Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

audit: update as of 2021-03-03 #1748

Merged
merged 1 commit into from
Mar 3, 2021
Merged

audit: update as of 2021-03-03 #1748

merged 1 commit into from
Mar 3, 2021

Conversation

cncf-ci
Copy link
Contributor

@cncf-ci cncf-ci commented Mar 3, 2021

Audit Updates wg-k8s-infra

@k8s-ci-robot k8s-ci-robot added cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Mar 3, 2021
@k8s-ci-robot
Copy link
Contributor

Hi @cncf-ci. Thanks for your PR.

I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot k8s-ci-robot added area/audit Audit of project resources, audit followup issues, code in audit/ wg/k8s-infra size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. labels Mar 3, 2021
@spiffxp
Copy link
Member

spiffxp commented Mar 3, 2021

/ok-to-test

@k8s-ci-robot k8s-ci-robot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Mar 3, 2021
@spiffxp
Copy link
Member

spiffxp commented Mar 3, 2021

/assign @thockin
to post-merge review if/when you have time

This was referenced Mar 3, 2021
Closed
Closed
spiffxp
spiffxp approved these changes Mar 3, 2021
View reviewed changes
Copy link
Member

@spiffxp spiffxp left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/approve
/lgtm
/meow
I am so psyched this is finally working. I'm sure I'll feel differently after being spammed with PRs but for now ahhh. Much more digestible.

audit/org_kubernetes.io/iam.json
Comment on lines +11 to +12
"user:[email protected]",
"user:[email protected]"
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This was #1726 (as well as all other changes in this file unless I comment otherwise)

specifically the part where I was paranoid about accidentally locking out k8s-infra-gcp-org-admins@ when I consolidate their roles into a single custom role

these will be removed by deployment of #1737

audit/org_kubernetes.io/iam.json
"user:[email protected]",
"user:[email protected]",
"user:[email protected]",
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this was not me

I would suggest LF use our groups, but we're also in here as backup "just in case" so I don't really mind

audit/org_kubernetes.io/roles/CustomRole.json
@@ -1,5 +1,5 @@
{
"description": "Can view billing info",
"description": "View access to billing info",
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

role changes are also #1726 unless commented others

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

oops I changed the description of this a bit, should be fine?

I still don't understand the exact nature of why this role has the permissions it does, I've commented as much in its spec https://github.com/kubernetes/k8s.io/blob/986809ca3832cc0432732b7f183f6354f608287e/infra/gcp/roles/specs/CustomRole.yaml

audit/org_kubernetes.io/roles/StorageBucketLister.json
"includedPermissions": [
"storage.buckets.get"
],
"name": "organizations/758905017065/roles/StorageBucketLister",
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Also #1726

Fun fact: org-level custom roles can be undeleted within 7 days, and then take 30 days to fully disappear... this means a role id can't be deleted/reused for 37 days after deletion if not caught within the 7 day window.

ref: https://cloud.google.com/iam/docs/creating-custom-roles#deleting-custom-role

I'm adding a comment as such in #1737

audit/org_kubernetes.io/roles/prow.viewer.json
],
"name": "organizations/758905017065/roles/prow.viewer",
"stage": "ALPHA",
"stage": "GA",
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't know if we care to use ALPHA/BETA for our roles; I could see tagging something as such during experimentation, but it's also not clear to me what value that provides if we're in control of updating these

