audit: update as of 2021-07-11

kubernetes · Jul 11, 2021 · 9cce6f5 · 9cce6f5
1 parent 43ee393
commit 9cce6f5
Show file tree

Hide file tree

Showing 17 changed files with 313 additions and 12 deletions.
diff --git a/audit/projects/k8s-artifacts-prod/services/logging/logs.json b/audit/projects/k8s-artifacts-prod/services/logging/logs.json
@@ -1,6 +1,5 @@
 [
   "projects/k8s-artifacts-prod/logs/cip-audit-log",
-  "projects/k8s-artifacts-prod/logs/cloudaudit.googleapis.com%2Factivity",
   "projects/k8s-artifacts-prod/logs/cloudaudit.googleapis.com%2Fsystem_event",
   "projects/k8s-artifacts-prod/logs/requests",
   "projects/k8s-artifacts-prod/logs/run.googleapis.com%2Frequests",

diff --git a/audit/projects/k8s-cip-test-prod/services/logging/logs.json b/audit/projects/k8s-cip-test-prod/services/logging/logs.json
@@ -1,4 +1,3 @@
 [
-  "projects/k8s-cip-test-prod/logs/cloudaudit.googleapis.com%2Factivity",
   "projects/k8s-cip-test-prod/logs/cloudaudit.googleapis.com%2Fsystem_event"
 ]
diff --git a/audit/projects/k8s-infra-project-jedha/description.json b/audit/projects/k8s-infra-project-jedha/description.json
@@ -0,0 +1,11 @@
+{
+  "createTime": "2021-07-10T12:35:00.145Z",
+  "lifecycleState": "ACTIVE",
+  "name": "k8s-infra-project-jedha",
+  "parent": {
+    "id": "758905017065",
+    "type": "organization"
+  },
+  "projectId": "k8s-infra-project-jedha",
+  "projectNumber": "1088262075988"
+}
diff --git a/audit/projects/k8s-infra-project-jedha/iam.json b/audit/projects/k8s-infra-project-jedha/iam.json
@@ -0,0 +1,48 @@
+{
+  "bindings": [
+    {
+      "members": [
+        "serviceAccount:[email protected]"
+      ],
+      "role": "roles/compute.serviceAgent"
+    },
+    {
+      "members": [
+        "serviceAccount:service-1088262075988@container-engine-robot.iam.gserviceaccount.com"
+      ],
+      "role": "roles/container.serviceAgent"
+    },
+    {
+      "members": [
+        "serviceAccount:[email protected]"
+      ],
+      "role": "roles/containerregistry.ServiceAgent"
+    },
+    {
+      "members": [
+        "serviceAccount:[email protected]",
+        "serviceAccount:[email protected]"
+      ],
+      "role": "roles/editor"
+    },
+    {
+      "members": [
+        "user:[email protected]"
+      ],
+      "role": "roles/owner"
+    },
+    {
+      "members": [
+        "serviceAccount:[email protected]"
+      ],
+      "role": "roles/pubsub.serviceAgent"
+    },
+    {
+      "members": [
+        "serviceAccount:[email protected]"
+      ],
+      "role": "roles/redis.serviceAgent"
+    }
+  ],
+  "version": 1
+}
diff --git a/...dha/service-accounts/[email protected]/description.json b/...dha/service-accounts/[email protected]/description.json
@@ -0,0 +1,9 @@
+{
+  "disabled": true,
+  "displayName": "Compute Engine default service account",
+  "email": "[email protected]",
+  "name": "projects/k8s-infra-project-jedha/serviceAccounts/[email protected]",
+  "oauth2ClientId": "106911913404991129722",
+  "projectId": "k8s-infra-project-jedha",
+  "uniqueId": "106911913404991129722"
+}
diff --git a/...oject-jedha/service-accounts/[email protected]/iam.json b/...oject-jedha/service-accounts/[email protected]/iam.json
@@ -0,0 +1 @@
+{}
diff --git a/audit/projects/k8s-infra-project-jedha/services/bigquery/bigquery.datasets.json b/audit/projects/k8s-infra-project-jedha/services/bigquery/bigquery.datasets.json
diff --git a/audit/projects/k8s-infra-project-jedha/services/compute/project-info.json b/audit/projects/k8s-infra-project-jedha/services/compute/project-info.json
@@ -0,0 +1,171 @@
+{
+  "commonInstanceMetadata": {
