Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

audit as of 2020-02-17 #1676

Closed
wants to merge 18 commits into from
Closed

audit as of 2020-02-17 #1676

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
18 commits
Select commit Hold shift + click to select a range
a9efe55
audit: add psharma to org admins
spiffxp Feb 16, 2021
f8a9628
audit: add psharma as owner to kubernetes-public
spiffxp Feb 18, 2021
f0d0b63
audit: update gcp-auditor org-scoped roles
spiffxp Feb 16, 2021
98667b8
audit: add XPN_SERVICE_PROJECTS quota
spiffxp Feb 18, 2021
a3f2812
audit: add k8s-staging-releng-test
spiffxp Feb 18, 2021
a25f038
audit: add k8s-staging-provider-openstack
spiffxp Feb 18, 2021
619e515
audit: add k8s-staging-experimental
spiffxp Feb 18, 2021
acfc2fd
audit: remove windows-remote-docker secrets
spiffxp Feb 18, 2021
96f3b66
audit: add cncf-ci-github-token secret
spiffxp Feb 18, 2021
f56650d
audit: remove k8s-staging-e2e-test
spiffxp Feb 18, 2021
5552dae
audit: remove k8s-artifacts-prod-vulndash bucket
spiffxp Feb 18, 2021
176f6e3
audit: setup k8s-conform for provider-openstack
spiffxp Feb 18, 2021
95d847e
audit: enable GCR for e2e projects
spiffxp Feb 18, 2021
0ec345d
audit: evidence of some e2e projects using GCR
spiffxp Feb 18, 2021
a4b8700
audit: QQ add kubernetes-staging buckets to e2e projects
spiffxp Feb 18, 2021
ac803bc
audit: gke cluster maintenance noise
spiffxp Feb 18, 2021
2e29d26
audit: dns service appears to have dropped a quota
spiffxp Feb 18, 2021
b7d200f
audit: WELP I deleted a thing I shouldn't have
spiffxp Feb 18, 2021
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 4 additions & 0 deletions ...enstack/buckets/artifacts.k8s-staging-provider-openstack.appspot.com/bucketpolicyonly.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,4 @@
Bucket Policy Only setting for gs://artifacts.k8s-staging-provider-openstack.appspot.com:
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I see no trace of this in the codebase? Why does it exist?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@dims 2/15/21

Explain?

Enabled: True
LockedTime: 2021-05-16 15:18:46.461000+00:00

1 change: 1 addition & 0 deletions ...-provider-openstack/buckets/artifacts.k8s-staging-provider-openstack.appspot.com/cors.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
gs://artifacts.k8s-staging-provider-openstack.appspot.com/ has no CORS configuration.
37 changes: 37 additions & 0 deletions ...-provider-openstack/buckets/artifacts.k8s-staging-provider-openstack.appspot.com/iam.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,37 @@
{
"bindings": [
{
"members": [
"group:[email protected]",
"projectEditor:k8s-staging-provider-openstack",
"projectOwner:k8s-staging-provider-openstack"
],
"role": "roles/storage.legacyBucketOwner"
},
{
"members": [
"projectViewer:k8s-staging-provider-openstack"
],
"role": "roles/storage.legacyBucketReader"
},
{
"members": [
"group:[email protected]"
],
"role": "roles/storage.legacyBucketWriter"
},
{
"members": [
"group:[email protected]",
"group:[email protected]"
],
"role": "roles/storage.objectAdmin"
},
{
"members": [
"allUsers"
],
"role": "roles/storage.objectViewer"
}
]
}
1 change: 1 addition & 0 deletions ...ovider-openstack/buckets/artifacts.k8s-staging-provider-openstack.appspot.com/logging.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
gs://artifacts.k8s-staging-provider-openstack.appspot.com/ has no logging configuration.
4 changes: 4 additions & 0 deletions ...taging-provider-openstack/buckets/k8s-staging-provider-openstack-gcb/bucketpolicyonly.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,4 @@
Bucket Policy Only setting for gs://k8s-staging-provider-openstack-gcb:
Enabled: True
LockedTime: 2021-05-16 15:19:21.741000+00:00

