
audit followup: give k8s-conform serviceaccounts objectAdmin privileges for their respective gcs buckets #1850

Closed
spiffxp opened this issue Mar 31, 2021 · 5 comments · Fixed by #1890
Labels: area/audit (Audit of project resources, audit followup issues, code in audit/), priority/backlog (Higher priority than priority/awaiting-more-evidence.)

Comments

@spiffxp
Member

spiffxp commented Mar 31, 2021

Followup for https://github.com/kubernetes/k8s.io/pull/1800/files#r597514009

Currently we give humans (group:k8s-infra-conform-foo) roles/storage.objectAdmin for the GCS bucket k8s-conform-foo, but the corresponding service account only gets roles/storage.objectCreator.

I believe this was chosen at the time to ensure rogue automation couldn't go delete a bunch of results. But I'm fine giving it the more elevated privileges we extend to humans. The use case motivating this is allowing CI using that service account to update well-known files within the bucket (version marker, latest build, etc.).
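The privilege gap described above, as an added example that is not part of the issue or of the k8s.io repository's own code: a small audit routine that reads a bucket IAM policy in the JSON shape `gsutil iam get gs://<bucket>` prints, reports which identities can overwrite objects, and shows the effect of moving the service account from objectCreator to objectAdmin. In GCS, overwriting an existing object requires storage.objects.delete in addition to storage.objects.create, which is why objectCreator alone cannot update a version-marker or latest-build file. The policy, the member names (group and service-account emails) and the per-role permission subsets are constructed for this demo and are not the project's real identities or the complete role definitions.

```python
"""Audit a GCS bucket IAM policy for an objectCreator-vs-objectAdmin gap.

Example written for this page; not code from the k8s.io project.
"""
import copy
import json

# Object-level permission subset of the two predefined roles discussed in the
# issue (constructed for this example; the real roles carry more permissions).
ROLE_PERMISSIONS = {
    "roles/storage.objectCreator": {"storage.objects.create"},
    "roles/storage.objectAdmin": {
        "storage.objects.create",
        "storage.objects.delete",
        "storage.objects.get",
        "storage.objects.list",
        "storage.objects.update",
    },
}

# Overwriting an existing object needs delete as well as create.
OVERWRITE_PERMISSIONS = {"storage.objects.create", "storage.objects.delete"}

# Placeholder identities (assumed, not the project's real group/SA emails).
HUMANS = "group:k8s-infra-conform-foo@example.test"
ROBOT = "serviceAccount:k8s-conform-foo@example-project.iam.gserviceaccount.com"

# Constructed policy in the shape `gsutil iam get gs://k8s-conform-foo` prints,
# reflecting the state the issue describes before the fix.
POLICY_BEFORE = json.loads("""{
  "bindings": [
    {"members": ["group:k8s-infra-conform-foo@example.test"],
     "role": "roles/storage.objectAdmin"},
    {"members": ["serviceAccount:k8s-conform-foo@example-project.iam.gserviceaccount.com"],
     "role": "roles/storage.objectCreator"}
  ],
  "etag": "CAE="
}""")


def roles_for(policy, member):
    """Set of roles bound to `member` in the bucket policy."""
    return {b["role"] for b in policy.get("bindings", [])
            if member in b.get("members", [])}


def permissions_for(policy, member):
    """Union of the (modelled) permissions granted through the member's roles."""
    perms = set()
    for role in roles_for(policy, member):
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def can_overwrite(policy, member):
    """True if the member can replace an existing object (create + delete)."""
    return OVERWRITE_PERMISSIONS <= permissions_for(policy, member)


def grant(policy, member, role):
    """Return a copy of `policy` with `member` bound to `role` (idempotent)."""
    new = copy.deepcopy(policy)
    for b in new["bindings"]:
        if b["role"] == role:
            if member not in b["members"]:
                b["members"].append(member)
            return new
    new["bindings"].append({"members": [member], "role": role})
    return new


def revoke(policy, member, role):
    """Return a copy of `policy` with `member` removed from `role`."""
    new = copy.deepcopy(policy)
    for b in new["bindings"]:
        if b["role"] == role and member in b["members"]:
            b["members"].remove(member)
    # Drop bindings left with no members so the policy stays tidy.
    new["bindings"] = [b for b in new["bindings"] if b["members"]]
    return new


def audit(policy, human, robot):
    """Summarise whether the robot is below the humans for overwrite ability."""
    return {
        "human_can_overwrite": can_overwrite(policy, human),
        "robot_can_overwrite": can_overwrite(policy, robot),
        "robot_missing": OVERWRITE_PERMISSIONS - permissions_for(policy, robot),
    }


if __name__ == "__main__":
    print("before:", audit(POLICY_BEFORE, HUMANS, ROBOT))
    fixed = revoke(grant(POLICY_BEFORE, ROBOT, "roles/storage.objectAdmin"),
                   ROBOT, "roles/storage.objectCreator")
    print("after: ", audit(fixed, HUMANS, ROBOT))
```

Running it on the constructed policy reports the robot missing storage.objects.delete before the change and able to overwrite afterwards, which is the behaviour the CI use case needs. The trade-off the comment above mentions is visible in the same output: after the change the service account can also delete results, so the bucket's object versioning or retention settings, not the IAM role, become the safeguard against rogue automation.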

@dims
Member

dims commented Mar 31, 2021

+1 to this idea.

@ameukam ameukam added the area/audit and priority/backlog labels Mar 31, 2021
@saschagrunert
Member

I would also be in favor of this 👍

@spiffxp
Member Author

spiffxp commented Apr 9, 2021

Opened #1890 to fix this, PTAL

@spiffxp
Member Author

spiffxp commented Apr 9, 2021

/assign

@spiffxp
Member Author

spiffxp commented Jul 16, 2021

/milestone v1.21

@k8s-ci-robot k8s-ci-robot added this to the v1.21 milestone Jul 16, 2021