audit: update as of 2021-05-06
cncf-ci committed May 6, 2021
1 parent 0fb263f commit 2c894d8
Showing 5 changed files with 159 additions and 6 deletions.
6 changes: 6 additions & 0 deletions audit/org_kubernetes.io/iam.json
@@ -66,6 +66,12 @@
],
"role": "roles/iam.securityReviewer"
},
{
"members": [
"group:[email protected]"
],
"role": "roles/orgpolicy.policyAdmin"
},
{
"members": [
"group:[email protected]"
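Review bot: The binding for `roles/orgpolicy.policyAdmin`, which appears to be the six added lines in this hunk, gives every member of the bound group the ability to change organization policy constraints for the whole org. The group address is obfuscated in this rendering, so the page does not show who holds it. Because this file is an exported snapshot, the check belongs at the source of the grant: confirm it was made through the repo's reviewed IAM tooling and is not out-of-band drift, and that the group's membership is limited to organization admins. The bindings array continues outside the hunk.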
133 changes: 130 additions & 3 deletions audit/org_kubernetes.io/roles/audit.viewer.json
@@ -145,6 +145,100 @@
"binaryauthorization.policy.getIamPolicy",
"clientauthconfig.brands.list",
"clientauthconfig.clients.list",
"cloudasset.assets.analyzeIamPolicy",
"cloudasset.assets.exportAccessLevel",
"cloudasset.assets.exportAccessPolicy",
"cloudasset.assets.exportAllAccessPolicy",
"cloudasset.assets.exportAppengineApplications",
"cloudasset.assets.exportAppengineServices",
"cloudasset.assets.exportAppengineVersions",
"cloudasset.assets.exportBigqueryDatasets",
"cloudasset.assets.exportBigqueryTables",
"cloudasset.assets.exportBigtableCluster",
"cloudasset.assets.exportBigtableInstance",
"cloudasset.assets.exportBigtableTable",
"cloudasset.assets.exportCloudbillingBillingAccounts",
"cloudasset.assets.exportCloudkmsCryptoKeyVersions",
"cloudasset.assets.exportCloudkmsCryptoKeys",
"cloudasset.assets.exportCloudkmsImportJobs",
"cloudasset.assets.exportCloudkmsKeyRings",
"cloudasset.assets.exportCloudresourcemanagerFolders",
"cloudasset.assets.exportCloudresourcemanagerOrganizations",
"cloudasset.assets.exportCloudresourcemanagerProjects",
"cloudasset.assets.exportComputeAddress",
"cloudasset.assets.exportComputeAutoscalers",
"cloudasset.assets.exportComputeBackendBuckets",
"cloudasset.assets.exportComputeBackendServices",
"cloudasset.assets.exportComputeDisks",
"cloudasset.assets.exportComputeFirewalls",
"cloudasset.assets.exportComputeForwardingRules",
"cloudasset.assets.exportComputeGlobalAddress",
"cloudasset.assets.exportComputeGlobalForwardingRules",
"cloudasset.assets.exportComputeHealthChecks",
"cloudasset.assets.exportComputeHttpHealthChecks",
"cloudasset.assets.exportComputeHttpsHealthChecks",
"cloudasset.assets.exportComputeImages",
"cloudasset.assets.exportComputeInstanceGroupManagers",
"cloudasset.assets.exportComputeInstanceGroups",
"cloudasset.assets.exportComputeInstanceTemplates",
"cloudasset.assets.exportComputeInstances",
"cloudasset.assets.exportComputeInterconnect",
"cloudasset.assets.exportComputeInterconnectAttachment",
"cloudasset.assets.exportComputeLicenses",
"cloudasset.assets.exportComputeNetworks",
"cloudasset.assets.exportComputeProjects",
"cloudasset.assets.exportComputeRegionAutoscaler",
"cloudasset.assets.exportComputeRegionBackendServices",
"cloudasset.assets.exportComputeRegionDisk",
"cloudasset.assets.exportComputeRegionInstanceGroup",
"cloudasset.assets.exportComputeRegionInstanceGroupManager",
"cloudasset.assets.exportComputeRouters",
"cloudasset.assets.exportComputeRoutes",
"cloudasset.assets.exportComputeSecurityPolicy",
"cloudasset.assets.exportComputeSnapshots",
"cloudasset.assets.exportComputeSslCertificates",
"cloudasset.assets.exportComputeSubnetworks",
"cloudasset.assets.exportComputeTargetHttpProxies",
"cloudasset.assets.exportComputeTargetHttpsProxies",
"cloudasset.assets.exportComputeTargetInstances",
"cloudasset.assets.exportComputeTargetPools",
"cloudasset.assets.exportComputeTargetSslProxies",
"cloudasset.assets.exportComputeTargetTcpProxies",
"cloudasset.assets.exportComputeTargetVpnGateways",
"cloudasset.assets.exportComputeUrlMaps",
"cloudasset.assets.exportComputeVpnTunnels",
"cloudasset.assets.exportContainerClusterrole",
"cloudasset.assets.exportContainerClusterrolebinding",
"cloudasset.assets.exportContainerClusters",
"cloudasset.assets.exportContainerNamespace",
"cloudasset.assets.exportContainerNode",
"cloudasset.assets.exportContainerNodepool",
"cloudasset.assets.exportContainerPod",
"cloudasset.assets.exportContainerRole",
"cloudasset.assets.exportContainerRolebinding",
"cloudasset.assets.exportContainerregistryImage",
"cloudasset.assets.exportDatafusionInstance",
"cloudasset.assets.exportDataprocClusters",
"cloudasset.assets.exportDataprocJobs",
"cloudasset.assets.exportDnsManagedZones",
"cloudasset.assets.exportDnsPolicies",
"cloudasset.assets.exportIamPolicy",
"cloudasset.assets.exportIamRoles",
"cloudasset.assets.exportIamServiceAccountKeys",
"cloudasset.assets.exportIamServiceAccounts",
"cloudasset.assets.exportManagedidentitiesDomain",
"cloudasset.assets.exportOrgPolicy",
"cloudasset.assets.exportPubsubSubscriptions",
"cloudasset.assets.exportPubsubTopics",
"cloudasset.assets.exportResource",
"cloudasset.assets.exportServicePerimeter",
"cloudasset.assets.exportServicemanagementServices",
"cloudasset.assets.exportSpannerDatabases",
"cloudasset.assets.exportSpannerInstances",
"cloudasset.assets.exportSqladminInstances",
"cloudasset.assets.exportStorageBuckets",
"cloudasset.assets.searchAllIamPolicies",
"cloudasset.assets.searchAllResources",
"cloudasset.feeds.list",
"cloudbuild.builds.list",
"clouddebugger.breakpoints.list",
@@ -666,8 +760,6 @@
"iap.webServiceVersions.getIamPolicy",
"iap.webServices.getIamPolicy",
"iap.webTypes.getIamPolicy",
"identityplatform.workloadPoolProviders.list",
"identityplatform.workloadPools.list",
"lifesciences.operations.list",
"logging.buckets.list",
"logging.exclusions.list",
@@ -678,6 +770,7 @@
"logging.logServices.list",
"logging.logs.list",
"logging.notificationRules.list",
"logging.operations.list",
"logging.privateLogEntries.list",
"logging.queries.list",
"logging.sinks.list",
@@ -717,6 +810,12 @@
"monitoring.slos.list",
"monitoring.timeSeries.list",
"monitoring.uptimeCheckConfigs.list",
"networkconnectivity.hubs.getIamPolicy",
"networkconnectivity.hubs.list",
"networkconnectivity.locations.list",
"networkconnectivity.operations.list",
"networkconnectivity.spokes.getIamPolicy",
"networkconnectivity.spokes.list",
"networkmanagement.connectivitytests.getIamPolicy",
"networkmanagement.connectivitytests.list",
"networkmanagement.locations.list",
@@ -745,19 +844,29 @@
"notebooks.instances.list",
"notebooks.locations.list",
"notebooks.operations.list",
"notebooks.runtimes.getIamPolicy",
"notebooks.runtimes.list",
"notebooks.schedules.getIamPolicy",
"notebooks.schedules.list",
"ondemandscanning.operations.list",
"opsconfigmonitoring.resourceMetadata.list",
"osconfig.guestPolicies.list",
"osconfig.instanceOSPoliciesCompliances.list",
"osconfig.inventories.list",
"osconfig.osPolicyAssignments.list",
"osconfig.patchDeployments.list",
"osconfig.patchJobs.list",
"osconfig.vulnerabilityReports.list",
"policysimulator.replayResults.list",
"policysimulator.replays.list",
"privateca.caPools.getIamPolicy",
"privateca.caPools.list",
"privateca.certificateAuthorities.getIamPolicy",
"privateca.certificateAuthorities.list",
"privateca.certificateRevocationLists.getIamPolicy",
"privateca.certificateRevocationLists.list",
"privateca.certificateTemplates.getIamPolicy",
"privateca.certificateTemplates.list",
"privateca.certificates.getIamPolicy",
"privateca.certificates.list",
"privateca.locations.list",
@@ -780,6 +889,10 @@
"pubsublite.subscriptions.list",
"pubsublite.topics.list",
"recaptchaenterprise.keys.list",
"recommender.cloudAssetInsights.get",
"recommender.cloudAssetInsights.list",
"recommender.cloudsqlInstanceDiskUsageTrendInsights.list",
"recommender.cloudsqlInstanceOutOfDiskRecommendations.list",
"recommender.commitmentUtilizationInsights.list",
"recommender.computeAddressIdleResourceInsights.list",
"recommender.computeAddressIdleResourceRecommendations.list",
@@ -794,6 +907,7 @@
"recommender.iamPolicyInsights.list",
"recommender.iamPolicyRecommendations.list",
"recommender.iamServiceAccountInsights.list",
"recommender.locations.get",
"recommender.locations.list",
"recommender.loggingProductSuggestionContainerInsights.list",
"recommender.loggingProductSuggestionContainerRecommendations.list",
@@ -805,14 +919,15 @@
"redis.operations.list",
"remotebuildexecution.instances.list",
"remotebuildexecution.workerpools.list",
"resourcemanager.folders.get",
"resourcemanager.folders.getIamPolicy",
"resourcemanager.folders.list",
"resourcemanager.hierarchyNodes.listTagBindings",
"resourcemanager.organizations.get",
"resourcemanager.organizations.getIamPolicy",
"resourcemanager.projects.get",
"resourcemanager.projects.getIamPolicy",
"resourcemanager.projects.list",
"resourcemanager.resourceTagBindings.list",
"resourcemanager.tagKeys.getIamPolicy",
"resourcemanager.tagKeys.list",
"resourcemanager.tagValues.getIamPolicy",
@@ -884,6 +999,7 @@
"storage.buckets.getIamPolicy",
"storage.buckets.list",
"storage.hmacKeys.list",
"storage.multipartUploads.list",
"storage.objects.getIamPolicy",
"storage.objects.list",
"storagetransfer.jobs.list",
@@ -895,7 +1011,18 @@
"tpu.tensorflowversions.list",
"transcoder.jobTemplates.list",
"transcoder.jobs.list",
"translationhub.portals.list",
"vmmigration.cloneJobs.list",
"vmmigration.cutoverJobs.list",
"vmmigration.datacenterConnectors.list",
"vmmigration.deployments.list",
"vmmigration.groups.list",
"vmmigration.locations.list",
"vmmigration.migratingVms.list",
"vmmigration.operations.list",
"vmmigration.sources.list",
"vmmigration.targets.list",
"vmmigration.utilizationReports.list",
"vpcaccess.connectors.list",
"vpcaccess.locations.list",
"vpcaccess.operations.list",
19 changes: 18 additions & 1 deletion audit/org_kubernetes.io/roles/organization.admin.json
@@ -1,12 +1,22 @@
{
"description": "Access to administer all resources belonging to the organization",
"includedPermissions": [
"billing.accounts.create",
"billing.accounts.get",
"billing.accounts.getIamPolicy",
"billing.accounts.getSpendingInformation",
"billing.accounts.getUsageExportSpec",
"billing.accounts.list",
"billing.accounts.redeemPromotion",
"billing.accounts.updateUsageExportSpec",
"billing.budgets.create",
"billing.budgets.delete",
"billing.budgets.get",
"billing.budgets.list",
"billing.budgets.update",
"billing.credits.list",
"billing.resourceAssociations.create",
"billing.resourceAssociations.list",
"orgpolicy.policy.get",
"resourcemanager.folders.create",
"resourcemanager.folders.delete",
@@ -25,7 +35,14 @@
"resourcemanager.projects.getIamPolicy",
"resourcemanager.projects.list",
"resourcemanager.projects.move",
"resourcemanager.projects.setIamPolicy"
"resourcemanager.projects.setIamPolicy",
"storage.buckets.create",
"storage.buckets.delete",
"storage.buckets.get",
"storage.buckets.getIamPolicy",
"storage.buckets.list",
"storage.buckets.setIamPolicy",
"storage.buckets.update"
],
"name": "organizations/758905017065/roles/organization.admin",
"stage": "GA",
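Review bot: The second hunk adds `storage.buckets.setIamPolicy`, `storage.buckets.delete` and `storage.buckets.update` to the custom role `organization.admin`, which lets a holder of the role re-permission or delete any bucket in scope of the binding. The role description covers administering all organization resources, so this may be intended, but the snapshot does not show where the widening was approved. Confirm the role definition in the repo's IAM tooling carries the same seven `storage.buckets.*` entries, and likewise the billing permissions in the first hunk, where the rendering does not show which lines are new. The file continues past the second hunk.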
@@ -2,8 +2,7 @@
"bindings": [
{
"members": [
"group:[email protected]",
"user:[email protected]"
"group:[email protected]"
],
"role": "roles/storage.admin"
},
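--- a/audit/projects/kubernetes-public/iam.json
+++ b/audit/projects/kubernetes-public/iam.json
@@ -147,6 +147,10 @@
 },
 {
 "members": [
+"group:[email protected]",
+"group:[email protected]",
+"group:[email protected]",
+"group:[email protected]",
 "serviceAccount:[email protected]"
 ],
 "role": "roles/viewer"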
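Review bot: The four groups added to this binding receive `roles/viewer`, a basic role that grants read access across nearly all services in the project rather than only the resources each group works with. The group addresses are obfuscated here, so whether all four need project-wide read cannot be judged from the page. If the groups only need specific services, the grant at its source would be better expressed as narrower predefined roles per group, with this snapshot then showing those roles instead of four more members on `roles/viewer`.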