1 change: 1 addition & 0 deletions ...ojects/k8s-staging-provider-openstack/buckets/k8s-staging-provider-openstack-gcb/cors.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
gs://k8s-staging-provider-openstack-gcb/ has no CORS configuration.
46 changes: 46 additions & 0 deletions ...ojects/k8s-staging-provider-openstack/buckets/k8s-staging-provider-openstack-gcb/iam.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,46 @@
{
"bindings": [
{
"members": [
"group:[email protected]",
"projectEditor:k8s-staging-provider-openstack",
"projectOwner:k8s-staging-provider-openstack"
],
"role": "roles/storage.legacyBucketOwner"
},
{
"members": [
"projectViewer:k8s-staging-provider-openstack"
],
"role": "roles/storage.legacyBucketReader"
},
{
"members": [
"group:[email protected]"
],
"role": "roles/storage.legacyBucketWriter"
},
{
"members": [
"group:[email protected]",
"group:[email protected]"
],
"role": "roles/storage.objectAdmin"
},
{
"members": [
"serviceAccount:[email protected]",
"serviceAccount:[email protected]"
],
"role": "roles/storage.objectCreator"
},
{
"members": [
"allUsers",
"serviceAccount:[email protected]",
"serviceAccount:[email protected]"
],
"role": "roles/storage.objectViewer"
}
]
}
1 change: 1 addition & 0 deletions ...cts/k8s-staging-provider-openstack/buckets/k8s-staging-provider-openstack-gcb/logging.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
gs://k8s-staging-provider-openstack-gcb/ has no logging configuration.
4 changes: 4 additions & 0 deletions ...8s-staging-provider-openstack/buckets/k8s-staging-provider-openstack/bucketpolicyonly.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,4 @@
Bucket Policy Only setting for gs://k8s-staging-provider-openstack:
Enabled: True
LockedTime: 2021-05-16 15:19:04.941000+00:00

1 change: 1 addition & 0 deletions ...t/projects/k8s-staging-provider-openstack/buckets/k8s-staging-provider-openstack/cors.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
gs://k8s-staging-provider-openstack/ has no CORS configuration.
37 changes: 37 additions & 0 deletions ...t/projects/k8s-staging-provider-openstack/buckets/k8s-staging-provider-openstack/iam.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,37 @@
{
"bindings": [
{
"members": [
"group:[email protected]",
"projectEditor:k8s-staging-provider-openstack",
"projectOwner:k8s-staging-provider-openstack"
],
"role": "roles/storage.legacyBucketOwner"
},
{
"members": [
"projectViewer:k8s-staging-provider-openstack"
],
"role": "roles/storage.legacyBucketReader"
},
{
"members": [
"group:[email protected]"
],
"role": "roles/storage.legacyBucketWriter"
},
{
"members": [
"group:[email protected]",
"group:[email protected]"
],
"role": "roles/storage.objectAdmin"
},
{
"members": [
"allUsers"
],
"role": "roles/storage.objectViewer"
}
]
}
1 change: 1 addition & 0 deletions ...rojects/k8s-staging-provider-openstack/buckets/k8s-staging-provider-openstack/logging.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
gs://k8s-staging-provider-openstack/ has no logging configuration.
11 changes: 11 additions & 0 deletions audit/projects/k8s-staging-provider-openstack/description.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,11 @@
{
"createTime": "2021-02-15T15:12:50.913Z",
"lifecycleState": "ACTIVE",
"name": "k8s-staging-provider-openstack",
"parent": {
"id": "758905017065",
"type": "organization"
},
"projectId": "k8s-staging-provider-openstack",
"projectNumber": "625174557286"
}
68 changes: 68 additions & 0 deletions audit/projects/k8s-staging-provider-openstack/iam.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,68 @@
{
"bindings": [
{
"members": [
"serviceAccount:[email protected]",
"serviceAccount:[email protected]",
"serviceAccount:[email protected]"
],
"role": "roles/cloudbuild.builds.builder"
},
{
"members": [
"group:[email protected]"
],
"role": "roles/cloudbuild.builds.editor"
},
{
"members": [
"serviceAccount:[email protected]"
],
"role": "roles/cloudbuild.serviceAgent"
},
{
"members": [
"serviceAccount:[email protected]"
],
"role": "roles/containeranalysis.ServiceAgent"
},
{
"members": [
"serviceAccount:k8s-infra-gcr-vuln-scanning@k8s-artifacts-prod.iam.gserviceaccount.com"
],
"role": "roles/containeranalysis.occurrences.viewer"
},
{
"members": [
"serviceAccount:[email protected]"
],
"role": "roles/containerregistry.ServiceAgent"
},
{
"members": [
"serviceAccount:service-625174557286@gcp-sa-containerscanning.iam.gserviceaccount.com"
],
"role": "roles/containerscanning.ServiceAgent"
},
{
"members": [
"user:[email protected]"
],
"role": "roles/owner"
},
{
"members": [
"group:[email protected]"
],
"role": "roles/serviceusage.serviceUsageConsumer"
},
{
"members": [
"group:[email protected]",
"group:[email protected]"
],
"role": "roles/viewer"
}
],
"version": 1
}
11 changes: 11 additions & 0 deletions audit/projects/k8s-staging-provider-openstack/services/enabled.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,11 @@
NAME TITLE
cloudbuild.googleapis.com Cloud Build API
cloudkms.googleapis.com Cloud Key Management Service (KMS) API
containeranalysis.googleapis.com Container Analysis API
containerregistry.googleapis.com Container Registry API
containerscanning.googleapis.com Container Scanning API
logging.googleapis.com Cloud Logging API
pubsub.googleapis.com Cloud Pub/Sub API
secretmanager.googleapis.com Secret Manager API
storage-api.googleapis.com Google Cloud Storage JSON API
storage-component.googleapis.com Cloud Storage