
infra/gcp/roles: update custom org roles #2010

Merged
merged 6 commits into from
May 6, 2021

Conversation

spiffxp
Member

@spiffxp spiffxp commented May 6, 2021

See individual commits for details, but the tl;dr is this should help with:

The groups change also wraps up part of #1974, specifically the part about service accounts being bound directly to their roles rather than indirectly through group membership

spiffxp added 4 commits May 5, 2021 22:33
the serviceaccounts are now bound directly to the appropriate roles

it seems like including a serviceaccount in a group does not always
propagate permissions correctly, so let's stop using it as a pattern
Each permissionRegex is now wrapped in parentheses to become its own
group when passed to grep -E. This ensures ^ and $ characters in each
regex don't end up applying to the whole | concatenation of regexes.
specifically:

- add comments explaining (or asking) why these roles/permissions
- prune spec:
  - roles/browser better captures intent and covers more than
    organizationViewer
  - roles/iam.securityReviewer covers most storage.buckets permissions
- add to spec:
  - roles/cloudasset.viewer in anticipation of using gcloud assets to
    list resources and iam roles more quickly for audit
@k8s-ci-robot k8s-ci-robot added cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. approved Indicates a PR has been approved by an approver from all required OWNERS files. area/access Define who has access to what via IAM bindings, role bindings, policy, etc. wg/k8s-infra labels May 6, 2021
@k8s-ci-robot k8s-ci-robot requested review from dims and nikhita May 6, 2021 02:50
@k8s-ci-robot k8s-ci-robot added the size/L Denotes a PR that changes 100-499 lines, ignoring generated files. label May 6, 2021
specifically:

- add comments explaining or guessing why these specific roles
- add roles/billing.creator to allow creating a budget for
  k8s-infra-ii-sandbox
- add roles/billing.costsManager because it sounds useful
- add roles/storage.admin but filter to storage.buckets.* to ensure
  org admins have break-glass access to buckets
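As an added illustration (not code from the k8s.io repository), the two mechanisms the commit messages above describe: each permission regex becomes its own parenthesised group, the groups are joined with `|` and handed to `grep -E`, and a broad role's permission list is narrowed to `storage.buckets.*` for the org-admin break-glass case. The permission list and the helper function names are constructed for this example and are not taken from the project's scripts.

```shell
# Constructed sample of permissions as they might be listed for a role.
# This is illustrative data, not the real output of any gcloud command.
ALL_PERMISSIONS='storage.buckets.create
storage.buckets.delete
storage.buckets.get
storage.buckets.getIamPolicy
storage.objects.get
storage.objects.list
cloudasset.assets.listResource
resourcemanager.projects.get'

# filter_permissions REGEX...
# Wraps every permission regex in its own (...) group, joins the groups with |,
# and filters the permission list with grep -E, as the commit message describes.
# Because each regex is its own group, a ^ or $ inside it only anchors that
# alternative. Prints the matching permissions, one per line, in input order.
filter_permissions() {
    local pattern="" regex
    for regex in "$@"; do
        pattern="${pattern:+${pattern}|}(${regex})"
    done
    printf '%s\n' "${ALL_PERMISSIONS}" | grep -E "${pattern}" || true
}

# Break-glass bucket access for org admins: the permissions of a broad
# role narrowed to storage.buckets.* (the filter described in the commit).
bucket_admin_permissions() {
    filter_permissions '^storage\.buckets\.'
}

# Demonstration when run directly.
bucket_admin_permissions
```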
@spiffxp
Member Author

spiffxp commented May 6, 2021

/cc @ameukam @hh
I have run ./infra/gcp/ensure-organization.sh as part of this, so the next audit PR should pick up results

Contributor

@hasheddan hasheddan left a comment


/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label May 6, 2021
@k8s-ci-robot
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: hasheddan, spiffxp

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot merged commit a6bbfbd into kubernetes:main May 6, 2021
@k8s-ci-robot k8s-ci-robot added this to the v1.22 milestone May 6, 2021
@spiffxp spiffxp deleted the update-roles branch May 6, 2021 14:57
@spiffxp
Member Author

spiffxp commented May 6, 2021

#2006 confirms all of the changes here, I reviewed it linking back to commits in this PR
