Merge pull request #2678 from ameukam/kops-bucket-ci

infra/gcp: Add bucket for kOps
kubernetes · Sep 9, 2021 · 2d2e6bc · 2d2e6bc
2 parents a0516bb + 9acdbf1
commit 2d2e6bc
Show file tree

Hide file tree

Showing 3 changed files with 64 additions and 0 deletions.
diff --git a/groups/restrictions.yaml b/groups/restrictions.yaml
@@ -77,6 +77,7 @@ restrictions:
     allowedGroups:
       - "^[email protected]$"
       - "^[email protected]$"
+      - "^[email protected]$"
       - "^[email protected]$"
       - "^[email protected]$"
       - "^[email protected]$"

diff --git a/groups/sig-cluster-lifecycle/groups.yaml b/groups/sig-cluster-lifecycle/groups.yaml
@@ -7,6 +7,15 @@ groups:
   # and is not intended to govern access to infrastructure
   #
 
+  - email-id: [email protected]
+    name: k8s-infra-kops-maintainers
+    description: |
+      ACL for kOps maintainers
+    settings:
+      ReconcileMembers: "true"
+    members:
+      - [email protected]
+
   - email-id: [email protected]
     name: sig-cluster-lifecycle-cluster-api-alerts
     description: |-

diff --git a/infra/gcp/terraform/kubernetes-public/prowjob-buckets.tf b/infra/gcp/terraform/kubernetes-public/prowjob-buckets.tf
@@ -19,6 +19,7 @@ This file defines all GCS buckets that prow jobs write to
 */
 
 locals {
+  kops_ci_bucket_name                   = "k8s-infra-kops-ci-results"        // Name of the bucket for kops ci jobs results (version markers, binaries, etc...)
   scalability_tests_logs_bucket_name    = "k8s-infra-scalability-tests-logs" // Name of the bucket for the scalability test results
   scalability_golang_builds_bucket_name = "k8s-infra-scale-golang-builds"    // Name of the bucket for the scalability golang builds
 }
@@ -137,3 +138,56 @@ resource "google_storage_bucket_iam_policy" "scalability_golang_builds_policy" {
   bucket      = google_storage_bucket.scalability_golang_builds.name
   policy_data = data.google_iam_policy.scalability_golang_builds_bindings.policy_data
 }
+
+// Bucket for kops CI jobs results
+resource "google_storage_bucket" "kops_ci_bucket" {
+  project = data.google_project.project.project_id
+  name    = local.kops_ci_bucket_name
+
+  uniform_bucket_level_access = true
+}
+
+data "google_iam_policy" "kops_ci_bucket_bindings" {
+  // Ensure k8s-infra-kops-maintainers has admin privileges
+  binding {
+    members = [
+      "group:[email protected]",
+    ]
+    role = "roles/storage.admin"
+  }
+  // Maintain legacy admins privilegies
+  binding {
+    members = [
+      "group:[email protected]",
+      "projectEditor:${data.google_project.project.project_id}",
+      "projectOwner:${data.google_project.project.project_id}",
+    ]
+    role = "roles/storage.legacyBucketOwner"
+  }
+  binding {
+    members = [
+      "projectViewer:${data.google_project.project.project_id}",
+    ]
+    role = "roles/storage.legacyBucketReader"
+  }
+  // Ensure prow-build serviceaccount can write to bucket
+  binding {
+    role = "roles/storage.objectAdmin"
+    members = [
+      "serviceAccount:[email protected]",
+    ]
+  }
+  // Ensure bucket is world readable
+  binding {
+    role = "roles/storage.objectViewer"
+    members = [
+      "allUsers"
+    ]
+  }
+}
+
+// Authoritative iam-policy: replaces any existing policy attached to the bucket
+resource "google_storage_bucket_iam_policy" "kops_ci_bucket_bindings" {
+  bucket      = google_storage_bucket.kops_ci_bucket.name
+  policy_data = data.google_iam_policy.kops_ci_bucket_bindings.policy_data
+}