": "cloudtrace.googleapis.com", + "quota": {}, + "title": "Stackdriver Trace API", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud" + ] + } + }, + "name": "projects/889470918518/services/cloudtrace.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "Google Container Registry provides secure, private Docker image storage on Google Cloud Platform. Our API follows the Docker Registry API specification, so we are fully compatible with the Docker CLI client, as well as standard tooling using the Docker Registry API." + }, + "name": "containerregistry.googleapis.com", + "quota": {}, + "title": "Container Registry API", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud", + "serviceusage.googleapis.com/billing-enabled" + ] + } + }, + "name": "projects/889470918518/services/containerregistry.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "Accesses the schemaless NoSQL database to provide fully managed, robust, scalable storage for your application.\n" + }, + "name": "datastore.googleapis.com", + "quota": {}, + "title": "Cloud Datastore API", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud" + ] + } + }, + "name": "projects/889470918518/services/datastore.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "Writes log entries and manages your Stackdriver Logging configuration.\nThe table entries below are presented in alphabetical order, not in order of common use. For explanations of the concepts found in the table entries, read the [Stackdriver Logging documentation](/logging/docs)." 
+ }, + "name": "logging.googleapis.com", + "quota": {}, + "title": "Stackdriver Logging API", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud" + ] + } + }, + "name": "projects/889470918518/services/logging.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "Manages your Stackdriver Monitoring data and configurations. Most projects must be associated with a Stackdriver account, with a few exceptions as noted on the individual method pages.\nThe table entries below are presented in alphabetical order, not in order of common use. For explanations of the concepts found in the table entries, read the [Stackdriver Monitoring documentation](/monitoring/docs).\n" + }, + "name": "monitoring.googleapis.com", + "quota": {}, + "title": "Stackdriver Monitoring API", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud" + ] + } + }, + "name": "projects/889470918518/services/monitoring.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "Provides reliable, many-to-many, asynchronous messaging between applications.\n" + }, + "name": "pubsub.googleapis.com", + "quota": {}, + "title": "Cloud Pub/Sub API", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud" + ] + } + }, + "name": "projects/889470918518/services/pubsub.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "Google Service Management allows service producers to publish their services on Google Cloud Platform so that they can be discovered and used by service consumers." 
+ }, + "name": "servicemanagement.googleapis.com", + "quota": {}, + "title": "Service Management API", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud" + ] + } + }, + "name": "projects/889470918518/services/servicemanagement.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "Enables services that service consumers want to use on Google Cloud Platform, lists the available or enabled services, or disables services that service consumers no longer use." + }, + "name": "serviceusage.googleapis.com", + "quota": {}, + "title": "Service Usage API", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud" + ] + } + }, + "name": "projects/889470918518/services/serviceusage.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "Google Cloud SQL is a hosted and fully managed relational database service\n on Google's infrastructure." + }, + "name": "sql-component.googleapis.com", + "quota": {}, + "title": "Cloud SQL", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud" + ] + } + }, + "name": "projects/889470918518/services/sql-component.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "Lets you store and retrieve potentially-large, immutable data objects." + }, + "name": "storage-api.googleapis.com", + "quota": {}, + "title": "Google Cloud Storage JSON API", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud" + ] + } + }, + "name": "projects/889470918518/services/storage-api.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "Google Cloud Storage is a RESTful service for storing and accessing your data on Google's\n infrastructure." 
+ }, + "name": "storage-component.googleapis.com", + "quota": {}, + "title": "Cloud Storage", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud" + ] + } + }, + "name": "projects/889470918518/services/storage-component.googleapis.com", + "state": "ENABLED" + } +] diff --git a/audit/k8s-staging-publishing-bot/buckets/artifacts.k8s-staging-publishing-bot.appspot.com.iam.json b/audit/k8s-staging-publishing-bot/buckets/artifacts.k8s-staging-publishing-bot.appspot.com.iam.json new file mode 100644 index 00000000000..2b89ecb221d --- /dev/null +++ b/audit/k8s-staging-publishing-bot/buckets/artifacts.k8s-staging-publishing-bot.appspot.com.iam.json @@ -0,0 +1,33 @@ +{ + "bindings": [ + { + "members": [ + "group:k8s-infra-artifact-admins@kubernetes.io", + "projectEditor:k8s-staging-publishing-bot", + "projectOwner:k8s-staging-publishing-bot" + ], + "role": "roles/storage.legacyBucketOwner" + }, + { + "members": [ + "group:k8s-infra-staging-publishing-bot@kubernetes.io", + "projectViewer:k8s-staging-publishing-bot" + ], + "role": "roles/storage.legacyBucketReader" + }, + { + "members": [ + "group:k8s-infra-artifact-admins@kubernetes.io", + "group:k8s-infra-staging-publishing-bot@kubernetes.io" + ], + "role": "roles/storage.objectAdmin" + }, + { + "members": [ + "allUsers" + ], + "role": "roles/storage.objectViewer" + } + ], + "etag": "CAw=" +} diff --git a/audit/k8s-staging-publishing-bot/buckets/artifacts.k8s-staging-publishing-bot.appspot.com.txt b/audit/k8s-staging-publishing-bot/buckets/artifacts.k8s-staging-publishing-bot.appspot.com.txt new file mode 100644 index 00000000000..e69de29bb2d diff --git a/audit/k8s-staging-publishing-bot/buckets/k8s-staging-publishing-bot.iam.json b/audit/k8s-staging-publishing-bot/buckets/k8s-staging-publishing-bot.iam.json new file mode 100644 index 00000000000..da956300b11 --- /dev/null +++ b/audit/k8s-staging-publishing-bot/buckets/k8s-staging-publishing-bot.iam.json 
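Review bot: `k8s-staging-kops` has fourteen APIs enabled where the sibling staging projects in this commit have four, and several of the extras — `bigquery-json`, `datastore`, `sql-component`, `clouddebugger`, `cloudtrace`, `servicemanagement` — are the set that the `cloudapis.googleapis.com` meta-service turns on by default rather than anything a container staging project visibly needs. Each enabled API is additional surface (and, for the billable ones, cost exposure) that the audit log in this same commit can only mark as `Unhandled Service`, so the PR should either name the consumer of each or propose disabling the unused ones so this project converges on the four-service baseline of `k8s-staging-publishing-bot` and `k8s-staging-release-test`. This is inferred from the summaries in the dump; whether something actually depends on, say, Datastore is not visible here.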
@@ -0,0 +1,33 @@ +{ + "bindings": [ + { + "members": [ + "group:k8s-infra-artifact-admins@kubernetes.io", + "projectEditor:k8s-staging-publishing-bot", + "projectOwner:k8s-staging-publishing-bot" + ], + "role": "roles/storage.legacyBucketOwner" + }, + { + "members": [ + "group:k8s-infra-staging-publishing-bot@kubernetes.io", + "projectViewer:k8s-staging-publishing-bot" + ], + "role": "roles/storage.legacyBucketReader" + }, + { + "members": [ + "group:k8s-infra-artifact-admins@kubernetes.io", + "group:k8s-infra-staging-publishing-bot@kubernetes.io" + ], + "role": "roles/storage.objectAdmin" + }, + { + "members": [ + "allUsers" + ], + "role": "roles/storage.objectViewer" + } + ], + "etag": "CBQ=" +} diff --git a/audit/k8s-staging-publishing-bot/buckets/k8s-staging-publishing-bot.txt b/audit/k8s-staging-publishing-bot/buckets/k8s-staging-publishing-bot.txt new file mode 100644 index 00000000000..e69de29bb2d diff --git a/audit/k8s-staging-publishing-bot/policy.json b/audit/k8s-staging-publishing-bot/policy.json new file mode 100644 index 00000000000..88ec9299a8e --- /dev/null +++ b/audit/k8s-staging-publishing-bot/policy.json @@ -0,0 +1,24 @@ +{ + "bindings": [ + { + "members": [ + "serviceAccount:service-438481731081@containerregistry.iam.gserviceaccount.com" + ], + "role": "roles/editor" + }, + { + "members": [ + "user:thockin@google.com" + ], + "role": "roles/owner" + }, + { + "members": [ + "group:k8s-infra-artifact-admins@kubernetes.io" + ], + "role": "roles/viewer" + } + ], + "etag": "BwWNVlkQGFo=", + "version": 1 +} diff --git a/audit/k8s-staging-publishing-bot/roles.json b/audit/k8s-staging-publishing-bot/roles.json new file mode 100644 index 00000000000..fe51488c706 --- /dev/null +++ b/audit/k8s-staging-publishing-bot/roles.json @@ -0,0 +1 @@ +[] diff --git a/audit/k8s-staging-publishing-bot/services/enabled.json b/audit/k8s-staging-publishing-bot/services/enabled.json new file mode 100644 index 00000000000..c26dc44d0b3 --- /dev/null 
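Review bot: `serviceAccount:service-438481731081@containerregistry.iam.gserviceaccount.com` holds primitive `roles/editor` over the whole `k8s-staging-publishing-bot` project, which is the widest binding in this file; this appears to be the grant GCP itself creates for the Container Registry service agent when the API is enabled, but editor is far broader than what a registry backend needs. Since the point of these dumps is to make such grants reviewable, the PR should record it as a platform default rather than a human decision, so that a later dump in which it disappears, gains members or changes role reads as drift instead of background noise. As in the other staging projects, `roles/owner` sits on a single `user:` account rather than a kubernetes.io group.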
+++ b/audit/k8s-staging-publishing-bot/services/enabled.json 
@@ -0,0 +1,75 @@ +[ + { + "config": { + "authentication": {}, + "documentation": { + "summary": "Google Container Registry provides secure, private Docker image storage on Google Cloud Platform. Our API follows the Docker Registry API specification, so we are fully compatible with the Docker CLI client, as well as standard tooling using the Docker Registry API." + }, + "name": "containerregistry.googleapis.com", + "quota": {}, + "title": "Container Registry API", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud", + "serviceusage.googleapis.com/billing-enabled" + ] + } + }, + "name": "projects/438481731081/services/containerregistry.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "Provides reliable, many-to-many, asynchronous messaging between applications.\n" + }, + "name": "pubsub.googleapis.com", + "quota": {}, + "title": "Cloud Pub/Sub API", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud" + ] + } + }, + "name": "projects/438481731081/services/pubsub.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "Lets you store and retrieve potentially-large, immutable data objects." + }, + "name": "storage-api.googleapis.com", + "quota": {}, + "title": "Google Cloud Storage JSON API", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud" + ] + } + }, + "name": "projects/438481731081/services/storage-api.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "Google Cloud Storage is a RESTful service for storing and accessing your data on Google's\n infrastructure." 
+ }, + "name": "storage-component.googleapis.com", + "quota": {}, + "title": "Cloud Storage", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud" + ] + } + }, + "name": "projects/438481731081/services/storage-component.googleapis.com", + "state": "ENABLED" + } +] diff --git a/audit/k8s-staging-release-test/buckets/artifacts.k8s-staging-release-test.appspot.com.iam.json b/audit/k8s-staging-release-test/buckets/artifacts.k8s-staging-release-test.appspot.com.iam.json new file mode 100644 index 00000000000..9f79def13bd --- /dev/null +++ b/audit/k8s-staging-release-test/buckets/artifacts.k8s-staging-release-test.appspot.com.iam.json @@ -0,0 +1,33 @@ +{ + "bindings": [ + { + "members": [ + "group:k8s-infra-artifact-admins@kubernetes.io", + "projectEditor:k8s-staging-release-test", + "projectOwner:k8s-staging-release-test" + ], + "role": "roles/storage.legacyBucketOwner" + }, + { + "members": [ + "group:k8s-infra-staging-release-test@kubernetes.io", + "projectViewer:k8s-staging-release-test" + ], + "role": "roles/storage.legacyBucketReader" + }, + { + "members": [ + "group:k8s-infra-artifact-admins@kubernetes.io", + "group:k8s-infra-staging-release-test@kubernetes.io" + ], + "role": "roles/storage.objectAdmin" + }, + { + "members": [ + "allUsers" + ], + "role": "roles/storage.objectViewer" + } + ], + "etag": "CAo=" +} diff --git a/audit/k8s-staging-release-test/buckets/artifacts.k8s-staging-release-test.appspot.com.txt b/audit/k8s-staging-release-test/buckets/artifacts.k8s-staging-release-test.appspot.com.txt new file mode 100644 index 00000000000..e69de29bb2d diff --git a/audit/k8s-staging-release-test/buckets/k8s-staging-release-test.iam.json b/audit/k8s-staging-release-test/buckets/k8s-staging-release-test.iam.json new file mode 100644 index 00000000000..02436239d5a --- /dev/null +++ b/audit/k8s-staging-release-test/buckets/k8s-staging-release-test.iam.json 
@@ -0,0 +1,33 @@ +{ + "bindings": [ + { + "members": [ + "group:k8s-infra-artifact-admins@kubernetes.io", + "projectEditor:k8s-staging-release-test", + "projectOwner:k8s-staging-release-test" + ], + "role": "roles/storage.legacyBucketOwner" + }, + { + "members": [ + "group:k8s-infra-staging-release-test@kubernetes.io", + "projectViewer:k8s-staging-release-test" + ], + "role": "roles/storage.legacyBucketReader" + }, + { + "members": [ + "group:k8s-infra-artifact-admins@kubernetes.io", + "group:k8s-infra-staging-release-test@kubernetes.io" + ], + "role": "roles/storage.objectAdmin" + }, + { + "members": [ + "allUsers" + ], + "role": "roles/storage.objectViewer" + } + ], + "etag": "CBI=" +} diff --git a/audit/k8s-staging-release-test/buckets/k8s-staging-release-test.txt b/audit/k8s-staging-release-test/buckets/k8s-staging-release-test.txt new file mode 100644 index 00000000000..e69de29bb2d diff --git a/audit/k8s-staging-release-test/policy.json b/audit/k8s-staging-release-test/policy.json new file mode 100644 index 00000000000..e76db84a30c --- /dev/null +++ b/audit/k8s-staging-release-test/policy.json @@ -0,0 +1,24 @@ +{ + "bindings": [ + { + "members": [ + "serviceAccount:service-634027639865@containerregistry.iam.gserviceaccount.com" + ], + "role": "roles/editor" + }, + { + "members": [ + "user:davanum@gmail.com" + ], + "role": "roles/owner" + }, + { + "members": [ + "group:k8s-infra-artifact-admins@kubernetes.io" + ], + "role": "roles/viewer" + } + ], + "etag": "BwWNVlqeM2s=", + "version": 1 +} diff --git a/audit/k8s-staging-release-test/roles.json b/audit/k8s-staging-release-test/roles.json new file mode 100644 index 00000000000..fe51488c706 --- /dev/null +++ b/audit/k8s-staging-release-test/roles.json @@ -0,0 +1 @@ +[] diff --git a/audit/k8s-staging-release-test/services/enabled.json b/audit/k8s-staging-release-test/services/enabled.json new file mode 100644 index 00000000000..76373c5c768 --- /dev/null +++ b/audit/k8s-staging-release-test/services/enabled.json 
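Review bot: `roles/owner` on `k8s-staging-release-test` is held by `user:davanum@gmail.com`, a consumer Google account outside the kubernetes.io Cloud Identity domain, so it is not subject to the organization's account-lifecycle controls and would be blocked by a domain-restricted-sharing org policy if one is ever applied. The two sibling staging projects in this commit use a google.com account for the same role, so individual owners are the consistent pattern here, but the external-domain case is the one that needs an explicit decision. The preferred state is owner held by a kubernetes.io group with the individual as a member; if this is accepted as-is, the PR description should record why.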
@@ -0,0 +1,75 @@ +[ + { + "config": { + "authentication": {}, + "documentation": { + "summary": "Google Container Registry provides secure, private Docker image storage on Google Cloud Platform. Our API follows the Docker Registry API specification, so we are fully compatible with the Docker CLI client, as well as standard tooling using the Docker Registry API." + }, + "name": "containerregistry.googleapis.com", + "quota": {}, + "title": "Container Registry API", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud", + "serviceusage.googleapis.com/billing-enabled" + ] + } + }, + "name": "projects/634027639865/services/containerregistry.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "Provides reliable, many-to-many, asynchronous messaging between applications.\n" + }, + "name": "pubsub.googleapis.com", + "quota": {}, + "title": "Cloud Pub/Sub API", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud" + ] + } + }, + "name": "projects/634027639865/services/pubsub.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "Lets you store and retrieve potentially-large, immutable data objects." + }, + "name": "storage-api.googleapis.com", + "quota": {}, + "title": "Google Cloud Storage JSON API", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud" + ] + } + }, + "name": "projects/634027639865/services/storage-api.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "Google Cloud Storage is a RESTful service for storing and accessing your data on Google's\n infrastructure." 
+ }, + "name": "storage-component.googleapis.com", + "quota": {}, + "title": "Cloud Storage", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud" + ] + } + }, + "name": "projects/634027639865/services/storage-component.googleapis.com", + "state": "ENABLED" + } +] diff --git a/audit/kubernetes-public/buckets/kubernetes_public_billing.txt b/audit/kubernetes-public/buckets/kubernetes_public_billing.txt index a9528660674..23ccd07ddcd 100644 --- a/audit/kubernetes-public/buckets/kubernetes_public_billing.txt +++ b/audit/kubernetes-public/buckets/kubernetes_public_billing.txt 
@@ -154,3 +154,28 @@ gs://kubernetes_public_billing/billing--2019-06-11.csv gs://kubernetes_public_billing/billing--2019-06-12.csv gs://kubernetes_public_billing/billing--2019-06-13.csv gs://kubernetes_public_billing/billing--2019-06-14.csv +gs://kubernetes_public_billing/billing--2019-06-15.csv +gs://kubernetes_public_billing/billing--2019-06-16.csv +gs://kubernetes_public_billing/billing--2019-06-17.csv +gs://kubernetes_public_billing/billing--2019-06-18.csv +gs://kubernetes_public_billing/billing--2019-06-19.csv +gs://kubernetes_public_billing/billing--2019-06-20.csv +gs://kubernetes_public_billing/billing--2019-06-21.csv +gs://kubernetes_public_billing/billing--2019-06-22.csv +gs://kubernetes_public_billing/billing--2019-06-23.csv +gs://kubernetes_public_billing/billing--2019-06-24.csv +gs://kubernetes_public_billing/billing--2019-06-25.csv +gs://kubernetes_public_billing/billing--2019-06-26.csv +gs://kubernetes_public_billing/billing--2019-06-27.csv +gs://kubernetes_public_billing/billing--2019-06-28.csv +gs://kubernetes_public_billing/billing--2019-06-29.csv +gs://kubernetes_public_billing/billing--2019-06-30.csv +gs://kubernetes_public_billing/billing--2019-07-01.csv +gs://kubernetes_public_billing/billing--2019-07-02.csv +gs://kubernetes_public_billing/billing--2019-07-03.csv +gs://kubernetes_public_billing/billing--2019-07-04.csv +gs://kubernetes_public_billing/billing--2019-07-05.csv +gs://kubernetes_public_billing/billing--2019-07-06.csv +gs://kubernetes_public_billing/billing--2019-07-07.csv +gs://kubernetes_public_billing/billing--2019-07-08.csv +gs://kubernetes_public_billing/billing--2019-07-09.csv diff --git a/audit/kubernetes-public/policy.json b/audit/kubernetes-public/policy.json index 36fa00e93ee..5ae6cd329a6 100644 --- a/audit/kubernetes-public/policy.json +++ b/audit/kubernetes-public/policy.json 
@@ -20,6 +20,7 @@ }, { "members": [ + "serviceAccount:service-127754664067@compute-system.iam.gserviceaccount.com", "serviceAccount:service-127754664067@compute-system.iam.gserviceaccount.com" ], "role": "roles/compute.serviceAgent" @@ -51,6 +52,8 @@ { "members": [ "serviceAccount:127754664067-compute@developer.gserviceaccount.com", + "serviceAccount:127754664067@cloudservices.gserviceaccount.com", + "serviceAccount:service-127754664067@containerregistry.iam.gserviceaccount.com", "serviceAccount:127754664067@cloudservices.gserviceaccount.com" ], "role": "roles/editor" @@ -94,6 +97,6 @@ "role": "roles/owner" } ], - "etag": "BwWLI83k-Rw=", + "etag": "BwWLnZU4oG4=", "version": 1 } diff --git a/audit/kubernetes-public/services/clusters.json b/audit/kubernetes-public/services/clusters.json index 39eb4c01a2c..d4fe6c68828 100644 --- a/audit/kubernetes-public/services/clusters.json +++ b/audit/kubernetes-public/services/clusters.json @@ -10,7 +10,7 @@ }, "clusterIpv4Cidr": "10.36.0.0/14", "createTime": "2019-01-09T06:05:43+00:00", - "currentMasterVersion": "1.11.8-gke.6", + "currentMasterVersion": "1.11.10-gke.5", "currentNodeCount": 1, "currentNodeVersion": "1.11.6-gke.6 *", "defaultMaxPodsConstraint": { @@ -97,7 +97,7 @@ }, "clusterIpv4Cidr": "10.48.0.0/14", "createTime": "2019-03-09T04:16:34+00:00", - "currentMasterVersion": "1.11.8-gke.6", + "currentMasterVersion": "1.11.10-gke.5", "currentNodeCount": 1, "currentNodeVersion": "1.11.6-gke.6 *", "defaultMaxPodsConstraint": { diff --git a/audit/kubernetes-public/services/enabled.json b/audit/kubernetes-public/services/enabled.json index d1ebe5f8e79..ff5255ed05a 100644 --- a/audit/kubernetes-public/services/enabled.json +++ b/audit/kubernetes-public/services/enabled.json 
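Review bot: The added `serviceAccount:service-127754664067@compute-system.iam.gserviceaccount.com` line is byte-identical to the context member directly below it, and the same happens for `127754664067@cloudservices.gserviceaccount.com` in the `roles/editor` binding, so the new side of this file lists duplicate members. A policy as returned by the IAM API should not contain duplicates, which points to the dump step or a manual merge rather than to the live policy; the file should be regenerated from a fresh `gcloud projects get-iam-policy kubernetes-public --format=json`, or audit.sh should normalize with something like `jq '.bindings |= map(.members |= unique)'` so that diffs only show real changes. Once that noise is gone the only genuinely new principal appears to be `service-127754664067@containerregistry.iam.gserviceaccount.com` at `roles/editor`, the Container Registry service agent default, which the PR should record as the reason for the change per the README.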
@@ -36,6 +36,44 @@ "name": "projects/127754664067/services/compute.googleapis.com", "state": "ENABLED" }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "Builds and manages container-based applications, powered by the open source Kubernetes technology." + }, + "name": "container.googleapis.com", + "quota": {}, + "title": "Kubernetes Engine API", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud", + "serviceusage.googleapis.com/billing-enabled" + ] + } + }, + "name": "projects/127754664067/services/container.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "Google Container Registry provides secure, private Docker image storage on Google Cloud Platform. Our API follows the Docker Registry API specification, so we are fully compatible with the Docker CLI client, as well as standard tooling using the Docker Registry API." + }, + "name": "containerregistry.googleapis.com", + "quota": {}, + "title": "Container Registry API", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud", + "serviceusage.googleapis.com/billing-enabled" + ] + } + }, + "name": "projects/127754664067/services/containerregistry.googleapis.com", + "state": "ENABLED" + }, { "config": { "authentication": {}, 
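Review bot: `container.googleapis.com` appears here as a newly enabled service, yet the `clusters.json` hunk in this same commit modifies two existing GKE clusters with `createTime` of 2019-01-09 and 2019-03-09, so the Kubernetes Engine API must have been enabled long before this dump. That means the previous `enabled.json` was incomplete — most likely produced by a principal lacking `serviceusage.services.list` on some services or with a different `gcloud services list` invocation — rather than the project having changed, and the audit should not present it as a change. A note in the PR, and ideally a check in audit.sh that fails loudly when `gcloud services list` returns a permission error instead of writing a partial file, would keep later dumps from silently dropping services.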
@@ -53,6 +91,42 @@ "name": "projects/127754664067/services/dns.googleapis.com", "state": "ENABLED" }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "Manages identity and access control for Google Cloud Platform resources, including the creation of service accounts, which you can use to authenticate to Google and make API calls." + }, + "name": "iam.googleapis.com", + "quota": {}, + "title": "Identity and Access Management (IAM) API", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud" + ] + } + }, + "name": "projects/127754664067/services/iam.googleapis.com", + "state": "ENABLED" + }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "Creates short-lived, limited-privilege credentials for IAM service accounts." + }, + "name": "iamcredentials.googleapis.com", + "quota": {}, + "title": "IAM Service Account Credentials API", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud" + ] + } + }, + "name": "projects/127754664067/services/iamcredentials.googleapis.com", + "state": "ENABLED" + }, { "config": { "authentication": {}, @@ -107,6 +181,24 @@ "name": "projects/127754664067/services/oslogin.googleapis.com", "state": "ENABLED" }, + { + "config": { + "authentication": {}, + "documentation": { + "summary": "Provides reliable, many-to-many, asynchronous messaging between applications.\n" + }, + "name": "pubsub.googleapis.com", + "quota": {}, + "title": "Cloud Pub/Sub API", + "usage": { + "requirements": [ + "serviceusage.googleapis.com/tos/cloud" + ] + } + }, + "name": "projects/127754664067/services/pubsub.googleapis.com", + "state": "ENABLED" + }, { "config": { "authentication": {}, diff --git a/audit/log.mkd b/audit/log.mkd new file mode 100644 index 00000000000..797ef930df3 --- /dev/null +++ b/audit/log.mkd 
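Review bot: `iamcredentials.googleapis.com` is now enabled on `kubernetes-public`; that API is the impersonation path, letting any principal holding `roles/iam.serviceAccountTokenCreator` mint access tokens, ID tokens and signed blobs for a service account, so its enablement should be tied to a named consumer in the PR description (the GKE clusters in `clusters.json` are a plausible one, but that is not visible here). Together with `iam.googleapis.com` it also makes service-account creation and key generation possible in the project, and the dump does not show who holds `roles/iam.serviceAccountKeyAdmin` or `serviceAccountTokenCreator`; the `log.mkd` in this commit marks `iam` as an unhandled service, so a concrete follow-up is to have audit.sh list service accounts and their user-managed keys under `services/`. `pubsub.googleapis.com` in the third hunk is the usual companion of Container Registry notifications and needs no separate justification.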
@@ -0,0 +1,264 @@
+# Auditing CNCF CGP Org: 758905017065 #
+## Iterating over Projects ##
+### Auditing Project: k8s-release-test-prod ###
+#### Iterating over k8s-release-test-prod Services: ####
+TODO: compute Needs compute.projects.get
+# Unhandled Service containeranalysis #
+# Unhandled Service containerregistry #
+TODO: Verify how OS Login is configured / audited
+# Unhandled Service pubsub #
+TODO: storage-api needs storage.buckets.get for auditors
+...to kubernetes_public_billing and any newer buckets...
+TODO: Ensure bucket-policy-only, for simplicity in Auditing
+### Auditing Project: k8s-staging-release-test ###
+#### Iterating over k8s-staging-release-test Services: ####
+# Unhandled Service containerregistry #
+# Unhandled Service pubsub #
+TODO: storage-api needs storage.buckets.get for auditors
+...to kubernetes_public_billing and any newer buckets...
+TODO: Ensure bucket-policy-only, for simplicity in Auditing
+### Auditing Project: k8s-staging-build-image ###
+#### Iterating over k8s-staging-build-image Services: ####
+# Unhandled Service containerregistry #
+# Unhandled Service pubsub #
+TODO: storage-api needs storage.buckets.get for auditors
+...to kubernetes_public_billing and any newer buckets...
+TODO: Ensure bucket-policy-only, for simplicity in Auditing
+### Auditing Project: k8s-staging-cluster-api-aws ###
+#### Iterating over k8s-staging-cluster-api-aws Services: ####
+# Unhandled Service containerregistry #
+# Unhandled Service pubsub #
+TODO: storage-api needs storage.buckets.get for auditors
+...to kubernetes_public_billing and any newer buckets...
+TODO: Ensure bucket-policy-only, for simplicity in Auditing
+### Auditing Project: k8s-staging-publishing-bot ###
+#### Iterating over k8s-staging-publishing-bot Services: ####
+# Unhandled Service containerregistry #
+# Unhandled Service pubsub #
+TODO: storage-api needs storage.buckets.get for auditors
+...to kubernetes_public_billing and any newer buckets...
+TODO: Ensure bucket-policy-only, for simplicity in Auditing
+### Auditing Project: k8s-gsuite ###
+#### Iterating over k8s-gsuite Services: ####
+# Unhandled Service admin #
+# Unhandled Service groupssettings #
+### Auditing Project: k8s-staging-kops ###
+#### Iterating over k8s-staging-kops Services: ####
+TODO: Verify how Big Query is configured / audited
+# Unhandled Service cloudapis #
+# Unhandled Service clouddebugger #
+# Unhandled Service cloudtrace #
+# Unhandled Service containerregistry #
+# Unhandled Service datastore #
+TODO: logging needs serviceusage.services.use
+TODO: monitoring needs serviceusage.services.use
+# Unhandled Service pubsub #
+# Unhandled Service servicemanagement #
+# Unhandled Service serviceusage #
+# Unhandled Service sql-component #
+TODO: storage-api needs storage.buckets.get for auditors
+...to kubernetes_public_billing and any newer buckets...
+TODO: Ensure bucket-policy-only, for simplicity in Auditing
+### Auditing Project: k8s-infra-dev-cluster-turnup ###
+#### Iterating over k8s-infra-dev-cluster-turnup Services: ####
+TODO: Verify how Big Query is configured / audited
+# Unhandled Service bigtable #
+# Unhandled Service bigtableadmin #
+# Unhandled Service cloudapis #
+# Unhandled Service cloudbuild #
+# Unhandled Service clouddebugger #
+# Unhandled Service cloudresourcemanager #
+# Unhandled Service cloudscheduler #
+# Unhandled Service cloudtrace #
+TODO: compute Needs compute.projects.get
+# Unhandled Service container #
+# Unhandled Service containerregistry #
+# Unhandled Service datastore #
+Processing: dns
+# Unhandled Service iam #
+# Unhandled Service iamcredentials #
+TODO: logging needs serviceusage.services.use
+TODO: monitoring needs serviceusage.services.use
+TODO: Verify how OS Login is configured / audited
+# Unhandled Service pubsub #
+# Unhandled Service servicemanagement #
+# Unhandled Service serviceusage #
+# Unhandled Service sql-component #
+# Unhandled Service stackdriver #
+TODO: storage-api needs storage.buckets.get for auditors
+...to kubernetes_public_billing and any newer buckets...
+TODO: Ensure bucket-policy-only, for simplicity in Auditing
+### Auditing Project: k8s-artifacts-graveyard ###
+#### Iterating over k8s-artifacts-graveyard Services: ####
+TODO: Verify how Big Query is configured / audited
+# Unhandled Service cloudapis #
+# Unhandled Service clouddebugger #
+# Unhandled Service cloudtrace #
+TODO: compute Needs compute.projects.get
+# Unhandled Service containeranalysis #
+# Unhandled Service containerregistry #
+# Unhandled Service containerscanning #
+# Unhandled Service datastore #
+TODO: logging needs serviceusage.services.use
+TODO: monitoring needs serviceusage.services.use
+TODO: Verify how OS Login is configured / audited
+# Unhandled Service pubsub #
+# Unhandled Service servicemanagement #
+# Unhandled Service serviceusage #
+# Unhandled Service sql-component #
+TODO: storage-api needs storage.buckets.get for auditors
+...to kubernetes_public_billing and any newer buckets...
+TODO: Ensure bucket-policy-only, for simplicity in Auditing
+### Auditing Project: k8s-artifacts-prod ###
+#### Iterating over k8s-artifacts-prod Services: ####
+TODO: Verify how Big Query is configured / audited
+# Unhandled Service cloudapis #
+# Unhandled Service clouddebugger #
+# Unhandled Service cloudtrace #
+TODO: compute Needs compute.projects.get
+# Unhandled Service containeranalysis #
+# Unhandled Service containerregistry #
+# Unhandled Service containerscanning #
+# Unhandled Service datastore #
+TODO: logging needs serviceusage.services.use
+TODO: monitoring needs serviceusage.services.use
+TODO: Verify how OS Login is configured / audited
+# Unhandled Service pubsub #
+# Unhandled Service servicemanagement #
+# Unhandled Service serviceusage #
+# Unhandled Service sql-component #
+TODO: storage-api needs storage.buckets.get for auditors
+...to kubernetes_public_billing and any newer buckets...
+TODO: Ensure bucket-policy-only, for simplicity in Auditing
+### Auditing Project: k8s-sig-release-prototype ###
+#### Iterating over k8s-sig-release-prototype Services: ####
+TODO: Verify how Big Query is configured / audited
+# Unhandled Service cloudapis #
+# Unhandled Service clouddebugger #
+# Unhandled Service cloudtrace #
+TODO: compute Needs compute.projects.get
+# Unhandled Service datastore #
+TODO: logging needs serviceusage.services.use
+TODO: monitoring needs serviceusage.services.use
+TODO: Verify how OS Login is configured / audited
+# Unhandled Service servicemanagement #
+# Unhandled Service serviceusage #
+# Unhandled Service sql-component #
+TODO: storage-api needs storage.buckets.get for auditors
+...to kubernetes_public_billing and any newer buckets...
+TODO: Ensure bucket-policy-only, for simplicity in Auditing
+### Auditing Project: k8s-cip-test-prod ###
+#### Iterating over k8s-cip-test-prod Services: ####
+TODO: Verify how Big Query is configured / audited
+# Unhandled Service cloudapis #
+# Unhandled Service clouddebugger #
+# Unhandled Service cloudtrace #
+TODO: compute Needs compute.projects.get
+# Unhandled Service containeranalysis #
+# Unhandled Service containerregistry #
+# Unhandled Service containerscanning #
+# Unhandled Service datastore #
+TODO: logging needs serviceusage.services.use
+TODO: monitoring needs serviceusage.services.use
+TODO: Verify how OS Login is configured / audited
+# Unhandled Service pubsub #
+# Unhandled Service servicemanagement #
+# Unhandled Service serviceusage #
+# Unhandled Service sql-component #
+TODO: storage-api needs storage.buckets.get for auditors
+...to kubernetes_public_billing and any newer buckets...
+TODO: Ensure bucket-policy-only, for simplicity in Auditing
+### Auditing Project: k8s-staging-cip-test ###
+#### Iterating over k8s-staging-cip-test Services: ####
+TODO: Verify how Big Query is configured / audited
+# Unhandled Service cloudapis #
+# Unhandled Service clouddebugger #
+# Unhandled Service cloudtrace #
+TODO: compute Needs compute.projects.get
+# Unhandled Service containerregistry #
+# Unhandled Service datastore #
+TODO: logging needs serviceusage.services.use
+TODO: monitoring needs serviceusage.services.use
+TODO: Verify how OS Login is configured / audited
+# Unhandled Service pubsub #
+# Unhandled Service servicemanagement #
+# Unhandled Service serviceusage #
+# Unhandled Service sql-component #
+TODO: storage-api needs storage.buckets.get for auditors
+...to kubernetes_public_billing and any newer buckets...
+TODO: Ensure bucket-policy-only, for simplicity in Auditing
+### Auditing Project: k8s-staging-csi ###
+#### Iterating over k8s-staging-csi Services: ####
+TODO: Verify how Big Query is configured / audited
+# Unhandled Service cloudapis #
+# Unhandled Service clouddebugger #
+# Unhandled Service cloudtrace #
+TODO: compute Needs compute.projects.get
+# Unhandled Service containerregistry #
+# Unhandled Service datastore #
+TODO: logging needs serviceusage.services.use
+TODO: monitoring needs serviceusage.services.use
+TODO: Verify how OS Login is configured / audited
+# Unhandled Service pubsub #
+# Unhandled Service servicemanagement #
+# Unhandled Service serviceusage #
+# Unhandled Service sql-component #
+TODO: storage-api needs storage.buckets.get for auditors
+...to kubernetes_public_billing and any newer buckets...
+TODO: Ensure bucket-policy-only, for simplicity in Auditing
+### Auditing Project: k8s-staging-cluster-api ###
+#### Iterating over k8s-staging-cluster-api Services: ####
+TODO: Verify how Big Query is configured / audited
+# Unhandled Service cloudapis #
+# Unhandled Service clouddebugger #
+# Unhandled Service cloudtrace #
+TODO: compute Needs compute.projects.get
+# Unhandled Service containerregistry #
+# Unhandled Service datastore #
+TODO: logging needs serviceusage.services.use
+TODO: monitoring needs serviceusage.services.use
+TODO: Verify how OS Login is configured / audited
+# Unhandled Service pubsub #
+# Unhandled Service servicemanagement #
+# Unhandled Service serviceusage #
+# Unhandled Service sql-component #
+TODO: storage-api needs storage.buckets.get for auditors
+...to kubernetes_public_billing and any newer buckets...
+TODO: Ensure bucket-policy-only, for simplicity in Auditing
+### Auditing Project: k8s-staging-coredns ###
+#### Iterating over k8s-staging-coredns Services: ####
+TODO: Verify how Big Query is configured / audited
+# Unhandled Service cloudapis #
+# Unhandled Service clouddebugger #
+# Unhandled Service cloudtrace #
+TODO: compute Needs compute.projects.get
+# Unhandled Service containeranalysis #
+# Unhandled Service containerregistry #
+# Unhandled Service containerscanning #
+# Unhandled Service datastore #
+TODO: logging needs serviceusage.services.use
+TODO: monitoring needs serviceusage.services.use
+TODO: Verify how OS Login is configured / audited
+# Unhandled Service pubsub #
+# Unhandled Service servicemanagement #
+# Unhandled Service serviceusage #
+# Unhandled Service sql-component #
+TODO: storage-api needs storage.buckets.get for auditors
+...to kubernetes_public_billing and any newer buckets...
+TODO: Ensure bucket-policy-only, for simplicity in Auditing
+### Auditing Project: kubernetes-public ###
+#### Iterating over kubernetes-public Services: ####
+TODO: Verify how Big Query is configured / audited
+TODO: compute Needs compute.projects.get
+# Unhandled Service container #
+# Unhandled Service containerregistry #
+Processing: dns
+# Unhandled Service iam #
+# Unhandled Service iamcredentials #
+TODO: logging needs serviceusage.services.use
+TODO: monitoring needs serviceusage.services.use
+TODO: Verify how OS Login is configured / audited
+# Unhandled Service pubsub #
+TODO: storage-api needs storage.buckets.get for auditors
+...to kubernetes_public_billing and any newer buckets...
+TODO: Ensure bucket-policy-only, for simplicity in Auditing
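Review bot: The kubernetes-public and k8s-infra-dev-cluster-turnup sections record `# Unhandled Service iam #`, `# Unhandled Service iamcredentials #` and `# Unhandled Service container #`, which means this IAM-policy audit currently captures nothing about service accounts, user-managed keys, impersonation grants or GKE clusters in the projects where those APIs are enabled; only dns is marked `Processing:`. Those are the highest-value items for an access audit, yet the log gives them a bare "Unhandled" marker while storage, compute and logging get explicit TODO lines naming the missing permission. I would have the script (outside this hunk) emit tracked TODOs for them instead, e.g. `TODO: iam needs iam.serviceAccounts.list / iam.serviceAccountKeys.list for auditors` and `TODO: container needs container.clusters.list for auditors`, so the coverage gap is visible in the same way as the others. It would also help reviewers of future runs if the header line carried the run date and audit.sh revision, since this log is committed output that each run will overwrite.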