
Merge pull request #1534 from spiffxp/audit-2021-01-13
results of running audit script as of 2021-01-13
k8s-ci-robot authored Feb 18, 2021
2 parents 4cf9780 + d3ad9b7 commit ed90c4d
Showing 1,419 changed files with 38,761 additions and 2,001 deletions.
17 changes: 16 additions & 1 deletion audit/audit-gcp.sh
Expand Up @@ -165,7 +165,7 @@ gcloud \
secretmanager)
gcloud \
secrets list \
--project=k8s-gsuite \
--project="${PROJECT}" \
--format="value(name)" \
| while read -r SECRET; do
path="projects/${PROJECT}/secrets/${SECRET}"
Expand Down Expand Up @@ -206,6 +206,21 @@ gcloud \
;;
*)
echo "##### Unhandled Service ${SVC}"
# (these were all enabled for kubernetes-public)
# TODO: handle (or ignore) bigquerystorage
# TODO: handle (or ignore) clouderrorreporting
# TODO: handle (or ignore) cloudfunctions
# TODO: handle (or ignore) cloudresourcemanager
# TODO: handle (or ignore) cloudshell
# TODO: handle (or ignore) containerregistry
# TODO: handle (or ignore) iam
# TODO: handle (or ignore) iamcredentials
# TODO: handle (or ignore) oslogin
# TODO: handle (or ignore) pubsub
# TODO: handle (or ignore) serviceusage
# TODO: handle (or ignore) source
# TODO: handle (or ignore) stackdriver
# TODO: handle (or ignore) storage-component
;;
esac
done
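Review bot: The `*)` branch in the second hunk only prints `##### Unhandled Service ${SVC}` to stdout and the loop carries on, so the fourteen services named in the new TODO comments (iam, storage-component, pubsub, cloudfunctions, …) are silently absent from the audit output even though several of them hold security-relevant state. Consider at least sending the marker to stderr and remembering that an unhandled service was seen so the run can finish non-zero, e.g. `echo "##### Unhandled Service ${SVC}" >&2` followed by `unhandled=1`, with an `exit "${unhandled:-0}"` after the loop. In the first hunk, `--project="${PROJECT}"` replaces the hard-coded `k8s-gsuite` project, which is the right direction; the loop that sets `PROJECT` starts above the hunk, so this presumably relies on it being non-empty for every iteration. The enclosing `case` and `while` begin and end outside the hunk.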
8 changes: 8 additions & 0 deletions audit/org_kubernetes.io/iam.json
Expand Up @@ -72,6 +72,8 @@
"group:[email protected]",
"user:[email protected]",
"user:[email protected]",
"user:[email protected]",
"user:[email protected]",
"user:[email protected]"
],
"role": "roles/resourcemanager.organizationAdmin"
Expand All @@ -94,6 +96,12 @@
],
"role": "roles/resourcemanager.projectDeleter"
},
{
"members": [
"group:[email protected]"
],
"role": "roles/servicemanagement.quotaAdmin"
},
{
"members": [
"group:[email protected]"
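Review bot: The `roles/resourcemanager.organizationAdmin` binding in the first hunk gains two members, and since all but one entry in that hunk are direct `user:` principals (addresses are redacted on this page, so which two lines are new is inferred from the hunk's +2 count), at least one new org-wide admin is an individual account rather than a group. Direct user grants bypass the group-membership review the rest of this policy relies on, and the commit description does not say who approved them; the second hunk likewise adds a `roles/servicemanagement.quotaAdmin` binding for a group without context. A one-line pointer in the PR description to the issue or onboarding record that authorised each new org-level member would make future audits of this file self-explanatory.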
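--- a/audit/org_kubernetes.io/roles/prow.viewer.json
+++ b/audit/org_kubernetes.io/roles/prow.viewer.json
@@ -0,0 +1,323 @@
+{
+"description": "View access to services for troubleshooting prow",
+"includedPermissions": [
+"cloudnotifications.activities.list",
+"compute.acceleratorTypes.get",
+"compute.acceleratorTypes.list",
+"compute.addresses.get",
+"compute.addresses.list",
+"compute.autoscalers.get",
+"compute.autoscalers.list",
+"compute.backendBuckets.get",
+"compute.backendBuckets.list",
+"compute.backendServices.get",
+"compute.backendServices.list",
+"compute.commitments.get",
+"compute.commitments.list",
+"compute.diskTypes.get",
+"compute.diskTypes.list",
+"compute.disks.get",
+"compute.disks.getIamPolicy",
+"compute.disks.list",
+"compute.externalVpnGateways.get",
+"compute.externalVpnGateways.list",
+"compute.firewalls.get",
+"compute.firewalls.list",
+"compute.forwardingRules.get",
+"compute.forwardingRules.list",
+"compute.globalAddresses.get",
+"compute.globalAddresses.list",
+"compute.globalForwardingRules.get",
+"compute.globalForwardingRules.list",
+"compute.globalOperations.get",
+"compute.globalOperations.getIamPolicy",
+"compute.globalOperations.list",
+"compute.globalPublicDelegatedPrefixes.get",
+"compute.globalPublicDelegatedPrefixes.list",
+"compute.healthChecks.get",
+"compute.healthChecks.list",
+"compute.httpHealthChecks.get",
+"compute.httpHealthChecks.list",
+"compute.httpsHealthChecks.get",
+"compute.httpsHealthChecks.list",
+"compute.images.get",
+"compute.images.getFromFamily",
+"compute.images.getIamPolicy",
+"compute.images.list",
+"compute.instanceGroupManagers.get",
+"compute.instanceGroupManagers.list",
+"compute.instanceGroups.get",
+"compute.instanceGroups.list",
+"compute.instanceTemplates.get",
+"compute.instanceTemplates.getIamPolicy",
+"compute.instanceTemplates.list",
+"compute.instances.get",
+"compute.instances.getEffectiveFirewalls",
+"compute.instances.getGuestAttributes",
+"compute.instances.getIamPolicy",
+"compute.instances.getScreenshot",
+"compute.instances.getSerialPortOutput",
+"compute.instances.getShieldedInstanceIdentity",
+"compute.instances.getShieldedVmIdentity",
+"compute.instances.list",
+"compute.instances.listReferrers",
+"compute.interconnectAttachments.get",
+"compute.interconnectAttachments.list",
+"compute.interconnectLocations.get",
+"compute.interconnectLocations.list",
+"compute.interconnects.get",
+"compute.interconnects.list",
+"compute.licenseCodes.get",
+"compute.licenseCodes.getIamPolicy",
+"compute.licenseCodes.list",
+"compute.licenses.get",
+"compute.licenses.getIamPolicy",
+"compute.licenses.list",
+"compute.machineTypes.get",
+"compute.machineTypes.list",
+"compute.maintenancePolicies.get",
+"compute.maintenancePolicies.getIamPolicy",
+"compute.maintenancePolicies.list",
+"compute.networkEndpointGroups.get",
+"compute.networkEndpointGroups.getIamPolicy",
+"compute.networkEndpointGroups.list",
+"compute.networks.get",
+"compute.networks.getEffectiveFirewalls",
+"compute.networks.list",
+"compute.networks.listPeeringRoutes",
+"compute.nodeGroups.get",
+"compute.nodeGroups.getIamPolicy",
+"compute.nodeGroups.list",
+"compute.nodeTemplates.get",
+"compute.nodeTemplates.getIamPolicy",
+"compute.nodeTemplates.list",
+"compute.nodeTypes.get",
+"compute.nodeTypes.list",
+"compute.organizations.listAssociations",
+"compute.projects.get",
+"compute.publicAdvertisedPrefixes.get",
+"compute.publicAdvertisedPrefixes.list",
+"compute.publicDelegatedPrefixes.get",
+"compute.publicDelegatedPrefixes.list",
+"compute.regionBackendServices.get",
+"compute.regionBackendServices.list",
+"compute.regionHealthCheckServices.get",
+"compute.regionHealthCheckServices.list",
+"compute.regionNotificationEndpoints.get",
+"compute.regionNotificationEndpoints.list",
+"compute.regionOperations.get",
+"compute.regionOperations.getIamPolicy",
+"compute.regionOperations.list",
+"compute.regions.get",
+"compute.regions.list",
+"compute.reservations.get",
+"compute.reservations.list",
+"compute.resourcePolicies.get",
+"compute.resourcePolicies.list",
+"compute.routers.get",
+"compute.routers.list",
+"compute.routes.get",
+"compute.routes.list",
+"compute.securityPolicies.get",
+"compute.securityPolicies.getIamPolicy",
+"compute.securityPolicies.list",
+"compute.snapshots.get",
+"compute.snapshots.getIamPolicy",
+"compute.snapshots.list",
+"compute.sslCertificates.get",
+"compute.sslCertificates.list",
+"compute.sslPolicies.get",
+"compute.sslPolicies.list",
+"compute.sslPolicies.listAvailableFeatures",
+"compute.subnetworks.get",
+"compute.subnetworks.getIamPolicy",
+"compute.subnetworks.list",
+"compute.targetHttpProxies.get",
+"compute.targetHttpProxies.list",
+"compute.targetHttpsProxies.get",
+"compute.targetHttpsProxies.list",
+"compute.targetInstances.get",
+"compute.targetInstances.list",
+"compute.targetPools.get",
+"compute.targetPools.list",
+"compute.targetSslProxies.get",
+"compute.targetSslProxies.list",
+"compute.targetTcpProxies.get",
+"compute.targetTcpProxies.list",
+"compute.targetVpnGateways.get",
+"compute.targetVpnGateways.list",
+"compute.urlMaps.get",
+"compute.urlMaps.list",
+"compute.urlMaps.validate",
+"compute.vpnGateways.get",
+"compute.vpnGateways.list",
+"compute.vpnTunnels.get",
+"compute.vpnTunnels.list",
+"compute.zoneOperations.get",
+"compute.zoneOperations.getIamPolicy",
+"compute.zoneOperations.list",
+"compute.zones.get",
+"compute.zones.list",
+"container.apiServices.get",
+"container.apiServices.list",
+"container.backendConfigs.get",
+"container.backendConfigs.list",
+"container.bindings.get",
+"container.bindings.list",
+"container.certificateSigningRequests.get",
+"container.certificateSigningRequests.list",
+"container.clusterRoleBindings.get",
+"container.clusterRoleBindings.list",
+"container.clusterRoles.get",
+"container.clusterRoles.list",
+"container.clusters.get",
+"container.clusters.list",
+"container.componentStatuses.get",
+"container.componentStatuses.list",
+"container.configMaps.get",
+"container.configMaps.list",
+"container.controllerRevisions.get",
+"container.controllerRevisions.list",
+"container.cronJobs.get",
+"container.cronJobs.getStatus",
+"container.cronJobs.list",
+"container.csiDrivers.get",
+"container.csiDrivers.list",
+"container.csiNodes.get",
+"container.csiNodes.list",
+"container.customResourceDefinitions.get",
+"container.customResourceDefinitions.list",
+"container.daemonSets.get",
+"container.daemonSets.getStatus",
+"container.daemonSets.list",
+"container.deployments.get",
+"container.deployments.getStatus",
+"container.deployments.list",
+"container.endpoints.get",
+"container.endpoints.list",
+"container.events.get",
+"container.events.list",
+"container.horizontalPodAutoscalers.get",
+"container.horizontalPodAutoscalers.getStatus",
+"container.horizontalPodAutoscalers.list",
+"container.ingresses.get",
+"container.ingresses.getStatus",
+"container.ingresses.list",
+"container.initializerConfigurations.get",
+"container.initializerConfigurations.list",
+"container.jobs.get",
+"container.jobs.getStatus",
+"container.jobs.list",
+"container.limitRanges.get",
+"container.limitRanges.list",
+"container.namespaces.get",
+"container.namespaces.getStatus",
+"container.namespaces.list",
+"container.networkPolicies.get",
+"container.networkPolicies.list",
+"container.nodes.get",
+"container.nodes.getStatus",
+"container.nodes.list",
+"container.operations.get",
+"container.operations.list",
+"container.persistentVolumeClaims.get",
+"container.persistentVolumeClaims.getStatus",
+"container.persistentVolumeClaims.list",
+"container.persistentVolumes.get",
+"container.persistentVolumes.getStatus",
+"container.persistentVolumes.list",
+"container.petSets.get",
+"container.petSets.list",
+"container.podDisruptionBudgets.get",
+"container.podDisruptionBudgets.getStatus",
+"container.podDisruptionBudgets.list",
+"container.podPresets.get",
+"container.podPresets.list",
+"container.podSecurityPolicies.get",
+"container.podSecurityPolicies.list",
+"container.podTemplates.get",
+"container.podTemplates.list",
+"container.pods.get",
+"container.pods.getStatus",
+"container.pods.list",
+"container.replicaSets.get",
+"container.replicaSets.getScale",
+"container.replicaSets.getStatus",
+"container.replicaSets.list",
+"container.replicationControllers.get",
+"container.replicationControllers.getScale",
+"container.replicationControllers.getStatus",
+"container.replicationControllers.list",
+"container.resourceQuotas.get",
+"container.resourceQuotas.getStatus",
+"container.resourceQuotas.list",
+"container.roleBindings.get",
+"container.roleBindings.list",
+"container.roles.get",
+"container.roles.list",
+"container.runtimeClasses.get",
+"container.runtimeClasses.list",
+"container.scheduledJobs.get",
+"container.scheduledJobs.list",
+"container.serviceAccounts.get",
+"container.serviceAccounts.list",
+"container.services.get",
+"container.services.getStatus",
+"container.services.list",
+"container.statefulSets.get",
+"container.statefulSets.getStatus",
+"container.statefulSets.list",
+"container.storageClasses.get",
+"container.storageClasses.list",
+"container.thirdPartyObjects.get",
+"container.thirdPartyObjects.list",
+"container.thirdPartyResources.get",
+"container.thirdPartyResources.list",
+"container.tokenReviews.create",
+"logging.buckets.get",
+"logging.buckets.list",
+"logging.exclusions.get",
+"logging.exclusions.list",
+"logging.logEntries.list",
+"logging.logMetrics.get",
+"logging.logMetrics.list",
+"logging.logServiceIndexes.list",
+"logging.logServices.list",
+"logging.logs.list",
+"logging.sinks.get",
+"logging.sinks.list",
+"logging.usage.get",
+"monitoring.alertPolicies.get",
+"monitoring.alertPolicies.list",
+"monitoring.dashboards.get",
+"monitoring.dashboards.list",
+"monitoring.groups.get",
+"monitoring.groups.list",
+"monitoring.metricDescriptors.get",
+"monitoring.metricDescriptors.list",
+"monitoring.monitoredResourceDescriptors.get",
+"monitoring.monitoredResourceDescriptors.list",
+"monitoring.notificationChannelDescriptors.get",
+"monitoring.notificationChannelDescriptors.list",
+"monitoring.notificationChannels.get",
+"monitoring.notificationChannels.list",
+"monitoring.publicWidgets.get",
+"monitoring.publicWidgets.list",
+"monitoring.services.get",
+"monitoring.services.list",
+"monitoring.slos.get",
+"monitoring.slos.list",
+"monitoring.timeSeries.list",
+"monitoring.uptimeCheckConfigs.get",
+"monitoring.uptimeCheckConfigs.list",
+"resourcemanager.projects.get",
+"resourcemanager.projects.list",
+"serviceusage.quotas.get",
+"serviceusage.services.get",
+"serviceusage.services.list",
+"stackdriver.projects.get"
+],
+"name": "organizations/758905017065/roles/prow.viewer",
+"stage": "ALPHA",
+"title": "Prow Viewer"
+}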
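Review bot: The custom role `prow.viewer` (stage `ALPHA`) carries `container.tokenReviews.create` alongside `compute.instances.getSerialPortOutput` and `compute.instances.getScreenshot`, which reach further than the title "Prow Viewer" and the `description` suggest: serial-console output can include secrets logged during boot, and `tokenReviews.create` is a write verb rather than a read. If these are deliberate troubleshooting needs, the description should say so, e.g. `"description": "View access to services for troubleshooting prow; includes serial console read and tokenReviews.create"`; otherwise they are candidates to trim. Whether this file is hand-authored or a dump of the live role is not visible on this page, so any change belongs wherever the role is actually defined.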
Expand Up @@ -2,6 +2,7 @@
"bindings": [
{
"members": [
"serviceAccount:k8s-infra-prow-build-trusted.svc.id.goog[test-pods/k8s-infra-gcr-promoter-bak]",
"serviceAccount:k8s-prow.svc.id.goog[test-pods/k8s-infra-gcr-promoter-bak]"
],
"role": "roles/iam.workloadIdentityUser"