audit: update as of 2021-07-14

cncf-ci · cncf-ci · commit be946403fd1b · 2021-07-14T02:37:22.000Z
diff --git a/audit/projects/k8s-artifacts-prod/services/logging/logs.json b/audit/projects/k8s-artifacts-prod/services/logging/logs.json
@@ -1,7 +1,5 @@
 [
   "projects/k8s-artifacts-prod/logs/cip-audit-log",
-  "projects/k8s-artifacts-prod/logs/cloudaudit.googleapis.com%2Factivity",
-  "projects/k8s-artifacts-prod/logs/cloudaudit.googleapis.com%2Fsystem_event",
   "projects/k8s-artifacts-prod/logs/requests",
   "projects/k8s-artifacts-prod/logs/run.googleapis.com%2Frequests",
   "projects/k8s-artifacts-prod/logs/run.googleapis.com%2Fstderr"
diff --git a/audit/projects/k8s-cip-test-prod/services/logging/logs.json b/audit/projects/k8s-cip-test-prod/services/logging/logs.json
@@ -1,4 +1,3 @@
 [
-  "projects/k8s-cip-test-prod/logs/cloudaudit.googleapis.com%2Factivity",
   "projects/k8s-cip-test-prod/logs/cloudaudit.googleapis.com%2Fsystem_event"
 ]
diff --git a/audit/projects/k8s-release/buckets/k8s-release-dev-asia/iam.json b/audit/projects/k8s-release/buckets/k8s-release-dev-asia/iam.json
@@ -3,6 +3,7 @@
     {
       "members": [
         "group:k8s-infra-artifact-admins@kubernetes.io",
+        "group:k8s-infra-prow-oncall@kubernetes.io",
         "projectEditor:k8s-release",
         "projectOwner:k8s-release"
       ],
@@ -18,15 +19,18 @@
       "members": [
         "group:k8s-infra-release-admins@kubernetes.io",
         "group:k8s-infra-release-editors@kubernetes.io",
+        "serviceAccount:pr-kubekins@kubernetes-jenkins-pull.iam.gserviceaccount.com",
         "serviceAccount:prow-build@k8s-infra-prow-build.iam.gserviceaccount.com"
       ],
       "role": "roles/storage.legacyBucketWriter"
     },
     {
       "members": [
         "group:k8s-infra-artifact-admins@kubernetes.io",
+        "group:k8s-infra-prow-oncall@kubernetes.io",
         "group:k8s-infra-release-admins@kubernetes.io",
         "group:k8s-infra-release-editors@kubernetes.io",
+        "serviceAccount:pr-kubekins@kubernetes-jenkins-pull.iam.gserviceaccount.com",
         "serviceAccount:prow-build@k8s-infra-prow-build.iam.gserviceaccount.com"
       ],
       "role": "roles/storage.objectAdmin"
diff --git a/audit/projects/k8s-release/buckets/k8s-release-dev-asia/lifecycle.json b/audit/projects/k8s-release/buckets/k8s-release-dev-asia/lifecycle.json
@@ -0,0 +1 @@
+{"rule": [{"action": {"type": "Delete"}, "condition": {"age": 90}}]}
diff --git a/audit/projects/k8s-release/buckets/k8s-release-dev-asia/logging.json b/audit/projects/k8s-release/buckets/k8s-release-dev-asia/logging.json
@@ -0,0 +1 @@
+{"logBucket": "k8s-infra-artifacts-gcslogs", "logObjectPrefix": "k8s-release-dev-asia"}
diff --git a/audit/projects/k8s-release/buckets/k8s-release-dev-asia/metadata.txt b/audit/projects/k8s-release/buckets/k8s-release-dev-asia/metadata.txt
@@ -3,16 +3,16 @@ gs://k8s-release-dev-asia/ :
 	Location type:			multi-region
 	Location constraint:		US
 	Versioning enabled:		None
-	Logging configuration:		None
+	Logging configuration:		Present
 	Website configuration:		None
 	CORS configuration: 		None
-	Lifecycle configuration:	None
+	Lifecycle configuration:	Present
 	Requester Pays enabled:		None
 	Labels:				None
 	Default KMS key:		None