audit/projects/k8s-infra-e2e-boskos-007/services/compute/project-info.json
@@ -3,7 +3,7 @@
"items": [
{
"key": "ssh-keys",
"value": "prow:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCmYxHh/wwcV0P1aChuFLpl28w6DFyc7G5Xrw1F8wH1Re9AdxyemM2bTZ/PhsP3u9VDnNbyOw3UN00VFdumkFLjLf1WQ7Q6rZDlPjlw7urBIvAMqUecY6ae1znqsZ0dMBxOuPXHznlnjLjM5b7O7q5WsQMCA9Szbmz6DsuSyCuX0It2osBTN+8P/Fa6BNh3W8AF60M7L8/aUzLfbXVS2LIQKAHHD8CWqvXhLPuTJ03iSwFvgtAK1/J2XJwUP+OzAFrxj6A9LW5ZZgk3R3kRKr0xT/L7hga41rB1qy8Uz+Xr/PTVMNGW+nmU4bPgFchCK0JBK7B12ZcdVVFUEdpaAiKZ prow\nprow:prow:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCmYxHh/wwcV0P1aChuFLpl28w6DFyc7G5Xrw1F8wH1Re9AdxyemM2bTZ/PhsP3u9VDnNbyOw3UN00VFdumkFLjLf1WQ7Q6rZDlPjlw7urBIvAMqUecY6ae1znqsZ0dMBxOuPXHznlnjLjM5b7O7q5WsQMCA9Szbmz6DsuSyCuX0It2osBTN+8P/Fa6BNh3W8AF60M7L8/aUzLfbXVS2LIQKAHHD8CWqvXhLPuTJ03iSwFvgtAK1/J2XJwUP+OzAFrxj6A9LW5ZZgk3R3kRKr0xT/L7hga41rB1qy8Uz+Xr/PTVMNGW+nmU4bPgFchCK0JBK7B12ZcdVVFUEdpaAiKZ prow\nkubetest2:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCi8pdFRA1dF1WRO5KP+Ol673+KbCLbUQt2J8gj7fwTn+R+XSS3sdpKezuNqTE2xQx9l0ZlMavRknPMvxyPyodN/sSMt/dIXubphc8zQM5DGCl4p4NBY6WoGYG6VZBRnBOn2kvAeI5Fa01QdaOtSdVlgr5QucIgC7VqAC+CI//8MTsQZDkodwyOUQ9Hs4pwKvBTzxLF0Xg5YW0bu+K3zctolYpcjo9yhIVxEPSBDqoDF+Y67R6KF0m22901Pn9j621OtfjyWKdqcnQqI8lT58jGlLBXx2/fVHghTHItlcZcWta+cdX8YN3rhlBR5FYfmB+4M1FGYI3ts6ljX4hu4d/3 root@8f3ea473-de81-11ea-a57e-2eecf92acd21\nkubetest2:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCccAt9XikqIdshF4ClrNrAY21uTtzx5fQYSzNRxs8e0vybIt/BYXCWYhN2SjXV1fsb2j/I56gtoD+DwLEbI/VQz5sUgHkU0cdfbdn89FGztgnA3dlHMQ8wvJv+kYs+1QaucDC92QCTd1FS6tBBMCqtF+zL3S1LFWJPk3pfilXAtGGnm980c71OD/PdLvb35rrTXBN3OaGC/Skh+D+C3GZ6toO2368MKZZ3uE2m8EQWTo/6X5rACFzxVNL0eg7lXK+fbLO5BA6kK1my0MdBrX4XNN9Flmy0SwgTGCozpVUh28JkszrpmKX3+envg4c7njZAm5+J1LaGj43ew3EJ+SML root@f22966a2-e2b0-11ea-a87b-7e1d84ccc038\nkubetest2:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCpFyij+t3a3k++yHKO+L9UEaHV4JnNBxLEj0jtTnMqTefRVXb6N1Ldg+PhQ0M0wgP+EqFn2fRAkylj+cgzQrm4Sf+ZP4xvaav2fIw5f2dRWxLwomqih0XnuC4t7Z/ST2augMb/dywxfFzmC/KYJhUXf/8bsWg7ggOBUcAhhEb6PuSUrg9/xdumdORM3BJnQU7F7j6IEt8elLXtLxR1M3wTwzsoM+iEu+NxWjtJM0AwTUIJpugJculhIPHNnzF3G0AO0N09fbY7qnNlPhDt9Lk32sBLuJqcHvS81Oyi3dUSspv1G4sQbSYMdyaQ165axjJv/DXd8Xtw7R1U1+mQf4Qx root@e218f5fd-e412-11ea-99eb-2ebeded86955\nkubetest2:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC3F0AmDXljKuEH+yLqUq01J6mD8Wi9+I8gr0C2r0lbsVE6SaXijmayErVpLn5UpHYWTvfZYUyaOYciPOMC7cWqGbyr8A7vk5saPdYROHvMkMSNy6NZqZ0iZJ3jez/Y1HYeXw2KzvXrLPR8n3kKpfIa27w2YfPFH6znmAuIcHhwuk0QXeWhDveAyoCh4AK5m9tmf/lUBS8f2kZz7z9BQOBaiZdh6u5qrn1dadIARvKL0TOb8v8sQLuBcaYBS+lY2BrWxdXoua1Fa2SWXTwBJbrHNPxJi7B8eQ0opwHgbUiq7fESboDVDgY8UHiuAeCSOzzDP8C6ML7mEVB+EMq/TV/h