From 9cce6f56167b7bc57c930af5ec88c0bc78962317 Mon Sep 17 00:00:00 2001 From: CNCF CI Bot Date: Sun, 11 Jul 2021 20:35:49 +0000 Subject: [PATCH] audit: update as of 2021-07-11 --- .../services/logging/logs.json | 1 - .../services/logging/logs.json | 1 - .../k8s-infra-project-jedha/description.json | 11 ++ .../projects/k8s-infra-project-jedha/iam.json | 48 +++++ .../description.json | 9 + .../iam.json | 1 + .../services/bigquery/bigquery.datasets.json | 0 .../services/compute/project-info.json | 171 ++++++++++++++++++ .../services/enabled.txt | 21 +++ .../services/logging/logs.json | 21 +++ .../services/logging/sinks.json | 12 ++ .../k8s-release/buckets/k8s-release/iam.json | 6 +- .../buckets/k8s-release/metadata.txt | 4 +- audit/projects/k8s-release/iam.json | 6 + .../k8s-release/services/logging/logs.json | 4 +- .../services/logging/logs.json | 3 +- .../services/container/clusters/aaa.json | 6 +- 17 files changed, 313 insertions(+), 12 deletions(-) create mode 100644 audit/projects/k8s-infra-project-jedha/description.json create mode 100644 audit/projects/k8s-infra-project-jedha/iam.json create mode 100644 audit/projects/k8s-infra-project-jedha/service-accounts/1088262075988-compute@developer.gserviceaccount.com/description.json create mode 100644 audit/projects/k8s-infra-project-jedha/service-accounts/1088262075988-compute@developer.gserviceaccount.com/iam.json create mode 100644 audit/projects/k8s-infra-project-jedha/services/bigquery/bigquery.datasets.json create mode 100644 audit/projects/k8s-infra-project-jedha/services/compute/project-info.json create mode 100644 audit/projects/k8s-infra-project-jedha/services/enabled.txt create mode 100644 audit/projects/k8s-infra-project-jedha/services/logging/logs.json create mode 100644 audit/projects/k8s-infra-project-jedha/services/logging/sinks.json 
diff --git a/audit/projects/k8s-artifacts-prod/services/logging/logs.json b/audit/projects/k8s-artifacts-prod/services/logging/logs.json
index 66786c120769..b2f323a69596 100644
--- a/audit/projects/k8s-artifacts-prod/services/logging/logs.json
+++ b/audit/projects/k8s-artifacts-prod/services/logging/logs.json
@@ -1,6 +1,5 @@
 [
 "projects/k8s-artifacts-prod/logs/cip-audit-log",
- "projects/k8s-artifacts-prod/logs/cloudaudit.googleapis.com%2Factivity",
 "projects/k8s-artifacts-prod/logs/cloudaudit.googleapis.com%2Fsystem_event",
 "projects/k8s-artifacts-prod/logs/requests",
 "projects/k8s-artifacts-prod/logs/run.googleapis.com%2Frequests",
diff --git a/audit/projects/k8s-cip-test-prod/services/logging/logs.json b/audit/projects/k8s-cip-test-prod/services/logging/logs.json
index a20d3d66efce..d67ffd5d4f57 100644
--- a/audit/projects/k8s-cip-test-prod/services/logging/logs.json
+++ b/audit/projects/k8s-cip-test-prod/services/logging/logs.json
@@ -1,4 +1,3 @@
 [
- "projects/k8s-cip-test-prod/logs/cloudaudit.googleapis.com%2Factivity",
 "projects/k8s-cip-test-prod/logs/cloudaudit.googleapis.com%2Fsystem_event"
 ]
diff --git a/audit/projects/k8s-infra-project-jedha/description.json b/audit/projects/k8s-infra-project-jedha/description.json
new file mode 100644
index 000000000000..ad7b578c423f
--- /dev/null
+++ b/audit/projects/k8s-infra-project-jedha/description.json
@@ -0,0 +1,11 @@
+{
+ "createTime": "2021-07-10T12:35:00.145Z",
+ "lifecycleState": "ACTIVE",
+ "name": "k8s-infra-project-jedha",
+ "parent": {
+ "id": "758905017065",
+ "type": "organization"
+ },
+ "projectId": "k8s-infra-project-jedha",
+ "projectNumber": "1088262075988"
+}
diff --git a/audit/projects/k8s-infra-project-jedha/iam.json b/audit/projects/k8s-infra-project-jedha/iam.json
new file mode 100644
index 000000000000..248171e9d883
--- /dev/null
+++ b/audit/projects/k8s-infra-project-jedha/iam.json
@@ -0,0 +1,48 @@
+{
+ "bindings": [
+ {
+ "members": [
+ "serviceAccount:service-1088262075988@compute-system.iam.gserviceaccount.com"
+ ],
+ "role": "roles/compute.serviceAgent"
+ },
+ {
+ "members": [
+ "serviceAccount:service-1088262075988@container-engine-robot.iam.gserviceaccount.com"
+ ],
+ "role": "roles/container.serviceAgent"
+ },
+ {
+ "members": [
+ "serviceAccount:service-1088262075988@containerregistry.iam.gserviceaccount.com"
+ ],
+ "role": "roles/containerregistry.ServiceAgent"
+ },
+ {
+ "members": [
+ "serviceAccount:1088262075988-compute@developer.gserviceaccount.com",
+ "serviceAccount:1088262075988@cloudservices.gserviceaccount.com"
+ ],
+ "role": "roles/editor"
+ },
+ {
+ "members": [
+ "user:ameukam@gmail.com"
+ ],
+ "role": "roles/owner"
+ },
+ {
+ "members": [
+ "serviceAccount:service-1088262075988@gcp-sa-pubsub.iam.gserviceaccount.com"
+ ],
+ "role": "roles/pubsub.serviceAgent"
+ },
+ {
+ "members": [
+ "serviceAccount:service-1088262075988@cloud-redis.iam.gserviceaccount.com"
+ ],
+ "role": "roles/redis.serviceAgent"
+ }
+ ],
+ "version": 1
+}
diff --git a/audit/projects/k8s-infra-project-jedha/service-accounts/1088262075988-compute@developer.gserviceaccount.com/description.json b/audit/projects/k8s-infra-project-jedha/service-accounts/1088262075988-compute@developer.gserviceaccount.com/description.json
new file mode 100644
index 000000000000..8aad136597f5
--- /dev/null
+++ b/audit/projects/k8s-infra-project-jedha/service-accounts/1088262075988-compute@developer.gserviceaccount.com/description.json
@@ -0,0 +1,9 @@
+{
+ "disabled": true,
+ "displayName": "Compute Engine default service account",
+ "email": "1088262075988-compute@developer.gserviceaccount.com",
+ "name": "projects/k8s-infra-project-jedha/serviceAccounts/1088262075988-compute@developer.gserviceaccount.com",
+ "oauth2ClientId": "106911913404991129722",
+ "projectId": "k8s-infra-project-jedha",
+ "uniqueId": "106911913404991129722"
+}
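Review bot: In `audit/projects/k8s-infra-project-jedha/iam.json` the only `roles/owner` member is a single personal account, `user:ameukam@gmail.com`, on a project that `description.json` shows parented directly under the organization. Control of the project then rests on one consumer mailbox with no group membership to review, whereas the `k8s-release` bindings elsewhere in this patch use `group:…@kubernetes.io` principals. Because this file is a generated snapshot, the correction belongs in the live policy or the provisioning config (neither is visible here): bind ownership to a managed group, or remove the project if it was created ad hoc. The same file also keeps `roles/editor` on `1088262075988-compute@developer.gserviceaccount.com`; the service-account `description.json` in this patch records it as `"disabled": true`, which limits the exposure, but the binding itself would still be worth dropping.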
diff --git a/audit/projects/k8s-infra-project-jedha/service-accounts/1088262075988-compute@developer.gserviceaccount.com/iam.json b/audit/projects/k8s-infra-project-jedha/service-accounts/1088262075988-compute@developer.gserviceaccount.com/iam.json
new file mode 100644
index 000000000000..0967ef424bce
--- /dev/null
+++ b/audit/projects/k8s-infra-project-jedha/service-accounts/1088262075988-compute@developer.gserviceaccount.com/iam.json
@@ -0,0 +1 @@
+{}
diff --git a/audit/projects/k8s-infra-project-jedha/services/bigquery/bigquery.datasets.json b/audit/projects/k8s-infra-project-jedha/services/bigquery/bigquery.datasets.json
new file mode 100644
index 000000000000..e69de29bb2d1
diff --git a/audit/projects/k8s-infra-project-jedha/services/compute/project-info.json b/audit/projects/k8s-infra-project-jedha/services/compute/project-info.json
new file mode 100644
index 000000000000..39d61b6fa5c5
--- /dev/null
+++ b/audit/projects/k8s-infra-project-jedha/services/compute/project-info.json
@@ -0,0 +1,171 @@ +{ + "commonInstanceMetadata": { + "kind": "compute#metadata" + }, + "creationTimestamp": "2021-07-10T05:35:31.563-07:00", + "defaultNetworkTier": "PREMIUM", + "defaultServiceAccount": "1088262075988-compute@developer.gserviceaccount.com", + "id": "1841451747995036412", + "kind": "compute#project", + "name": "k8s-infra-project-jedha", + "quotas": [ + { + "limit": 10000, + "metric": "SNAPSHOTS" + }, + { + "limit": 30, + "metric": "NETWORKS" + }, + { + "limit": 500, + "metric": "FIREWALLS" + }, + { + "limit": 5000, + "metric": "IMAGES" + }, + { + "limit": 175, + "metric": "STATIC_ADDRESSES" + }, + { + "limit": 300, + "metric": "ROUTES" + }, + { + "limit": 150, + "metric": "FORWARDING_RULES" + }, + { + "limit": 500, + "metric": "TARGET_POOLS" + }, + { + "limit": 500, + "metric": "HEALTH_CHECKS" + }, + { + "limit": 575, + "metric": "IN_USE_ADDRESSES" + }, + { + "limit": 500, + "metric": "TARGET_INSTANCES" + }, + { + "limit": 100, + "metric": "TARGET_HTTP_PROXIES" + }, + { + "limit": 100, + "metric": "URL_MAPS" + }, + { + "limit": 30, + "metric": "BACKEND_SERVICES" + }, + { + "limit": 1000, + "metric": "INSTANCE_TEMPLATES" + }, + { + "limit": 50, + "metric": "TARGET_VPN_GATEWAYS" + }, + { + "limit": 100, + "metric": "VPN_TUNNELS" + }, + { + "limit": 30, + "metric": "BACKEND_BUCKETS" + }, + { + "limit": 20, + "metric": "ROUTERS" + }, + { + "limit": 100, + "metric": "TARGET_SSL_PROXIES" + }, + { + "limit": 100, + "metric": "TARGET_HTTPS_PROXIES" + }, + { + "limit": 100, + "metric": "SSL_CERTIFICATES" + }, + { + "limit": 275, + "metric": "SUBNETWORKS" + }, + { + "limit": 100, + "metric": "TARGET_TCP_PROXIES" + }, + { + "limit": 10, + "metric": "SECURITY_POLICIES" + }, + { + "limit": 200, + "metric": "SECURITY_POLICY_RULES" + }, + { + "limit": 1000, + "metric": "XPN_SERVICE_PROJECTS" + }, + { + "limit": 150, + "metric": "PACKET_MIRRORINGS" + }, + { + "limit": 1000, + "metric": "NETWORK_ENDPOINT_GROUPS" + }, + { + "limit": 6, + "metric": "INTERCONNECTS" + 
}, + { + "limit": 5000, + "metric": "GLOBAL_INTERNAL_ADDRESSES" + }, + { + "limit": 50, + "metric": "VPN_GATEWAYS" + }, + { + "limit": 5000, + "metric": "MACHINE_IMAGES" + }, + { + "limit": 20, + "metric": "SECURITY_POLICY_CEVAL_RULES" + }, + { + "limit": 50, + "metric": "EXTERNAL_VPN_GATEWAYS" + }, + { + "limit": 1, + "metric": "PUBLIC_ADVERTISED_PREFIXES" + }, + { + "limit": 10, + "metric": "PUBLIC_DELEGATED_PREFIXES" + }, + { + "limit": 1024, + "metric": "STATIC_BYOIP_ADDRESSES" + }, + { + "limit": 150, + "metric": "INTERNAL_TRAFFIC_DIRECTOR_FORWARDING_RULES" + } + ], + "selfLink": "https://www.googleapis.com/compute/v1/projects/k8s-infra-project-jedha", + "xpnProjectStatus": "UNSPECIFIED_XPN_PROJECT_STATUS" +} diff --git a/audit/projects/k8s-infra-project-jedha/services/enabled.txt b/audit/projects/k8s-infra-project-jedha/services/enabled.txt new file mode 100644 index 000000000000..3f9beb73fa23 --- /dev/null +++ b/audit/projects/k8s-infra-project-jedha/services/enabled.txt 
@@ -0,0 +1,21 @@
+NAME TITLE
+bigquery.googleapis.com BigQuery API
+bigquerystorage.googleapis.com BigQuery Storage API
+cloudkms.googleapis.com Cloud Key Management Service (KMS) API
+cloudresourcemanager.googleapis.com Cloud Resource Manager API
+cloudtrace.googleapis.com Cloud Trace API
+compute.googleapis.com Compute Engine API
+container.googleapis.com Kubernetes Engine API
+containerregistry.googleapis.com Container Registry API
+deploymentmanager.googleapis.com Cloud Deployment Manager V2 API
+iam.googleapis.com Identity and Access Management (IAM) API
+iamcredentials.googleapis.com IAM Service Account Credentials API
+logging.googleapis.com Cloud Logging API
+monitoring.googleapis.com Cloud Monitoring API
+oslogin.googleapis.com Cloud OS Login API
+pubsub.googleapis.com Cloud Pub/Sub API
+redis.googleapis.com Google Cloud Memorystore for Redis API
+serviceusage.googleapis.com Service Usage API
+storage-api.googleapis.com Google Cloud Storage JSON API
+storage-component.googleapis.com Cloud Storage
+trafficdirector.googleapis.com Traffic Director API
diff --git a/audit/projects/k8s-infra-project-jedha/services/logging/logs.json b/audit/projects/k8s-infra-project-jedha/services/logging/logs.json
new file mode 100644
index 000000000000..04998644c8d6
--- /dev/null
+++ b/audit/projects/k8s-infra-project-jedha/services/logging/logs.json
@@ -0,0 +1,21 @@
+[
+ "projects/k8s-infra-project-jedha/logs/cloudaudit.googleapis.com%2Factivity",
+ "projects/k8s-infra-project-jedha/logs/cloudaudit.googleapis.com%2Fsystem_event",
+ "projects/k8s-infra-project-jedha/logs/clouderrorreporting.googleapis.com%2Finsights",
+ "projects/k8s-infra-project-jedha/logs/compute.googleapis.com%2Fshielded_vm_integrity",
+ "projects/k8s-infra-project-jedha/logs/compute.googleapis.com%2Fvpc_flows",
+ "projects/k8s-infra-project-jedha/logs/container-runtime",
+ "projects/k8s-infra-project-jedha/logs/container.googleapis.com%2Fcluster-autoscaler-visibility",
+ "projects/k8s-infra-project-jedha/logs/events",
+ "projects/k8s-infra-project-jedha/logs/kube-logrotate",
+ "projects/k8s-infra-project-jedha/logs/kube-proxy",
+ "projects/k8s-infra-project-jedha/logs/kubelet",
+ "projects/k8s-infra-project-jedha/logs/node-problem-detector",
+ "projects/k8s-infra-project-jedha/logs/redis.googleapis.com%2Fredis",
+ "projects/k8s-infra-project-jedha/logs/requests",
+ "projects/k8s-infra-project-jedha/logs/serialconsole.googleapis.com%2Fserial_port_1_output",
+ "projects/k8s-infra-project-jedha/logs/serialconsole.googleapis.com%2Fserial_port_2_output",
+ "projects/k8s-infra-project-jedha/logs/serialconsole.googleapis.com%2Fserial_port_debug_output",
+ "projects/k8s-infra-project-jedha/logs/stderr",
+ "projects/k8s-infra-project-jedha/logs/stdout"
+]
diff --git a/audit/projects/k8s-infra-project-jedha/services/logging/sinks.json b/audit/projects/k8s-infra-project-jedha/services/logging/sinks.json
new file mode 100644
index 000000000000..0cb7b3fcbe93
--- /dev/null
+++ b/audit/projects/k8s-infra-project-jedha/services/logging/sinks.json
@@ -0,0 +1,12 @@
+[
+ {
+ "destination": "logging.googleapis.com/projects/k8s-infra-project-jedha/locations/global/buckets/_Required",
+ "filter": "LOG_ID(\"cloudaudit.googleapis.com/activity\") OR LOG_ID(\"externalaudit.googleapis.com/activity\") OR LOG_ID(\"cloudaudit.googleapis.com/system_event\") OR LOG_ID(\"externalaudit.googleapis.com/system_event\") OR LOG_ID(\"cloudaudit.googleapis.com/access_transparency\") OR LOG_ID(\"externalaudit.googleapis.com/access_transparency\")",
+ "name": "_Required"
+ },
+ {
+ "destination": "logging.googleapis.com/projects/k8s-infra-project-jedha/locations/global/buckets/_Default",
+ "filter": "NOT LOG_ID(\"cloudaudit.googleapis.com/activity\") AND NOT LOG_ID(\"externalaudit.googleapis.com/activity\") AND NOT LOG_ID(\"cloudaudit.googleapis.com/system_event\") AND NOT LOG_ID(\"externalaudit.googleapis.com/system_event\") AND NOT LOG_ID(\"cloudaudit.googleapis.com/access_transparency\") AND NOT LOG_ID(\"externalaudit.googleapis.com/access_transparency\")",
+ "name": "_Default"
+ }
+]
diff --git a/audit/projects/k8s-release/buckets/k8s-release/iam.json b/audit/projects/k8s-release/buckets/k8s-release/iam.json
index c29862cf2b96..c59d5ac59b54 100644
--- a/audit/projects/k8s-release/buckets/k8s-release/iam.json
+++ b/audit/projects/k8s-release/buckets/k8s-release/iam.json
@@ -10,7 +10,8 @@
 },
 {
 "members": [
- "projectViewer:k8s-release"
+ "projectViewer:k8s-release",
+ "serviceAccount:project-304687256732@storage-transfer-service.iam.gserviceaccount.com"
 ],
 "role": "roles/storage.legacyBucketReader"
 },
@@ -25,7 +26,8 @@
 "members": [
 "group:k8s-infra-artifact-admins@kubernetes.io",
 "group:k8s-infra-release-admins@kubernetes.io",
- "group:k8s-infra-release-editors@kubernetes.io"
+ "group:k8s-infra-release-editors@kubernetes.io",
+ "serviceAccount:project-304687256732@storage-transfer-service.iam.gserviceaccount.com"
 ],
 "role": "roles/storage.objectAdmin"
 },
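Review bot: The second hunk of `audit/projects/k8s-release/buckets/k8s-release/iam.json` adds `serviceAccount:project-304687256732@storage-transfer-service.iam.gserviceaccount.com` to `roles/storage.objectAdmin`, which lets that agent overwrite and delete release artifacts, not just read them. If the transfer only copies data out of `gs://k8s-release` (an assumption, since the transfer job is not part of this patch), the `roles/storage.legacyBucketReader` grant from the first hunk together with `roles/storage.objectViewer` would be sufficient. If it does write into the bucket, the binding should also be recorded in the infra provisioning config, so that this audit snapshot is not the only trace of who may modify release objects. The `roles/pubsub.editor` grant to `serviceAccount:cloud-ingest-dcp@cloud-ingest-prod.iam.gserviceaccount.com` in `audit/projects/k8s-release/iam.json`, further down this patch, looks like part of the same setup and deserves the same check.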
diff --git a/audit/projects/k8s-release/buckets/k8s-release/metadata.txt b/audit/projects/k8s-release/buckets/k8s-release/metadata.txt
index 9e900145e668..95c67afdc053 100644
--- a/audit/projects/k8s-release/buckets/k8s-release/metadata.txt
+++ b/audit/projects/k8s-release/buckets/k8s-release/metadata.txt
@@ -11,8 +11,8 @@ gs://k8s-release/ :
 Labels: None
 Default KMS key: None
 Time created: Fri, 07 Aug 2020 20:50:17 GMT
- Time updated: Fri, 07 Aug 2020 20:50:37 GMT
- Metageneration: 9
+ Time updated: Fri, 09 Jul 2021 20:06:14 GMT
+ Metageneration: 10
 Bucket Policy Only enabled: True
 ACL: []
 Default ACL: []
diff --git a/audit/projects/k8s-release/iam.json b/audit/projects/k8s-release/iam.json
index a5017c1e7b54..c2d1b0791720 100644
--- a/audit/projects/k8s-release/iam.json
+++ b/audit/projects/k8s-release/iam.json
@@ -50,6 +50,12 @@
 ],
 "role": "roles/editor"
 },
+ {
+ "members": [
+ "serviceAccount:cloud-ingest-dcp@cloud-ingest-prod.iam.gserviceaccount.com"
+ ],
+ "role": "roles/pubsub.editor"
+ },
 {
 "members": [
 "group:k8s-infra-release-admins@kubernetes.io",
diff --git a/audit/projects/k8s-release/services/logging/logs.json b/audit/projects/k8s-release/services/logging/logs.json
index fe51488c7066..437f6d9437fe 100644
--- a/audit/projects/k8s-release/services/logging/logs.json
+++ b/audit/projects/k8s-release/services/logging/logs.json
@@ -1 +1,3 @@
-[]
+[
+ "projects/k8s-release/logs/cloudaudit.googleapis.com%2Factivity"
+]
diff --git a/audit/projects/k8s-staging-cluster-api-gcp/services/logging/logs.json b/audit/projects/k8s-staging-cluster-api-gcp/services/logging/logs.json
index 24fdf5d8823e..cb825c8f1a07 100644
--- a/audit/projects/k8s-staging-cluster-api-gcp/services/logging/logs.json
+++ b/audit/projects/k8s-staging-cluster-api-gcp/services/logging/logs.json
@@ -2,6 +2,5 @@
 "projects/k8s-staging-cluster-api-gcp/logs/cloudaudit.googleapis.com%2Factivity",
 "projects/k8s-staging-cluster-api-gcp/logs/cloudaudit.googleapis.com%2Fdata_access",
 "projects/k8s-staging-cluster-api-gcp/logs/cloudaudit.googleapis.com%2Fsystem_event",
- "projects/k8s-staging-cluster-api-gcp/logs/cloudbuild",
- "projects/k8s-staging-cluster-api-gcp/logs/compute.googleapis.com%2Fshielded_vm_integrity"
+ "projects/k8s-staging-cluster-api-gcp/logs/cloudbuild"
 ]
diff --git a/audit/projects/kubernetes-public/services/container/clusters/aaa.json b/audit/projects/kubernetes-public/services/container/clusters/aaa.json
index e95b354b57c2..48a658f70061 100644
--- a/audit/projects/kubernetes-public/services/container/clusters/aaa.json
+++ b/audit/projects/kubernetes-public/services/container/clusters/aaa.json
@@ -37,7 +37,7 @@
 "clusterIpv4Cidr": "10.40.0.0/14",
 "createTime": "2019-09-18T23:39:24+00:00",
 "currentMasterVersion": "1.19.9-gke.1900",
- "currentNodeVersion": "1.18.17-gke.1901 *",
+ "currentNodeVersion": "1.19.9-gke.1900",
 "databaseEncryption": {
 "state": "DECRYPTED"
 },
@@ -168,7 +168,7 @@
 "upgradeSettings": {
 "maxSurge": 1
 },
- "version": "1.18.17-gke.1901"
+ "version": "1.19.9-gke.1900"
 },
 {
 "autoscaling": {
@@ -219,7 +219,7 @@
 "upgradeSettings": {
 "maxSurge": 1
 },
- "version": "1.18.17-gke.1901"
+ "version": "1.19.9-gke.1900"
 }
 ],
 "releaseChannel": {