
Enable ondemand scanning role to kustomize SA #3017

Merged: 1 commit, Nov 3, 2021

Conversation

@yuwenma (Contributor) commented Nov 2, 2021

@k8s-ci-robot k8s-ci-robot added cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. labels Nov 2, 2021
@k8s-ci-robot k8s-ci-robot added the area/bash Bash scripts, testing them, writing less of them, code in infra/gcp/ label Nov 2, 2021
@k8s-ci-robot k8s-ci-robot added area/infra Infrastructure management, infrastructure design, code in infra/ sig/k8s-infra Categorizes an issue or PR as relevant to SIG K8s Infra. labels Nov 2, 2021
@yuwenma yuwenma force-pushed the kustomize-cve-scanning branch from 7c86ed1 to 0f4564d Compare November 2, 2021 19:27
@natasha41575 (Contributor):

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Nov 2, 2021
@natasha41575 natasha41575 removed their assignment Nov 2, 2021
@spiffxp (Member) left a comment

This won't do what you expect, because the service isn't enabled. We explicitly disabled vulnerability scanning across the board a while back (ref: #1963)

See staging_special_case_services__k8s_staging_sig_storage for an example of enabling services specifically for a single project.

We disable anything that's not explicitly specified, so if ondemandscanning.googleapis.com implicitly enables/requires other services, those will need to be enabled too.

Who are the results of these scans visible to?

Review comment on infra/gcp/bash/ensure-staging-storage.sh (resolved)
@k8s-ci-robot k8s-ci-robot removed the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Nov 2, 2021
@yuwenma (Contributor, Author) commented Nov 2, 2021

> This won't do what you expect, because the service isn't enabled. We explicitly disabled vulnerability scanning across the board a while back (ref: #1963)
>
> See staging_special_case_services__k8s_staging_sig_storage for an example of enabling services specifically for a single project.
>
> We disable anything that's not explicitly specified, so if ondemandscanning.googleapis.com implicitly enables/requires other services, those will need to be enabled too.
>
> Who are the results of these scans visible to?

Right, we need to enable the API (I noted that in the original PR), which I don't have permission to do. This PR is step 2, which enables the SA who runs the scanning check.

Understood the vulnerability scanning is no longer free. IIUC, the SA ([email protected]) I enabled is specifically for kustomize. Do we have any concerns to support paid vulnerability checks for kustomize?

"Who are the results of these scans visible to?" Good question, we are preparing LTS kustomize versions for Cloud Deploy. If we can add CVE check, Cloud Deploy would have visibility and then it can show that to its customers. If paid vulnerability check is not supported, we'll then have to find other approaches.

@natasha41575 (Contributor) commented Nov 2, 2021

> See staging_special_case_services__k8s_staging_sig_storage for an example of enabling services specifically for a single project.

IIUC we can create a function staging_special_case_services__k8s_staging_kustomize to enable the API ondemandscanning.googleapis.com. Is that correct?

@yuwenma yuwenma requested a review from spiffxp November 2, 2021 21:19
@spiffxp (Member) commented Nov 2, 2021

Yeah do that and we'll enable the api for this project via that. We'll keep an eye on cost, I suspect this will be low traffic enough to not matter
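
The reconciliation spiffxp describes above (every service not explicitly listed is planned for disabling, and a per-project hook named like staging_special_case_services__k8s_staging_kustomize adds to the allowlist), as an added shell example that is not the k8s.io script's own code. The baseline service list and the hook's signature are assumptions, and the currently enabled services are passed in as a list rather than read from gcloud.

```shell
#!/usr/bin/env bash
# Added example, not code from kubernetes/k8s.io: reconcile a staging project's
# enabled GCP services against an explicit allowlist, so that anything not listed
# is planned for disabling and per-project special cases are added on top.
set -eu

# Baseline services for every staging project (constructed list for this example).
STAGING_BASE_SERVICES="cloudkms.googleapis.com containerregistry.googleapis.com
logging.googleapis.com pubsub.googleapis.com secretmanager.googleapis.com
storage-api.googleapis.com storage-component.googleapis.com"

# Per-project special case, using the naming scheme proposed in the thread.
# The real script's hook signature is not shown on the page; this is an assumption.
staging_special_case_services__k8s_staging_kustomize() {
    echo "ondemandscanning.googleapis.com"
}

# expected_services PROJECT -> the allowlist for PROJECT: baseline plus special case
expected_services() {
    local project="$1" hook
    hook="staging_special_case_services__$(printf '%s' "$project" | tr '-' '_')"
    printf '%s\n' $STAGING_BASE_SERVICES
    if command -v "$hook" >/dev/null 2>&1; then "$hook"; fi
}

# list_minus A B -> items of whitespace-separated list A that are absent from B
list_minus() {
    local a="$1" b="$2" item
    for item in $a; do
        case " $(echo $b) " in
            *" $item "*) ;;
            *) printf '%s\n' "$item" ;;
        esac
    done
}

# print_list NAME ITEMS -> "NAME: []" when empty, otherwise a YAML-style list
print_list() {
    local name="$1" items="$2"
    if [ -z "$items" ]; then echo "${name}: []"; else
        echo "${name}:"; printf '  - %s\n' $items
    fi
}

# plan_services PROJECT ENABLED -> the enable/disable plan for PROJECT, given the
# services currently enabled (in the real script this would be read from gcloud)
plan_services() {
    local want have
    want="$(expected_services "$1")"; have="$2"
    print_list to_enable "$(list_minus "$want" "$have")"
    print_list to_disable "$(list_minus "$have" "$want")"
}
```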

@yuwenma (Contributor, Author) commented Nov 3, 2021

Oh I see what you mean. Thanks @spiffxp and @natasha41575. PTAL.

@yuwenma yuwenma force-pushed the kustomize-cve-scanning branch from 6d1282c to 1c70b36 Compare November 3, 2021 01:17
@yuwenma yuwenma force-pushed the kustomize-cve-scanning branch from 1c70b36 to 16a4130 Compare November 3, 2021 01:18
@spiffxp (Member) left a comment

/approve
/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Nov 3, 2021
@k8s-ci-robot (Contributor):

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: spiffxp, yuwenma

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Nov 3, 2021
@k8s-ci-robot k8s-ci-robot merged commit 77ebe4f into kubernetes:main Nov 3, 2021
@k8s-ci-robot k8s-ci-robot added this to the v1.23 milestone Nov 3, 2021
@spiffxp (Member) commented Nov 3, 2021

$ ./ensure-staging-storage.sh kustomize
Ensuring staging projects...
Configuring staging project: k8s-staging-kustomize
  Ensuring project exists: k8s-staging-kustomize
  Ensuring [email protected] are project viewers
  Ensuring necessary enabled services staging project: k8s-staging-kustomize
  plan to enable/disable the following services
  to_enable:
    - ondemandscanning.googleapis.com
  to_disable: []
  Operation "operations/acf.p2-660796270509-62506e3b-deb5-4f37-92fc-9f50e45e2568" finished successfully.
  @@ -13,6 +13,7 @@ enabled:
     - cloudkms.googleapis.com
     - containerregistry.googleapis.com
     - logging.googleapis.com
  +  - ondemandscanning.googleapis.com
     - pubsub.googleapis.com
     - secretmanager.googleapis.com
     - storage-api.googleapis.com
  @@ -27,6 +28,5 @@ expected:
     - secretmanager.googleapis.com
     - storage-api.googleapis.com
     - storage-component.googleapis.com
  -to_enable:
  -  - ondemandscanning.googleapis.com
  +to_enable: []
   to_disable: []
  Ensuring disabled services for staging project: k8s-staging-kustomize
  Ensuring containeranalysis service agent binding removed for staging project: k8s-staging-kustomize
  Ensuring serviceAccount:k8s-infra-gcr-vuln-scanning@k8s-artifacts-prod.iam.gserviceaccount.com can view vulnernability scanning results for project: k8s-staging-kustomize
  Ensuring staging GCR repo: gcr.io/k8s-staging-kustomize
    Ensuring a GCR repo exists for project: k8s-staging-kustomize
    Ensuring [email protected] can write to GCR for project: k8s-staging-kustomize
    Ensuring GCR admins can admin GCR for project: k8s-staging-kustomize
    Ensuring GCS access logs enabled for GCR bucket in project: k8s-staging-kustomize
    Enabling logging on gs://artifacts.k8s-staging-kustomize.appspot.com/...
  Ensuring staging GCS bucket: gs://k8s-staging-kustomize
    Ensuring gs://k8s-staging-kustomize exists and is world readable in project: k8s-staging-kustomize
    Ensuring gs://k8s-staging-kustomize has auto-deletion of 60 days
    Ensuring GCS admins can admin gs://k8s-staging-kustomize in project: k8s-staging-kustomize
    Ensuring [email protected] can write to gs://k8s-staging-kustomize in project: k8s-staging-kustomize
    Ensuring GCS access logs enabled for gs://k8s-staging-kustomize in project: k8s-staging-kustomize
    Enabling logging on gs://k8s-staging-kustomize/...
  Ensuring staging GCB
    Ensuring staging bucket: gs://k8s-staging-kustomize-gcb
      Ensuring gs://k8s-staging-kustomize-gcb exists and is world readable in project: k8s-staging-kustomize
      Ensuring gs://k8s-staging-kustomize-gcb has auto-deletion of 60 days
      Ensuring GCS admins can admin gs://k8s-staging-kustomize-gcb in project: k8s-staging-kustomize
      Ensuring [email protected] can write to gs://k8s-staging-kustomize-gcb in project: k8s-staging-kustomize
    Ensuring [email protected] can use GCB in project: k8s-staging-kustomize
    Ensuring [email protected] can use GCB in project: k8s-staging-kustomize
  Ensuring special case configuration for k8s-staging-kustomize
  Updated IAM policy for project [k8s-staging-kustomize].
  @@ -14,6 +14,8 @@
     role: roles/cloudbuild.builds.builder
   - member: serviceAccount:[email protected]
     role: roles/cloudkms.cryptoKeyDecrypter
  +- member: serviceAccount:[email protected]
  +  role: roles/ondemandscanning.admin
   - member: serviceAccount:[email protected]
     role: roles/secretmanager.secretAccessor
   - member: serviceAccount:[email protected]
Configuring special cases for Release Managers
  Empowering [email protected] as project viewers in k8s-staging-experimental
  Empowering [email protected] as project viewers in k8s-staging-kubernetes
  Empowering kubernetes-release-test GCB service account to admin GCR
  Empowering [email protected] as project viewers in k8s-staging-releng
Done

@yuwenma (Contributor, Author) commented Nov 3, 2021

Thank you @spiffxp Aaron!