root@9cb038a7-e9c3-11ea-b653-e644ef4dd131\nkubetest2:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDQMt4+DdNHo3KsK+8guTrjczTM0yuK1sF7njFMTzyRVjN8sKEz1OPhZhYNRvO32N5Da8fmd5dBkok29ilujtIfLtz4Y8qJFvN8zCE03BcQZOj7LWBY4AuHfexghzgbQmuDvSuAk5yejhqagdnj88MI8vGOrOQG8x7mfttO4fm/Fnw3wS0r6YFzXa6xyWgrQL/wmOk+qSQBV36iT7Siw8ln1WPxCOK7gB5FBfXzC/qz3XSakb/7Gn9x3sWsMHuz1Hxhb9yzMXDjK8q7Vy5mQlJ6RlxkhQlxJSsFlLhym8EmbmsRj3qV3LlJv4tCiPiur0VgQ6biqdqYKBnA2Uuz463L root@430d0030-f25b-11ea-bd49-066a8cf01e04\nkubetest2:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDmzyHt6d7ee4q54HbseMupcqBv4lUFxX7Y9oV6XhCj48sIOdPYLgxgoY2Mdeai2aq2Xbh/9LBEgJOwZY5BKKP3s3wBcrm+1P6Ls8GMzcwxHkGhcbHN9KTsJHIL2TaZ5C3kzBVqXD7sB+SIBD0UAeyqWhZSaWG1bN/4J6cKyWXmL5nDGjt2m0p2Q7BHGRpEuiSHgyvotXHl9F7D7usoYhd7AOnC/Stv+h7ummir1sNADtgiyvc/ORX56eb6aD3quSeuv9tXMGodc8dCbl4EZPb9aI0zw25/8aFyr27B0H3hALeF3exlvoMUgcIvqVmU/qq/6pEgIlN09ISpEiHp/kfP root@47dee6a5-f884-11ea-926e-7e7ea190b727\nkubetest2:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDkVC7fqdse1eyjeO6xifN4dDoOBxk+NGU1gA+P4cgDJRS2fVe5UcVxLERANccsMu5cYbL0QGGbGL0Rz850CCUrnvUIH5D3/pUSCOBhRPKCq2+hetvx0H+LcwepxO4BgcSXMkuTWh85ZNogggo5da39GnJt1hTq4Wsu0cAzxuw+xK4m4WtvoVED6voEiL/u5UgUwsEjWBBnf8E/dxtLeEiwmSztn93nhTO0a1M0ZwjyD5kZYFEdi5S92s8ccwpTDnPpgjz5mt62t+ErpO015s7po20izz+iGF+gdGENlp2IYA3H8t3053j9Hq0FVoE/X6DEsYZqYcWq0igp1fX9wu5b root@8ae58b37-0805-11eb-b895-6272783fc925\nkubetest2:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDu4LKYShWO1WwVnIlvktdVqPjWRFZjIeMUOXEWC+Tm3LymtervzQ05wmF0xPibG7IzDy6rWFiqaCIJlOOzGX8nLaTNCqCudZdoz4Nl8m3lGkVvpO/f7WJ+KnHmijotFJyZLq8NBYkyVrwOO+UGT8IEMtk9EOquq6jIYCTNGcfNDY8XckAPHMGDE2rdU3sMApZdKmeuupMvOlV/ob2crmn450OLjlJmWGr119Hb9rgT1FJ+UhCLDfrU8Uvy1CAdaepSrQENcLxCld+Ua5Q2di5kiUn07P+R+4B53uPIU006GAn3m6ppswWtWBxfr9XfFhmbHFdQ3ZRIeFY1mt6rXfnv root@eb748862-1e3d-11eb-8d52-9233771f1447\nkubetest2:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDWaGOsvaIbKWkmq5b63h0J49kS6v64Y/O0ZKvBx7fl88mAxW0HN6OWisYqPYjESo5S7vCevQLhExNFhJdvCgcSuaNzwUlodYSjQa/ZXiirfWPckPPpY6116nCHGjnYX6eo3LBFPJbGzq0SLJNeoHbsaxYkgfyov8DhtbCI8zzWtcVK8ZOoODVphoSaj9ugA/FhjbkNflb9AHIZITcbh0UGFCEIDahMbFP1veYnsmD2WId+qd/CA0QKFSjRMnd/ar3eq9w6H2576Vts2T0UGRE9FU8m0UCLkIVP0P4/p8EStU+OagVTmGNelo/fWtY1pSC7a9N/3rrzDTsMADEJ4gir root@6575f33c-2083-11eb-95d4-12a87eb4bba5\nkubetest2:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCph+CbREr5oUuclVtHRJFqUfHM9lsigbhuvaxxFWSgW6KO1kPhMI7ixPR1wMvk+PqjE8o5DEc3zWdCeD8rAvKC5dZAw9SY8YmTgAT/OkbEoo2gI8gsBkDYhYtmHfC+gsr1C+QJyWMC+jPMc5i7LJ4f9iyrXyI/ethz7z2B+WINZv9eAdeti5HM6q9njVjQTLngW0foWhVFh06Fm06Pxf4ZSycgAaohlF9Rp4na1cdx7X6qP1zZV2Nx6T9r/TStKmg0ctfkODc86OOjsqHVjCS9pzTor+prcfQOZ126tbGvRdjAxG5iBqP8SHuoKswV4dMe8OoFPmICprc6GRuPD17z