Merge pull request #2714 from spiffxp/more-groups-moves

groups: more groups moves

groups/README.md

@@ -2,7 +2,8 @@
 
 ## Making changes
 
-- Edit `groups.yaml` and `restrictions.yaml` to add a new group or update an existing group
+- Edit your SIG's `groups.yaml`, e.g. [`sig-release/groups.yaml`][/groups/sig-release/groups.yaml]
+- If adding or removing a group, edit [`restrictions.yaml`] to add or remove the group name
 - Use `make test` to ensure the changes meet conventions
 - Open a pull request
 - When the pull request merges, the [post-k8sio-groups] job will deploy the changes

groups/committee-product-security/groups.yaml

@@ -3,6 +3,14 @@
 # group is prefixed with "k8s-infra" to avoid polluting the other existing gsuite
 # mailing lists.
 groups:
+
+  #
+  # Mailing lists
+  #
+  # Each group here represents a mailing list for the SIG or its subprojects,
+  # and is not intended to govern access to infrastructure
+  #
+
   - email-id: distributors-announce@kubernetes.io
     name: distributors-announce
     description: |-
@@ -84,3 +92,41 @@ groups:
       - mhausler@amazon.com
       - tabitha.c.sable@gmail.com
       - timallclair@gmail.com
+
+  #
+  # k8s-staging write access for SIG-owned subprojects
+  #
+  # Each group here represents privileged access to a staging project,
+  # allowing the members to directly write to GCS and GCR within the
+  # project, as well as trigger Cloud Build within the project. Ideally
+  # this level access is used solely for troubleshooting purposes.
+  #
+  # Membership should correspond roughly to subproject owners for the set of
+  # subproject artifacts being stored in a given staging project
+  #
+
+
+  #
+  # k8s-infra owners for sig-owned subprojects
+  #
+  # Each group here represents highly privileged access to kubernetes project
+  # infrastructure owned or managed by this SIG. A high level of trust is
+  # required for membership in these groups.
+  #
+
+  - email-id: k8s-infra-artifact-security@kubernetes.io
+    name: k8s-infra-artifact-security
+    description: |-
+      ACL for artifact security, including things like vulnerability scans
+    settings:
+      ReconcileMembers: "true"
+    members:
+      - security@kubernetes.io
+      - mikedanese@google.com
+      - alextc@google.com
+      - jsand@google.com
+
+  # RBAC groups:
+  # - grant access to the `namespace-user` role for a single namespace on the `aaa` cluster
+  # - must have WhoCanViewMemberShip: "ALL_MEMBERS_CAN_VIEW"
+  # - must be members of gke-security-groups@kubernetes.io

groups/groups.yaml

@@ -119,82 +119,13 @@ groups:
       - jim@nirmata.com
       - rficcaglia@gmail.com
 
-  # Every RBAC group should be added here.
-  - email-id: gke-security-groups@kubernetes.io
-    name: gke-security-groups
-    description: |-
-      Security Groups for GKE clusters
-    settings:
-      ReconcileMembers: "true"
-      WhoCanViewMembership: "ALL_MEMBERS_CAN_VIEW" # needed for RBAC
-    members:
-      - k8s-infra-rbac-cert-manager@kubernetes.io
-      - k8s-infra-rbac-gcsweb@kubernetes.io
-      - k8s-infra-rbac-kettle@kubernetes.io
-      - k8s-infra-rbac-k8s-io-canary@kubernetes.io
-      - k8s-infra-rbac-k8s-io-prod@kubernetes.io
-      - k8s-infra-rbac-kubernetes-external-secrets@kubernetes.io
-      - k8s-infra-rbac-perfdash@kubernetes.io
-      - k8s-infra-rbac-prow@kubernetes.io
-      - k8s-infra-rbac-publishing-bot@kubernetes.io
-      - k8s-infra-rbac-triageparty-cli@kubernetes.io
-      - k8s-infra-rbac-triageparty-release@kubernetes.io
-      - k8s-infra-rbac-triageparty-scalability@kubernetes.io
-      - k8s-infra-rbac-sippy@kubernetes.io
-      - k8s-infra-rbac-slack-infra@kubernetes.io
-
-  - email-id: k8s-infra-artifact-security@kubernetes.io
-    name: k8s-infra-artifact-security
-    description: |-
-      ACL for artifact security, including things like vulnerability scans
-    settings:
-      ReconcileMembers: "true"
-    members:
-      - security@kubernetes.io
-      - mikedanese@google.com
-      - alextc@google.com
-      - jsand@google.com
-
-  #
-  # RBAC groups: k8s-infra-rbac-*
-  #
-  # Each group here governs access to one k8s namespace.
-  # RBAC groups MUST have:
-  #
-  #   settings:
-  #     WhoCanViewMembership: "ALL_MEMBERS_CAN_VIEW"
-  #
-
-  - email-id: k8s-infra-rbac-triageparty-cli@kubernetes.io
-    name: k8s-infra-rbac-triageparty-cli
-    description: |-
-      ACL for Bug Triage CLI Team
-    settings:
-      ReconcileMembers: "true"
-      WhoCanViewMembership: "ALL_MEMBERS_CAN_VIEW" # required
-    members:
-      - eddiezane@gmail.com
-      - kn.verey@gmail.com
-      - maszulik@redhat.com
-
-  - email-id: k8s-infra-rbac-sippy@kubernetes.io
-    name: k8s-infra-rbac-sippy
-    description: |-
-      Grants access to the `namespace-user` role in the `sippy` namespace on the `aaa` cluster
-    settings:
-      ReconcileMembers: "true"
-      WhoCanViewMembership: "ALL_MEMBERS_CAN_VIEW" # required
-    members:
-      - deads@redhat.com
-      - wojtekt@google.com
-      - skuznets@redhat.com
-
   #
   # Staging groups: k8s-infra-staging-*
   #
   # Each group here governs access to one staging project.
   #
 
+  # TODO: this subproject has been retired, decommission the subproject
   - email-id: k8s-infra-staging-bootkube@kubernetes.io
     name: k8s-infra-staging-bootkube
     description: |-
@@ -205,6 +136,8 @@ groups:
       - andrew@andrewrynhard.com
       - rahul@rmenn.in
 
+  # TODO: which SIG is responsible for ensuring this component of the
+  #       kubernetes release is kept up to date?
   - email-id: k8s-infra-staging-coredns@kubernetes.io
     name: k8s-infra-staging-coredns
     description: |-
@@ -218,6 +151,8 @@ groups:
       - jbelamaric@google.com
       - cohaver@infoblox.com
 
+  # TODO: which SIG is responsible for ensuring this component of the
+  #       kubernetes release is kept up to date?
   - email-id: k8s-infra-staging-etcd@kubernetes.io
     name: k8s-infra-staging-etcd
     description: |-
@@ -230,22 +165,7 @@ groups:
       - jingyih@google.com
       - yczhou@google.com
 
-  - email-id: k8s-infra-staging-multitenancy@kubernetes.io
-    name: k8s-infra-staging-multitenancy
-    description: |-
-      ACL for Multitenancy WG
-    settings:
-      ReconcileMembers: "true"
-    members:
-      - aludwin@google.com
-      - f.guo@alibaba-inc.com
-      - kevin.fox@pnnl.gov
-      - laetitiah@google.com
-      - ryan.j.bezdicek@gmail.com
-      - srampal@cisco.com
-      - tasha.drew@gmail.com
-      - srajakum@amazon.com
-
+  # TODO: this has never been used, decommission the subproject
   - email-id: k8s-infra-staging-txtdirect@kubernetes.io
     name: k8s-infra-staging-txtdirect
     description: |-
@@ -254,17 +174,3 @@ groups:
       ReconcileMembers: "true"
     members:
       - michaelg@okkur.org
-
-  - email-id: k8s-infra-ii-coop@kubernetes.io
-    name: k8s-infra-ii-coop
-    description: |-
-      ACL for II Coop
-    settings:
-      ReconcileMembers: "true"
-    members:
-      - bb@ii.coop
-      - caleb@ii.coop
-      - hh@ii.coop
-      - riaan@ii.coop
-      - stephen@ii.coop
-      - zz@ii.coop

