Audit Update for kubernetes-public

Author: hh

audit/audit-gcp.sh

@@ -36,6 +36,7 @@ gcloud \
     --filter="parent.id=${CNCF_GCP_ORG}" \
     --format="value(name, projectNumber)" \
 | sort \
+| tail -1 | head -1 \
 | while read -r PROJECT NUM; do
     export CLOUDSDK_CORE_PROJECT="${PROJECT}"
 
@@ -162,32 +163,32 @@ gcloud \
                 #### gcloud alpha monitoring channels list > "projects/${PROJECT}/services/monitoring.channels.json"
                 #### gcloud alpha monitoring channel-descriptors list > "projects/${PROJECT}/services/monitoring.channel-descriptors.json"
                 ;;
-            secretmanager)
-                gcloud \
-                    secrets list \
-                    --project=k8s-gsuite \
-                    --format="value(name)" \
-                | while read -r SECRET; do
-                    path="projects/${PROJECT}/secrets/${SECRET}"
-                    mkdir -p "${path}"
-                    gcloud \
-                        secrets describe "${SECRET}" \
-                        --project="${PROJECT}" \
-                        --format=json \
-                        > "${path}/description.json"
-                    gcloud \
-                        secrets versions list "${SECRET}" \
-                        --project="${PROJECT}" \
-                        --format=json \
-                        > "${path}/versions.json"
-                    gcloud \
-                        secrets get-iam-policy "${SECRET}" \
-                        --project="${PROJECT}" \
-                        --format=json \
-                        | jq 'del(.etag)' \
-                        > "${path}/iam.json"
-                done
-                ;;
+            # secretmanager)
+            #     gcloud \
+            #         secrets list \
+            #         --project=k8s-gsuite \
+            #         --format="value(name)" \
+            #     | while read -r SECRET; do
+            #         path="projects/${PROJECT}/secrets/${SECRET}"
+            #         mkdir -p "${path}"
+            #         gcloud \
+            #             secrets describe "${SECRET}" \
+            #             --project="${PROJECT}" \
+            #             --format=json \
+            #             > "${path}/description.json"
+            #         gcloud \
+            #             secrets versions list "${SECRET}" \
+            #             --project="${PROJECT}" \
+            #             --format=json \
+            #             > "${path}/versions.json"
+            #         gcloud \
+            #             secrets get-iam-policy "${SECRET}" \
+            #             --project="${PROJECT}" \
+            #             --format=json \
+            #             | jq 'del(.etag)' \
+            #             > "${path}/iam.json"
+            #     done
+            #     ;;
             storage-api)
                 gsutil ls -p "${PROJECT}" \
                 | awk -F/ '{print $3}' \

audit/org_kubernetes.io/iam.json

@@ -72,6 +72,9 @@
         "group:k8s-infra-gcp-org-admins@kubernetes.io",
         "user:domain-admin-lf@kubernetes.io",
         "user:ihor@cncf.io",
+        "user:psharma@linuxfoundation.org",
+        "user:spiffxp@google.com",
+        "user:thockin@google.com",
         "user:twaggoner@linuxfoundation.org"
       ],
       "role": "roles/resourcemanager.organizationAdmin"
@@ -94,6 +97,12 @@
       ],
       "role": "roles/resourcemanager.projectDeleter"
     },
+    {
+      "members": [
+        "group:k8s-infra-gcp-org-admins@kubernetes.io"
+      ],
+      "role": "roles/servicemanagement.quotaAdmin"
+    },
     {
       "members": [
         "group:k8s-infra-gcp-auditors@kubernetes.io"