root@d2ac4ad1-2101-11eb-95d4-12a87eb4bba5\nkubetest2:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDXkIePcAQCdFJrphhXLedaqKnL05+eUvmiMfMAgBK9O5trcnh1z6B72iHTlB036hWONCZlJbgmDPDx55Vw8ud1AAD7Z0IJgf0jrRhY38vnZjtQC5FkYNmZPW2OatS8RFizFPUS25eMrSJ6vi4n9/nsDXSoizYcbjVoptAJvUV1UpVyqh75RA1VXhLA1/67v2YGr2b8RMPpRHjJMJNu9V0yLz0EcwD8wTvtL4WxunEUHOSCuia59BBbVj5awmPosEIcgoUJoi8gx6yqXKJ/8N20JFXPjn9P8T3/QmtUXFUFR1mg7ckO2vhryM6h+bDQiP78mZi9TfMTZmhlywAkI0/N root@edcec6fa-327c-11eb-84c2-b68ef41a6728\nkubetest2:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDbl7zdSyO5f2agCetunxenDhvO2DEMzol3P0wcboQcoc87GmFlJSyjJK+XipYhuPm1JzQNByMALUZh5hUI5TISHPvUu04vY1LQjGtx7uSjPfdS4CGdPFITslIA6NGZbJuVMU9LYOtjsz9n6w2FOAnVjP7Q2AkhYwaHErdHDbwA10rIumhn2KBdYNuuoVctpK/lcY0l6ZodeuYMan5vPWJ13gSRN2T9ccDD/Y7pHfkPXqUwBeqJv1cUpV/xZQC6NgzRI3s8sddRnIqRIZctsJqjh8FtmBN5Rn9pMGDsY+Cz6YBMAJLkeOqwb/vs84nTvrF0YMQAZ0e3U3aKMUAGdP5L root@5bc9c587-33ac-11eb-84c2-b68ef41a6728\nkubetest2:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDZECHSq/SgECh6Sn9hBDGZ2s1VaiI71uuGFPOC97tNwrvRZSWFr7u2zZ8DdLskhlHX7voR9Kxgc2SaY6g1gpVkZpeBT2rNnD1K6OP56hn/zP54sTZEuVh14ceuyOYKNuJdZwWr6gv51G9Vy88xXiSnnnwdFTBmXRFjj3wLejN2j5xAQPX/M+rU+br02YagAJs8a77GYCc8ISlp7RlMQgb2Gnw1+yQWwxPAbQZUdFDF7z5V5H2yf0h3NhZ23GavrkC1i1gmLZbZJaTvkyAKJH6S+IweaXorEj+fEq1MAhNGNLqxhs1gw+P4RYZAF3daZH1+RRSYkemYE7a5O6lj33Np root@16faa0aa-5850-11eb-88de-22d0764934dc\nkubetest2:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDjQdWZCa426XfJTqS6l+aCebHF7nzne5Q7pUuV+TbpvaK0DJr805UPosBhm/ra85iWecbALOfMpBcDfWQqvwB6qWq9wU6KIdtt3KJktzmjSYW7IEiODXFjJDgcEFS8uv2tlQRLtaBqDh7m7WBMcCA7wT3MgC+HEwewiYfKxYM8gq8hoXCVzmRacp2sKft0HCDiJekLX9YGp1ijGD3HvBH2p27cow4IAsxdKr2Mq92okdRzWTj1boRp4kgAImr3QO6YFu3c1BNJptuU4KnW73wMfm7kluJskVyh5FSQifnrU6gnphjsB5w11ylG9I2t7nSD6d+jrLgRKK7fmzJ8E3I3 root@3db5b1ef-6069-11eb-b996-722e0b015734"
"value": "prow:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCmYxHh/wwcV0P1aChuFLpl28w6DFyc7G5Xrw1F8wH1Re9AdxyemM2bTZ/PhsP3u9VDnNbyOw3UN00VFdumkFLjLf1WQ7Q6rZDlPjlw7urBIvAMqUecY6ae1znqsZ0dMBxOuPXHznlnjLjM5b7O7q5WsQMCA9Szbmz6DsuSyCuX0It2osBTN+8P/Fa6BNh3W8AF60M7L8/aUzLfbXVS2LIQKAHHD8CWqvXhLPuTJ03iSwFvgtAK1/J2XJwUP+OzAFrxj6A9LW5ZZgk3R3kRKr0xT/L7hga41rB1qy8Uz+Xr/PTVMNGW+nmU4bPgFchCK0JBK7B12ZcdVVFUEdpaAiKZ prow\nprow:prow:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCmYxHh/wwcV0P1aChuFLpl28w6DFyc7G5Xrw1F8wH1Re9AdxyemM2bTZ/PhsP3u9VDnNbyOw3UN00VFdumkFLjLf1WQ7Q6rZDlPjlw7urBIvAMqUecY6ae1znqsZ0dMBxOuPXHznlnjLjM5b7O7q5WsQMCA9Szbmz6DsuSyCuX0It2osBTN+8P/Fa6BNh3W8AF60M7L8/aUzLfbXVS2LIQKAHHD8CWqvXhLPuTJ03iSwFvgtAK1/J2XJwUP+OzAFrxj6A9LW5ZZgk3R3kRKr0xT/L7hga41rB1qy8Uz+Xr/PTVMNGW+nmU4bPgFchCK0JBK7B12ZcdVVFUEdpaAiKZ prow\nkubetest2:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCi8pdFRA1dF1WRO5KP+Ol673+KbCLbUQt2J8gj7fwTn+R+XSS3sdpKezuNqTE2xQx9l0ZlMavRknPMvxyPyodN/sSMt/dIXubphc8zQM5DGCl4p4NBY6WoGYG6VZBRnBOn2kvAeI5Fa01QdaOtSdVlgr5QucIgC7VqAC+CI//8MTsQZDkodwyOUQ9Hs4pwKvBTzxLF0Xg5YW0bu+K3zctolYpcjo9yhIVxEPSBDqoDF+Y67R6KF0m22901Pn9j621OtfjyWKdqcnQqI8lT58jGlLBXx2/fVHghTHItlcZcWta+cdX8YN3rhlBR5FYfmB+4M1FGYI3ts6ljX4hu4d/3 root@8f3ea473-de81-11ea-a57e-2eecf92acd21\nkubetest2:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCccAt9XikqIdshF4ClrNrAY21uTtzx5fQYSzNRxs8e0vybIt/BYXCWYhN2SjXV1fsb2j/I56gtoD+DwLEbI/VQz5sUgHkU0cdfbdn89FGztgnA3dlHMQ8wvJv+kYs+1QaucDC92QCTd1FS6tBBMCqtF+zL3S1LFWJPk3pfilXAtGGnm980c71OD/PdLvb35rrTXBN3OaGC/Skh+D+C3GZ6toO2368MKZZ3uE2m8EQWTo/6X5rACFzxVNL0eg7lXK+fbLO5BA6kK1my0MdBrX4XNN9Flmy0SwgTGCozpVUh28JkszrpmKX3+envg4c7njZAm5+J1LaGj43ew3EJ+SML root@f22966a2-e2b0-11ea-a87b-7e1d84ccc038\nkubetest2:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCpFyij+t3a3k++yHKO+L9UEaHV4JnNBxLEj0jtTnMqTefRVXb6N1Ldg+PhQ0M0wgP+EqFn2fRAkylj+cgzQrm4Sf+ZP4xvaav2fIw5f2dRWxLwomqih0XnuC4t7Z/ST2augMb/dywxfFzmC/KYJhUXf/8bsWg7ggOBUcAhhEb6PuSUrg9/xdumdORM3BJnQU7F7j6IEt8elLXtLxR1M3wTwzsoM+iEu+NxWjtJM0AwTUIJpugJculhIPHNnzF3G0AO0N09fbY7qnNlPhDt9Lk32sBLuJqcHvS81Oyi3dUSspv1G4sQbSYMdyaQ165axjJv/DXd8Xtw7R1U1+mQf4Qx root@e218f5fd-e412-11ea-99eb-2ebeded86955\nkubetest2:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC3F0AmDXljKuEH+yLqUq01J6mD8Wi9+I8gr0C2r0lbsVE6SaXijmayErVpLn5UpHYWTvfZYUyaOYciPOMC7cWqGbyr8A7vk5saPdYROHvMkMSNy6NZqZ0iZJ3jez/Y1HYeXw2KzvXrLPR8n3kKpfIa27w2YfPFH6znmAuIcHhwuk0QXeWhDveAyoCh4AK5m9tmf/lUBS8f2kZz7z9BQOBaiZdh6u5qrn1dadIARvKL0TOb8v8sQLuBcaYBS+lY2BrWxdXoua1Fa2SWXTwBJbrHNPxJi7B8eQ0opwHgbUiq7fESboDVDgY8UHiuAeCSOzzDP8C6ML7mEVB+EMq/TV/h root@9cb038a7-e9c3-11ea-b653-e644ef4dd131\nkubetest2:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDQMt4+DdNHo3KsK+8guTrjczTM0yuK1sF7njFMTzyRVjN8sKEz1OPhZhYNRvO32N5Da8fmd5dBkok29ilujtIfLtz4Y8qJFvN8zCE03BcQZOj7LWBY4AuHfexghzgbQmuDvSuAk5yejhqagdnj88MI8vGOrOQG8x7mfttO4fm/Fnw3wS0r6YFzXa6xyWgrQL/wmOk+qSQBV36iT7Siw8ln1WPxCOK7gB5FBfXzC/qz3XSakb/7Gn9x3sWsMHuz1Hxhb9yzMXDjK8q7Vy5mQlJ6RlxkhQlxJSsFlLhym8EmbmsRj3qV3LlJv4tCiPiur0VgQ6biqdqYKBnA2Uuz463L root@430d0030-f25b-11ea-bd49-066a8cf01e04\nkubetest2:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDmzyHt6d7ee4q54HbseMupcqBv4lUFxX7Y9oV6XhCj48sIOdPYLgxgoY2Mdeai2aq2Xbh/9LBEgJOwZY5BKKP3s3wBcrm+1P6Ls8GMzcwxHkGhcbHN9KTsJHIL2TaZ5C3kzBVqXD7sB+SIBD0UAeyqWhZSaWG1bN/4J6cKyWXmL5nDGjt2m0p2Q7BHGRpEuiSHgyvotXHl9F7D7usoYhd7AOnC/Stv+h7ummir1sNADtgiyvc/ORX56eb6aD3quSeuv9tXMGodc8dCbl4EZPb9aI0zw25/8aFyr27B0H3hALeF3exlvoMUgcIvqVmU/qq/6pEgIlN09ISpEiHp/kfP