Skip to content

Latest commit

 

History

History

conformance_storage

Folders and files

NameName
Last commit message
Last commit date

parent directory

..
README.md
README.md
 
 
conformance_storage.yaml
conformance_storage.yaml
 
 

README.md

Conformance Storage

Analyzed script: ensure-conformance-storage.sh

Table of Content

Terraform resources

Variables used in Components

[BUCKETS]

  • capi-openstack
  • cri-o
  • huaweicloud

Components

  • Components for project: k8s-conform:
    • Project:
      • k8s-conform
    • API:
      • storage-component
    • Components for project: k8s-conform per [BUCKET]:
      • GCS Bucket:
        • gs://k8s-confirm-[BUCKET]:
          • bucketpolicyonly: true
          • location: us
          • retention: 10y
      • IAM:
        • gs://k8s-confirm-[BUCKET]:
          • allUsers:objectViewer
          • group:k8s-infra-artifact-admins@kubernetes.io:objectAdmin
          • group:k8s-infra-artifact-admins@kubernetes.io:legacyBucketOwner
          • group:k8s-infra-conform-[BUCKET]@kubernetes.io:objectAdmin
          • group:k8s-infra-conform-[BUCKET]@kubernetes.io:legacyBucketReader
      • IAM Policy Binding:
        • roles/viewer:
          • group:k8s-infra-artifact-admins@kubernetes.io

Yaml representation of ComponentsG1,G2

# [BUCKETS]:
#   - capi-openstack
#   - cri-o
#   - huaweicloud

google_project:
  - name: k8s-conform
google_project_service:
  - service: storage-component.googleapis.com
    project: k8s-conform
google_storage_bucket:
  - name: k8s-confirm-[BUCKET]
    bucket_policy_only: true
    location: us
    retention_policy:
      retention_period: 315360000 # 10 years
google_project_iam_binding:
  - role: roles/viewer
    members:
      - group:k8s-infra-artifact-admins@kubernetes.io
    project: k8s-conform
google_storage_bucket_iam_binding:
  - role: roles/storage.objectViewer
    members:
      - allUsers
    bucket: gs://k8s-confirm-[BUCKET]
  - role: roles/storage.objectAdmin
    members:
      - group:k8s-infra-artifact-admins@kubernetes.io
      - group:k8s-infra-conform-[BUCKET]@kubernetes.io
    bucket: gs://k8s-confirm-[BUCKET]
  - role: roles/storage.legacyBucketOwner
    members:
      - group:k8s-infra-release-admins@kubernetes.io
    bucket: gs://k8s-confirm-[BUCKET]
  - role: roles/storage.legacyBucketReader
    members:
      - group:k8s-infra-conform-[BUCKET]@kubernetes.io
    bucket: gs://k8s-confirm-[BUCKET]
google_storage_bucket_acl:
# we need to discuss if we wan't to manage this resource because as far I'm aware,
# good practice is to use IAMs instead of ACLs, but in this case
# ("legacyBucketOwner" and "legacyBucketReader") the ACLs will be implicitly
# created, so I prefer to put them also here "explicitly".
#
# [IMPORTANT!] be aware that every role entity used in ACLs is in form
#              of type and proper entity separated by "-" (not ":"),
#              so for group "k8s-infra-release-admins@kubernetes.io"
#              it will be "group-k8s-infra-release-admins@kubernetes.io"
  - bucket: gs://k8s-confirm-[BUCKET]
    role_entity:
      - OWNER:group-k8s-infra-release-admins@kubernetes.io
      - READER:group-k8s-infra-conform-[BUCKET]@kubernetes.io