Merge pull request #2322 from cncf-ci/autoaudit-prow

k8s-ci-robot · web-flow · commit 7f29b8ea62ea · 2021-07-15T18:26:09.000-07:00
audit: update as of 2021-07-16
diff --git a/audit/projects/k8s-artifacts-prod/services/logging/logs.json b/audit/projects/k8s-artifacts-prod/services/logging/logs.json
@@ -1,7 +1,5 @@
 [
   "projects/k8s-artifacts-prod/logs/cip-audit-log",
-  "projects/k8s-artifacts-prod/logs/cloudaudit.googleapis.com%2Factivity",
-  "projects/k8s-artifacts-prod/logs/cloudaudit.googleapis.com%2Fsystem_event",
   "projects/k8s-artifacts-prod/logs/requests",
   "projects/k8s-artifacts-prod/logs/run.googleapis.com%2Frequests",
   "projects/k8s-artifacts-prod/logs/run.googleapis.com%2Fstderr"
diff --git a/audit/projects/k8s-cip-test-prod/services/logging/logs.json b/audit/projects/k8s-cip-test-prod/services/logging/logs.json
@@ -1,4 +1 @@
-[
-  "projects/k8s-cip-test-prod/logs/cloudaudit.googleapis.com%2Factivity",
-  "projects/k8s-cip-test-prod/logs/cloudaudit.googleapis.com%2Fsystem_event"
-]
+[]
diff --git a/audit/projects/k8s-release/buckets/k8s-release-dev-asia/iam.json b/audit/projects/k8s-release/buckets/k8s-release-dev-asia/iam.json
@@ -3,6 +3,7 @@
     {
       "members": [
         "group:k8s-infra-artifact-admins@kubernetes.io",
+        "group:k8s-infra-prow-oncall@kubernetes.io",
         "projectEditor:k8s-release",
         "projectOwner:k8s-release"
       ],
@@ -18,15 +19,18 @@
       "members": [
         "group:k8s-infra-release-admins@kubernetes.io",
         "group:k8s-infra-release-editors@kubernetes.io",
+        "serviceAccount:pr-kubekins@kubernetes-jenkins-pull.iam.gserviceaccount.com",
         "serviceAccount:prow-build@k8s-infra-prow-build.iam.gserviceaccount.com"
       ],
       "role": "roles/storage.legacyBucketWriter"
     },
     {
       "members": [
         "group:k8s-infra-artifact-admins@kubernetes.io",
+        "group:k8s-infra-prow-oncall@kubernetes.io",
         "group:k8s-infra-release-admins@kubernetes.io",
         "group:k8s-infra-release-editors@kubernetes.io",
+        "serviceAccount:pr-kubekins@kubernetes-jenkins-pull.iam.gserviceaccount.com",
         "serviceAccount:prow-build@k8s-infra-prow-build.iam.gserviceaccount.com"
       ],
       "role": "roles/storage.objectAdmin"
diff --git a/audit/projects/k8s-release/buckets/k8s-release-dev-asia/lifecycle.json b/audit/projects/k8s-release/buckets/k8s-release-dev-asia/lifecycle.json
@@ -0,0 +1 @@
+{"rule": [{"action": {"type": "Delete"}, "condition": {"age": 90}}]}
diff --git a/audit/projects/k8s-release/buckets/k8s-release-dev-asia/logging.json b/audit/projects/k8s-release/buckets/k8s-release-dev-asia/logging.json
@@ -0,0 +1 @@
+{"logBucket": "k8s-infra-artifacts-gcslogs", "logObjectPrefix": "k8s-release-dev-asia"}
diff --git a/audit/projects/k8s-release/buckets/k8s-release-dev-asia/metadata.txt b/audit/projects/k8s-release/buckets/k8s-release-dev-asia/metadata.txt
@@ -3,16 +3,16 @@ gs://k8s-release-dev-asia/ :
 	Location type:			multi-region
 	Location constraint:		US
 	Versioning enabled:		None
-	Logging configuration:		None
+	Logging configuration:		Present
 	Website configuration:		None
 	CORS configuration: 		None
-	Lifecycle configuration:	None
+	Lifecycle configuration:	Present
 	Requester Pays enabled:		None
 	Labels:				None
 	Default KMS key:		None
 	Time created:			Mon, 31 Aug 2020 23:11:19 GMT
-	Time updated:			Mon, 31 Aug 2020 23:11:44 GMT
-	Metageneration:			11