 	Time created:			Mon, 31 Aug 2020 23:11:19 GMT
-	Time updated:			Mon, 31 Aug 2020 23:11:44 GMT
-	Metageneration:			11
+	Time updated:			Tue, 13 Jul 2021 23:19:28 GMT
+	Metageneration:			17
 	Bucket Policy Only enabled:	True
 	ACL:				[]
 	Default ACL:			[]
diff --git a/audit/projects/k8s-release/buckets/k8s-release-dev-eu/iam.json b/audit/projects/k8s-release/buckets/k8s-release-dev-eu/iam.json
@@ -3,6 +3,7 @@
     {
       "members": [
         "group:k8s-infra-artifact-admins@kubernetes.io",
+        "group:k8s-infra-prow-oncall@kubernetes.io",
         "projectEditor:k8s-release",
         "projectOwner:k8s-release"
       ],
@@ -18,15 +19,18 @@
       "members": [
         "group:k8s-infra-release-admins@kubernetes.io",
         "group:k8s-infra-release-editors@kubernetes.io",
+        "serviceAccount:pr-kubekins@kubernetes-jenkins-pull.iam.gserviceaccount.com",
         "serviceAccount:prow-build@k8s-infra-prow-build.iam.gserviceaccount.com"
       ],
       "role": "roles/storage.legacyBucketWriter"
     },
     {
       "members": [
         "group:k8s-infra-artifact-admins@kubernetes.io",
+        "group:k8s-infra-prow-oncall@kubernetes.io",
         "group:k8s-infra-release-admins@kubernetes.io",
         "group:k8s-infra-release-editors@kubernetes.io",
+        "serviceAccount:pr-kubekins@kubernetes-jenkins-pull.iam.gserviceaccount.com",
         "serviceAccount:prow-build@k8s-infra-prow-build.iam.gserviceaccount.com"
       ],
       "role": "roles/storage.objectAdmin"
diff --git a/audit/projects/k8s-release/buckets/k8s-release-dev-eu/lifecycle.json b/audit/projects/k8s-release/buckets/k8s-release-dev-eu/lifecycle.json
@@ -0,0 +1 @@
+{"rule": [{"action": {"type": "Delete"}, "condition": {"age": 90}}]}
diff --git a/audit/projects/k8s-release/buckets/k8s-release-dev-eu/logging.json b/audit/projects/k8s-release/buckets/k8s-release-dev-eu/logging.json
@@ -0,0 +1 @@
+{"logBucket": "k8s-infra-artifacts-gcslogs", "logObjectPrefix": "k8s-release-dev-eu"}
diff --git a/audit/projects/k8s-release/buckets/k8s-release-dev-eu/metadata.txt b/audit/projects/k8s-release/buckets/k8s-release-dev-eu/metadata.txt
@@ -3,16 +3,16 @@ gs://k8s-release-dev-eu/ :
 	Location type:			multi-region
 	Location constraint:		US
 	Versioning enabled:		None
-	Logging configuration:		None
+	Logging configuration:		Present
 	Website configuration:		None
 	CORS configuration: 		None
-	Lifecycle configuration:	None
+	Lifecycle configuration:	Present
 	Requester Pays enabled:		None
 	Labels:				None
 	Default KMS key:		None
 	Time created:			Mon, 31 Aug 2020 23:11:48 GMT
-	Time updated:			Mon, 31 Aug 2020 23:12:12 GMT
-	Metageneration:			11
+	Time updated:			Tue, 13 Jul 2021 23:20:14 GMT
+	Metageneration:			17
 	Bucket Policy Only enabled:	True
 	ACL:				[]
 	Default ACL:			[]
diff --git a/audit/projects/k8s-release/buckets/k8s-release-dev/iam.json b/audit/projects/k8s-release/buckets/k8s-release-dev/iam.json
@@ -3,6 +3,7 @@
     {
       "members": [
         "group:k8s-infra-artifact-admins@kubernetes.io",
+        "group:k8s-infra-prow-oncall@kubernetes.io",
         "projectEditor:k8s-release",
         "projectOwner:k8s-release"
       ],
@@ -18,15 +19,18 @@
       "members": [
         "group:k8s-infra-release-admins@kubernetes.io",
