New and fresh (March 25 2020) GCP Audit results

Signed-off-by: Bart Smykla <[email protected]>

audit/org_kubernetes.io/iam.json

@@ -43,6 +43,12 @@
       ],
       "role": "roles/compute.viewer"
     },
+    {
+      "members": [
+        "group:[email protected]"
+      ],
+      "role": "roles/dns.reader"
+    },
     {
       "members": [
         "group:[email protected]"

audit/projects/k8s-artifacts-prod-bak/service-accounts/1057569514213-compute@developer.gserviceaccount.com/iam.json

@@ -1,3 +1 @@
-{
-  "version": 1
-}
+{}

audit/projects/k8s-artifacts-prod-bak/service-accounts/k8s-infra-gcr-promoter@k8s-artifacts-prod-bak.iam.gserviceaccount.com/iam.json

@@ -1,3 +1 @@
-{
-  "version": 1
-}
+{}

audit/projects/k8s-artifacts-prod-bak/services/compute/project-info.json

@@ -170,6 +170,11 @@
       "metric": "MACHINE_IMAGES",
       "usage": 0.0
     },
+    {
+      "limit": 20.0,
+      "metric": "SECURITY_POLICY_CEVAL_RULES",
+      "usage": 0.0
+    },
     {
       "limit": 15.0,
       "metric": "EXTERNAL_VPN_GATEWAYS",

audit/projects/k8s-artifacts-prod-bak/services/enabled.json

@@ -296,12 +296,14 @@
         "run.googleapis.com",
         "staging-appengineflex.sandbox.googleapis.com",
         "staging-cloudbuild.sandbox.googleapis.com",
+        "staging-cloudfunctions.sandbox.googleapis.com",
         "staging-container.sandbox.googleapis.com",
         "staging-containerscanning.sandbox.googleapis.com",
         "staging-pod-cloudbuild.sandbox.googleapis.com",
         "staging-run.sandbox.googleapis.com",
         "test-appengineflex.sandbox.googleapis.com",
         "test-cloudbuild.sandbox.googleapis.com",
+        "test-cloudfunctions.sandbox.googleapis.com",
         "test-container.sandbox.googleapis.com",
         "test-run.sandbox.googleapis.com"
       ],
@@ -340,6 +342,7 @@
         "staging-appengineflex.sandbox.googleapis.com",
         "staging-binaryauthorization.sandbox.googleapis.com",
         "staging-cloudbuild.sandbox.googleapis.com",
+        "staging-cloudfunctions.sandbox.googleapis.com",
         "staging-composer.sandbox.googleapis.com",
         "staging-container.sandbox.googleapis.com",
         "staging-containerscanning.sandbox.googleapis.com",
@@ -357,6 +360,7 @@
         "test-appengineflex.sandbox.googleapis.com",
         "test-binaryauthorization.sandbox.googleapis.com",
         "test-cloudbuild.sandbox.googleapis.com",
+        "test-cloudfunctions.sandbox.googleapis.com",
         "test-container.sandbox.googleapis.com",
         "test-file.sandbox.googleapis.com",
         "test-managedvms.googleapis.com",

audit/projects/k8s-artifacts-prod/iam.json

@@ -33,6 +33,12 @@
       ],
       "role": "roles/errorreporting.writer"
     },
+    {
+      "members": [
+        "serviceAccount:[email protected]"
+      ],
+      "role": "roles/iam.serviceAccountTokenCreator"
+    },
     {
       "members": [
         "serviceAccount:[email protected]"
@@ -63,6 +69,12 @@
       ],
       "role": "roles/run.serviceAgent"
     },
+    {
+      "members": [
+        "group:[email protected]"
+      ],
+      "role": "roles/serviceusage.serviceUsageConsumer"
+    },
     {
       "members": [
         "group:[email protected]"

audit/projects/k8s-artifacts-prod/service-accounts/388270116193-compute@developer.gserviceaccount.com/iam.json