+	Time updated:			Thu, 15 Jul 2021 22:40:22 GMT
+	Metageneration:			18
 	Bucket Policy Only enabled:	True
 	ACL:				[]
 	Default ACL:			[]
diff --git a/audit/projects/k8s-release/buckets/k8s-release-dev-eu/iam.json b/audit/projects/k8s-release/buckets/k8s-release-dev-eu/iam.json
@@ -3,6 +3,7 @@
     {
       "members": [
         "group:k8s-infra-artifact-admins@kubernetes.io",
+        "group:k8s-infra-prow-oncall@kubernetes.io",
         "projectEditor:k8s-release",
         "projectOwner:k8s-release"
       ],
@@ -18,15 +19,18 @@
       "members": [
         "group:k8s-infra-release-admins@kubernetes.io",
         "group:k8s-infra-release-editors@kubernetes.io",
+        "serviceAccount:pr-kubekins@kubernetes-jenkins-pull.iam.gserviceaccount.com",
         "serviceAccount:prow-build@k8s-infra-prow-build.iam.gserviceaccount.com"
       ],
       "role": "roles/storage.legacyBucketWriter"
     },
     {
       "members": [
         "group:k8s-infra-artifact-admins@kubernetes.io",
+        "group:k8s-infra-prow-oncall@kubernetes.io",
         "group:k8s-infra-release-admins@kubernetes.io",
         "group:k8s-infra-release-editors@kubernetes.io",
+        "serviceAccount:pr-kubekins@kubernetes-jenkins-pull.iam.gserviceaccount.com",
         "serviceAccount:prow-build@k8s-infra-prow-build.iam.gserviceaccount.com"
       ],
       "role": "roles/storage.objectAdmin"
diff --git a/audit/projects/k8s-release/buckets/k8s-release-dev-eu/lifecycle.json b/audit/projects/k8s-release/buckets/k8s-release-dev-eu/lifecycle.json
@@ -0,0 +1 @@
+{"rule": [{"action": {"type": "Delete"}, "condition": {"age": 90}}]}
diff --git a/audit/projects/k8s-release/buckets/k8s-release-dev-eu/logging.json b/audit/projects/k8s-release/buckets/k8s-release-dev-eu/logging.json
@@ -0,0 +1 @@
+{"logBucket": "k8s-infra-artifacts-gcslogs", "logObjectPrefix": "k8s-release-dev-eu"}
diff --git a/audit/projects/k8s-release/buckets/k8s-release-dev-eu/metadata.txt b/audit/projects/k8s-release/buckets/k8s-release-dev-eu/metadata.txt
@@ -3,16 +3,16 @@ gs://k8s-release-dev-eu/ :
 	Location type:			multi-region
 	Location constraint:		US
 	Versioning enabled:		None
-	Logging configuration:		None
+	Logging configuration:		Present
 	Website configuration:		None
 	CORS configuration: 		None
-	Lifecycle configuration:	None
+	Lifecycle configuration:	Present
 	Requester Pays enabled:		None
 	Labels:				None
 	Default KMS key:		None
 	Time created:			Mon, 31 Aug 2020 23:11:48 GMT
-	Time updated:			Mon, 31 Aug 2020 23:12:12 GMT
-	Metageneration:			11
+	Time updated:			Thu, 15 Jul 2021 22:40:55 GMT
+	Metageneration:			18
 	Bucket Policy Only enabled:	True
 	ACL:				[]
 	Default ACL:			[]
diff --git a/audit/projects/k8s-release/buckets/k8s-release-dev/iam.json b/audit/projects/k8s-release/buckets/k8s-release-dev/iam.json
@@ -3,6 +3,7 @@
     {
       "members": [
         "group:k8s-infra-artifact-admins@kubernetes.io",
+        "group:k8s-infra-prow-oncall@kubernetes.io",
         "projectEditor:k8s-release",
         "projectOwner:k8s-release"
       ],
@@ -18,15 +19,18 @@
       "members": [
         "group:k8s-infra-release-admins@kubernetes.io",
         "group:k8s-infra-release-editors@kubernetes.io",
+        "serviceAccount:pr-kubekins@kubernetes-jenkins-pull.iam.gserviceaccount.com",
         "serviceAccount:prow-build@k8s-infra-prow-build.iam.gserviceaccount.com"
       ],
       "role": "roles/storage.legacyBucketWriter"