         "group:k8s-infra-release-editors@kubernetes.io",
+        "serviceAccount:pr-kubekins@kubernetes-jenkins-pull.iam.gserviceaccount.com",
         "serviceAccount:prow-build@k8s-infra-prow-build.iam.gserviceaccount.com"
       ],
       "role": "roles/storage.legacyBucketWriter"
     },
     {
       "members": [
         "group:k8s-infra-artifact-admins@kubernetes.io",
+        "group:k8s-infra-prow-oncall@kubernetes.io",
         "group:k8s-infra-release-admins@kubernetes.io",
         "group:k8s-infra-release-editors@kubernetes.io",
+        "serviceAccount:pr-kubekins@kubernetes-jenkins-pull.iam.gserviceaccount.com",
         "serviceAccount:prow-build@k8s-infra-prow-build.iam.gserviceaccount.com"
       ],
       "role": "roles/storage.objectAdmin"
diff --git a/audit/projects/k8s-release/buckets/k8s-release-dev/logging.json b/audit/projects/k8s-release/buckets/k8s-release-dev/logging.json
@@ -0,0 +1 @@
+{"logBucket": "k8s-infra-artifacts-gcslogs", "logObjectPrefix": "k8s-release-dev"}
diff --git a/audit/projects/k8s-release/buckets/k8s-release-dev/metadata.txt b/audit/projects/k8s-release/buckets/k8s-release-dev/metadata.txt
@@ -3,16 +3,16 @@ gs://k8s-release-dev/ :
 	Location type:			multi-region
 	Location constraint:		US
 	Versioning enabled:		None
-	Logging configuration:		None
+	Logging configuration:		Present
 	Website configuration:		None
 	CORS configuration: 		None
 	Lifecycle configuration:	Present
 	Requester Pays enabled:		None
 	Labels:				None
 	Default KMS key:		None
 	Time created:			Tue, 04 Aug 2020 20:14:09 GMT
-	Time updated:			Mon, 31 Aug 2020 23:12:43 GMT
-	Metageneration:			14
+	Time updated:			Tue, 13 Jul 2021 23:18:45 GMT
+	Metageneration:			19
 	Bucket Policy Only enabled:	True
 	ACL:				[]
 	Default ACL:			[]
diff --git a/audit/projects/k8s-release/buckets/k8s-release-pull/iam.json b/audit/projects/k8s-release/buckets/k8s-release-pull/iam.json
@@ -3,6 +3,7 @@
     {
       "members": [
         "group:k8s-infra-artifact-admins@kubernetes.io",
+        "group:k8s-infra-prow-oncall@kubernetes.io",
         "projectEditor:k8s-release",
         "projectOwner:k8s-release"
       ],
@@ -19,15 +20,18 @@
       "members": [
         "group:k8s-infra-release-admins@kubernetes.io",
         "group:k8s-infra-release-editors@kubernetes.io",
+        "serviceAccount:pr-kubekins@kubernetes-jenkins-pull.iam.gserviceaccount.com",
         "serviceAccount:prow-build@k8s-infra-prow-build.iam.gserviceaccount.com"
       ],
       "role": "roles/storage.legacyBucketWriter"
     },
     {
       "members": [
         "group:k8s-infra-artifact-admins@kubernetes.io",
+        "group:k8s-infra-prow-oncall@kubernetes.io",
         "group:k8s-infra-release-admins@kubernetes.io",
         "group:k8s-infra-release-editors@kubernetes.io",
+        "serviceAccount:pr-kubekins@kubernetes-jenkins-pull.iam.gserviceaccount.com",
         "serviceAccount:project-304687256732@storage-transfer-service.iam.gserviceaccount.com",
         "serviceAccount:prow-build@k8s-infra-prow-build.iam.gserviceaccount.com"
       ],
diff --git a/audit/projects/k8s-release/buckets/k8s-release-pull/logging.json b/audit/projects/k8s-release/buckets/k8s-release-pull/logging.json
@@ -0,0 +1 @@
+{"logBucket": "k8s-infra-artifacts-gcslogs", "logObjectPrefix": "k8s-release-pull"}