root@47dee6a5-f884-11ea-926e-7e7ea190b727\nkubetest2:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDkVC7fqdse1eyjeO6xifN4dDoOBxk+NGU1gA+P4cgDJRS2fVe5UcVxLERANccsMu5cYbL0QGGbGL0Rz850CCUrnvUIH5D3/pUSCOBhRPKCq2+hetvx0H+LcwepxO4BgcSXMkuTWh85ZNogggo5da39GnJt1hTq4Wsu0cAzxuw+xK4m4WtvoVED6voEiL/u5UgUwsEjWBBnf8E/dxtLeEiwmSztn93nhTO0a1M0ZwjyD5kZYFEdi5S92s8ccwpTDnPpgjz5mt62t+ErpO015s7po20izz+iGF+gdGENlp2IYA3H8t3053j9Hq0FVoE/X6DEsYZqYcWq0igp1fX9wu5b root@8ae58b37-0805-11eb-b895-6272783fc925\nkubetest2:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDu4LKYShWO1WwVnIlvktdVqPjWRFZjIeMUOXEWC+Tm3LymtervzQ05wmF0xPibG7IzDy6rWFiqaCIJlOOzGX8nLaTNCqCudZdoz4Nl8m3lGkVvpO/f7WJ+KnHmijotFJyZLq8NBYkyVrwOO+UGT8IEMtk9EOquq6jIYCTNGcfNDY8XckAPHMGDE2rdU3sMApZdKmeuupMvOlV/ob2crmn450OLjlJmWGr119Hb9rgT1FJ+UhCLDfrU8Uvy1CAdaepSrQENcLxCld+Ua5Q2di5kiUn07P+R+4B53uPIU006GAn3m6ppswWtWBxfr9XfFhmbHFdQ3ZRIeFY1mt6rXfnv root@eb748862-1e3d-11eb-8d52-9233771f1447\nkubetest2:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDWaGOsvaIbKWkmq5b63h0J49kS6v64Y/O0ZKvBx7fl88mAxW0HN6OWisYqPYjESo5S7vCevQLhExNFhJdvCgcSuaNzwUlodYSjQa/ZXiirfWPckPPpY6116nCHGjnYX6eo3LBFPJbGzq0SLJNeoHbsaxYkgfyov8DhtbCI8zzWtcVK8ZOoODVphoSaj9ugA/FhjbkNflb9AHIZITcbh0UGFCEIDahMbFP1veYnsmD2WId+qd/CA0QKFSjRMnd/ar3eq9w6H2576Vts2T0UGRE9FU8m0UCLkIVP0P4/p8EStU+OagVTmGNelo/fWtY1pSC7a9N/3rrzDTsMADEJ4gir root@6575f33c-2083-11eb-95d4-12a87eb4bba5\nkubetest2:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCph+CbREr5oUuclVtHRJFqUfHM9lsigbhuvaxxFWSgW6KO1kPhMI7ixPR1wMvk+PqjE8o5DEc3zWdCeD8rAvKC5dZAw9SY8YmTgAT/OkbEoo2gI8gsBkDYhYtmHfC+gsr1C+QJyWMC+jPMc5i7LJ4f9iyrXyI/ethz7z2B+WINZv9eAdeti5HM6q9njVjQTLngW0foWhVFh06Fm06Pxf4ZSycgAaohlF9Rp4na1cdx7X6qP1zZV2Nx6T9r/TStKmg0ctfkODc86OOjsqHVjCS9pzTor+prcfQOZ126tbGvRdjAxG5iBqP8SHuoKswV4dMe8OoFPmICprc6GRuPD17z root@d2ac4ad1-2101-11eb-95d4-12a87eb4bba5\nkubetest2:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDXkIePcAQCdFJrphhXLedaqKnL05+eUvmiMfMAgBK9O5trcnh1z6B72iHTlB036hWONCZlJbgmDPDx55Vw8ud1AAD7Z0IJgf0jrRhY38vnZjtQC5FkYNmZPW2OatS8RFizFPUS25eMrSJ6vi4n9/nsDXSoizYcbjVoptAJvUV1UpVyqh75RA1VXhLA1/67v2YGr2b8RMPpRHjJMJNu9V0yLz0EcwD8wTvtL4WxunEUHOSCuia59BBbVj5awmPosEIcgoUJoi8gx6yqXKJ/8N20JFXPjn9P8T3/QmtUXFUFR1mg7ckO2vhryM6h+bDQiP78mZi9TfMTZmhlywAkI0/N root@edcec6fa-327c-11eb-84c2-b68ef41a6728\nkubetest2:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDbl7zdSyO5f2agCetunxenDhvO2DEMzol3P0wcboQcoc87GmFlJSyjJK+XipYhuPm1JzQNByMALUZh5hUI5TISHPvUu04vY1LQjGtx7uSjPfdS4CGdPFITslIA6NGZbJuVMU9LYOtjsz9n6w2FOAnVjP7Q2AkhYwaHErdHDbwA10rIumhn2KBdYNuuoVctpK/lcY0l6ZodeuYMan5vPWJ13gSRN2T9ccDD/Y7pHfkPXqUwBeqJv1cUpV/xZQC6NgzRI3s8sddRnIqRIZctsJqjh8FtmBN5Rn9pMGDsY+Cz6YBMAJLkeOqwb/vs84nTvrF0YMQAZ0e3U3aKMUAGdP5L