diff --git a/infra/gcp/clusters/projects/k8s-infra-prow-build-trusted/prow-build-trusted/resources/build-serviceaccounts.yaml b/infra/gcp/clusters/projects/k8s-infra-prow-build-trusted/prow-build-trusted/resources/build-serviceaccounts.yaml
index 3c388d1907e..d798d9e54ff 100644
--- a/infra/gcp/clusters/projects/k8s-infra-prow-build-trusted/prow-build-trusted/resources/build-serviceaccounts.yaml
+++ b/infra/gcp/clusters/projects/k8s-infra-prow-build-trusted/prow-build-trusted/resources/build-serviceaccounts.yaml
@@ -63,11 +63,3 @@ metadata:
 iam.gke.io/gcp-service-account: k8s-infra-gcr-promoter@k8s-artifacts-prod-bak.iam.gserviceaccount.com
 name: k8s-infra-gcr-promoter-bak
 namespace: test-pods
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- annotations:
- iam.gke.io/gcp-service-account: k8s-infra-gcr-vuln-dashboard@k8s-artifacts-prod.iam.gserviceaccount.com
- name: k8s-infra-gcr-vuln-dashboard
- namespace: test-pods
diff --git a/infra/gcp/ensure-prod-storage.sh b/infra/gcp/ensure-prod-storage.sh
index fcb2824da5f..f7e3b5af39c 100755
--- a/infra/gcp/ensure-prod-storage.sh
+++ b/infra/gcp/ensure-prod-storage.sh
@@ -372,44 +372,6 @@ color 6 "Handling special cases"
 "${PROD_PROJECT}" \
 $(svc_acct_email "${PROD_PROJECT}" "${PROMOTER_VULN_SCANNING_SVCACCT}")
 done
-
- color 6 "Ensuring prod promoter vuln-dashboard svcacct exists"
- ensure_service_account \
- "${PROD_PROJECT}" \
- "${VULN_DASHBOARD_SVCACCT}" \
- "k8s-infra container image vuln dashboard"
-
- color 6 "Empowering promoter-scanning namespace to use prod promoter vuln-dashboard svcacct"
- for project in "${PROW_TRUSTED_BUILD_CLUSTER_PROJECTS[@]}"; do
- empower_ksa_to_svcacct \
- "${project}.svc.id.goog[test-pods/k8s-infra-gcr-vuln-dashboard]" \
- "${PROD_PROJECT}" \
- $(svc_acct_email "${PROD_PROJECT}" "${VULN_DASHBOARD_SVCACCT}")
- done
-
- # Special case: grant the k8s-infra-gcr-vuln-dashboard account access to
- # write to the prod vuln dashboard GCS bucket.
- ensure_prod_gcs_bucket "${PROD_PROJECT}" "gs://${PROD_PROJECT}-vuln-dashboard" 2>&1 | indent
-
- color 6 "Empowering vuln-dashboard svcacct to vuln-dashboard bucket"
- empower_svcacct_to_write_gcs_bucket \
- "$(svc_acct_email "${PROD_PROJECT}" "${VULN_DASHBOARD_SVCACCT}")" \
- "gs://${PROD_PROJECT}-vuln-dashboard"
-
- # Special case: grant the k8s-infra-gcr-vuln-dashboard account access to
- # container analysis results for the prod project.
- color 6 "Empowering vuln-dashboard svcacct to prod vulnerability scanning"
- empower_service_account_for_cip_vuln_scanning \
- "$(svc_acct_email "${PROD_PROJECT}" "${VULN_DASHBOARD_SVCACCT}")" \
- "${PROD_PROJECT}"
-
- # Special case: don't use retention on vulnerability dashboard bucket
- # 'ci-release-vulndash-update' runs periodically in Prow and
- # requires access to overwrite the dashboard's html.
- # This should maybe one day be wired up as a Netlify site, but
- # one step at a time!
- color 6 "Removing retention on the ${PROD_PROJECT}-vuln-dashboard bucket"
- gsutil retention clear "gs://${PROD_PROJECT}-vuln-dashboard"
 ) 2>&1 | indent
 
 color 6 "Done"
diff --git a/infra/gcp/lib.sh b/infra/gcp/lib.sh
index dbe7e3f28fd..c7fde88b477 100755
--- a/infra/gcp/lib.sh
+++ b/infra/gcp/lib.sh
@@ -33,9 +33,6 @@ PROMOTER_SVCACCT="k8s-infra-gcr-promoter"
 # The service account name for the image promoter's vulnerability check.
 PROMOTER_VULN_SCANNING_SVCACCT="k8s-infra-gcr-vuln-scanning"
 
-# The service account name for the k8s vulnerability dashboard.
-VULN_DASHBOARD_SVCACCT="k8s-infra-gcr-vuln-dashboard"
-
 # The service account name for the GCR auditor (Cloud Run runtime service
 # account).
 AUDITOR_SVCACCT="k8s-infra-gcr-auditor"