     },
     {
       "members": [
         "group:k8s-infra-artifact-admins@kubernetes.io",
+        "group:k8s-infra-prow-oncall@kubernetes.io",
         "group:k8s-infra-release-admins@kubernetes.io",
         "group:k8s-infra-release-editors@kubernetes.io",
+        "serviceAccount:pr-kubekins@kubernetes-jenkins-pull.iam.gserviceaccount.com",
         "serviceAccount:prow-build@k8s-infra-prow-build.iam.gserviceaccount.com"
       ],
       "role": "roles/storage.objectAdmin"
diff --git a/audit/projects/k8s-release/buckets/k8s-release-dev/logging.json b/audit/projects/k8s-release/buckets/k8s-release-dev/logging.json
@@ -0,0 +1 @@
+{"logBucket": "k8s-infra-artifacts-gcslogs", "logObjectPrefix": "k8s-release-dev"}
diff --git a/audit/projects/k8s-release/buckets/k8s-release-dev/metadata.txt b/audit/projects/k8s-release/buckets/k8s-release-dev/metadata.txt
@@ -3,16 +3,16 @@ gs://k8s-release-dev/ :
 	Location type:			multi-region
 	Location constraint:		US
 	Versioning enabled:		None
-	Logging configuration:		None
+	Logging configuration:		Present
 	Website configuration:		None
 	CORS configuration: 		None
 	Lifecycle configuration:	Present
 	Requester Pays enabled:		None
 	Labels:				None
 	Default KMS key:		None
 	Time created:			Tue, 04 Aug 2020 20:14:09 GMT
-	Time updated:			Mon, 31 Aug 2020 23:12:43 GMT
-	Metageneration:			14
+	Time updated:			Thu, 15 Jul 2021 22:39:48 GMT
+	Metageneration:			20
 	Bucket Policy Only enabled:	True
 	ACL:				[]
 	Default ACL:			[]
diff --git a/audit/projects/k8s-release/buckets/k8s-release-pull/iam.json b/audit/projects/k8s-release/buckets/k8s-release-pull/iam.json
@@ -3,6 +3,7 @@
     {
       "members": [
         "group:k8s-infra-artifact-admins@kubernetes.io",
+        "group:k8s-infra-prow-oncall@kubernetes.io",
         "projectEditor:k8s-release",
         "projectOwner:k8s-release"
       ],
@@ -19,15 +20,18 @@
       "members": [
         "group:k8s-infra-release-admins@kubernetes.io",
         "group:k8s-infra-release-editors@kubernetes.io",
+        "serviceAccount:pr-kubekins@kubernetes-jenkins-pull.iam.gserviceaccount.com",
         "serviceAccount:prow-build@k8s-infra-prow-build.iam.gserviceaccount.com"
       ],
       "role": "roles/storage.legacyBucketWriter"
     },
     {
       "members": [
         "group:k8s-infra-artifact-admins@kubernetes.io",
+        "group:k8s-infra-prow-oncall@kubernetes.io",
         "group:k8s-infra-release-admins@kubernetes.io",
         "group:k8s-infra-release-editors@kubernetes.io",
+        "serviceAccount:pr-kubekins@kubernetes-jenkins-pull.iam.gserviceaccount.com",
         "serviceAccount:project-304687256732@storage-transfer-service.iam.gserviceaccount.com",
         "serviceAccount:prow-build@k8s-infra-prow-build.iam.gserviceaccount.com"
       ],
diff --git a/audit/projects/k8s-release/buckets/k8s-release-pull/logging.json b/audit/projects/k8s-release/buckets/k8s-release-pull/logging.json
@@ -0,0 +1 @@
+{"logBucket": "k8s-infra-artifacts-gcslogs", "logObjectPrefix": "k8s-release-pull"}
diff --git a/audit/projects/k8s-release/buckets/k8s-release-pull/metadata.txt b/audit/projects/k8s-release/buckets/k8s-release-pull/metadata.txt
@@ -3,16 +3,16 @@ gs://k8s-release-pull/ :
 	Location type:			multi-region
 	Location constraint:		US
 	Versioning enabled:		None
-	Logging configuration:		None
+	Logging configuration:		Present
 	Website configuration:		None
 	CORS configuration: 		None
