results of running audit script as of 2021-01-13 #1534
Merged
Changes from 1 commit
39 commits in this pull request, all authored by spiffxp:
e8c3d1a Fix audit script secret list typo
c640149 Add TODOs for unhandled services
0c2ca8c audit: update org admin membership
4083417 audit: add custom prow.viewer role to org
c102166 audit: add k8s-infra-e2e-boskos-scale-* projects
9fbc0f0 audit: add k8s-infra-e2e-boskos-gpu-* projects
5caaf90 audit: add k8s-infra-e2e-boskos-[041-120] projects
8add7de audit: add k8s-infra-e2e-* manual projects
ab02be3 audit: update existing k8s-infra-e2e-boskos-[001-040] projects
b9b614e audit: enable services for prow build clusters
29426db audit: add prow viewer role to manual k8s-infra-e2e projects
af431d1 audit: add prow viewer/oncall groups to k8s-infra-prow-build-trusted
e3d188c audit: add k8s-infra-prow-build-trusted secrets
6660eae audit: add prow-deployer service account
5b54a5c audit: rm k8s-staging-release-test project
7cd3c63 audit: rm k8s-sig-release-prototype project
0612bab audit: add k8s-staging-* projects
1ff4c21 audit: k8s-staging-* service enables
d64f009 audit: add k8s-conform buckets
924a495 audit: allow k8s-infra-prow-build-trusted to manage gsuite groups
e84f81f audit: add k8s-gsuite/wg-k8s-infra-billing_pw secret
df80579 audit: add k8s-release project
ed6a857 audit: add kubernetes-public secrets
a495042 audit: bind trusted prow to k8s-infra-gcr-promoter SAs
daf7712 audit: misc project quota / service rename updates
7df09ce audit: add buckets to k8s-artifacts-prod
de8ae62 audit: add k8s-artifacts-prod/k8s-infra-gcr-vuln-dashboard SA
2c1fae7 audit: add k8s-artifacts-prod/k8s-infra-gcr-vuln-scanning SA
9944317 audit: allow prow-build to write to k8s-release-test-prod bucket
490c7c3 audit: add kubernetes-public/k8s-infra-monitoring-viewer SA
c4c488d audit: add kubernetes-public/k8s-infra-dns-updater SA
7d31f1f audit: add k8s.dev, kubernetes.dev DNS to kubernetes-public
0146a9e audit: FIX disable/delete k8s-staging-csi gke cluster
cf5f5e3 audit: QQ k8s-staging-artifact-promoter: why is compute enabled
d50b705 audit: QQ k8s-staging-capi-docker: why is dns enabled
8b85662 audit: QQ k8s-staging-e2e-test-images: why are all these services ena…
9841ab6 audit: QQ: k8s-gcr-backup-test-prod-bak: why bind this SA to prow-build?
eb88737 audit: QQ kubernetes-public: why is an appengine SA present?
d3ad9b7 audit: QQ kubernetes-public: why cloudfunctions and source enabled?
@@ -0,0 +1,323 @@ | ||
{ | ||
"description": "View access to services for troubleshooting prow", | ||
"includedPermissions": [ | ||
"cloudnotifications.activities.list", | ||
"compute.acceleratorTypes.get", | ||
"compute.acceleratorTypes.list", | ||
"compute.addresses.get", | ||
"compute.addresses.list", | ||
"compute.autoscalers.get", | ||
"compute.autoscalers.list", | ||
"compute.backendBuckets.get", | ||
"compute.backendBuckets.list", | ||
"compute.backendServices.get", | ||
"compute.backendServices.list", | ||
"compute.commitments.get", | ||
"compute.commitments.list", | ||
"compute.diskTypes.get", | ||
"compute.diskTypes.list", | ||
"compute.disks.get", | ||
"compute.disks.getIamPolicy", | ||
"compute.disks.list", | ||
"compute.externalVpnGateways.get", | ||
"compute.externalVpnGateways.list", | ||
"compute.firewalls.get", | ||
"compute.firewalls.list", | ||
"compute.forwardingRules.get", | ||
"compute.forwardingRules.list", | ||
"compute.globalAddresses.get", | ||
"compute.globalAddresses.list", | ||
"compute.globalForwardingRules.get", | ||
"compute.globalForwardingRules.list", | ||
"compute.globalOperations.get", | ||
"compute.globalOperations.getIamPolicy", | ||
"compute.globalOperations.list", | ||
"compute.globalPublicDelegatedPrefixes.get", | ||
"compute.globalPublicDelegatedPrefixes.list", | ||
"compute.healthChecks.get", | ||
"compute.healthChecks.list", | ||
"compute.httpHealthChecks.get", | ||
"compute.httpHealthChecks.list", | ||
"compute.httpsHealthChecks.get", | ||
"compute.httpsHealthChecks.list", | ||
"compute.images.get", | ||
"compute.images.getFromFamily", | ||
"compute.images.getIamPolicy", | ||
"compute.images.list", | ||
"compute.instanceGroupManagers.get", | ||
"compute.instanceGroupManagers.list", | ||
"compute.instanceGroups.get", | ||
"compute.instanceGroups.list", | ||
"compute.instanceTemplates.get", | ||
"compute.instanceTemplates.getIamPolicy", | ||
"compute.instanceTemplates.list", | ||
"compute.instances.get", | ||
"compute.instances.getEffectiveFirewalls", | ||
"compute.instances.getGuestAttributes", | ||
"compute.instances.getIamPolicy", | ||
"compute.instances.getScreenshot", | ||
"compute.instances.getSerialPortOutput", | ||
"compute.instances.getShieldedInstanceIdentity", | ||
"compute.instances.getShieldedVmIdentity", | ||
"compute.instances.list", | ||
"compute.instances.listReferrers", | ||
"compute.interconnectAttachments.get", | ||
"compute.interconnectAttachments.list", | ||
"compute.interconnectLocations.get", | ||
"compute.interconnectLocations.list", | ||
"compute.interconnects.get", | ||
"compute.interconnects.list", | ||
"compute.licenseCodes.get", | ||
"compute.licenseCodes.getIamPolicy", | ||
"compute.licenseCodes.list", | ||
"compute.licenses.get", | ||
"compute.licenses.getIamPolicy", | ||
"compute.licenses.list", | ||
"compute.machineTypes.get", | ||
"compute.machineTypes.list", | ||
"compute.maintenancePolicies.get", | ||
"compute.maintenancePolicies.getIamPolicy", | ||
"compute.maintenancePolicies.list", | ||
"compute.networkEndpointGroups.get", | ||
"compute.networkEndpointGroups.getIamPolicy", | ||
"compute.networkEndpointGroups.list", | ||
"compute.networks.get", | ||
"compute.networks.getEffectiveFirewalls", | ||
"compute.networks.list", | ||
"compute.networks.listPeeringRoutes", | ||
"compute.nodeGroups.get", | ||
"compute.nodeGroups.getIamPolicy", | ||
"compute.nodeGroups.list", | ||
"compute.nodeTemplates.get", | ||
"compute.nodeTemplates.getIamPolicy", | ||
"compute.nodeTemplates.list", | ||
"compute.nodeTypes.get", | ||
"compute.nodeTypes.list", | ||
"compute.organizations.listAssociations", | ||
"compute.projects.get", | ||
"compute.publicAdvertisedPrefixes.get", | ||
"compute.publicAdvertisedPrefixes.list", | ||
"compute.publicDelegatedPrefixes.get", | ||
"compute.publicDelegatedPrefixes.list", | ||
"compute.regionBackendServices.get", | ||
"compute.regionBackendServices.list", | ||
"compute.regionHealthCheckServices.get", | ||
"compute.regionHealthCheckServices.list", | ||
"compute.regionNotificationEndpoints.get", | ||
"compute.regionNotificationEndpoints.list", | ||
"compute.regionOperations.get", | ||
"compute.regionOperations.getIamPolicy", | ||
"compute.regionOperations.list", | ||
"compute.regions.get", | ||
"compute.regions.list", | ||
"compute.reservations.get", | ||
"compute.reservations.list", | ||
"compute.resourcePolicies.get", | ||
"compute.resourcePolicies.list", | ||
"compute.routers.get", | ||
"compute.routers.list", | ||
"compute.routes.get", | ||
"compute.routes.list", | ||
"compute.securityPolicies.get", | ||
"compute.securityPolicies.getIamPolicy", | ||
"compute.securityPolicies.list", | ||
"compute.snapshots.get", | ||
"compute.snapshots.getIamPolicy", | ||
"compute.snapshots.list", | ||
"compute.sslCertificates.get", | ||
"compute.sslCertificates.list", | ||
"compute.sslPolicies.get", | ||
"compute.sslPolicies.list", | ||
"compute.sslPolicies.listAvailableFeatures", | ||
"compute.subnetworks.get", | ||
"compute.subnetworks.getIamPolicy", | ||
"compute.subnetworks.list", | ||
"compute.targetHttpProxies.get", | ||
"compute.targetHttpProxies.list", | ||
"compute.targetHttpsProxies.get", | ||
"compute.targetHttpsProxies.list", | ||
"compute.targetInstances.get", | ||
"compute.targetInstances.list", | ||
"compute.targetPools.get", | ||
"compute.targetPools.list", | ||
"compute.targetSslProxies.get", | ||
"compute.targetSslProxies.list", | ||
"compute.targetTcpProxies.get", | ||
"compute.targetTcpProxies.list", | ||
"compute.targetVpnGateways.get", | ||
"compute.targetVpnGateways.list", | ||
"compute.urlMaps.get", | ||
"compute.urlMaps.list", | ||
"compute.urlMaps.validate", | ||
"compute.vpnGateways.get", | ||
"compute.vpnGateways.list", | ||
"compute.vpnTunnels.get", | ||
"compute.vpnTunnels.list", | ||
"compute.zoneOperations.get", | ||
"compute.zoneOperations.getIamPolicy", | ||
"compute.zoneOperations.list", | ||
"compute.zones.get", | ||
"compute.zones.list", | ||
"container.apiServices.get", | ||
"container.apiServices.list", | ||
"container.backendConfigs.get", | ||
"container.backendConfigs.list", | ||
"container.bindings.get", | ||
"container.bindings.list", | ||
"container.certificateSigningRequests.get", | ||
"container.certificateSigningRequests.list", | ||
"container.clusterRoleBindings.get", | ||
"container.clusterRoleBindings.list", | ||
"container.clusterRoles.get", | ||
"container.clusterRoles.list", | ||
"container.clusters.get", | ||
"container.clusters.list", | ||
"container.componentStatuses.get", | ||
"container.componentStatuses.list", | ||
"container.configMaps.get", | ||
"container.configMaps.list", | ||
"container.controllerRevisions.get", | ||
"container.controllerRevisions.list", | ||
"container.cronJobs.get", | ||
"container.cronJobs.getStatus", | ||
"container.cronJobs.list", | ||
"container.csiDrivers.get", | ||
"container.csiDrivers.list", | ||
"container.csiNodes.get", | ||
"container.csiNodes.list", | ||
"container.customResourceDefinitions.get", | ||
"container.customResourceDefinitions.list", | ||
"container.daemonSets.get", | ||
"container.daemonSets.getStatus", | ||
"container.daemonSets.list", | ||
"container.deployments.get", | ||
"container.deployments.getStatus", | ||
"container.deployments.list", | ||
"container.endpoints.get", | ||
"container.endpoints.list", | ||
"container.events.get", | ||
"container.events.list", | ||
"container.horizontalPodAutoscalers.get", | ||
"container.horizontalPodAutoscalers.getStatus", | ||
"container.horizontalPodAutoscalers.list", | ||
"container.ingresses.get", | ||
"container.ingresses.getStatus", | ||
"container.ingresses.list", | ||
"container.initializerConfigurations.get", | ||
"container.initializerConfigurations.list", | ||
"container.jobs.get", | ||
"container.jobs.getStatus", | ||
"container.jobs.list", | ||
"container.limitRanges.get", | ||
"container.limitRanges.list", | ||
"container.namespaces.get", | ||
"container.namespaces.getStatus", | ||
"container.namespaces.list", | ||
"container.networkPolicies.get", | ||
"container.networkPolicies.list", | ||
"container.nodes.get", | ||
"container.nodes.getStatus", | ||
"container.nodes.list", | ||
"container.operations.get", | ||
"container.operations.list", | ||
"container.persistentVolumeClaims.get", | ||
"container.persistentVolumeClaims.getStatus", | ||
"container.persistentVolumeClaims.list", | ||
"container.persistentVolumes.get", | ||
"container.persistentVolumes.getStatus", | ||
"container.persistentVolumes.list", | ||
"container.petSets.get", | ||
"container.petSets.list", | ||
"container.podDisruptionBudgets.get", | ||
"container.podDisruptionBudgets.getStatus", | ||
"container.podDisruptionBudgets.list", | ||
"container.podPresets.get", | ||
"container.podPresets.list", | ||
"container.podSecurityPolicies.get", | ||
"container.podSecurityPolicies.list", | ||
"container.podTemplates.get", | ||
"container.podTemplates.list", | ||
"container.pods.get", | ||
"container.pods.getStatus", | ||
"container.pods.list", | ||
"container.replicaSets.get", | ||
"container.replicaSets.getScale", | ||
"container.replicaSets.getStatus", | ||
"container.replicaSets.list", | ||
"container.replicationControllers.get", | ||
"container.replicationControllers.getScale", | ||
"container.replicationControllers.getStatus", | ||
"container.replicationControllers.list", | ||
"container.resourceQuotas.get", | ||
"container.resourceQuotas.getStatus", | ||
"container.resourceQuotas.list", | ||
"container.roleBindings.get", | ||
"container.roleBindings.list", | ||
"container.roles.get", | ||
"container.roles.list", | ||
"container.runtimeClasses.get", | ||
"container.runtimeClasses.list", | ||
"container.scheduledJobs.get", | ||
"container.scheduledJobs.list", | ||
"container.serviceAccounts.get", | ||
"container.serviceAccounts.list", | ||
"container.services.get", | ||
"container.services.getStatus", | ||
"container.services.list", | ||
"container.statefulSets.get", | ||
"container.statefulSets.getStatus", | ||
"container.statefulSets.list", | ||
"container.storageClasses.get", | ||
"container.storageClasses.list", | ||
"container.thirdPartyObjects.get", | ||
"container.thirdPartyObjects.list", | ||
"container.thirdPartyResources.get", | ||
"container.thirdPartyResources.list", | ||
"container.tokenReviews.create", | ||
"logging.buckets.get", | ||
"logging.buckets.list", | ||
"logging.exclusions.get", | ||
"logging.exclusions.list", | ||
"logging.logEntries.list", | ||
"logging.logMetrics.get", | ||
"logging.logMetrics.list", | ||
"logging.logServiceIndexes.list", | ||
"logging.logServices.list", | ||
"logging.logs.list", | ||
"logging.sinks.get", | ||
"logging.sinks.list", | ||
"logging.usage.get", | ||
"monitoring.alertPolicies.get", | ||
"monitoring.alertPolicies.list", | ||
"monitoring.dashboards.get", | ||
"monitoring.dashboards.list", | ||
"monitoring.groups.get", | ||
"monitoring.groups.list", | ||
"monitoring.metricDescriptors.get", | ||
"monitoring.metricDescriptors.list", | ||
"monitoring.monitoredResourceDescriptors.get", | ||
"monitoring.monitoredResourceDescriptors.list", | ||
"monitoring.notificationChannelDescriptors.get", | ||
"monitoring.notificationChannelDescriptors.list", | ||
"monitoring.notificationChannels.get", | ||
"monitoring.notificationChannels.list", | ||
"monitoring.publicWidgets.get", | ||
"monitoring.publicWidgets.list", | ||
"monitoring.services.get", | ||
"monitoring.services.list", | ||
"monitoring.slos.get", | ||
"monitoring.slos.list", | ||
"monitoring.timeSeries.list", | ||
"monitoring.uptimeCheckConfigs.get", | ||
"monitoring.uptimeCheckConfigs.list", | ||
"resourcemanager.projects.get", | ||
"resourcemanager.projects.list", | ||
"serviceusage.quotas.get", | ||
"serviceusage.services.get", | ||
"serviceusage.services.list", | ||
"stackdriver.projects.get" | ||
], | ||
"name": "organizations/758905017065/roles/prow.viewer", | ||
"stage": "ALPHA", | ||
"title": "Prow Viewer" | ||
} |
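Review bot: several entries in this role's "includedPermissions" read data that is routinely sensitive rather than just listing resources, which deserves a stated rationale given the "title": "Prow Viewer" and "description" of view access for troubleshooting: "compute.instances.getSerialPortOutput" and "compute.instances.getScreenshot" expose VM console output, "logging.logEntries.list" exposes log contents, "container.configMaps.get" returns ConfigMap contents, and "container.tokenReviews.create" is a create verb, not a get/list. Suggest either documenting why each of these is needed for troubleshooting prow or dropping the ones that are not. Two smaller points: "stage": "ALPHA" is still set on a role that other commits in this PR already bind into projects, so promote it (or note why it stays ALPHA); and since this file is the audit script's record of a role that already exists in organizations/758905017065 rather than the source that creates it, the PR description should say where the role is actually managed so that future changes to its permission list are reviewable.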
I find nothing in our repo setting this up. Aaron, your fingerprint is in the access log. We should set up a script or terraform to sync the org.
#1659