+    "kind": "compute#metadata"
+  },
+  "creationTimestamp": "2021-07-10T05:35:31.563-07:00",
+  "defaultNetworkTier": "PREMIUM",
+  "defaultServiceAccount": "[email protected]",
+  "id": "1841451747995036412",
+  "kind": "compute#project",
+  "name": "k8s-infra-project-jedha",
+  "quotas": [
+    {
+      "limit": 10000,
+      "metric": "SNAPSHOTS"
+    },
+    {
+      "limit": 30,
+      "metric": "NETWORKS"
+    },
+    {
+      "limit": 500,
+      "metric": "FIREWALLS"
+    },
+    {
+      "limit": 5000,
+      "metric": "IMAGES"
+    },
+    {
+      "limit": 175,
+      "metric": "STATIC_ADDRESSES"
+    },
+    {
+      "limit": 300,
+      "metric": "ROUTES"
+    },
+    {
+      "limit": 150,
+      "metric": "FORWARDING_RULES"
+    },
+    {
+      "limit": 500,
+      "metric": "TARGET_POOLS"
+    },
+    {
+      "limit": 500,
+      "metric": "HEALTH_CHECKS"
+    },
+    {
+      "limit": 575,
+      "metric": "IN_USE_ADDRESSES"
+    },
+    {
+      "limit": 500,
+      "metric": "TARGET_INSTANCES"
+    },
+    {
+      "limit": 100,
+      "metric": "TARGET_HTTP_PROXIES"
+    },
+    {
+      "limit": 100,
+      "metric": "URL_MAPS"
+    },
+    {
+      "limit": 30,
+      "metric": "BACKEND_SERVICES"
+    },
+    {
+      "limit": 1000,
+      "metric": "INSTANCE_TEMPLATES"
+    },
+    {
+      "limit": 50,
+      "metric": "TARGET_VPN_GATEWAYS"
+    },
+    {
+      "limit": 100,
+      "metric": "VPN_TUNNELS"
+    },
+    {
+      "limit": 30,
+      "metric": "BACKEND_BUCKETS"
+    },
+    {
+      "limit": 20,
+      "metric": "ROUTERS"
+    },
+    {
+      "limit": 100,
+      "metric": "TARGET_SSL_PROXIES"
+    },
+    {
+      "limit": 100,
+      "metric": "TARGET_HTTPS_PROXIES"
+    },
+    {
+      "limit": 100,
+      "metric": "SSL_CERTIFICATES"
+    },
+    {
+      "limit": 275,
+      "metric": "SUBNETWORKS"
+    },
+    {
+      "limit": 100,
+      "metric": "TARGET_TCP_PROXIES"
+    },
+    {
+      "limit": 10,
+      "metric": "SECURITY_POLICIES"
+    },
+    {
+      "limit": 200,
+      "metric": "SECURITY_POLICY_RULES"
+    },
+    {
+      "limit": 1000,
+      "metric": "XPN_SERVICE_PROJECTS"
+    },
+    {
+      "limit": 150,
+      "metric": "PACKET_MIRRORINGS"
+    },
+    {
+      "limit": 1000,
+      "metric": "NETWORK_ENDPOINT_GROUPS"
+    },
+    {
+      "limit": 6,
+      "metric": "INTERCONNECTS"
+    },
+    {
+      "limit": 5000,
+      "metric": "GLOBAL_INTERNAL_ADDRESSES"
+    },
+    {
+      "limit": 50,
+      "metric": "VPN_GATEWAYS"
+    },
+    {
+      "limit": 5000,
+      "metric": "MACHINE_IMAGES"
+    },
+    {
+      "limit": 20,
+      "metric": "SECURITY_POLICY_CEVAL_RULES"
+    },
+    {
+      "limit": 50,
+      "metric": "EXTERNAL_VPN_GATEWAYS"
+    },
+    {
+      "limit": 1,
+      "metric": "PUBLIC_ADVERTISED_PREFIXES"
+    },
+    {
+      "limit": 10,
+      "metric": "PUBLIC_DELEGATED_PREFIXES"
+    },
+    {
+      "limit": 1024,
+      "metric": "STATIC_BYOIP_ADDRESSES"
+    },
+    {
+      "limit": 150,
+      "metric": "INTERNAL_TRAFFIC_DIRECTOR_FORWARDING_RULES"
+    }
+  ],
+  "selfLink": "https://www.googleapis.com/compute/v1/projects/k8s-infra-project-jedha",
+  "xpnProjectStatus": "UNSPECIFIED_XPN_PROJECT_STATUS"
+}
diff --git a/audit/projects/k8s-infra-project-jedha/services/enabled.txt b/audit/projects/k8s-infra-project-jedha/services/enabled.txt
@@ -0,0 +1,21 @@
+NAME                                 TITLE
+bigquery.googleapis.com              BigQuery API
+bigquerystorage.googleapis.com       BigQuery Storage API