 	Lifecycle configuration:	Present
 	Requester Pays enabled:		None
 	Labels:				None
 	Default KMS key:		None
 	Time created:			Tue, 04 Aug 2020 20:14:16 GMT
-	Time updated:			Fri, 08 Jan 2021 21:10:11 GMT
-	Metageneration:			15
+	Time updated:			Thu, 15 Jul 2021 22:41:28 GMT
+	Metageneration:			21
 	Bucket Policy Only enabled:	True
 	ACL:				[]
 	Default ACL:			[]
diff --git a/audit/projects/k8s-release/buckets/k8s-release/metadata.txt b/audit/projects/k8s-release/buckets/k8s-release/metadata.txt
@@ -11,8 +11,8 @@ gs://k8s-release/ :
 	Labels:				None
 	Default KMS key:		None
 	Time created:			Fri, 07 Aug 2020 20:50:17 GMT
-	Time updated:			Fri, 07 Aug 2020 20:50:37 GMT
-	Metageneration:			9
+	Time updated:			Thu, 15 Jul 2021 23:25:55 GMT
+	Metageneration:			12
 	Bucket Policy Only enabled:	True
 	ACL:				[]
 	Default ACL:			[]
diff --git a/audit/projects/k8s-release/iam.json b/audit/projects/k8s-release/iam.json
@@ -38,6 +38,12 @@
       ],
       "role": "roles/containeranalysis.ServiceAgent"
     },
+    {
+      "members": [
+        "serviceAccount:service-304687256732@containerregistry.iam.gserviceaccount.com"
+      ],
+      "role": "roles/containerregistry.ServiceAgent"
+    },
     {
       "members": [
         "serviceAccount:service-304687256732@gcp-sa-containerscanning.iam.gserviceaccount.com"
diff --git a/audit/projects/k8s-release/services/enabled.txt b/audit/projects/k8s-release/services/enabled.txt
@@ -3,7 +3,6 @@ cloudbuild.googleapis.com         Cloud Build API
 cloudkms.googleapis.com           Cloud Key Management Service (KMS) API
 containeranalysis.googleapis.com  Container Analysis API
 containerregistry.googleapis.com  Container Registry API
-containerscanning.googleapis.com  Container Scanning API
 logging.googleapis.com            Cloud Logging API
 monitoring.googleapis.com         Cloud Monitoring API
 pubsub.googleapis.com             Cloud Pub/Sub API
diff --git a/audit/projects/k8s-release/services/logging/logs.json b/audit/projects/k8s-release/services/logging/logs.json
@@ -1 +1,4 @@
-[]
+[
+  "projects/k8s-release/logs/cloudaudit.googleapis.com%2Factivity",
+  "projects/k8s-release/logs/cloudaudit.googleapis.com%2Fsystem_event"
+]
diff --git a/audit/projects/k8s-staging-cluster-api-gcp/services/logging/logs.json b/audit/projects/k8s-staging-cluster-api-gcp/services/logging/logs.json
@@ -1,7 +1,6 @@
 [
   "projects/k8s-staging-cluster-api-gcp/logs/cloudaudit.googleapis.com%2Factivity",
   "projects/k8s-staging-cluster-api-gcp/logs/cloudaudit.googleapis.com%2Fdata_access",
-  "projects/k8s-staging-cluster-api-gcp/logs/cloudaudit.googleapis.com%2Fsystem_event",
   "projects/k8s-staging-cluster-api-gcp/logs/cloudbuild",
   "projects/k8s-staging-cluster-api-gcp/logs/compute.googleapis.com%2Fshielded_vm_integrity"
 ]
diff --git a/audit/projects/kubernetes-public/iam.json b/audit/projects/kubernetes-public/iam.json
@@ -123,7 +123,7 @@
     },
     {
       "members": [
-        "serviceAccount:service-127754664067@serverless-robot-prod.iam.gserviceaccount.com"
+        "deleted:serviceAccount:service-127754664067@serverless-robot-prod.iam.gserviceaccount.com?uid=118182660088477675409"
       ],
       "role": "roles/run.serviceAgent"
     },
diff --git a/audit/projects/kubernetes-public/services/container/clusters/aaa.json b/audit/projects/kubernetes-public/services/container/clusters/aaa.json
@@ -37,7 +37,7 @@
   "clusterIpv4Cidr": "10.40.0.0/14",
