-
Notifications
You must be signed in to change notification settings - Fork 828
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #1679 from spiffxp/ensure-organization
Add ensure-organization.sh, give prow-oncall org browse access
- Loading branch information
Showing
3 changed files
with
100 additions
and
6 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,79 @@ | ||
| #!/usr/bin/env bash | ||
| # | ||
| # Copyright 2019 The Kubernetes Authors. | ||
| # | ||
| # Licensed under the Apache License, Version 2.0 (the "License"); | ||
| # you may not use this file except in compliance with the License. | ||
| # You may obtain a copy of the License at | ||
| # | ||
| # http://www.apache.org/licenses/LICENSE-2.0 | ||
| # | ||
| # Unless required by applicable law or agreed to in writing, software | ||
| # distributed under the License is distributed on an "AS IS" BASIS, | ||
| # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
| # See the License for the specific language governing permissions and | ||
| # limitations under the License. | ||
|
|
||
| # This script creates & configures the project that governs access to GSuite | ||
| # APIs. | ||
|
|
||
| set -o errexit | ||
| set -o nounset | ||
| set -o pipefail | ||
|
|
||
| SCRIPT_DIR=$(dirname "${BASH_SOURCE[0]}") | ||
| . "${SCRIPT_DIR}/lib.sh" | ||
|
|
||
| function usage() { | ||
| echo "usage: $0" > /dev/stderr | ||
| echo > /dev/stderr | ||
| } | ||
|
|
||
| if [ $# != 0 ]; then | ||
| usage | ||
| exit 1 | ||
| fi | ||
|
|
||
| # TODO: setup custom role StorageBucketLister, I don't see that defined in code | ||
| # TODO: setup custom role CustomRole ("Billing Viewer"), I don't see that defined in code | ||
|
|
||
| ## setup custom role for prow troubleshooting | ||
| color 6 "Ensuring custom org role prow.viewer role exists" | ||
| ( | ||
| ensure_custom_org_role_from_file "prow.viewer" "${SCRIPT_DIR}/roles/prow.viewer.yaml" | ||
| ) 2>&1 | indent | ||
|
|
||
| color 6 "Ensuring org-level IAM bindings exist" | ||
| ( | ||
| # [email protected] should be able to browse org resources | ||
| ensure_org_role_binding "group:[email protected]" "roles/browser" | ||
|
|
||
| # TODO: this already exists, but seems overprivileged for a group that is about | ||
| # access to the "aaa" cluster in "kubernetes-public" | ||
| ensure_org_role_binding "group:[email protected]" "roles/browser" | ||
|
|
||
| # k8s-infra-gcp-accounting@ | ||
| # TODO: CustomRole is a brittle name, we should create a better named role, | ||
| # or is there a reason we're not using predefined roles/billing.viewer? | ||
| ensure_org_role_binding "group:[email protected]" "$(custom_org_role_name "CustomRole")" | ||
|
|
||
| # k8s-infra-gcp-auditors@ | ||
| # TODO: this is what already exists, but it might be better to collapse this | ||
| # into a custom role, or use browser+viewer | ||
| audit_roles=( | ||
| $(custom_org_role_name "StorageBucketLister") | ||
| roles/compute.viewer | ||
| roles/dns.reader | ||
| roles/iam.securityReviewer | ||
| roles/resourcemanager.organizationViewer | ||
| roles/serviceusage.serviceUsageConsumer | ||
| ) | ||
| for role in "${audit_roles[@]}"; do | ||
| ensure_org_role_binding "group:[email protected]" "${role}" | ||
| done | ||
|
|
||
| # k8s-infra-org-admins@ | ||
| # TODO: there are more granular roles also bound, they seem redundant given | ||
| # this role | ||
| ensure_org_role_binding "group:[email protected]" "roles/owner" | ||
| ) 2>&1 | indent |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -32,12 +32,6 @@ function usage() { | |
| echo > /dev/stderr | ||
| } | ||
|
|
||
| ## setup custom role for prow troubleshooting | ||
| color 6 "Ensuring custom org role prow.viewer role exists" | ||
| ( | ||
| ensure_custom_org_role_from_file "prow.viewer" "${SCRIPT_DIR}/roles/prow.viewer.yaml" | ||
| ) 2>&1 | indent | ||
|
|
||
| ## setup service accounts and ips for the prow build cluster | ||
|
|
||
| PROW_BUILD_SVCACCT=$(svc_acct_email "k8s-infra-prow-build" "prow-build") | ||
|
|
@@ -148,6 +142,7 @@ for prj; do | |
| --member "group:[email protected]" \ | ||
| --role roles/owner | ||
|
|
||
| # NB: prow.viewer role is defined in ensure-organization.sh, that needs to have been run first | ||
| color 6 "Empower [email protected] to view e2e project: ${prj}" | ||
| gcloud \ | ||
| projects add-iam-policy-binding "${prj}" \ | ||
|
|
||