Auditing Kubernetes Org Owner Permissions #2465

Closed
cblecker opened this Issue Aug 3, 2018 · 15 comments

6 participants
@cblecker
Member

commented Aug 3, 2018

TL;DR: We will soon be limiting org admin access to our GitHub administration team. If you do not have/need admin access to a kubernetes org, you may stop reading now.


Hello everyone,
With the size of the Kubernetes project and our GitHub footprint, Contributor Experience has created a dedicated team (@kubernetes/owners) to oversee and handle the day-to-day administration of GitHub. You can find more details on this team and our scope here.

Now that this team is established and in place, we are moving forward with auditing Org Owner permissions across all our active organizations and removing those who are not a part of this team. If you are on one of the lists below, your org owner access is slated to be removed on Wednesday, August 8th in the morning Pacific Time.

We are doing this to reduce our footprint of users/tokens that have "root" permissions on our orgs/repos, but retain a small, active team that is able to respond across time zones to take action when needed. This is something we have been working on for a while, but I accelerated my focus on it after the recent Gentoo GitHub security incident (https://wiki.gentoo.org/wiki/Project:Infrastructure/Incident_Reports/2018-06-28_Github).

There may be some short-term issues once your access has been revoked. In particular, actions you previously were able to do (such as having direct write access to a repo) may not work after this access is removed. If any issues like this arise, please ping @kubernetes/owners or open an issue against the https://github.com/kubernetes/org repo, and we should be able to get you fixed up and added to the right teams.

Thank you for your understanding and patience during this transition!

kubernetes/

@alex-mohr
@bgrant0607
@bryk
@davidopp
@dchen1107
@derekwaynecarr
@eparis
@erictune
@fgrzadkowski
@lavalamp
@matchstick
@michelleN
@pwittrock
@quinton-hoole
@roberthbailey
@sarahnovotny
@smarterclayton
@spxtr
@thockin
@timothysc
@vishh
@zmerlynn

kubernetes-sigs/

@bgrant0607
@derekwaynecarr
@jbeda
@michelleN
@msau42
@philips
@pwittrock
@quinton-hoole
@smarterclayton
@thockin
@timothysc

kubernetes-incubator/

@alex-mohr
@bgrant0607
@ConnorDoyle
@eparis
@foxish
@lavalamp
@philips
@piosz
@roberthbailey
@sarahnovotny
@smarterclayton
@spxtr
@thockin

kubernetes-client/

@bgrant0607
@lavalamp
@mbohlool

kubernetes-csi/

@saad-ali

kubernetes-retired/

@bgrant0607
@philips
@thockin
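The audit the announcement describes (list each org's owners, compare them with the members of the designated admin team, and report who keeps or loses owner access) can be scripted against the GitHub REST API. The following is an added example, not part of this issue or of the kubernetes/org tooling. It uses the endpoints `GET /orgs/{org}/members?role=admin` and `GET /orgs/{org}/teams/{team_slug}/members`; the org names, the team slug and the sample API responses are constructed for illustration.

```python
"""Audit GitHub org owners against an allowlisted admin team.

Added example; not the Kubernetes project's own tooling. The sample data
below is constructed to mirror the shape of the GitHub REST API responses.
"""
import json
import os
import sys
import urllib.request
from urllib.parse import urlencode

API = "https://api.github.com"


def _get_json(path, token, params=None):
    """GET one page from the GitHub API (real network call; only used by main)."""
    url = f"{API}{path}"
    if params:
        url += "?" + urlencode(params)
    req = urllib.request.Request(url, headers={
        "Authorization": f"token {token}",
        "Accept": "application/vnd.github+json",
    })
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def fetch_all(path, token, params=None):
    """Follow per_page/page pagination until an empty page comes back."""
    page, out = 1, []
    while True:
        chunk = _get_json(path, token, dict(params or {}, per_page=100, page=page))
        if not chunk:
            return out
        out.extend(chunk)
        page += 1


def logins(members):
    """Case-insensitive set of login names from a members API response."""
    return {m["login"].lower() for m in members}


def audit_org(org, owners, admin_team):
    """Compare current org owners with the admin-team allowlist.

    `owners` and `admin_team` are lists of member objects as returned by
    GET /orgs/{org}/members?role=admin and
    GET /orgs/{org}/teams/{team_slug}/members respectively.
    Returns a dict of sorted login lists: keep (owner and on the team),
    remove (owner but not on the team), missing (on the team but not an owner).
    """
    have = logins(owners)
    want = logins(admin_team)
    return {
        "org": org,
        "keep": sorted(have & want),
        "remove": sorted(have - want),
        "missing": sorted(want - have),
    }


# Constructed sample data in the shape the API returns (login plus an id).
SAMPLE_OWNERS = {
    "example-org": [{"login": "alice", "id": 1}, {"login": "Bob", "id": 2},
                    {"login": "carol", "id": 3}],
    "example-org-sigs": [{"login": "alice", "id": 1}, {"login": "dave", "id": 4}],
}
SAMPLE_ADMIN_TEAM = [{"login": "alice", "id": 1}, {"login": "bob", "id": 2},
                     {"login": "erin", "id": 5}]


def audit_samples():
    """Run the audit over the constructed data (no network access needed)."""
    return [audit_org(org, owners, SAMPLE_ADMIN_TEAM)
            for org, owners in SAMPLE_OWNERS.items()]


def main(argv):
    """Usage: audit.py <admin-org> <team-slug> <org> [<org> ...]

    Needs GITHUB_TOKEN (read:org scope) in the environment; with no
    arguments, or with --sample, it runs over the constructed data instead.
    """
    if "--sample" in argv or len(argv) < 4:
        results = audit_samples()
    else:
        token = os.environ["GITHUB_TOKEN"]
        admin_org, team_slug, orgs = argv[1], argv[2], argv[3:]
        team = fetch_all(f"/orgs/{admin_org}/teams/{team_slug}/members", token)
        results = [audit_org(o, fetch_all(f"/orgs/{o}/members", token, {"role": "admin"}), team)
                   for o in orgs]
    for r in results:
        print(f"{r['org']}: keep={r['keep']} remove={r['remove']} missing={r['missing']}")


if __name__ == "__main__":
    main(sys.argv)
```

The script only reports; the removals themselves are left to a human (or a reviewed config change), which matches how the thread directs follow-up through issues on the org repo. Logins are compared case-insensitively because GitHub treats them that way, and `missing` catches the opposite drift: an admin-team member who never received owner access on one of the orgs.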

@cblecker

Member Author

commented Aug 3, 2018

@lavalamp

Member

commented Aug 3, 2018

@cblecker

Member Author

commented Aug 3, 2018

@lavalamp: based on your team membership in @kubernetes/kubernetes-admins, yes, you will still be able to merge to that branch, overriding any status contexts.

@vishh

Member

commented Aug 3, 2018

What are the specific roles being removed as a side effect of not being an org owner?

@cblecker

Member Author

commented Aug 3, 2018

@vishh The specific permissions that are being rolled back are detailed here:
https://github.com/kubernetes/community/blob/master/github-management/permissions.md#owner
https://help.github.com/articles/permission-levels-for-an-organization/

The highlights being inviting/removing members from the org, accessing the org audit log, creating new repos, etc.

@mbohlool

Member

commented Aug 4, 2018

@cblecker

Member Author

commented Aug 4, 2018

@mbohlool Branch manager permissions are granted through the @kubernetes/kubernetes-release-managers team, and will not be impacted by this change.

@saad-ali

Member

commented Aug 6, 2018

@cblecker kubernetes-csi is still under active development. We are still actively adding, removing, and merging repos. Removing me as an org owner may affect our velocity. We plan to go GA (stable) in Q4 or Q1. Can you please not remove my permissions until then?

@cblecker

Member Author

commented Aug 6, 2018

@saad-ali How often do you expect to be doing this? I see one repo creation in the audit log, 28 days ago. While I understand your concern and don't want to impact velocity, this is a critical step to the project's stability and security.

Would having SLOs around responsiveness address your concern?

@saad-ali

Member

commented Aug 6, 2018

Would having SLOs around responsiveness address your concern?

Yes, if we can document where to reach out to for issuing these operations and what the SLO for that process is, that would definitely help.

@saad-ali

Member

commented Aug 6, 2018

As for "How often do you expect to be doing this?"

Examples of what we want to do before GA:

  • Split the drivers repo up into separate repos for each driver.
  • Add repos for common mounting code, e.g. iscsi-common, NFS-common, etc.

@cblecker

Member Author

commented Aug 7, 2018

@saad-ali I've opened #2493. Would you mind having a look and letting us know if that would address your concerns?

@cblecker

Member Author

commented Aug 8, 2018

Everyone: Please be advised that this work is beginning now. Please pardon the dust. 🚧

@cblecker

Member Author

commented Aug 8, 2018

Everyone: This work is now complete! If you encounter any issues with permissions, please open an issue against https://github.com/kubernetes/org/issues

@cblecker cblecker closed this Aug 8, 2018

@timothysc

Member

commented Aug 9, 2018

The execution of this item should have been more broadly communicated on the implications through steering.

How do we transfer in repos now?
...
