audit as of 2020-02-17 #1676
Closed
18 commits, all by spiffxp:

- a9efe55 audit: add psharma to org admins
- f8a9628 audit: add psharma as owner to kubernetes-public
- f0d0b63 audit: update gcp-auditor org-scoped roles
- 98667b8 audit: add XPN_SERVICE_PROJECTS quota
- a3f2812 audit: add k8s-staging-releng-test
- a25f038 audit: add k8s-staging-provider-openstack
- 619e515 audit: add k8s-staging-experimental
- acfc2fd audit: remove windows-remote-docker secrets
- 96f3b66 audit: add cncf-ci-github-token secret
- f56650d audit: remove k8s-staging-e2e-test
- 5552dae audit: remove k8s-artifacts-prod-vulndash bucket
- 176f6e3 audit: setup k8s-conform for provider-openstack
- 95d847e audit: enable GCR for e2e projects
- 0ec345d audit: evidence of some e2e projects using GCR
- a4b8700 audit: QQ add kubernetes-staging buckets to e2e projects
- ac803bc audit: gke cluster maintenance noise
- 2e29d26 audit: dns service appears to have dropped a quota
- b7d200f audit: WELP I deleted a thing I shouldn't have
audit/projects/k8s-conform/buckets/k8s-conform-provider-openstack/bucketpolicyonly.txt (4 additions, 0 deletions)
@@ -0,0 +1,4 @@ | ||
Bucket Policy Only setting for gs://k8s-conform-provider-openstack: | ||
Enabled: True | ||
LockedTime: 2021-05-16 15:12:16.571000+00:00 | ||
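Review bot: LockedTime 2021-05-16 is about 90 days after this snapshot, so uniform bucket-level access on gs://k8s-conform-provider-openstack is Enabled but can still be switched back to per-object ACLs until that date; the next audit should confirm the setting is still `Enabled: True`, or the org-level enforcement raised in the discussion should be put in place so the lock window stops mattering.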
audit/projects/k8s-conform/buckets/k8s-conform-provider-openstack/cors.txt (1 addition, 0 deletions)
@@ -0,0 +1 @@ | ||
gs://k8s-conform-provider-openstack/ has no CORS configuration. |
audit/projects/k8s-conform/buckets/k8s-conform-provider-openstack/iam.json (39 additions, 0 deletions)
@@ -0,0 +1,39 @@ | ||
{ | ||
"bindings": [ | ||
{ | ||
"members": [ | ||
"group:[email protected]", | ||
"projectEditor:k8s-conform", | ||
"projectOwner:k8s-conform" | ||
], | ||
"role": "roles/storage.legacyBucketOwner" | ||
}, | ||
{ | ||
"members": [ | ||
"projectViewer:k8s-conform" | ||
], | ||
"role": "roles/storage.legacyBucketReader" | ||
}, | ||
{ | ||
"members": [ | ||
"group:[email protected]", | ||
"serviceAccount:[email protected]" | ||
], | ||
"role": "roles/storage.legacyBucketWriter" | ||
}, | ||
{ | ||
"members": [ | ||
"group:[email protected]", | ||
"group:[email protected]", | ||
"serviceAccount:[email protected]" | ||
], | ||
"role": "roles/storage.objectAdmin" | ||
}, | ||
{ | ||
"members": [ | ||
"allUsers" | ||
], | ||
"role": "roles/storage.objectViewer" | ||
} | ||
] | ||
} |
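Review bot: the `allUsers` binding to `roles/storage.objectViewer` makes every object in gs://k8s-conform-provider-openstack world-readable; that is presumably intended for published conformance results, but the intent should be recorded where reviewers of later audits will see it, and with Bucket Policy Only enabled this binding is the one public grant to watch. Two smaller points in the same hunk: the default `projectEditor:k8s-conform` binding to `roles/storage.legacyBucketOwner` lets anyone with Editor on the project rewrite this bucket's policy, and the group and service account that hold both `roles/storage.legacyBucketWriter` and `roles/storage.objectAdmin` carry two grants that overlap almost entirely, so one of them could be dropped.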
audit/projects/k8s-conform/buckets/k8s-conform-provider-openstack/logging.txt (1 addition, 0 deletions)
@@ -0,0 +1 @@ | ||
gs://k8s-conform-provider-openstack/ has no logging configuration. |
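Review bot: no logging configuration on a bucket that its iam.json shows as publicly readable means there is no usage log of who fetched which object; if that record matters, enable the bucket's usage and storage logs or turn on Data Access audit logging for Cloud Storage, since neither is on by default.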
audit/projects/k8s-conform/secrets/service-provider-openstack-key/description.json (7 additions, 0 deletions)
@@ -0,0 +1,7 @@ | ||
{ | ||
"createTime": "2021-02-15T15:18:08.840992Z", | ||
"name": "projects/228988630781/secrets/service-provider-openstack-key", | ||
"replication": { | ||
"automatic": {} | ||
} | ||
} |
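Review bot: `createTime` 2021-02-15T15:18:08Z is a year later than the PR title "audit as of 2020-02-17", and the other timestamps in this PR are also from 2021, so the title year looks like a typo; worth correcting so the audit snapshots stay in date order.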
audit/projects/k8s-conform/secrets/service-provider-openstack-key/iam.json (11 additions, 0 deletions)
@@ -0,0 +1,11 @@ | ||
{ | ||
"bindings": [ | ||
{ | ||
"members": [ | ||
"group:[email protected]" | ||
], | ||
"role": "roles/secretmanager.secretAccessor" | ||
} | ||
], | ||
"version": 1 | ||
} |
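Review bot: `roles/secretmanager.secretAccessor` on `service-provider-openstack-key` is granted to a group, so every member of that group can read the stored service-account key; the group name is redacted here, so the audit cannot show who that is, and it is worth confirming the group is the smallest set of people that actually needs the key rather than a broad team alias.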
audit/projects/k8s-conform/secrets/service-provider-openstack-key/versions.json (10 additions, 0 deletions)
@@ -0,0 +1,10 @@ | ||
[ | ||
{ | ||
"createTime": "2021-02-15T15:18:09.874889Z", | ||
"name": "projects/228988630781/secrets/service-provider-openstack-key/versions/1", | ||
"replicationStatus": { | ||
"automatic": {} | ||
}, | ||
"state": "ENABLED" | ||
} | ||
] |
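Review bot: a single ENABLED version created 2021-02-15 and nothing after it means there is no rotation history yet for this service-account key; later audits should expect new versions to appear with the old one DISABLED or DESTROYED, and a single version that stays ENABLED across many snapshots is the thing to flag.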
@@ -0,0 +1,8 @@ | ||
{ | ||
"displayName": "service-provider-openstack", | ||
"email": "[email protected]", | ||
"name": "projects/k8s-conform/serviceAccounts/[email protected]", | ||
"oauth2ClientId": "114482259319052246948", | ||
"projectId": "k8s-conform", | ||
"uniqueId": "114482259319052246948" | ||
} |
@@ -0,0 +1 @@ | ||
{} |
I see no trace of this in the codebase? Why does it exist?
@dims 2/15/21
Explain?
Looks like we have a bunch of these. I only run scripts, I don't know enough to meddle in the UI :) I believe I was re-running some of the conform buckets.
In this instance i think i was trying to re-run scripts again to see how to help with:
kubernetes/test-infra#20914
https://github.com/kubernetes/k8s.io/pull/1676/files/5552daee41483e00b09c7ad5b1c57d699ab9848d..176f6e37790b71ce30ef9b57ddf78804abdfe1b3#r585516339
Ultimately I would like for us to have this enabled across the org, and enforced via an org policy
per-object ACLs are much trickier to audit and enforce
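An added check (not tooling from the k8s.io repo) over audit snapshot files in the format this PR records, bucketpolicyonly.txt and iam.json, that flags the conditions the comment above cares about: uniform bucket-level access off or still revertable, public principals, and the default projectEditor legacy-owner binding. The bucket and project names in the sample are constructed.

```python
"""Audit checks over k8s.io-style bucket snapshot files (added example)."""
import json
import re
from datetime import datetime, timezone

# Constructed sample inputs in the same layout as the files in this PR.
BUCKETPOLICYONLY_TXT = """Bucket Policy Only setting for gs://example-bucket:
  Enabled: True
  LockedTime: 2021-05-16 15:12:16.571000+00:00
"""
IAM_JSON = json.dumps({"bindings": [
    {"members": ["projectEditor:example-proj", "projectOwner:example-proj"],
     "role": "roles/storage.legacyBucketOwner"},
    {"members": ["allUsers"], "role": "roles/storage.objectViewer"},
]})
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}


def parse_bucket_policy_only(text):
    """Return (enabled, locked_time) from a bucketpolicyonly.txt dump."""
    enabled = re.search(r"Enabled:\s*(\w+)", text)
    locked = re.search(r"LockedTime:\s*(\S+ \S+)", text)
    locked_time = datetime.fromisoformat(locked.group(1)) if locked else None
    return (enabled is not None and enabled.group(1) == "True", locked_time)


def check_bucket(policy_txt, iam_txt, now):
    """Return (severity, message) findings for one bucket as of `now`."""
    findings = []
    enabled, locked_time = parse_bucket_policy_only(policy_txt)
    if not enabled:
        findings.append(("HIGH", "uniform bucket-level access is off; per-object ACLs apply"))
    elif locked_time and locked_time > now:
        # Uniform access can still be reverted until the lock time passes.
        findings.append(("INFO", f"uniform access revertable until {locked_time:%Y-%m-%d}"))
    for binding in json.loads(iam_txt).get("bindings", []):
        role = binding["role"]
        for member in binding["members"]:
            if member in PUBLIC_PRINCIPALS:
                # Public read may be intended; any other public role is not.
                sev = "WARN" if role.endswith("objectViewer") else "HIGH"
                findings.append((sev, f"{member} has {role}"))
            if member.startswith("projectEditor:") and role.endswith("legacyBucketOwner"):
                findings.append(("WARN", f"{member} can change bucket policy via {role}"))
    return findings


def sample_findings():
    """Run the checks over the constructed sample as of the audit date."""
    return check_bucket(BUCKETPOLICYONLY_TXT, IAM_JSON, datetime(2021, 2, 17, tzinfo=timezone.utc))
```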
Sorry, my point in tagging @dims was that I can't find any trace of these projects in git. Did someone forget to send a PR?
I know we cleaned some stuff up in: #1311 (comment)
Only reference to k8s-conform-provider-openstack I can find is: theopenlab/openlab#691
Maybe @chrigl knows more?
@thockin it is in the codebase
I apologize. I got bitten by master/main - I had not resynced this copy in a while and was trying to sync master and not noticing that it failed.
Indeed, it is in the tree. Mea culpa, my apologies.