diff --git a/audit/projects/k8s-release/buckets/k8s-release-pull/metadata.txt b/audit/projects/k8s-release/buckets/k8s-release-pull/metadata.txt
@@ -3,16 +3,16 @@ gs://k8s-release-pull/ :
 	Location type:			multi-region
 	Location constraint:		US
 	Versioning enabled:		None
-	Logging configuration:		None
+	Logging configuration:		Present
 	Website configuration:		None
 	CORS configuration: 		None
 	Lifecycle configuration:	Present
 	Requester Pays enabled:		None
 	Labels:				None
 	Default KMS key:		None
 	Time created:			Tue, 04 Aug 2020 20:14:16 GMT
-	Time updated:			Fri, 08 Jan 2021 21:10:11 GMT
-	Metageneration:			15
+	Time updated:			Tue, 13 Jul 2021 23:20:59 GMT
+	Metageneration:			20
 	Bucket Policy Only enabled:	True
 	ACL:				[]
 	Default ACL:			[]
diff --git a/audit/projects/k8s-release/buckets/k8s-release/iam.json b/audit/projects/k8s-release/buckets/k8s-release/iam.json
@@ -10,7 +10,8 @@
     },
     {
       "members": [
-        "projectViewer:k8s-release"
+        "projectViewer:k8s-release",
+        "serviceAccount:project-304687256732@storage-transfer-service.iam.gserviceaccount.com"
       ],
       "role": "roles/storage.legacyBucketReader"
     },
@@ -25,7 +26,8 @@
       "members": [
         "group:k8s-infra-artifact-admins@kubernetes.io",
         "group:k8s-infra-release-admins@kubernetes.io",
-        "group:k8s-infra-release-editors@kubernetes.io"
+        "group:k8s-infra-release-editors@kubernetes.io",
+        "serviceAccount:project-304687256732@storage-transfer-service.iam.gserviceaccount.com"
       ],
       "role": "roles/storage.objectAdmin"
     },
diff --git a/audit/projects/k8s-release/buckets/k8s-release/metadata.txt b/audit/projects/k8s-release/buckets/k8s-release/metadata.txt
@@ -11,8 +11,8 @@ gs://k8s-release/ :
 	Labels:				None
 	Default KMS key:		None
 	Time created:			Fri, 07 Aug 2020 20:50:17 GMT
-	Time updated:			Fri, 07 Aug 2020 20:50:37 GMT
-	Metageneration:			9
+	Time updated:			Fri, 09 Jul 2021 20:06:14 GMT
+	Metageneration:			10
 	Bucket Policy Only enabled:	True
 	ACL:				[]
 	Default ACL:			[]
diff --git a/audit/projects/k8s-release/iam.json b/audit/projects/k8s-release/iam.json
@@ -50,6 +50,12 @@
       ],
       "role": "roles/editor"
     },
+    {
+      "members": [
+        "serviceAccount:cloud-ingest-dcp@cloud-ingest-prod.iam.gserviceaccount.com"
+      ],
+      "role": "roles/pubsub.editor"
+    },
     {
       "members": [
         "group:k8s-infra-release-admins@kubernetes.io",
diff --git a/audit/projects/k8s-release/services/logging/logs.json b/audit/projects/k8s-release/services/logging/logs.json
@@ -1 +1,3 @@
-[]
+[
+  "projects/k8s-release/logs/cloudaudit.googleapis.com%2Factivity"
+]
diff --git a/audit/projects/k8s-releng-prod/buckets/artifacts.k8s-releng-prod.appspot.com/iam.json b/audit/projects/k8s-releng-prod/buckets/artifacts.k8s-releng-prod.appspot.com/iam.json
@@ -0,0 +1,39 @@
+{
+  "bindings": [
+    {
+      "members": [
+        "group:k8s-infra-artifact-admins@kubernetes.io",
+        "projectEditor:k8s-releng-prod",
+        "projectOwner:k8s-releng-prod"
+      ],
+      "role": "roles/storage.legacyBucketOwner"
+    },
+    {
+      "members": [
+        "projectViewer:k8s-releng-prod"