+cloudkms.googleapis.com              Cloud Key Management Service (KMS) API
+cloudresourcemanager.googleapis.com  Cloud Resource Manager API
+cloudtrace.googleapis.com            Cloud Trace API
+compute.googleapis.com               Compute Engine API
+container.googleapis.com             Kubernetes Engine API
+containerregistry.googleapis.com     Container Registry API
+deploymentmanager.googleapis.com     Cloud Deployment Manager V2 API
+iam.googleapis.com                   Identity and Access Management (IAM) API
+iamcredentials.googleapis.com        IAM Service Account Credentials API
+logging.googleapis.com               Cloud Logging API
+monitoring.googleapis.com            Cloud Monitoring API
+oslogin.googleapis.com               Cloud OS Login API
+pubsub.googleapis.com                Cloud Pub/Sub API
+redis.googleapis.com                 Google Cloud Memorystore for Redis API
+serviceusage.googleapis.com          Service Usage API
+storage-api.googleapis.com           Google Cloud Storage JSON API
+storage-component.googleapis.com     Cloud Storage
+trafficdirector.googleapis.com       Traffic Director API
diff --git a/audit/projects/k8s-infra-project-jedha/services/logging/logs.json b/audit/projects/k8s-infra-project-jedha/services/logging/logs.json
@@ -0,0 +1,21 @@
+[
+  "projects/k8s-infra-project-jedha/logs/cloudaudit.googleapis.com%2Factivity",
+  "projects/k8s-infra-project-jedha/logs/cloudaudit.googleapis.com%2Fsystem_event",
+  "projects/k8s-infra-project-jedha/logs/clouderrorreporting.googleapis.com%2Finsights",
+  "projects/k8s-infra-project-jedha/logs/compute.googleapis.com%2Fshielded_vm_integrity",
+  "projects/k8s-infra-project-jedha/logs/compute.googleapis.com%2Fvpc_flows",
+  "projects/k8s-infra-project-jedha/logs/container-runtime",
+  "projects/k8s-infra-project-jedha/logs/container.googleapis.com%2Fcluster-autoscaler-visibility",
+  "projects/k8s-infra-project-jedha/logs/events",
+  "projects/k8s-infra-project-jedha/logs/kube-logrotate",
+  "projects/k8s-infra-project-jedha/logs/kube-proxy",
+  "projects/k8s-infra-project-jedha/logs/kubelet",
+  "projects/k8s-infra-project-jedha/logs/node-problem-detector",
+  "projects/k8s-infra-project-jedha/logs/redis.googleapis.com%2Fredis",
+  "projects/k8s-infra-project-jedha/logs/requests",
+  "projects/k8s-infra-project-jedha/logs/serialconsole.googleapis.com%2Fserial_port_1_output",
+  "projects/k8s-infra-project-jedha/logs/serialconsole.googleapis.com%2Fserial_port_2_output",
+  "projects/k8s-infra-project-jedha/logs/serialconsole.googleapis.com%2Fserial_port_debug_output",
+  "projects/k8s-infra-project-jedha/logs/stderr",
+  "projects/k8s-infra-project-jedha/logs/stdout"
+]
diff --git a/audit/projects/k8s-infra-project-jedha/services/logging/sinks.json b/audit/projects/k8s-infra-project-jedha/services/logging/sinks.json
@@ -0,0 +1,12 @@
+[
+  {
+    "destination": "logging.googleapis.com/projects/k8s-infra-project-jedha/locations/global/buckets/_Required",
+    "filter": "LOG_ID(\"cloudaudit.googleapis.com/activity\") OR LOG_ID(\"externalaudit.googleapis.com/activity\") OR LOG_ID(\"cloudaudit.googleapis.com/system_event\") OR LOG_ID(\"externalaudit.googleapis.com/system_event\") OR LOG_ID(\"cloudaudit.googleapis.com/access_transparency\") OR LOG_ID(\"externalaudit.googleapis.com/access_transparency\")",
+    "name": "_Required"
+  },
+  {
+    "destination": "logging.googleapis.com/projects/k8s-infra-project-jedha/locations/global/buckets/_Default",
