audit: periodic audit job shows everything as deleted

[spiffxp]

Uhhhh, well everything in audit/ getting deleted is certainly disconcerting. I'm going to assume the projects are all still present or we'd have heard a lot more complaints by now. Seems like the first commit for this PR deleted everything.

I'm going to guess #2010 is the culprit, specifically 9ebc221. What bindings does the group have that the service account does not?

Originally posted by @spiffxp in #2011 (comment)

[spiffxp]

/kind bug
/wg k8s-infra
/area audit
/priority critical-urgent
/assign

[k8s-ci-robot]

@spiffxp: The label(s) area/audit cannot be applied, because the repository doesn't have them.

In response to this:

/kind bug
/wg k8s-infra
/area audit
/priority critical-urgent
/assign

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[spiffxp]

/milestone v1.22

[spiffxp]

https://testgrid.k8s.io/wg-k8s-infra-k8sio#ci-k8sio-audit - is all green

https://prow.k8s.io/view/gs/kubernetes-jenkins/logs/ci-k8sio-audit/1394799000162406400 - shows the following

### Auditing Project k8s-conform
#### k8s-conform IAM
#### k8s-conform ServiceAccounts
#### k8s-conform Roles
#### Services
ERROR: (gcloud.secrets.describe) PERMISSION_DENIED: Permission 'secretmanager.secrets.get' denied for resource 'projects/k8s-conform/secrets/service-cri-o-key' (or it may not exist).
/home/prow/go/src/github.com/kubernetes/k8s.io
Generate pr-creator binary from k/test-infra/robots

So two bugs jump out:

• The audit.viewer role is missing a permission it should have (infra/gcp: fix audit.viewer role and remove stray bindings #2058 should fix)
• The job is continuing to try and create a PR, and then reporting success... it should have halted immediately and reported failure (jobs: exit ci-k8sio-audit early test-infra#22239 should fix)

[spiffxp]

/area audit

[k8s-ci-robot]

@spiffxp: The label(s) area/audit cannot be applied, because the repository doesn't have them.

In response to this:

/area audit

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[spiffxp]

/area infra/audit

[k8s-ci-robot]

@spiffxp: The label(s) area/infra/audit cannot be applied, because the repository doesn't have them.

In response to this:

/area infra/audit

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[spiffxp]

/area infra/auditing

[spiffxp]

I've opened two PRs to address the two bugs:

• infra/gcp: fix audit.viewer role and remove stray bindings #2058
• jobs: exit ci-k8sio-audit early test-infra#22239

[spiffxp]

Holding open to confirm the updated job works as expected

[spiffxp]

/close
Confirmed the job works, latest audit PR is up #2067

[k8s-ci-robot]

@spiffxp: Closing this issue.

In response to this:

/close
Confirmed the job works, latest audit PR is up #2067

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.