@@ -1,3 +1 @@
-{
-  "version": 1
-}
+{}

audit/projects/k8s-artifacts-prod/service-accounts/k8s-infra-gcr-auditor-invoker@k8s-artifacts-prod.iam.gserviceaccount.com/iam.json

@@ -1,3 +1 @@
-{
-  "version": 1
-}
+{}

audit/projects/k8s-artifacts-prod/service-accounts/k8s-infra-gcr-promoter@k8s-artifacts-prod.iam.gserviceaccount.com/iam.json

@@ -1,3 +1,11 @@
 {
+  "bindings": [
+    {
+      "members": [
+        "serviceAccount:k8s-prow-builds.svc.id.goog[test-pods/k8s-artifacts-prod]"
+      ],
+      "role": "roles/iam.workloadIdentityUser"
+    }
+  ],
   "version": 1
 }

audit/projects/k8s-artifacts-prod/services/compute/project-info.json

@@ -38,7 +38,7 @@
     {
       "limit": 250.0,
       "metric": "ROUTES",
-      "usage": 23.0
+      "usage": 24.0
     },
     {
       "limit": 45.0,
@@ -123,7 +123,7 @@
     {
       "limit": 175.0,
       "metric": "SUBNETWORKS",
-      "usage": 22.0
+      "usage": 23.0
     },
     {
       "limit": 30.0,
@@ -170,6 +170,11 @@
       "metric": "MACHINE_IMAGES",
       "usage": 0.0
     },
+    {
+      "limit": 20.0,
+      "metric": "SECURITY_POLICY_CEVAL_RULES",
+      "usage": 0.0
+    },
     {
       "limit": 15.0,
       "metric": "EXTERNAL_VPN_GATEWAYS",

