ensure-organization.sh followup #1737
Conversation
k8s-ci-robot
added
do-not-merge/work-in-progress
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: spiffxp The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
approved
spiffxp
force-pushed
the
ensure-organization-followup
branch
2 times, most recently
from
b58b175 to
018013a
Compare
| # not actually sure why this account is necessary but here we are | ||
| title: Secret Account Lister | ||
| description: Can list ServiceAccounts | ||
| name: iam.serviceAccountLister |
There was a problem hiding this comment.
This is is identical to the Role defined above in infra/gcp/roles/iam.serviceAccountLister.yaml ?? Why do we have both?
There was a problem hiding this comment.
so I agree, it's silly in this case to have two files that look identical
but the idea is to consistently follow the pattern of:
- custom roles are defined via a (custom) spec
- specs generate concrete roles
- custom role definitions are checked in to git (so we know when custom roles get new permissions)
- then those get applied
this lets us apply common defaults, and moves us toward a model of "write a spec, have something else apply it"
we can skip the "check in concrete roles" step and go straight to applying, but at the moment I find it useful to have them checked in for diffing when regeneration picks up new p
There was a problem hiding this comment.
So the non-spec is the readback? I'm looking at the script and trying to figure out what it's doing. It mixes the spec and the result of gcloud iam roles describe. It's not clear to me when that script is run or who runs it or when.
There was a problem hiding this comment.
So the non-spec is the readback?
Yes. FWIW, these files can't be directly applied via gcloud, the name field needs munging depending on whether they're destined for project or organization. I felt like it was better not to mix that concern in here.
The script is currently run by humans (independent of the other ensure- scripts). Now that @hh has proven pr-creator to be reusable out of test-infra, the last followup item I have for #1659 is to setup prowjobs that:
- run this on postsubmit and periodically
- open PRs if something changed
- a human would review the PR
- a human would manually deploy the role change once the PR merged
- they would run
ensure-organization.shas none of these are created at the project level
The reason for mixing the spec into comments of the generated role was to be 100% clear about what spec the role was generated from (vs. "this file", "this time", "this repo", "this hash" etc... but perhaps those would be a better / more concise approach to aim for)
There was a problem hiding this comment.
What I am missing is why we check the readback in, and how that is different from the audit.
IOW, why is it more than
- Here's a spec
- Here's a script to apply the spec
- Here's a periodic script to audit the results
- Here's the last known-good audit state
If the periodic audit shows new perms, alert. I'm missing the role of the intermediate?
I trust you so I am totally willing to OK this and just grow my comprehension async to this PR
There was a problem hiding this comment.
You may be right, this could be spurious and an unnecessary extra step.
I sorta want to keep this in as an experiment and remove later if we feel it's too annoying. Reasons why:
- this might make it easier to vet audit output "here's what I absolutely expect it to be", and regenerating from primitive roles at time of audit might pick up new permissions I didn't know about last time I said "sure, refresh the role"
- it may be easier for contributors to find out "ok but what exact permissions does this role have" even if they don't have iam permissions or gcloud handy
I guess I sort of think of this as the equivalent to a terraform state file. What was the state of the world the last time I managed it. Compare that to what the state of the world is now (did something else change things?) + the changes I intend to make to the state of the world.
add more functions, use _ensure "private" helpers, try diffing results -ensure_custom_iam_role_from_file +ensure_custom_org_iam_role_from_file +ensure_custom_project_iam_role_from_file +ensure_removed_custom_org_role +ensure_removed_custom_project_role +custom_project_role_name custom_org_role_name
spiffxp
force-pushed
the
ensure-organization-followup
branch
from
018013a to
310431d
Compare
k8s-ci-robot
added
area/prow
btw @thockin do you have the context for why we needed to make this role in the first place? I haven't plumbed the depths of |
|
I do not recall exactly why it exists - I think it was to allow audits to
list SA's without modifying them and there was no fine-grained role for
that.
…On Wed, Mar 3, 2021 at 9:48 AM Aaron Crickenberger ***@***.***> wrote:
replace per-project ServiceAccountLister with org-level
iam.serviceAccountLister (though still not actually sure why this role is
necessary)
btw @thockin <https://github.com/thockin> do you have the context for why
we needed to make this role in the first place? I haven't plumbed the
depths of aaa's creation to figure that out yet
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#1737 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/ABKWAVDYFQHMBARFQYT5JA3TBZY7JANCNFSM4YMG5HIQ>
.
|
|
If that's the case, maybe we can drop it entirely (should be subsumed by custom |
I don't have an account that's unprivileged enough to be affected by this so I don't want to try it as part of this PR, opened #1753 |
order is going to matter for rolling this out: - ensure-organization.sh to create the org-level roles - terraform apply in prow-build / prow-build-trusted - check to see if terraform removed the project-level role - ensure-main-project.sh - followup PR to remove ensure_removed calls
force all custom roles to be created from file
spiffxp
force-pushed
the
ensure-organization-followup
branch
from
07eccc2 to
3aab780
Compare
spiffxp
changed the title
k8s-ci-robot
removed
the
do-not-merge/work-in-progress
|
/hold |
k8s-ci-robot
added
the
do-not-merge/hold
|
OK, looking for LGTM. I'm no longer concerned about what the audit PRs are showing, I feel comfortable enough to deploy this, but I'm not going to remove /hold until I have time. Or someone else able to deploy is welcome to. |
|
/lgtm |
k8s-ci-robot
added
the
lgtm
|
/hold cancel |
k8s-ci-robot
removed
the
do-not-merge/hold
|
Related to refactoring infra/gcp, ref: #516 |
Followup to #1726, intended to fix #1659
Basically:
yqto the mix to do this)Order is going to matter for rolling this out:
There is one more custom role I am interested in creating, for the "cluster-admins" group, but I can do that in followup.