+      ],
+      "role": "roles/storage.legacyBucketReader"
+    },
+    {
+      "members": [
+        "group:k8s-infra-release-admins@kubernetes.io",
+        "group:k8s-infra-release-editors@kubernetes.io"
+      ],
+      "role": "roles/storage.legacyBucketWriter"
+    },
+    {
+      "members": [
+        "group:k8s-infra-artifact-admins@kubernetes.io",
+        "group:k8s-infra-release-admins@kubernetes.io",
+        "group:k8s-infra-release-editors@kubernetes.io"
+      ],
+      "role": "roles/storage.objectAdmin"
+    },
+    {
+      "members": [
+        "allUsers"
+      ],
+      "role": "roles/storage.objectViewer"
+    }
+  ]
+}
diff --git a/audit/projects/k8s-releng-prod/buckets/artifacts.k8s-releng-prod.appspot.com/metadata.txt b/audit/projects/k8s-releng-prod/buckets/artifacts.k8s-releng-prod.appspot.com/metadata.txt
@@ -0,0 +1,18 @@
+gs://artifacts.k8s-releng-prod.appspot.com/ :
+	Storage class:			STANDARD
+	Location type:			multi-region
+	Location constraint:		US
+	Versioning enabled:		None
+	Logging configuration:		None
+	Website configuration:		None
+	CORS configuration: 		None
+	Lifecycle configuration:	None
+	Requester Pays enabled:		None
+	Labels:				None
+	Default KMS key:		None
+	Time created:			Tue, 13 Jul 2021 23:05:15 GMT
+	Time updated:			Tue, 13 Jul 2021 23:05:58 GMT
+	Metageneration:			9
+	Bucket Policy Only enabled:	True
+	ACL:				[]
+	Default ACL:			[]
diff --git a/audit/projects/k8s-releng-prod/buckets/k8s-releng-prod-gcb/iam.json b/audit/projects/k8s-releng-prod/buckets/k8s-releng-prod-gcb/iam.json
@@ -0,0 +1,46 @@
+{
+  "bindings": [
+    {
+      "members": [
+        "group:k8s-infra-artifact-admins@kubernetes.io",
+        "projectEditor:k8s-releng-prod",
+        "projectOwner:k8s-releng-prod"
+      ],
+      "role": "roles/storage.legacyBucketOwner"
+    },
+    {
+      "members": [
+        "projectViewer:k8s-releng-prod"
+      ],
+      "role": "roles/storage.legacyBucketReader"
+    },
+    {
+      "members": [
+        "group:k8s-infra-release-admins@kubernetes.io",
+        "group:k8s-infra-release-editors@kubernetes.io"
+      ],
+      "role": "roles/storage.legacyBucketWriter"
+    },
+    {
+      "members": [
+        "group:k8s-infra-artifact-admins@kubernetes.io",
+        "group:k8s-infra-release-admins@kubernetes.io",
+        "group:k8s-infra-release-editors@kubernetes.io"
+      ],
+      "role": "roles/storage.objectAdmin"
+    },
+    {
+      "members": [
+        "serviceAccount:gcb-builder@k8s-infra-prow-build-trusted.iam.gserviceaccount.com"
+      ],
+      "role": "roles/storage.objectCreator"
+    },
+    {
+      "members": [
+        "allUsers",
+        "serviceAccount:gcb-builder@k8s-infra-prow-build-trusted.iam.gserviceaccount.com"
+      ],
+      "role": "roles/storage.objectViewer"
+    }
+  ]
+}
diff --git a/audit/projects/k8s-releng-prod/buckets/k8s-releng-prod-gcb/metadata.txt b/audit/projects/k8s-releng-prod/buckets/k8s-releng-prod-gcb/metadata.txt
@@ -0,0 +1,18 @@
+gs://k8s-releng-prod-gcb/ :
+	Storage class:			STANDARD
+	Location type:			multi-region
+	Location constraint:		US
+	Versioning enabled:		None
+	Logging configuration:		None
+	Website configuration:		None
+	CORS configuration: 		None
+	Lifecycle configuration:	None