root@5bc9c587-33ac-11eb-84c2-b68ef41a6728\nkubetest2:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDZECHSq/SgECh6Sn9hBDGZ2s1VaiI71uuGFPOC97tNwrvRZSWFr7u2zZ8DdLskhlHX7voR9Kxgc2SaY6g1gpVkZpeBT2rNnD1K6OP56hn/zP54sTZEuVh14ceuyOYKNuJdZwWr6gv51G9Vy88xXiSnnnwdFTBmXRFjj3wLejN2j5xAQPX/M+rU+br02YagAJs8a77GYCc8ISlp7RlMQgb2Gnw1+yQWwxPAbQZUdFDF7z5V5H2yf0h3NhZ23GavrkC1i1gmLZbZJaTvkyAKJH6S+IweaXorEj+fEq1MAhNGNLqxhs1gw+P4RYZAF3daZH1+RRSYkemYE7a5O6lj33Np root@16faa0aa-5850-11eb-88de-22d0764934dc\nkubetest2:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDjQdWZCa426XfJTqS6l+aCebHF7nzne5Q7pUuV+TbpvaK0DJr805UPosBhm/ra85iWecbALOfMpBcDfWQqvwB6qWq9wU6KIdtt3KJktzmjSYW7IEiODXFjJDgcEFS8uv2tlQRLtaBqDh7m7WBMcCA7wT3MgC+HEwewiYfKxYM8gq8hoXCVzmRacp2sKft0HCDiJekLX9YGp1ijGD3HvBH2p27cow4IAsxdKr2Mq92okdRzWTj1boRp4kgAImr3QO6YFu3c1BNJptuU4KnW73wMfm7kluJskVyh5FSQifnrU6gnphjsB5w11ylG9I2t7nSD6d+jrLgRKK7fmzJ8E3I3 root@3db5b1ef-6069-11eb-b996-722e0b015734\nkubetest2:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDaHeWleRvK6GkiEbsQ210OP/kvj0cdOYowJRdE8DQTgQebo4aoyAP7P3lWtuuSemQp1Vk1RblQY0apVMrMi+oolmVpLAxLSmgFv/zxBRn06CjNa68mSLZMvrFoqZg11CK631zlkuxa6JERNQ5iMupUz6Svyxov2WJhZJDwooNkC7/xRxKIq9Re4CM0yp6PMxiA1JJhbPQoFkHgO6hTVdb9khwQMDLHTPipund5FuHrmw9e6reii4l6WqkLf7GRtSYgjg9joXs/xm5hI/KA5bED9BT9Cz9bQ/2HVW/llt1l5jCMZGQagCRA46CW5gHXvHV/QYS+7XqLNc2nHPHAxD3z root@24bdfd11-791a-11eb-a603-2218f636630c\nkubetest2:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCjfHfffBQZx/tQ+L6vNa64QrVBvYokupti4tofdLIw3MR6EF1axKewoK/aON/Mo33ROz1lzlB98Bq6Arhd5xx6P2qEzBqBEnHhw1Se3wdkvuqjZu5rGtI7W10ZlsVyEn/KFwxKKfHLTI4TqOYTzuf0fyoH6jzurQJe5SU6rlLJuTo4sK1Ob88Zj76zaRikNA5/tOxowrba/lj6+0BwTwdVaFMgsFwzoKDQzs9gmRWXQ04cLOSO+qYK5MhvFLaJC5n1e5phkQbV+zxYSPWUxE+tUE4ATXvE3ExLQub9AQnp85PywBgJXFQ31TAj44QcP7247t/jNe1HA72CbJnPGeQh root@6e6f003c-7933-11eb-a603-2218f636630c\nkubetest2:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCSWCvIWHvkh5GMr0WXpsPE728IIVLHoP7wcm6zM3UFffwXMx/mT3uhhMTG9w07QOpFj3SnMAkdXNcbuWsiE9EAzOF5iq2OQTWAFMxY4i+vWpIFrarUQrDrs3jZmS+LgeRq/ZvwnALODknaqo5bnv3sPfmIDmZE8i2NiNTawDAmH9Qn8Td3aKOc0rjWHDr4lKmPTYGnJ0catHkvqiDvh1eUWwd1xsEXZbt/UmJYWLXiixaXq2/WkJAnNV1FFmwXsb8V2HZA1oVxgfId7cQmzw90zT4s6Yq2HISdKndAJARhWAPqZA/hk1orbj6tqgUR+MSjsgUOTZnocd5xl5mGj2hB root@14350c7f-7c28-11eb-9b34-4e1d335ada19"
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Unless otherwise noted this is representative of k8s-infra-e2e* changes

