diff --git a/audit/projects/k8s-artifacts-prod-bak/services/compute/project-info.json b/audit/projects/k8s-artifacts-prod-bak/services/compute/project-info.json
index c0517dcbf4d..d2386a8ed3b 100644
--- a/audit/projects/k8s-artifacts-prod-bak/services/compute/project-info.json
+++ b/audit/projects/k8s-artifacts-prod-bak/services/compute/project-info.json
@@ -113,6 +113,10 @@
 "limit": 200,
 "metric": "SECURITY_POLICY_RULES"
 },
+ {
+ "limit": 1000,
+ "metric": "XPN_SERVICE_PROJECTS"
+ },
 {
 "limit": 150,
 "metric": "PACKET_MIRRORINGS"
diff --git a/audit/projects/k8s-artifacts-prod/buckets/k8s-artifacts-prod-vuln-dashboard/bucketpolicyonly.txt b/audit/projects/k8s-artifacts-prod/buckets/k8s-artifacts-prod-vuln-dashboard/bucketpolicyonly.txt
deleted file mode 100644
index 1bef307b464..00000000000
--- a/audit/projects/k8s-artifacts-prod/buckets/k8s-artifacts-prod-vuln-dashboard/bucketpolicyonly.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Bucket Policy Only setting for gs://k8s-artifacts-prod-vuln-dashboard:
- Enabled: True
- LockedTime: 2020-11-10 20:06:45.035000+00:00
-
diff --git a/audit/projects/k8s-artifacts-prod/buckets/k8s-artifacts-prod-vuln-dashboard/cors.txt b/audit/projects/k8s-artifacts-prod/buckets/k8s-artifacts-prod-vuln-dashboard/cors.txt
deleted file mode 100644
index 00bb6596917..00000000000
--- a/audit/projects/k8s-artifacts-prod/buckets/k8s-artifacts-prod-vuln-dashboard/cors.txt
+++ /dev/null
@@ -1 +0,0 @@
-gs://k8s-artifacts-prod-vuln-dashboard/ has no CORS configuration.
diff --git a/audit/projects/k8s-artifacts-prod/buckets/k8s-artifacts-prod-vuln-dashboard/logging.txt b/audit/projects/k8s-artifacts-prod/buckets/k8s-artifacts-prod-vuln-dashboard/logging.txt
deleted file mode 100644
index 143f3380eb6..00000000000
--- a/audit/projects/k8s-artifacts-prod/buckets/k8s-artifacts-prod-vuln-dashboard/logging.txt
+++ /dev/null
@@ -1 +0,0 @@
-gs://k8s-artifacts-prod-vuln-dashboard/ has no logging configuration.
diff --git a/audit/projects/k8s-artifacts-prod/iam.json b/audit/projects/k8s-artifacts-prod/iam.json
index 93c6c2bf52e..82a02939907 100644
--- a/audit/projects/k8s-artifacts-prod/iam.json
+++ b/audit/projects/k8s-artifacts-prod/iam.json
@@ -42,7 +42,7 @@
 },
 {
 "members": [
- "serviceAccount:k8s-infra-gcr-auditor@k8s-artifacts-prod.iam.gserviceaccount.com"
+ "deleted:serviceAccount:k8s-infra-gcr-auditor@k8s-artifacts-prod.iam.gserviceaccount.com?uid=111422293292441494221"
 ],
 "role": "roles/errorreporting.writer"
 },
@@ -54,7 +54,7 @@
 },
 {
 "members": [
- "serviceAccount:k8s-infra-gcr-auditor@k8s-artifacts-prod.iam.gserviceaccount.com"
+ "deleted:serviceAccount:k8s-infra-gcr-auditor@k8s-artifacts-prod.iam.gserviceaccount.com?uid=111422293292441494221"
 ],
 "role": "roles/logging.logWriter"
 },
diff --git a/audit/projects/k8s-artifacts-prod/service-accounts/k8s-infra-gcr-auditor@k8s-artifacts-prod.iam.gserviceaccount.com/description.json b/audit/projects/k8s-artifacts-prod/service-accounts/k8s-infra-gcr-auditor@k8s-artifacts-prod.iam.gserviceaccount.com/description.json
deleted file mode 100644
index ed9afb0614d..00000000000
--- a/audit/projects/k8s-artifacts-prod/service-accounts/k8s-infra-gcr-auditor@k8s-artifacts-prod.iam.gserviceaccount.com/description.json
+++ /dev/null
@@ -1,8 +0,0 @@
-{
- "displayName": "k8s-infra container image auditor",
- "email": "k8s-infra-gcr-auditor@k8s-artifacts-prod.iam.gserviceaccount.com",
- "name": "projects/k8s-artifacts-prod/serviceAccounts/k8s-infra-gcr-auditor@k8s-artifacts-prod.iam.gserviceaccount.com",
- "oauth2ClientId": "111422293292441494221",
- "projectId": "k8s-artifacts-prod",
- "uniqueId": "111422293292441494221"
-}
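Review bot: In audit/projects/k8s-artifacts-prod/iam.json the `roles/errorreporting.writer` and `roles/logging.logWriter` bindings (hunks at -42 and -54) now list `deleted:serviceAccount:k8s-infra-gcr-auditor@k8s-artifacts-prod.iam.gserviceaccount.com?uid=111422293292441494221`, so the service account was removed but its project-level grants were left in place. A stale binding keeps the role attached to that uid, would take effect again if the account were undeleted while restore is still possible, and adds noise to every later audit diff. The follow-up is to drop the member from both bindings in the project policy (and the bindings themselves if they end up empty) and let the next audit run confirm it. Both hunks are excerpts of a bindings array that continues outside them.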
diff --git a/audit/projects/k8s-artifacts-prod/service-accounts/k8s-infra-gcr-auditor@k8s-artifacts-prod.iam.gserviceaccount.com/iam.json b/audit/projects/k8s-artifacts-prod/service-accounts/k8s-infra-gcr-auditor@k8s-artifacts-prod.iam.gserviceaccount.com/iam.json
deleted file mode 100644
index cbc2f350095..00000000000
--- a/audit/projects/k8s-artifacts-prod/service-accounts/k8s-infra-gcr-auditor@k8s-artifacts-prod.iam.gserviceaccount.com/iam.json
+++ /dev/null
@@ -1,11 +0,0 @@
-{
- "bindings": [
- {
- "members": [
- "group:k8s-infra-artifact-admins@kubernetes.io"
- ],
- "role": "roles/iam.serviceAccountUser"
- }
- ],
- "version": 1
-}
diff --git a/audit/projects/k8s-artifacts-prod/services/compute/project-info.json b/audit/projects/k8s-artifacts-prod/services/compute/project-info.json
index e0858e1c682..241831f72a1 100644
--- a/audit/projects/k8s-artifacts-prod/services/compute/project-info.json
+++ b/audit/projects/k8s-artifacts-prod/services/compute/project-info.json
@@ -113,6 +113,10 @@
 "limit": 200,
 "metric": "SECURITY_POLICY_RULES"
 },
+ {
+ "limit": 1000,
+ "metric": "XPN_SERVICE_PROJECTS"
+ },
 {
 "limit": 150,
 "metric": "PACKET_MIRRORINGS"
diff --git a/audit/projects/k8s-cip-test-prod/services/compute/project-info.json b/audit/projects/k8s-cip-test-prod/services/compute/project-info.json
index a00135cac00..0ee026c17e0 100644
--- a/audit/projects/k8s-cip-test-prod/services/compute/project-info.json
+++ b/audit/projects/k8s-cip-test-prod/services/compute/project-info.json
@@ -113,6 +113,10 @@
 "limit": 200,
 "metric": "SECURITY_POLICY_RULES"
 },
+ {
+ "limit": 1000,
+ "metric": "XPN_SERVICE_PROJECTS"
+ },
 {
 "limit": 150,
 "metric": "PACKET_MIRRORINGS"
diff --git a/audit/projects/k8s-conform/buckets/k8s-conform-inspur/iam.json b/audit/projects/k8s-conform/buckets/k8s-conform-inspur/iam.json
index 87e982e7c46..e8b3d48047f 100644
--- a/audit/projects/k8s-conform/buckets/k8s-conform-inspur/iam.json
+++ b/audit/projects/k8s-conform/buckets/k8s-conform-inspur/iam.json
@@ -16,7 +16,16 @@
 },
 {
 "members": [
- "group:k8s-infra-artifact-admins@kubernetes.io"
+ "group:k8s-infra-conform-inspur@kubernetes.io",
+ "serviceAccount:service-inspur@k8s-conform.iam.gserviceaccount.com"
+ ],
+ "role": "roles/storage.legacyBucketWriter"
+ },
+ {
+ "members": [
+ "group:k8s-infra-artifact-admins@kubernetes.io",
+ "group:k8s-infra-conform-inspur@kubernetes.io",
+ "serviceAccount:service-inspur@k8s-conform.iam.gserviceaccount.com"
 ],
 "role": "roles/storage.objectAdmin"
 },
diff --git a/audit/projects/k8s-conform/buckets/k8s-conform-provider-openstack/bucketpolicyonly.txt b/audit/projects/k8s-conform/buckets/k8s-conform-provider-openstack/bucketpolicyonly.txt
new file mode 100644
index 00000000000..de37a47dae4
--- /dev/null
+++ b/audit/projects/k8s-conform/buckets/k8s-conform-provider-openstack/bucketpolicyonly.txt
@@ -0,0 +1,4 @@
+Bucket Policy Only setting for gs://k8s-conform-provider-openstack:
+ Enabled: True
+ LockedTime: 2021-05-16 15:12:16.571000+00:00
+
diff --git a/audit/projects/k8s-conform/buckets/k8s-conform-provider-openstack/cors.txt b/audit/projects/k8s-conform/buckets/k8s-conform-provider-openstack/cors.txt
new file mode 100644
index 00000000000..4f17a01a96e
--- /dev/null
+++ b/audit/projects/k8s-conform/buckets/k8s-conform-provider-openstack/cors.txt
@@ -0,0 +1 @@
+gs://k8s-conform-provider-openstack/ has no CORS configuration.
diff --git a/audit/projects/k8s-artifacts-prod/buckets/k8s-artifacts-prod-vuln-dashboard/iam.json b/audit/projects/k8s-conform/buckets/k8s-conform-provider-openstack/iam.json
similarity index 58%
rename from audit/projects/k8s-artifacts-prod/buckets/k8s-artifacts-prod-vuln-dashboard/iam.json
rename to audit/projects/k8s-conform/buckets/k8s-conform-provider-openstack/iam.json
index 605ba04f247..f6644951025 100644
--- a/audit/projects/k8s-artifacts-prod/buckets/k8s-artifacts-prod-vuln-dashboard/iam.json
+++ b/audit/projects/k8s-conform/buckets/k8s-conform-provider-openstack/iam.json
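Review bot: The `@@ -16,7 +16,16 @@` hunk for buckets/k8s-conform-inspur/iam.json gives `group:k8s-infra-conform-inspur@kubernetes.io` and `serviceAccount:service-inspur@k8s-conform.iam.gserviceaccount.com` both `roles/storage.legacyBucketWriter` and `roles/storage.objectAdmin`, and the latter includes overwriting and deleting objects already in the bucket. If these principals only upload results, that is more than the task needs: `roles/storage.objectCreator` plus `roles/storage.objectViewer` would let them add and read objects without being able to alter what was submitted earlier, which is worth confirming against how the bucket is actually used. The same pair of grants appears for the provider-openstack group and service account in buckets/k8s-conform-provider-openstack/iam.json later in this diff.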
@@ -3,27 +3,29 @@
 {
 "members": [
 "group:k8s-infra-artifact-admins@kubernetes.io",
- "projectEditor:k8s-artifacts-prod",
- "projectOwner:k8s-artifacts-prod"
+ "projectEditor:k8s-conform",
+ "projectOwner:k8s-conform"
 ],
 "role": "roles/storage.legacyBucketOwner"
 },
 {
 "members": [
- "projectViewer:k8s-artifacts-prod"
+ "projectViewer:k8s-conform"
 ],
 "role": "roles/storage.legacyBucketReader"
 },
 {
 "members": [
- "serviceAccount:k8s-infra-gcr-vuln-dashboard@k8s-artifacts-prod.iam.gserviceaccount.com"
+ "group:k8s-infra-conform-provider-openstack@kubernetes.io",
+ "serviceAccount:service-provider-openstack@k8s-conform.iam.gserviceaccount.com"
 ],
 "role": "roles/storage.legacyBucketWriter"
 },
 {
 "members": [
 "group:k8s-infra-artifact-admins@kubernetes.io",
- "serviceAccount:k8s-infra-gcr-vuln-dashboard@k8s-artifacts-prod.iam.gserviceaccount.com"
+ "group:k8s-infra-conform-provider-openstack@kubernetes.io",
+ "serviceAccount:service-provider-openstack@k8s-conform.iam.gserviceaccount.com"
 ],
 "role": "roles/storage.objectAdmin"
 },
diff --git a/audit/projects/k8s-conform/buckets/k8s-conform-provider-openstack/logging.txt b/audit/projects/k8s-conform/buckets/k8s-conform-provider-openstack/logging.txt
new file mode 100644
index 00000000000..be31af9bbcd
--- /dev/null
+++ b/audit/projects/k8s-conform/buckets/k8s-conform-provider-openstack/logging.txt
@@ -0,0 +1 @@
+gs://k8s-conform-provider-openstack/ has no logging configuration.
diff --git a/audit/projects/k8s-conform/secrets/service-inspur-key/description.json b/audit/projects/k8s-conform/secrets/service-inspur-key/description.json
new file mode 100644
index 00000000000..343e01a5b94
--- /dev/null
+++ b/audit/projects/k8s-conform/secrets/service-inspur-key/description.json
@@ -0,0 +1,7 @@
+{
+ "createTime": "2021-02-23T06:37:04.961097Z",
+ "name": "projects/228988630781/secrets/service-inspur-key",
+ "replication": {
+ "automatic": {}
+ }
+}
diff --git a/audit/projects/k8s-conform/secrets/service-inspur-key/iam.json b/audit/projects/k8s-conform/secrets/service-inspur-key/iam.json
new file mode 100644
index 00000000000..5b8daf2a081
--- /dev/null
+++ b/audit/projects/k8s-conform/secrets/service-inspur-key/iam.json
@@ -0,0 +1,11 @@
+{
+ "bindings": [
+ {
+ "members": [
+ "group:k8s-infra-conform-inspur@kubernetes.io"
+ ],
+ "role": "roles/secretmanager.secretAccessor"
+ }
+ ],
+ "version": 1
+}
diff --git a/audit/projects/k8s-conform/secrets/service-inspur-key/versions.json b/audit/projects/k8s-conform/secrets/service-inspur-key/versions.json
new file mode 100644
index 00000000000..d80a0b98635
--- /dev/null
+++ b/audit/projects/k8s-conform/secrets/service-inspur-key/versions.json
@@ -0,0 +1,10 @@
+[
+ {
+ "createTime": "2021-02-23T06:37:06.236110Z",
+ "name": "projects/228988630781/secrets/service-inspur-key/versions/1",
+ "replicationStatus": {
+ "automatic": {}
+ },
+ "state": "ENABLED"
+ }
+]
diff --git a/audit/projects/k8s-conform/secrets/service-provider-openstack-key/description.json b/audit/projects/k8s-conform/secrets/service-provider-openstack-key/description.json
new file mode 100644
index 00000000000..fa19d6025c3
--- /dev/null
+++ b/audit/projects/k8s-conform/secrets/service-provider-openstack-key/description.json
@@ -0,0 +1,7 @@
+{
+ "createTime": "2021-02-15T15:18:08.840992Z",
+ "name": "projects/228988630781/secrets/service-provider-openstack-key",
+ "replication": {
+ "automatic": {}
+ }
+}
diff --git a/audit/projects/k8s-conform/secrets/service-provider-openstack-key/iam.json b/audit/projects/k8s-conform/secrets/service-provider-openstack-key/iam.json
new file mode 100644
index 00000000000..52260ba6b4b
--- /dev/null
+++ b/audit/projects/k8s-conform/secrets/service-provider-openstack-key/iam.json
@@ -0,0 +1,11 @@
+{
+ "bindings": [
+ {
+ "members": [
+ "group:k8s-infra-conform-provider-openstack@kubernetes.io"
+ ],
+ "role": "roles/secretmanager.secretAccessor"
+ }
+ ],
+ "version": 1
+}
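Review bot: secrets/service-inspur-key/iam.json grants `roles/secretmanager.secretAccessor` to the whole of `group:k8s-infra-conform-inspur@kubernetes.io`, and versions.json shows a single `ENABLED` version created 2021-02-23 with nothing in the snapshot indicating rotation or expiry. Judging by its name, the secret holds an exported key for `service-inspur@k8s-conform.iam.gserviceaccount.com`; if so, every group member can copy a long-lived credential that carries the bucket roles that account holds and that keeps working after the member leaves the group. It would help to record a rotation schedule for the key, disable superseded versions after each rotation, and review the group's membership, or to replace the exported key with short-lived impersonation. The same applies to secrets/service-provider-openstack-key and its group.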
diff --git a/audit/projects/k8s-conform/secrets/service-provider-openstack-key/versions.json b/audit/projects/k8s-conform/secrets/service-provider-openstack-key/versions.json
new file mode 100644
index 00000000000..103f0db6769
--- /dev/null
+++ b/audit/projects/k8s-conform/secrets/service-provider-openstack-key/versions.json
@@ -0,0 +1,10 @@
+[
+ {
+ "createTime": "2021-02-15T15:18:09.874889Z",
+ "name": "projects/228988630781/secrets/service-provider-openstack-key/versions/1",
+ "replicationStatus": {
+ "automatic": {}
+ },
+ "state": "ENABLED"
+ }
+]
diff --git a/audit/projects/k8s-conform/service-accounts/service-inspur@k8s-conform.iam.gserviceaccount.com/description.json b/audit/projects/k8s-conform/service-accounts/service-inspur@k8s-conform.iam.gserviceaccount.com/description.json
new file mode 100644
index 00000000000..f064fdd43b6
--- /dev/null
+++ b/audit/projects/k8s-conform/service-accounts/service-inspur@k8s-conform.iam.gserviceaccount.com/description.json
@@ -0,0 +1,8 @@
+{
+ "displayName": "service-inspur",
+ "email": "service-inspur@k8s-conform.iam.gserviceaccount.com",
+ "name": "projects/k8s-conform/serviceAccounts/service-inspur@k8s-conform.iam.gserviceaccount.com",
+ "oauth2ClientId": "114293481682780084349",
+ "projectId": "k8s-conform",
+ "uniqueId": "114293481682780084349"
+}
diff --git a/audit/projects/k8s-conform/service-accounts/service-inspur@k8s-conform.iam.gserviceaccount.com/iam.json b/audit/projects/k8s-conform/service-accounts/service-inspur@k8s-conform.iam.gserviceaccount.com/iam.json
new file mode 100644
index 00000000000..0967ef424bc
--- /dev/null
+++ b/audit/projects/k8s-conform/service-accounts/service-inspur@k8s-conform.iam.gserviceaccount.com/iam.json
@@ -0,0 +1 @@
+{}
diff --git a/audit/projects/k8s-conform/service-accounts/service-provider-openstack@k8s-conform.iam.gserviceaccount.com/description.json b/audit/projects/k8s-conform/service-accounts/service-provider-openstack@k8s-conform.iam.gserviceaccount.com/description.json
new file mode 100644
index 00000000000..759a2ca4f86
--- /dev/null
+++ b/audit/projects/k8s-conform/service-accounts/service-provider-openstack@k8s-conform.iam.gserviceaccount.com/description.json
@@ -0,0 +1,8 @@
+{
+ "displayName": "service-provider-openstack",
+ "email": "service-provider-openstack@k8s-conform.iam.gserviceaccount.com",
+ "name": "projects/k8s-conform/serviceAccounts/service-provider-openstack@k8s-conform.iam.gserviceaccount.com",
+ "oauth2ClientId": "114482259319052246948",
+ "projectId": "k8s-conform",
+ "uniqueId": "114482259319052246948"
+}
diff --git a/audit/projects/k8s-conform/service-accounts/service-provider-openstack@k8s-conform.iam.gserviceaccount.com/iam.json b/audit/projects/k8s-conform/service-accounts/service-provider-openstack@k8s-conform.iam.gserviceaccount.com/iam.json
new file mode 100644
index 00000000000..0967ef424bc
--- /dev/null
+++ b/audit/projects/k8s-conform/service-accounts/service-provider-openstack@k8s-conform.iam.gserviceaccount.com/iam.json
@@ -0,0 +1 @@
+{}
diff --git a/audit/projects/k8s-conform/services/compute/project-info.json b/audit/projects/k8s-conform/services/compute/project-info.json
index 76ed797deb7..da345b3b199 100644
--- a/audit/projects/k8s-conform/services/compute/project-info.json
+++ b/audit/projects/k8s-conform/services/compute/project-info.json
@@ -113,6 +113,10 @@
 "limit": 200,
 "metric": "SECURITY_POLICY_RULES"
 },
+ {
+ "limit": 1000,
+ "metric": "XPN_SERVICE_PROJECTS"
+ },
 {
 "limit": 150,
 "metric": "PACKET_MIRRORINGS"
diff --git a/audit/projects/k8s-gcr-audit-test-prod/services/compute/project-info.json b/audit/projects/k8s-gcr-audit-test-prod/services/compute/project-info.json
index 7d886aa982c..e1c0bc9f0c3 100644
--- a/audit/projects/k8s-gcr-audit-test-prod/services/compute/project-info.json
+++ b/audit/projects/k8s-gcr-audit-test-prod/services/compute/project-info.json
@@ -113,6 +113,10 @@
 "limit": 200,
 "metric": "SECURITY_POLICY_RULES"
 },
+ {
+ "limit": 1000,
+ "metric": "XPN_SERVICE_PROJECTS"
+ },
 {
 "limit": 150,
 "metric": "PACKET_MIRRORINGS"
diff --git a/audit/projects/k8s-gcr-backup-test-prod-bak/services/compute/project-info.json b/audit/projects/k8s-gcr-backup-test-prod-bak/services/compute/project-info.json
index 61f4bce5f01..e66082dcb7a 100644
--- a/audit/projects/k8s-gcr-backup-test-prod-bak/services/compute/project-info.json
+++ b/audit/projects/k8s-gcr-backup-test-prod-bak/services/compute/project-info.json
@@ -113,6 +113,10 @@
 "limit": 200,
 "metric": "SECURITY_POLICY_RULES"
 },
+ {
+ "limit": 1000,
+ "metric": "XPN_SERVICE_PROJECTS"
+ },
 {
 "limit": 150,
 "metric": "PACKET_MIRRORINGS"
diff --git a/audit/projects/k8s-release-test-prod/services/compute/project-info.json b/audit/projects/k8s-release-test-prod/services/compute/project-info.json
index 0299ddb4c77..6385f6fb41b 100644
--- a/audit/projects/k8s-release-test-prod/services/compute/project-info.json
+++ b/audit/projects/k8s-release-test-prod/services/compute/project-info.json
@@ -113,6 +113,10 @@
 "limit": 200,
 "metric": "SECURITY_POLICY_RULES"
 },
+ {
+ "limit": 1000,
+ "metric": "XPN_SERVICE_PROJECTS"
+ },
 {
 "limit": 150,
 "metric": "PACKET_MIRRORINGS"
diff --git a/audit/projects/kubernetes-public/iam.json b/audit/projects/kubernetes-public/iam.json
index e85ee219a3c..135096b0b6b 100644
--- a/audit/projects/kubernetes-public/iam.json
+++ b/audit/projects/kubernetes-public/iam.json
@@ -122,6 +122,7 @@
 "members": [
 "user:domain-admin-lf@kubernetes.io",
 "user:ihor@cncf.io",
+ "user:psharma@linuxfoundation.org",
 "user:thockin@google.com"
 ],
 "role": "roles/owner"
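Review bot: The `roles/owner` binding in audit/projects/kubernetes-public/iam.json gains `user:psharma@linuxfoundation.org`, an individual account given the broadest project role directly rather than through a group. Direct user bindings on owner are hard to review and to revoke when someone changes role, and nothing in this diff ties the addition to an approved request. It is worth confirming that the grant was intended and, if it was, linking the approving issue in the commit description; longer term the owner set would be easier to audit as a single group member. The binding object starts and ends outside the hunk.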
diff --git a/audit/projects/kubernetes-public/secrets/slack-moderator-words-config/description.json b/audit/projects/kubernetes-public/secrets/slack-moderator-words-config/description.json
new file mode 100644
index 00000000000..0357d279923
--- /dev/null
+++ b/audit/projects/kubernetes-public/secrets/slack-moderator-words-config/description.json
@@ -0,0 +1,10 @@
+{
+ "createTime": "2021-02-23T23:53:36.776896Z",
+ "labels": {
+ "app": "slack-infra"
+ },
+ "name": "projects/127754664067/secrets/slack-moderator-words-config",
+ "replication": {
+ "automatic": {}
+ }
+}
diff --git a/audit/projects/kubernetes-public/secrets/slack-moderator-words-config/iam.json b/audit/projects/kubernetes-public/secrets/slack-moderator-words-config/iam.json
new file mode 100644
index 00000000000..e7b65abc9b8
--- /dev/null
+++ b/audit/projects/kubernetes-public/secrets/slack-moderator-words-config/iam.json
@@ -0,0 +1,11 @@
+{
+ "bindings": [
+ {
+ "members": [
+ "group:k8s-infra-rbac-slack-infra@kubernetes.io"
+ ],
+ "role": "roles/secretmanager.admin"
+ }
+ ],
+ "version": 1
+}
diff --git a/audit/projects/kubernetes-public/secrets/slack-moderator-words-config/versions.json b/audit/projects/kubernetes-public/secrets/slack-moderator-words-config/versions.json
new file mode 100644
index 00000000000..fe51488c706
--- /dev/null
+++ b/audit/projects/kubernetes-public/secrets/slack-moderator-words-config/versions.json
@@ -0,0 +1 @@
+[]
diff --git a/audit/projects/kubernetes-public/secrets/triage-party-github-token/description.json b/audit/projects/kubernetes-public/secrets/triage-party-github-token/description.json
index 72b529369c2..3fbfbe0b0c8 100644
--- a/audit/projects/kubernetes-public/secrets/triage-party-github-token/description.json
+++ b/audit/projects/kubernetes-public/secrets/triage-party-github-token/description.json
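Review bot: secrets/slack-moderator-words-config/iam.json binds `group:k8s-infra-rbac-slack-infra@kubernetes.io` to `roles/secretmanager.admin`, which lets any member change the secret's IAM policy and delete the secret, not just manage its contents. versions.json is `[]`, so the secret has no payload yet and the grant is presumably there so the group can populate it. If that is the only need, `roles/secretmanager.secretVersionManager` together with `roles/secretmanager.secretAccessor` would cover adding, disabling and reading versions without handing out control of the policy.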
@@ -1,5 +1,8 @@
 {
 "createTime": "2020-06-25T19:14:21.868654Z",
+ "labels": {
+ "app": "triage-party"
+ },
 "name": "projects/127754664067/secrets/triage-party-github-token",
 "replication": {
 "automatic": {}
diff --git a/audit/projects/kubernetes-public/services/compute/project-info.json b/audit/projects/kubernetes-public/services/compute/project-info.json
index 13e52a5a7c5..5b8d8b87e36 100644
--- a/audit/projects/kubernetes-public/services/compute/project-info.json
+++ b/audit/projects/kubernetes-public/services/compute/project-info.json
@@ -123,6 +123,10 @@
 "limit": 200,
 "metric": "SECURITY_POLICY_RULES"
 },
+ {
+ "limit": 1000,
+ "metric": "XPN_SERVICE_PROJECTS"
+ },
 {
 "limit": 150,
 "metric": "PACKET_MIRRORINGS"
diff --git a/audit/projects/kubernetes-public/services/container/clusters.txt b/audit/projects/kubernetes-public/services/container/clusters.txt
index b5398489de0..dea6658fa0c 100644
--- a/audit/projects/kubernetes-public/services/container/clusters.txt
+++ b/audit/projects/kubernetes-public/services/container/clusters.txt
@@ -1 +1 @@
-aaa us-central1 us-central1-c;us-central1-a;us-central1-f 6 RUNNING
+aaa us-central1 us-central1-c;us-central1-a;us-central1-f 7 RUNNING
diff --git a/audit/projects/kubernetes-public/services/dns/info.json b/audit/projects/kubernetes-public/services/dns/info.json
index e5db729d3b4..791d82f6126 100644
--- a/audit/projects/kubernetes-public/services/dns/info.json
+++ b/audit/projects/kubernetes-public/services/dns/info.json
@@ -4,7 +4,6 @@
 "number": "127754664067",
 "quota": {
 "dnsKeysPerManagedZone": 4,
- "gkeClustersPerPolicy": 100,
 "kind": "dns#quota",
 "managedZones": 10000,
 "managedZonesPerNetwork": 10000,