diff --git a/audit/projects/k8s-artifacts-prod/services/logging/logs.json b/audit/projects/k8s-artifacts-prod/services/logging/logs.json
index 96ee568d4dd7..cff8777dc05b 100644
--- a/audit/projects/k8s-artifacts-prod/services/logging/logs.json
+++ b/audit/projects/k8s-artifacts-prod/services/logging/logs.json
@@ -5,5 +5,6 @@
 "projects/k8s-artifacts-prod/logs/clouderrorreporting.googleapis.com%2Finsights",
 "projects/k8s-artifacts-prod/logs/requests",
 "projects/k8s-artifacts-prod/logs/run.googleapis.com%2Frequests",
- "projects/k8s-artifacts-prod/logs/run.googleapis.com%2Fstderr"
+ "projects/k8s-artifacts-prod/logs/run.googleapis.com%2Fstderr",
+ "projects/k8s-artifacts-prod/logs/run.googleapis.com%2Fvarlog%2Fsystem"
 ]
diff --git a/audit/projects/k8s-gcr-audit-test-prod/services/logging/logs.json b/audit/projects/k8s-gcr-audit-test-prod/services/logging/logs.json
index 4eb17f2f1a14..c2223d429520 100644
--- a/audit/projects/k8s-gcr-audit-test-prod/services/logging/logs.json
+++ b/audit/projects/k8s-gcr-audit-test-prod/services/logging/logs.json
@@ -1,4 +1,5 @@
 [
+ "projects/k8s-gcr-audit-test-prod/logs/cip-audit-log",
 "projects/k8s-gcr-audit-test-prod/logs/cloudaudit.googleapis.com%2Factivity",
 "projects/k8s-gcr-audit-test-prod/logs/cloudaudit.googleapis.com%2Fsystem_event",
 "projects/k8s-gcr-audit-test-prod/logs/clouderrorreporting.googleapis.com%2Finsights",
diff --git a/audit/projects/k8s-infra-prow-build-trusted/services/logging/logs.json b/audit/projects/k8s-infra-prow-build-trusted/services/logging/logs.json
index 0bece4baa1c3..db73aa720902 100644
--- a/audit/projects/k8s-infra-prow-build-trusted/services/logging/logs.json
+++ b/audit/projects/k8s-infra-prow-build-trusted/services/logging/logs.json
@@ -2,6 +2,7 @@
 "projects/k8s-infra-prow-build-trusted/logs/OSConfigAgent",
 "projects/k8s-infra-prow-build-trusted/logs/cloudaudit.googleapis.com%2Factivity",
 "projects/k8s-infra-prow-build-trusted/logs/cloudaudit.googleapis.com%2Fsystem_event",
+ "projects/k8s-infra-prow-build-trusted/logs/clouderrorreporting.googleapis.com%2Finsights",
 "projects/k8s-infra-prow-build-trusted/logs/compute.googleapis.com%2Fshielded_vm_integrity",
 "projects/k8s-infra-prow-build-trusted/logs/container-runtime",
 "projects/k8s-infra-prow-build-trusted/logs/container.googleapis.com%2Fcluster-autoscaler-visibility",
diff --git a/audit/projects/k8s-infra-public-pii/iam.json b/audit/projects/k8s-infra-public-pii/iam.json
index d801b21c749a..18a6b600739f 100644
--- a/audit/projects/k8s-infra-public-pii/iam.json
+++ b/audit/projects/k8s-infra-public-pii/iam.json
@@ -1,5 +1,17 @@
 {
 "bindings": [
+ {
+ "members": [
+ "serviceAccount:bq-data-transfer@k8s-infra-public-pii.iam.gserviceaccount.com"
+ ],
+ "role": "roles/bigquery.dataEditor"
+ },
+ {
+ "members": [
+ "serviceAccount:service-226195303281@gcp-sa-bigquerydatatransfer.iam.gserviceaccount.com"
+ ],
+ "role": "roles/bigquerydatatransfer.serviceAgent"
+ },
 {
 "members": [
 "user:ameukam@gmail.com"
diff --git a/audit/projects/k8s-infra-public-pii/service-accounts/bq-data-transfer@k8s-infra-public-pii.iam.gserviceaccount.com/description.json b/audit/projects/k8s-infra-public-pii/service-accounts/bq-data-transfer@k8s-infra-public-pii.iam.gserviceaccount.com/description.json
new file mode 100644
index 000000000000..314163b5c1d3
--- /dev/null
+++ b/audit/projects/k8s-infra-public-pii/service-accounts/bq-data-transfer@k8s-infra-public-pii.iam.gserviceaccount.com/description.json
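Review bot: The new binding in `audit/projects/k8s-infra-public-pii/iam.json` grants `roles/bigquery.dataEditor` to `serviceAccount:bq-data-transfer@k8s-infra-public-pii.iam.gserviceaccount.com` at project level, which gives that account write access to every dataset in a project whose name marks it as holding PII. The dataset ACL change elsewhere in this commit (`bigquery.datasets.k8s_infra_artifacts_gcslogs.access.json`) suggests a single dataset is the transfer target, so the grant could presumably be scoped there: drop this binding and add `{ "role": "WRITER", "userByEmail": "bq-data-transfer@k8s-infra-public-pii.iam.gserviceaccount.com" }` to that dataset's access list. This file is an audit snapshot, so the actual change belongs in whatever provisions the project, which is not visible here. The `bindings` array continues outside the hunk.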
@@ -0,0 +1,8 @@
+{
+ "description": "Service Acccount BigQuery Data Transfer",
+ "email": "bq-data-transfer@k8s-infra-public-pii.iam.gserviceaccount.com",
+ "name": "projects/k8s-infra-public-pii/serviceAccounts/bq-data-transfer@k8s-infra-public-pii.iam.gserviceaccount.com",
+ "oauth2ClientId": "105765836197633619709",
+ "projectId": "k8s-infra-public-pii",
+ "uniqueId": "105765836197633619709"
+}
diff --git a/audit/projects/k8s-infra-public-pii/service-accounts/bq-data-transfer@k8s-infra-public-pii.iam.gserviceaccount.com/iam.json b/audit/projects/k8s-infra-public-pii/service-accounts/bq-data-transfer@k8s-infra-public-pii.iam.gserviceaccount.com/iam.json
new file mode 100644
index 000000000000..0967ef424bce
--- /dev/null
+++ b/audit/projects/k8s-infra-public-pii/service-accounts/bq-data-transfer@k8s-infra-public-pii.iam.gserviceaccount.com/iam.json
@@ -0,0 +1 @@
+{}
diff --git a/audit/projects/k8s-infra-public-pii/services/bigquery/bigquery.datasets.k8s_infra_artifacts_gcslogs.access.json b/audit/projects/k8s-infra-public-pii/services/bigquery/bigquery.datasets.k8s_infra_artifacts_gcslogs.access.json
index e917e3bce50b..c86a80910854 100644
--- a/audit/projects/k8s-infra-public-pii/services/bigquery/bigquery.datasets.k8s_infra_artifacts_gcslogs.access.json
+++ b/audit/projects/k8s-infra-public-pii/services/bigquery/bigquery.datasets.k8s_infra_artifacts_gcslogs.access.json
@@ -3,6 +3,10 @@
 "role": "WRITER",
 "specialGroup": "projectWriters"
 },
+ {
+ "role": "WRITER",
+ "userByEmail": "service-226195303281@gcp-sa-bigquerydatatransfer.iam.gserviceaccount.com"
+ },
 {
 "role": "OWNER",
 "specialGroup": "projectOwners"
diff --git a/audit/projects/k8s-infra-public-pii/services/logging/logs.json b/audit/projects/k8s-infra-public-pii/services/logging/logs.json
index acfd4bcf1d46..f7115baf11b7 100644
--- a/audit/projects/k8s-infra-public-pii/services/logging/logs.json
+++ b/audit/projects/k8s-infra-public-pii/services/logging/logs.json
@@ -1,4 +1,5 @@
 [
+ "projects/k8s-infra-public-pii/logs/bigquerydatatransfer.googleapis.com%2Ftransfer_config",
 "projects/k8s-infra-public-pii/logs/cloudaudit.googleapis.com%2Factivity",
 "projects/k8s-infra-public-pii/logs/cloudaudit.googleapis.com%2Fdata_access"
 ]
diff --git a/audit/projects/k8s-staging-boskos/services/logging/logs.json b/audit/projects/k8s-staging-boskos/services/logging/logs.json
index 359024d99974..81dd40722fd4 100644
--- a/audit/projects/k8s-staging-boskos/services/logging/logs.json
+++ b/audit/projects/k8s-staging-boskos/services/logging/logs.json
@@ -1,3 +1,4 @@
 [
- "projects/k8s-staging-boskos/logs/cloudaudit.googleapis.com%2Factivity"
+ "projects/k8s-staging-boskos/logs/cloudaudit.googleapis.com%2Factivity",
+ "projects/k8s-staging-boskos/logs/cloudbuild"
 ]
diff --git a/audit/projects/k8s-staging-capi-kubeadm/services/logging/logs.json b/audit/projects/k8s-staging-capi-kubeadm/services/logging/logs.json
index 9b29dcbcefd3..362f246edbdb 100644
--- a/audit/projects/k8s-staging-capi-kubeadm/services/logging/logs.json
+++ b/audit/projects/k8s-staging-capi-kubeadm/services/logging/logs.json
@@ -1,3 +1,4 @@
 [
- "projects/k8s-staging-capi-kubeadm/logs/cloudaudit.googleapis.com%2Factivity"
+ "projects/k8s-staging-capi-kubeadm/logs/cloudaudit.googleapis.com%2Factivity",
+ "projects/k8s-staging-capi-kubeadm/logs/cloudbuild"
 ]
diff --git a/audit/projects/k8s-staging-prometheus-adapter/services/logging/logs.json b/audit/projects/k8s-staging-prometheus-adapter/services/logging/logs.json
index a375c8e53747..4eb523461ae4 100644
--- a/audit/projects/k8s-staging-prometheus-adapter/services/logging/logs.json
+++ b/audit/projects/k8s-staging-prometheus-adapter/services/logging/logs.json
@@ -1,5 +1,4 @@
 [
 "projects/k8s-staging-prometheus-adapter/logs/cloudaudit.googleapis.com%2Factivity",
- "projects/k8s-staging-prometheus-adapter/logs/cloudaudit.googleapis.com%2Fsystem_event",
 "projects/k8s-staging-prometheus-adapter/logs/cloudbuild"
 ]
diff --git a/audit/projects/kubernetes-public/iam.json b/audit/projects/kubernetes-public/iam.json
index 097185ae6b57..c303e5513c15 100644
--- a/audit/projects/kubernetes-public/iam.json
+++ b/audit/projects/kubernetes-public/iam.json
@@ -26,7 +26,7 @@
 },
 {
 "members": [
- "serviceAccount:service-127754664067@gcf-admin-robot.iam.gserviceaccount.com"
+ "deleted:serviceAccount:service-127754664067@gcf-admin-robot.iam.gserviceaccount.com?uid=116904371009860244686"
 ],
 "role": "roles/cloudfunctions.serviceAgent"
 },
diff --git a/audit/projects/kubernetes-public/secrets/k8s-infra-ci-robot-github-account-password/description.json b/audit/projects/kubernetes-public/secrets/k8s-infra-ci-robot-github-account-password/description.json
new file mode 100644
index 000000000000..6127e45bccdb
--- /dev/null
+++ b/audit/projects/kubernetes-public/secrets/k8s-infra-ci-robot-github-account-password/description.json
@@ -0,0 +1,7 @@
+{
+ "createTime": "2021-07-28T16:51:19.454161Z",
+ "name": "projects/127754664067/secrets/k8s-infra-ci-robot-github-account-password",
+ "replication": {
+ "automatic": {}
+ }
+}
diff --git a/audit/projects/kubernetes-public/secrets/k8s-infra-ci-robot-github-account-password/iam.json b/audit/projects/kubernetes-public/secrets/k8s-infra-ci-robot-github-account-password/iam.json
new file mode 100644
index 000000000000..5fde1248c67c
--- /dev/null
+++ b/audit/projects/kubernetes-public/secrets/k8s-infra-ci-robot-github-account-password/iam.json
@@ -0,0 +1,11 @@
+{
+ "bindings": [
+ {
+ "members": [
+ "group:k8s-infra-ci-robot@kubernetes.io"
+ ],
+ "role": "roles/secretmanager.admin"
+ }
+ ],
+ "version": 1
+}
diff --git a/audit/projects/kubernetes-public/secrets/k8s-infra-ci-robot-github-account-password/versions.json b/audit/projects/kubernetes-public/secrets/k8s-infra-ci-robot-github-account-password/versions.json
new file mode 100644
index 000000000000..3db4684898db
--- /dev/null
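Review bot: In `audit/projects/kubernetes-public/iam.json` the `roles/cloudfunctions.serviceAgent` binding now names a `deleted:serviceAccount:...?uid=...` member, so the project policy still carries a role grant for a principal that no longer exists. This is consistent with `cloudfunctions.googleapis.com` being dropped from `services/enabled.txt` in the same commit, which makes the grant look like leftover state rather than something still needed. The stale member should be removed from the live IAM policy so that the next audit snapshot drops the whole `"role": "roles/cloudfunctions.serviceAgent"` entry; leaving it in makes later reviews of this policy harder to read for real changes. The `bindings` array starts and ends outside the hunk.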
+++ b/audit/projects/kubernetes-public/secrets/k8s-infra-ci-robot-github-account-password/versions.json
@@ -0,0 +1,11 @@
+[
+ {
+ "createTime": "2021-07-28T16:51:21.137022Z",
+ "etag": "\"15c831cbc42b7e\"",
+ "name": "projects/127754664067/secrets/k8s-infra-ci-robot-github-account-password/versions/1",
+ "replicationStatus": {
+ "automatic": {}
+ },
+ "state": "ENABLED"
+ }
+]
diff --git a/audit/projects/kubernetes-public/secrets/k8s-infra-ci-robot-github-token/iam.json b/audit/projects/kubernetes-public/secrets/k8s-infra-ci-robot-github-token/iam.json
index 67b884f1c927..004846b33c3d 100644
--- a/audit/projects/kubernetes-public/secrets/k8s-infra-ci-robot-github-token/iam.json
+++ b/audit/projects/kubernetes-public/secrets/k8s-infra-ci-robot-github-token/iam.json
@@ -5,6 +5,12 @@
 "group:k8s-infra-rbac-prow@kubernetes.io"
 ],
 "role": "roles/secretmanager.admin"
+ },
+ {
+ "members": [
+ "serviceAccount:kubernetes-external-secrets@k8s-infra-prow-build-trusted.iam.gserviceaccount.com"
+ ],
+ "role": "roles/secretmanager.secretAccessor"
 }
 ],
 "version": 1
diff --git a/audit/projects/kubernetes-public/services/enabled.txt b/audit/projects/kubernetes-public/services/enabled.txt
index 57499919b5e4..b0235ca621b1 100644
--- a/audit/projects/kubernetes-public/services/enabled.txt
+++ b/audit/projects/kubernetes-public/services/enabled.txt
@@ -2,8 +2,6 @@ NAME TITLE
 bigquery.googleapis.com BigQuery API
 bigquerystorage.googleapis.com BigQuery Storage API
 cloudasset.googleapis.com Cloud Asset API
-clouderrorreporting.googleapis.com Error Reporting API
-cloudfunctions.googleapis.com Cloud Functions API
 cloudresourcemanager.googleapis.com Cloud Resource Manager API
 cloudshell.googleapis.com Cloud Shell API
 compute.googleapis.com Compute Engine API
@@ -18,7 +16,6 @@ oslogin.googleapis.com Cloud OS Login API
 pubsub.googleapis.com Cloud Pub/Sub API
 secretmanager.googleapis.com Secret Manager API
 serviceusage.googleapis.com Service Usage API
-source.googleapis.com Legacy Cloud Source Repositories API
 stackdriver.googleapis.com Stackdriver API
 storage-api.googleapis.com Google Cloud Storage JSON API
 storage-component.googleapis.com Cloud Storage
diff --git a/audit/projects/kubernetes-public/services/logging/logs.json b/audit/projects/kubernetes-public/services/logging/logs.json
index 9c6c6ba4f760..366b57cf89d6 100644
--- a/audit/projects/kubernetes-public/services/logging/logs.json
+++ b/audit/projects/kubernetes-public/services/logging/logs.json
@@ -17,6 +17,7 @@
 "projects/kubernetes-public/logs/kubelet-monitor",
 "projects/kubernetes-public/logs/monitoring.googleapis.com%2FViolationAutoResolveEventv1",
 "projects/kubernetes-public/logs/monitoring.googleapis.com%2FViolationOpenEventv1",
+ "projects/kubernetes-public/logs/monitoring.googleapis.com%2Fuptime_checks",
 "projects/kubernetes-public/logs/node-problem-detector",
 "projects/kubernetes-public/logs/requests",
 "projects/kubernetes-public/logs/serialconsole.googleapis.com%2Fserial_port_1_output",