audit/projects/k8s-artifacts-prod/services/enabled.json

@@ -414,7 +414,7 @@
       },
       "name": "clouddebugger.googleapis.com",
       "quota": {},
-      "title": "Stackdriver Debugger API",
+      "title": "Cloud Debugger API",
       "usage": {
         "requirements": [
           "serviceusage.googleapis.com/tos/cloud"
@@ -461,7 +461,7 @@
       "migration": {},
       "name": "clouderrorreporting.googleapis.com",
       "quota": {},
-      "title": "Stackdriver Error Reporting API",
+      "title": "Error Reporting API",
       "usage": {
         "requirements": [
           "serviceusage.googleapis.com/tos/cloud"
@@ -560,7 +560,7 @@
     "config": {
       "authentication": {},
       "documentation": {
-        "summary": "Sends application trace data to Stackdriver Trace for viewing. Trace data is collected for all App Engine applications by default. Trace data from other applications can be provided using this API. This library is used to interact with the Trace API directly. If you are looking to instrument your application for Stackdriver Trace, we recommend using OpenCensus.\n"
+        "summary": "Sends application trace data to Cloud Trace for viewing. Trace data is collected for all App Engine applications by default. Trace data from other applications can be provided using this API. This library is used to interact with the Cloud Trace API directly. If you are looking to instrument your application for Cloud Trace, we recommend using OpenCensus.\n"
       },
       "features": [
         "googleprod.com/service/use-monarch"
@@ -577,7 +577,7 @@
       },
       "name": "cloudtrace.googleapis.com",
       "quota": {},
-      "title": "Stackdriver Trace API",
+      "title": "Cloud Trace API",
       "usage": {
         "requirements": [
           "serviceusage.googleapis.com/tos/cloud"
@@ -942,12 +942,14 @@
         "run.googleapis.com",
         "staging-appengineflex.sandbox.googleapis.com",
         "staging-cloudbuild.sandbox.googleapis.com",
+        "staging-cloudfunctions.sandbox.googleapis.com",
         "staging-container.sandbox.googleapis.com",
         "staging-containerscanning.sandbox.googleapis.com",
         "staging-pod-cloudbuild.sandbox.googleapis.com",
         "staging-run.sandbox.googleapis.com",
         "test-appengineflex.sandbox.googleapis.com",
         "test-cloudbuild.sandbox.googleapis.com",
+        "test-cloudfunctions.sandbox.googleapis.com",
         "test-container.sandbox.googleapis.com",
         "test-run.sandbox.googleapis.com"
       ],
@@ -986,6 +988,7 @@
         "staging-appengineflex.sandbox.googleapis.com",
         "staging-binaryauthorization.sandbox.googleapis.com",
         "staging-cloudbuild.sandbox.googleapis.com",
+        "staging-cloudfunctions.sandbox.googleapis.com",
         "staging-composer.sandbox.googleapis.com",
         "staging-container.sandbox.googleapis.com",
         "staging-containerscanning.sandbox.googleapis.com",
@@ -1003,6 +1006,7 @@
         "test-appengineflex.sandbox.googleapis.com",
         "test-binaryauthorization.sandbox.googleapis.com",
         "test-cloudbuild.sandbox.googleapis.com",
+        "test-cloudfunctions.sandbox.googleapis.com",
         "test-container.sandbox.googleapis.com",
         "test-file.sandbox.googleapis.com",
         "test-managedvms.googleapis.com",
@@ -1118,7 +1122,7 @@
     "config": {
       "authentication": {},
       "documentation": {
-        "summary": "Writes log entries and manages your Stackdriver Logging configuration.\nThe table entries below are presented in alphabetical order, not in order of common use. For explanations of the concepts found in the table entries, read the <a href=https://cloud.google.com/logging/docs>Stackdriver Logging documentation</a>."
+        "summary": "Writes log entries and manages your Cloud Logging configuration.\nThe table entries below are presented in alphabetical order, not in order of common use. For explanations of the concepts found in the table entries, read the documentation at https://cloud.google.com/logging/docs."
       },
       "features": [
         "googleprod.com/service/use-monarch",
@@ -1134,7 +1138,7 @@
       "migration": {},
       "name": "logging.googleapis.com",
       "quota": {},
-      "title": "Stackdriver Logging API",
+      "title": "Cloud Logging API",
       "usage": {
         "requirements": [
           "serviceusage.googleapis.com/tos/cloud"
@@ -1286,7 +1290,7 @@
     "config": {
       "authentication": {},
       "documentation": {
-        "summary": "Manages your Stackdriver Monitoring data and configurations. Most projects must be associated with a Stackdriver account, with a few exceptions as noted on the individual method pages.\nThe table entries below are presented in alphabetical order, not in order of common use. For explanations of the concepts found in the table entries, read the [Stackdriver Monitoring documentation](/monitoring/docs).\n"