+    "filter": "NOT LOG_ID(\"cloudaudit.googleapis.com/activity\") AND NOT LOG_ID(\"externalaudit.googleapis.com/activity\") AND NOT LOG_ID(\"cloudaudit.googleapis.com/system_event\") AND NOT LOG_ID(\"externalaudit.googleapis.com/system_event\") AND NOT LOG_ID(\"cloudaudit.googleapis.com/access_transparency\") AND NOT LOG_ID(\"externalaudit.googleapis.com/access_transparency\")",
+    "name": "_Default"
+  }
+]
diff --git a/audit/projects/k8s-release/buckets/k8s-release/iam.json b/audit/projects/k8s-release/buckets/k8s-release/iam.json
@@ -10,7 +10,8 @@
     },
     {
       "members": [
-        "projectViewer:k8s-release"
+        "projectViewer:k8s-release",
+        "serviceAccount:project-304687256732@storage-transfer-service.iam.gserviceaccount.com"
       ],
       "role": "roles/storage.legacyBucketReader"
     },
@@ -25,7 +26,8 @@
       "members": [
         "group:[email protected]",
         "group:[email protected]",
-        "group:[email protected]"
+        "group:[email protected]",
+        "serviceAccount:project-304687256732@storage-transfer-service.iam.gserviceaccount.com"
       ],
       "role": "roles/storage.objectAdmin"
     },

diff --git a/audit/projects/k8s-release/buckets/k8s-release/metadata.txt b/audit/projects/k8s-release/buckets/k8s-release/metadata.txt
@@ -11,8 +11,8 @@ gs://k8s-release/ :
 	Labels:				None
 	Default KMS key:		None
 	Time created:			Fri, 07 Aug 2020 20:50:17 GMT
-	Time updated:			Fri, 07 Aug 2020 20:50:37 GMT
-	Metageneration:			9
+	Time updated:			Fri, 09 Jul 2021 20:06:14 GMT
+	Metageneration:			10
 	Bucket Policy Only enabled:	True
 	ACL:				[]
 	Default ACL:			[]
diff --git a/audit/projects/k8s-release/iam.json b/audit/projects/k8s-release/iam.json
@@ -50,6 +50,12 @@
       ],
       "role": "roles/editor"
     },
+    {
+      "members": [
+        "serviceAccount:[email protected]"
+      ],
+      "role": "roles/pubsub.editor"
+    },
     {
       "members": [
         "group:[email protected]",

diff --git a/audit/projects/k8s-release/services/logging/logs.json b/audit/projects/k8s-release/services/logging/logs.json
@@ -1 +1,3 @@
-[]
+[
+  "projects/k8s-release/logs/cloudaudit.googleapis.com%2Factivity"
+]
diff --git a/audit/projects/k8s-staging-cluster-api-gcp/services/logging/logs.json b/audit/projects/k8s-staging-cluster-api-gcp/services/logging/logs.json
@@ -2,6 +2,5 @@
   "projects/k8s-staging-cluster-api-gcp/logs/cloudaudit.googleapis.com%2Factivity",
   "projects/k8s-staging-cluster-api-gcp/logs/cloudaudit.googleapis.com%2Fdata_access",
   "projects/k8s-staging-cluster-api-gcp/logs/cloudaudit.googleapis.com%2Fsystem_event",
-  "projects/k8s-staging-cluster-api-gcp/logs/cloudbuild",
-  "projects/k8s-staging-cluster-api-gcp/logs/compute.googleapis.com%2Fshielded_vm_integrity"
+  "projects/k8s-staging-cluster-api-gcp/logs/cloudbuild"
 ]
diff --git a/audit/projects/kubernetes-public/services/container/clusters/aaa.json b/audit/projects/kubernetes-public/services/container/clusters/aaa.json
@@ -37,7 +37,7 @@
   "clusterIpv4Cidr": "10.40.0.0/14",
   "createTime": "2019-09-18T23:39:24+00:00",
   "currentMasterVersion": "1.19.9-gke.1900",
-  "currentNodeVersion": "1.18.17-gke.1901 *",
+  "currentNodeVersion": "1.19.9-gke.1900",
   "databaseEncryption": {
     "state": "DECRYPTED"
   },
@@ -168,7 +168,7 @@
       "upgradeSettings": {
         "maxSurge": 1
       },
-      "version": "1.18.17-gke.1901"
+      "version": "1.19.9-gke.1900"
     },
     {
       "autoscaling": {
@@ -219,7 +219,7 @@
       "upgradeSettings": {
         "maxSurge": 1
       },
-      "version": "1.18.17-gke.1901"
+      "version": "1.19.9-gke.1900"
     }
   ],
   "releaseChannel": {