+	Requester Pays enabled:		None
+	Labels:				None
+	Default KMS key:		None
+	Time created:			Tue, 13 Jul 2021 23:06:37 GMT
+	Time updated:			Tue, 13 Jul 2021 23:07:33 GMT
+	Metageneration:			11
+	Bucket Policy Only enabled:	True
+	ACL:				[]
+	Default ACL:			[]
diff --git a/audit/projects/k8s-releng-prod/buckets/k8s-releng-prod/iam.json b/audit/projects/k8s-releng-prod/buckets/k8s-releng-prod/iam.json
diff --git a/audit/projects/k8s-releng-prod/buckets/k8s-releng-prod/metadata.txt b/audit/projects/k8s-releng-prod/buckets/k8s-releng-prod/metadata.txt
diff --git a/audit/projects/k8s-releng-prod/iam.json b/audit/projects/k8s-releng-prod/iam.json
diff --git a/audit/projects/k8s-releng-prod/services/enabled.txt b/audit/projects/k8s-releng-prod/services/enabled.txt
diff --git a/audit/projects/k8s-releng-prod/services/logging/logs.json b/audit/projects/k8s-releng-prod/services/logging/logs.json
diff --git a/audit/projects/k8s-releng-prod/services/logging/sinks.json b/audit/projects/k8s-releng-prod/services/logging/sinks.json
diff --git a/audit/projects/k8s-staging-cluster-api-gcp/services/logging/logs.json b/audit/projects/k8s-staging-cluster-api-gcp/services/logging/logs.json
diff --git a/audit/projects/kubernetes-public/iam.json b/audit/projects/kubernetes-public/iam.json
diff --git a/audit/projects/kubernetes-public/services/container/clusters/aaa.json b/audit/projects/kubernetes-public/services/container/clusters/aaa.json

Original file line number	Diff line number	Diff line change
`@@ -1,7 +1,5 @@`
`1`	`1`	`[`
`2`	`2`	`"projects/k8s-artifacts-prod/logs/cip-audit-log",`
`3`		`- "projects/k8s-artifacts-prod/logs/cloudaudit.googleapis.com%2Factivity",`
`4`		`- "projects/k8s-artifacts-prod/logs/cloudaudit.googleapis.com%2Fsystem_event",`
`5`	`3`	`"projects/k8s-artifacts-prod/logs/requests",`
`6`	`4`	`"projects/k8s-artifacts-prod/logs/run.googleapis.com%2Frequests",`
`7`	`5`	`"projects/k8s-artifacts-prod/logs/run.googleapis.com%2Fstderr"`
Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,3 @@`
`1`	`1`	`[`
`2`		`- "projects/k8s-cip-test-prod/logs/cloudaudit.googleapis.com%2Factivity",`
`3`	`2`	`"projects/k8s-cip-test-prod/logs/cloudaudit.googleapis.com%2Fsystem_event"`
`4`	`3`	`]`
-Original file line number
+Diff line change
+    {
       "members": [
         "group:[email protected]",
 +        "group:[email protected]",
         "projectEditor:k8s-release",
         "projectOwner:k8s-release"
       ],
       "members": [
         "group:[email protected]",
         "group:[email protected]",
 +        "serviceAccount:[email protected]",
         "serviceAccount:[email protected]"
       ],
       "role": "roles/storage.legacyBucketWriter"
     },
+    {
       "members": [
         "group:[email protected]",
 +        "group:[email protected]",
         "group:[email protected]",
         "group:[email protected]",
 +        "serviceAccount:[email protected]",
         "serviceAccount:[email protected]"
       ],
       "role": "roles/storage.objectAdmin"
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+{"rule": [{"action": {"type": "Delete"}, "condition": {"age": 90}}]}`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+{"logBucket": "k8s-infra-artifacts-gcslogs", "logObjectPrefix": "k8s-release-dev-asia"}`