+        "summary": "Manages your Cloud Monitoring data and configurations. Most projects must be associated with a Workspace, with a few exceptions as noted on the individual method pages.\nThe table entries below are presented in alphabetical order, not in order of common use. For explanations of the concepts found in the table entries, read the [Cloud Monitoring documentation](/monitoring/docs).\n"
       },
       "features": [
         "googleprod.com/service/use-monarch"
@@ -1301,7 +1305,7 @@
       "migration": {},
       "name": "monitoring.googleapis.com",
       "quota": {},
-      "title": "Stackdriver Monitoring API",
+      "title": "Cloud Monitoring API",
       "usage": {
         "requirements": [
           "serviceusage.googleapis.com/tos/cloud"
@@ -1321,6 +1325,7 @@
         "autopush-spinnaker.sandbox.googleapis.com",
         "cloudapis.googleapis.com",
         "composer.googleapis.com",
+        "container.googleapis.com",
         "datalogic.googleapis.com",
         "dev-composer.sandbox.googleapis.com",
         "dev-endpoints-googleapis.corp.google.com",
@@ -1332,13 +1337,15 @@
         "stackdriverprovisioning.googleapis.com",
         "staging-appengineflex.sandbox.googleapis.com",
         "staging-composer.sandbox.googleapis.com",
+        "staging-container.sandbox.googleapis.com",
         "staging-datalogic.sandbox.googleapis.com",
         "staging-memcache.sandbox.googleapis.com",
         "staging-redis.sandbox.googleapis.com",
         "staging-spinnaker.sandbox.googleapis.com",
         "staging-tpu.sandbox.googleapis.com",
         "staging-vpcaccess.sandbox.googleapis.com",
         "test-appengineflex.sandbox.googleapis.com",
+        "test-container.sandbox.googleapis.com",
         "test-memcache.sandbox.googleapis.com",
         "test-redis.sandbox.googleapis.com",
         "test-tpu.sandbox.googleapis.com",
@@ -1348,30 +1355,53 @@
       ],
       "requiredBy": [
         "appengineflex.googleapis.com",
+        "autopush-datafusion.sandbox.googleapis.com",
         "autopush-datalogic.sandbox.googleapis.com",
         "autopush-endpoints.sandbox.googleapis.com",
         "autopush-memcache.sandbox.googleapis.com",
         "autopush-spinnaker.sandbox.googleapis.com",
+        "autoscaler.googleapis.com",
+        "binaryauthorization.googleapis.com",
+        "cloud-infrastructure.googleapis.com",
         "cloudapis.googleapis.com",
         "composer.googleapis.com",
+        "container.googleapis.com",
+        "dataflow.googleapis.com",
+        "datafusion.googleapis.com",
         "datalogic.googleapis.com",
+        "dataprep.googleapis.com",
         "dev-composer.sandbox.googleapis.com",
+        "dev-dataprep.sandbox.googleapis.com",
         "dev-endpoints-googleapis.corp.google.com",
         "endpoints.googleapis.com",
+        "file.googleapis.com",
+        "managedvms.googleapis.com",
+        "manager.googleapis.com",
         "memcache.googleapis.com",
         "redis.googleapis.com",
+        "resourceviews.googleapis.com",
         "spinnaker.googleapis.com",
         "stackdriver.googleapis.com",
         "stackdriverprovisioning.googleapis.com",
         "staging-appengineflex.sandbox.googleapis.com",
+        "staging-binaryauthorization.sandbox.googleapis.com",
         "staging-composer.sandbox.googleapis.com",
+        "staging-container.sandbox.googleapis.com",
+        "staging-datafusion.sandbox.googleapis.com",
         "staging-datalogic.sandbox.googleapis.com",
+        "staging-dataprep.googleapis.com",
+        "staging-file.sandbox.googleapis.com",
+        "staging-managedvms.googleapis.com",
         "staging-memcache.sandbox.googleapis.com",
         "staging-redis.sandbox.googleapis.com",
         "staging-spinnaker.sandbox.googleapis.com",
         "staging-tpu.sandbox.googleapis.com",
         "staging-vpcaccess.sandbox.googleapis.com",
         "test-appengineflex.sandbox.googleapis.com",
+        "test-binaryauthorization.sandbox.googleapis.com",
+        "test-container.sandbox.googleapis.com",
+        "test-file.sandbox.googleapis.com",
+        "test-managedvms.googleapis.com",
         "test-memcache.sandbox.googleapis.com",
         "test-redis.sandbox.googleapis.com",
         "test-tpu.sandbox.googleapis.com",

audit/projects/k8s-cip-test-prod/service-accounts/693665670941-compute@developer.gserviceaccount.com/iam.json

@@ -1,3 +1 @@
-{
-  "version": 1
-}
+{}

audit/projects/k8s-cip-test-prod/service-accounts/k8s-infra-gcr-promoter@k8s-cip-test-prod.iam.gserviceaccount.com/iam.json

@@ -1,3 +1 @@
-{
-  "version": 1
-}
+{}

audit/projects/k8s-cip-test-prod/services/compute/project-info.json

@@ -170,6 +170,11 @@
       "metric": "MACHINE_IMAGES",
       "usage": 0.0
     },
+    {
+      "limit": 20.0,
+      "metric": "SECURITY_POLICY_CEVAL_RULES",
+      "usage": 0.0
+    },
     {
       "limit": 15.0,
       "metric": "EXTERNAL_VPN_GATEWAYS",