This is kubetest2 noise. I don't know enough about this to know if it will grow unbounded, if google cloud will error on max entries, or if this is just fine and expected noise.

Similar to kube-up.sh autogenerated buckets we probably want a followup issue for how to handle these

audit/projects/k8s-infra-prow-build/services/container/clusters.txt
@@ -1 +1 @@
prow-build us-central1 us-central1-c;us-central1-f;us-central1-b 72 RUNNING
prow-build us-central1 us-central1-c;us-central1-f;us-central1-b RUNNING
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yay, no more node count (ref: #1744)

audit/projects/k8s-infra-prow-build/services/enabled.txt
secretmanager.googleapis.com Secret Manager API
serviceusage.googleapis.com Service Usage API
stackdriver.googleapis.com Stackdriver API
staging-container.sandbox.googleapis.com Kubernetes Engine API (Staging)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

uhhhh I'm not entirely sure where these came from, I am quite sure they should be banned

also, a nit I had in another audit review: this should be dumped in a format not susceptible to whitespace changes for easier diffing

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@ixdy any chance boskos enabled these somehow?

audit/projects/k8s-staging-e2e-test/description.json
{
"createTime": "2019-12-06T16:56:47.584Z",
"lifecycleState": "ACTIVE",
"name": "k8s-staging-e2e-test",
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Manual cleanup (not sure who did it)

The reason this existed before is ensure-staging-storage.sh not being strict enough.

If a human is going to run it piecemeal, the script needs to filter input against the source of (truth? intent?) for staging projects.

Otherwise, typos mean accidental project creation; I've done it myself a few times.

audit/projects/kubernetes-public/secrets/slack-moderator-words-config/versions.json
"replicationStatus": {
"automatic": {}
},
"state": "DESTROYED"
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This was me working with @jeefy to ensure he could write to this secret

This was to support deployment #1696

#1731 is the followup issue to cover:

  • put these secrets (not their versions) under management
  • document the process
  • (possibly another followup issue) audit/enforce that This Is How We Do Secrets so we don't have a bunch of random un-recoverable secrets in our k8s clusters

@k8s-ci-robot
Copy link
Contributor

@spiffxp: cat image

In response to this:

/approve
/lgtm
/meow
I am so psyched this is finally working. I'm sure I'll feel differently after being spammed with PRs but for now ahhh. Much more digestible.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Mar 3, 2021
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: cncf-ci, spiffxp

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Mar 3, 2021
@k8s-ci-robot k8s-ci-robot merged commit 71591c3 into kubernetes:main Mar 3, 2021
@k8s-ci-robot k8s-ci-robot added this to the v1.21 milestone Mar 3, 2021
This was referenced Mar 3, 2021
Closed
Closed
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@spiffxp spiffxp spiffxp approved these changes

@dims dims Awaiting requested review from dims

Assignees

@spiffxp spiffxp

@thockin thockin

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. area/audit Audit of project resources, audit followup issues, code in audit/ cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. lgtm "Looks good to me", indicates that a PR is ready to be merged. ok-to-test Indicates a non-member PR verified by an org member that is safe to test. size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files.
Projects
None yet
Milestone
v1.21
Development

Successfully merging this pull request may close these issues.
4 participants
@cncf-ci @k8s-ci-robot @spiffxp @thockin