audit: update as of 2021-06-30 #2234
Conversation
k8s-ci-robot
added
the
cncf-cla: yes
|
Hi @cncf-ci. Thanks for your PR. I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
k8s-ci-robot
added
needs-ok-to-test
k8s-ci-robot
added
the
size/L
k8s-ci-robot
added
size/M
cncf-ci
changed the title
audit/projects/k8s-infra-prow-build/buckets/k8s-infra-scalability-tests-logs/iam.json
Outdated
Show resolved
Hide resolved
k8s-ci-robot
added
ok-to-test
k8s-ci-robot
added
size/L
cncf-ci
force-pushed
the
autoaudit-prow
branch
2 times, most recently
from
0ce1c43 to
24a490e
Compare
| { | ||
| "createTime": "2021-06-17T15:23:05.481298Z", | ||
| "etag": "\"15c4f7c8a08052\"", | ||
| "name": "projects/180382678033/secrets/snyk-token/versions/11", | ||
| "replicationStatus": { | ||
| "automatic": {} | ||
| }, | ||
| "state": "ENABLED" | ||
| }, | ||
| { | ||
| "createTime": "2021-06-17T12:44:28.595177Z", | ||
| "etag": "\"15c4f5916057e9\"", | ||
| "name": "projects/180382678033/secrets/snyk-token/versions/10", | ||
| "replicationStatus": { | ||
| "automatic": {} | ||
| }, | ||
| "state": "ENABLED" | ||
| }, | ||
| { | ||
| "createTime": "2021-06-17T05:47:19.716124Z", | ||
| "etag": "\"15c4efbd89f51c\"", | ||
| "name": "projects/180382678033/secrets/snyk-token/versions/9", | ||
| "replicationStatus": { | ||
| "automatic": {} | ||
| }, | ||
| "state": "ENABLED" | ||
| }, |
There was a problem hiding this comment.
@spiffxp is it a good thing to have so many versions for the same secret ? IMHO, we should disable the unused versions.
cncf-ci
changed the title
cncf-ci
force-pushed
the
autoaudit-prow
branch
4 times, most recently
from
43c3617 to
5c753be
Compare
cncf-ci
changed the title
cncf-ci
force-pushed
the
autoaudit-prow
branch
6 times, most recently
from
3249969 to
fded903
Compare
cncf-ci
changed the title
cncf-ci
force-pushed
the
autoaudit-prow
branch
3 times, most recently
from
d4057dd to
ade371b
Compare
| @@ -0,0 +1,18 @@ | |||
| gs://k8s-infra-scalability-tests-logs/ : | |||
| @@ -0,0 +1,36 @@ | |||
| { | |||
| @@ -17,6 +17,7 @@ logging.googleapis.com Cloud Logging API | |||
| monitoring.googleapis.com Cloud Monitoring API | |||
| oslogin.googleapis.com Cloud OS Login API | |||
| pubsub.googleapis.com Cloud Pub/Sub API | |||
| secretmanager.googleapis.com Secret Manager API | |||
There was a problem hiding this comment.
Yeah I think it'd be good to try to get in the habit of using the terraform at https://github.com/kubernetes/k8s.io/tree/main/infra/gcp/clusters/projects/k8s-infra-ii-sandbox to update and manage your project
I opened #2279 as a followup issue for this
That said, I also don't see any secrets being used in this project? It might also be a good idea to disable services you're not using
| { | ||
| "key": "enable-oslogin", | ||
| "value": "TRUE" | ||
| }, |
There was a problem hiding this comment.
This is required by the canary prowjobs for sig-scalability. This ensure the SA [email protected] can login in the instances created in the project. I need to add a ensure_project_oslogin bash function.
cncf-ci
changed the title
cncf-ci
force-pushed
the
autoaudit-prow
branch
3 times, most recently
from
238ecbd to
f1b9398
Compare
cncf-ci
changed the title
| "bindings": [ | ||
| { | ||
| "members": [ | ||
| "projectEditor:k8s-infra-e2e-boskos-scale-02", |
There was a problem hiding this comment.
The artifacts.k8s-infra-e2e-boskos-scale-xx.appspot.com noise is from CI jobs auto-creating GCR buckets on first use. We could eliminate this by pre-creating these buckets: #1999
| { | ||
| "key": "enable-oslogin", | ||
| "value": "TRUE" | ||
| }, |
| { | ||
| "members": [ | ||
| "serviceAccount:[email protected]" | ||
| ], | ||
| "role": "roles/storage.legacyBucketWriter" | ||
| }, |
There was a problem hiding this comment.
manual changes in ii's sandbox project, ignoring
| "projects/k8s-staging-boskos/logs/cloudaudit.googleapis.com%2Factivity", | ||
| "projects/k8s-staging-boskos/logs/cloudbuild" | ||
| "projects/k8s-staging-boskos/logs/cloudaudit.googleapis.com%2Factivity" |
There was a problem hiding this comment.
Noise in logging export: #2111
This is an example of cloudbuild logs aging out
| @@ -17,6 +17,7 @@ logging.googleapis.com Cloud Logging API | |||
| monitoring.googleapis.com Cloud Monitoring API | |||
| oslogin.googleapis.com Cloud OS Login API | |||
| pubsub.googleapis.com Cloud Pub/Sub API | |||
| secretmanager.googleapis.com Secret Manager API | |||
There was a problem hiding this comment.
Yeah I think it'd be good to try to get in the habit of using the terraform at https://github.com/kubernetes/k8s.io/tree/main/infra/gcp/clusters/projects/k8s-infra-ii-sandbox to update and manage your project
I opened #2279 as a followup issue for this
That said, I also don't see any secrets being used in this project? It might also be a good idea to disable services you're not using
| "currentMasterVersion": "1.19.9-gke.1400", | ||
| "currentNodeVersion": "1.19.9-gke.1400", | ||
| "currentMasterVersion": "1.19.9-gke.1900", | ||
| "currentNodeVersion": "1.19.9-gke.1900", |
There was a problem hiding this comment.
Noise from cluster auto-upgrades, but I feel like this is useful confirmation that they're actually happening
| { | ||
| "bindings": [ | ||
| { | ||
| "members": [ | ||
| "group:[email protected]", | ||
| "projectEditor:k8s-staging-prometheus-adapter", | ||
| "projectOwner:k8s-staging-prometheus-adapter" | ||
| ], | ||
| "role": "roles/storage.legacyBucketOwner" | ||
| }, |
There was a problem hiding this comment.
Expected, all of the k8s-staging-prometheus-adapter files are from #2274
| "imageType": "COS", | ||
| "imageType": "COS_CONTAINERD", |
There was a problem hiding this comment.
Expected, deploy of #2252
(same for the node pools below)
k8s-ci-robot
added
the
lgtm
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: cncf-ci, spiffxp The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
Audit Updates wg-k8s-infra