

terraform/kubernetes-public: add k8s-keps
Add a world-readable bucket gs://k8s-keps along with a service account
and dedicated k8s-infra-keps@kubernetes.io group with privileged access
to the bucket and its contents.
spiffxp committed Aug 18, 2021
1 parent 957ae73 commit ab175a2
Showing 5 changed files with 135 additions and 0 deletions.
3 changes: 3 additions & 0 deletions groups/restrictions.yaml
Expand Up @@ -96,6 +96,9 @@ restrictions:
- "^k8s-infra-gcs-access-logs@kubernetes.io$"
- "^k8s-infra-ii-coop@kubernetes.io$"
- "^k8s-infra-code-organization@kubernetes.io$"
- path: "sig-architecture/groups.yaml"
allowedGroups:
- "^k8s-infra-keps@kubernetes.io$"
- path: "sig-cluster-lifecycle/groups.yaml"
allowedGroups:
- "^sig-cluster-lifecycle-cluster-api-alerts@kubernetes.io$"
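--- a/groups/sig-architecture/OWNERS
+++ b/groups/sig-architecture/OWNERS
@@ -0,0 +1,7 @@
+# See the OWNERS docs at https://go.k8s.io/owners
+
+reviewers:
+- sig-architecture-leads
+
+labels:
+- sig/architecture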
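--- a/groups/sig-architecture/groups.yaml
+++ b/groups/sig-architecture/groups.yaml
@@ -0,0 +1,18 @@
+groups:
+
+  #
+  # sig-architecture infra acces
+  #
+  # Each group here represents privileged access to some set of infrastructure
+  # related to subprojects owned by sig-architecture
+  #
+
+  - email-id: k8s-infra-keps@kubernetes.io
+    name: k8s-infra-keps
+    description: |-
+      ACL for access to KEP related infrastructure
+    settings:
+      ReconcileMembers: "true"
+    members:
+      - spiffxp@gmail.com # TODO(spiffxp): PR myself out when we figure out more appropriate
+      - spiffxp@google.com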
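Review bot: The `description` of the new `k8s-infra-keps` group says only `ACL for access to KEP related infrastructure`, while the Terraform in the same commit grants this group `roles/storage.admin` and `roles/storage.objectAdmin` on the world-readable gs://k8s-keps bucket, so the description should name that scope, e.g. `ACL for access to KEP related infrastructure, including admin on the gs://k8s-keps bucket`. The header comment has a typo: `sig-architecture infra acces` should read `sig-architecture infra access`. Membership is two addresses for one person with a TODO to replace them; given the privileges, adding a second maintainer (the sig-architecture leads, presumably) sooner rather than later would avoid a single point of contact for a public bucket.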
Expand Up @@ -15,6 +15,8 @@ metadata:
iam.gke.io/gcp-service-account: prow-deployer@k8s-infra-prow-build-trusted.iam.gserviceaccount.com
name: prow-deployer
namespace: test-pods

# Specialized infrastructure access service accounts
---
kind: ServiceAccount
apiVersion: v1
Expand All @@ -31,6 +33,14 @@ metadata:
iam.gke.io/gcp-service-account: k8s-triage@k8s-infra-prow-build-trusted.iam.gserviceaccount.com
name: k8s-triage
namespace: test-pods
---
kind: ServiceAccount
apiVersion: v1
metadata:
annotations:
iam.gke.io/gcp-service-account: k8s-keps@k8s-infra-prow-build-trusted.iam.gserviceaccount.com
name: k8s-keps
namespace: test-pods

# Infrastructure management service accounts
---
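Review bot: The `iam.gke.io/gcp-service-account` annotation on the new `k8s-keps` ServiceAccount only declares the mapping; for the pod to actually act as `k8s-keps@k8s-infra-prow-build-trusted.iam.gserviceaccount.com` that GCP service account must exist and carry a `roles/iam.workloadIdentityUser` binding for the `test-pods/k8s-keps` KSA, and neither is created in this commit (the Terraform only reads the account through a `data` source). If an ensure script provisions both elsewhere, a comment above this resource naming it, e.g. `# GCP SA and workload-identity binding are managed in <path-to-ensure-script>`, would save the next reader from checking. The file header for this section is not shown on the page, so the path of the edited file is unclear from here.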
97 changes: 97 additions & 0 deletions infra/gcp/terraform/kubernetes-public/k8s-keps.tf
@@ -0,0 +1,97 @@
/*
Copyright 2021 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

/*
This file defines:
- GCS bucket to serve KEP reports
- IAM bindings
*/

locals {
keps_owners = "k8s-infra-keps@kubernetes.io"
}

// Use a data source for the service account
data "google_service_account" "keps_sa" {
account_id = "k8s-keps@k8s-infra-prow-build-trusted.iam.gserviceaccount.com"
}

// Create a GCS bucket for KEP reports
resource "google_storage_bucket" "keps_bucket" {
name = "k8s-keps"
project = data.google_project.project.project_id
location = "US"
storage_class = "STANDARD"
uniform_bucket_level_access = true
}

data "google_iam_policy" "keps_bucket_iam_bindings" {
// Ensure prow owners have admin privileges, and keep existing
// legacy bindings since we're overwriting all existing bindings below
binding {
members = [
"group:${local.prow_owners}",
"group:${local.keps_owners}",
]
role = "roles/storage.admin"
}
// Preserve legacy storage bindings, give storage.admim members legacy bucket owner
binding {
members = [
"group:${local.prow_owners}",
"group:${local.keps_owners}",
"projectEditor:${data.google_project.project.project_id}",
"projectOwner:${data.google_project.project.project_id}",
]
role = "roles/storage.legacyBucketOwner"
}
// Ensure keps service accounts have write access to the bucket
binding {
members = [
"serviceAccount:${data.google_service_account.keps_sa.email}",
]
role = "roles/storage.legacyBucketWriter"
}
// Preserve legacy storage bindings
binding {
members = [
"projectViewer:${data.google_project.project.project_id}",
]
role = "roles/storage.legacyBucketReader"
}
// Ensure keps service accounts have write/update/delete access to objects
binding {
role = "roles/storage.objectAdmin"
members = [
"group:${local.prow_owners}",
"group:${local.keps_owners}",
"serviceAccount:${data.google_service_account.keps_sa.email}",
]
}
// Ensure bucket contents are world readable
binding {
role = "roles/storage.objectViewer"
members = [
"allUsers"
]
}
}

// Authoritative iam-policy: replaces any existing policy attached to the bucket
resource "google_storage_bucket_iam_policy" "keps_bucket_iam_policy" {
bucket = google_storage_bucket.keps_bucket.name
policy_data = data.google_iam_policy.keps_bucket_iam_bindings.policy_data
}
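Review bot: The `keps_sa` service account receives `roles/storage.objectAdmin` in the last-but-one binding on top of `roles/storage.legacyBucketWriter`, so any workload that holds those credentials can overwrite or delete every object in a bucket that is served to `allUsers`, and `google_storage_bucket.keps_bucket` has no object versioning to recover from that; adding `versioning { enabled = true }` to the bucket resource would make such changes reversible. In the same `objectAdmin` binding the two groups are listed again although they already hold `roles/storage.admin` in the first binding, which is redundant and worth dropping to keep the authoritative policy minimal. The comment on the `legacyBucketOwner` binding reads `give storage.admim members` and should be `give storage.admin members`. The `data "google_service_account" "keps_sa"` block assumes the GCP service account already exists; nothing in this commit creates it, so presumably an ensure script does, and a comment pointing to it would help.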