   "createTime": "2019-09-18T23:39:24+00:00",
   "currentMasterVersion": "1.19.9-gke.1900",
-  "currentNodeVersion": "1.18.17-gke.1901 *",
+  "currentNodeVersion": "1.19.9-gke.1900",
   "databaseEncryption": {
     "state": "DECRYPTED"
   },
@@ -168,7 +168,7 @@
       "upgradeSettings": {
         "maxSurge": 1
       },
-      "version": "1.18.17-gke.1901"
+      "version": "1.19.9-gke.1900"
     },
     {
       "autoscaling": {
@@ -219,7 +219,7 @@
       "upgradeSettings": {
         "maxSurge": 1
       },
-      "version": "1.18.17-gke.1901"
+      "version": "1.19.9-gke.1900"
     }
   ],
   "releaseChannel": {

Original file line number	Diff line number	Diff line change
`@@ -1,7 +1,5 @@`
`1`	`1`	`[`
`2`	`2`	`"projects/k8s-artifacts-prod/logs/cip-audit-log",`
`3`		`- "projects/k8s-artifacts-prod/logs/cloudaudit.googleapis.com%2Factivity",`
`4`		`- "projects/k8s-artifacts-prod/logs/cloudaudit.googleapis.com%2Fsystem_event",`
`5`	`3`	`"projects/k8s-artifacts-prod/logs/requests",`
`6`	`4`	`"projects/k8s-artifacts-prod/logs/run.googleapis.com%2Frequests",`
`7`	`5`	`"projects/k8s-artifacts-prod/logs/run.googleapis.com%2Fstderr"`
-Original file line number
+Diff line change
@@ @@ -1,4 +1 @@ @@
 -[
 -  "projects/k8s-cip-test-prod/logs/cloudaudit.googleapis.com%2Factivity",
 -  "projects/k8s-cip-test-prod/logs/cloudaudit.googleapis.com%2Fsystem_event"
 -]
 +[]
-Original file line number
+Diff line change
+    {
       "members": [
         "group:[email protected]",
 +        "group:[email protected]",
         "projectEditor:k8s-release",
         "projectOwner:k8s-release"
       ],
       "members": [
         "group:[email protected]",
         "group:[email protected]",
 +        "serviceAccount:[email protected]",
         "serviceAccount:[email protected]"
       ],
       "role": "roles/storage.legacyBucketWriter"
     },
+    {
       "members": [
         "group:[email protected]",
 +        "group:[email protected]",
         "group:[email protected]",
         "group:[email protected]",
 +        "serviceAccount:[email protected]",
         "serviceAccount:[email protected]"
       ],
       "role": "roles/storage.objectAdmin"
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+{"rule": [{"action": {"type": "Delete"}, "condition": {"age": 90}}]}`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+{"logBucket": "k8s-infra-artifacts-gcslogs", "logObjectPrefix": "k8s-release-dev-asia"}`
Original file line number	Diff line number	Diff line change
`@@ -1,7 +1,6 @@`
`1`	`1`	`[`
`2`	`2`	`"projects/k8s-staging-cluster-api-gcp/logs/cloudaudit.googleapis.com%2Factivity",`
`3`	`3`	`"projects/k8s-staging-cluster-api-gcp/logs/cloudaudit.googleapis.com%2Fdata_access",`
`4`		`- "projects/k8s-staging-cluster-api-gcp/logs/cloudaudit.googleapis.com%2Fsystem_event",`
`5`	`4`	`"projects/k8s-staging-cluster-api-gcp/logs/cloudbuild",`
`6`	`5`	`"projects/k8s-staging-cluster-api-gcp/logs/compute.googleapis.com%2Fshielded_vm_integrity"`
`7`	`6`	`]`
Original file line number	Diff line number	Diff line change
`@@ -123,7 +123,7 @@`
`123`	`123`	`},`
`124`	`124`	`{`
`125`	`125`	`"members": [`
`126`		`- "serviceAccount:service-127754664067@serverless-robot-prod.iam.gserviceaccount.com"`
	`126`	`+ "deleted:serviceAccount:service-127754664067@serverless-robot-prod.iam.gserviceaccount.com?uid=118182660088477675409"`
`127`	`127`	`],`
`128`	`128`	`"role": "roles/run.serviceAgent"`
`129`	`129`	`},`