groups/restrictions.yaml

@@ -7,6 +7,7 @@ restrictions:
       - "^distributors-announce@kubernetes.io$"
       - "^security@kubernetes.io$"
       - "^security-discuss-private@kubernetes.io$"
+      - "^k8s-infra-artifact-security@kubernetes.io$"
   - path: "committee-steering/groups.yaml"
     allowedGroups:
       - "^steering-private@kubernetes.io$"
@@ -15,16 +16,10 @@ restrictions:
   - path: "groups.yaml"
     allowedGroups:
       - "^leads@kubernetes.io$"
-      - "^gke-security-groups@kubernetes.io$"
-      - "^k8s-infra-artifact-security@kubernetes.io$"
-      - "^k8s-infra-rbac-triageparty-cli@kubernetes.io$"
-      - "^k8s-infra-rbac-sippy@kubernetes.io$"
       - "^k8s-infra-staging-bootkube@kubernetes.io$"
       - "^k8s-infra-staging-coredns@kubernetes.io$"
       - "^k8s-infra-staging-etcd@kubernetes.io$"
-      - "^k8s-infra-staging-multitenancy@kubernetes.io$"
       - "^k8s-infra-staging-txtdirect@kubernetes.io$"
-      - "^k8s-infra-ii-coop@kubernetes.io$"
   - path: "sig-api-machinery/groups.yaml"
     allowedGroups:
       - "^k8s-infra-staging-storage-migrator@kubernetes.io$"
@@ -41,15 +36,18 @@ restrictions:
       - "^k8s-infra-conform-s390x-k8s@kubernetes.io$"
       - "^k8s-infra-staging-apisnoop@kubernetes.io$"
       - "^k8s-infra-code-organization@kubernetes.io$"
+      - "^k8s-infra-rbac-sippy@kubernetes.io$"
   - path: "sig-auth/groups.yaml"
     allowedGroups:
       - "^k8s-infra-staging-csi-secrets-store@kubernetes.io$"
+      - "^k8s-infra-staging-multitenancy@kubernetes.io$"
   - path: "sig-autoscaling/groups.yaml"
     allowedGroups:
       - "^k8s-infra-staging-autoscaling@kubernetes.io$"
   - path: "sig-cli/groups.yaml"
     allowedGroups:
       - "^k8s-infra-staging-kustomize@kubernetes.io$"
+      - "^k8s-infra-rbac-triageparty-cli@kubernetes.io$"
   - path: "sig-cloud-provider/groups.yaml"
     allowedGroups:
       - "^k8s-infra-staging-provider-aws@kubernetes.io$"
@@ -178,6 +176,7 @@ restrictions:
       - "^k8s-infra-rbac-prow@kubernetes.io$"
   - path: "wg-k8s-infra/groups.yaml"
     allowedGroups:
+      - "^gke-security-groups@kubernetes.io$"
       - "^k8s-infra-alerts@kubernetes.io$"
       - "^k8s-infra-team-private@kubernetes.io$"
       - "^wg-k8s-infra-leads@kubernetes.io$"
@@ -196,4 +195,5 @@ restrictions:
       - "^k8s-infra-rbac-k8s-io-prod@kubernetes.io$"
       - "^k8s-infra-rbac-kubernetes-external-secrets@kubernetes.io$"
       - "^k8s-infra-staging-infra-tools@kubernetes.io$"
+      - "^k8s-infra-ii-coop@kubernetes.io$"
   - path: "**/*" # prevent any other file from containing anything

groups/sig-architecture/groups.yaml

@@ -70,6 +70,17 @@ groups:
   # - must have WhoCanViewMemberShip: "ALL_MEMBERS_CAN_VIEW"
   # - must be members of gke-security-groups@kubernetes.io
 
+  - email-id: k8s-infra-rbac-sippy@kubernetes.io
+    name: k8s-infra-rbac-sippy
+    description: |-
+      Grants access to the `namespace-user` role in the `sippy` namespace on the `aaa` cluster
+    settings:
+      ReconcileMembers: "true"
+      WhoCanViewMembership: "ALL_MEMBERS_CAN_VIEW" # required
+    members:
+      - deads@redhat.com
+      - wojtekt@google.com
+      - skuznets@redhat.com
 
   #
   # k8s-infra-conform gcs write access

groups/sig-auth/groups.yaml

@@ -30,6 +30,23 @@ groups:
       - rita.z.zhang@gmail.com
       - tommymurphy@google.com
 
+  - email-id: k8s-infra-staging-multitenancy@kubernetes.io
+    name: k8s-infra-staging-multitenancy
+    description: |-
+      ACL for multitenancy WG driven subprojects such as multi-tenancy and
+      hierachical-namespace-controller
+    settings:
+      ReconcileMembers: "true"
+    members:
+      - aludwin@google.com
+      - f.guo@alibaba-inc.com
+      - kevin.fox@pnnl.gov
+      - laetitiah@google.com
+      - ryan.j.bezdicek@gmail.com
+      - srampal@cisco.com
+      - tasha.drew@gmail.com
+      - srajakum@amazon.com
+
   #
   # k8s-infra gcs write access
   #

groups/sig-cli/groups.yaml

@@ -57,3 +57,15 @@ groups:
   # - grant access to the `namespace-user` role for a single namespace on the `aaa` cluster
   # - must have WhoCanViewMemberShip: "ALL_MEMBERS_CAN_VIEW"
   # - must be members of gke-security-groups@kubernetes.io
+
+  - email-id: k8s-infra-rbac-triageparty-cli@kubernetes.io
+    name: k8s-infra-rbac-triageparty-cli
+    description: |-
+      ACL for Bug Triage CLI Team
+    settings:
+      ReconcileMembers: "true"
+      WhoCanViewMembership: "ALL_MEMBERS_CAN_VIEW" # required
+    members:
+      - eddiezane@gmail.com
+      - kn.verey@gmail.com
+      - maszulik@redhat.com

groups/wg-k8s-infra/groups.yaml

@@ -92,6 +92,45 @@ groups:
   # required for membership in these groups.
   #
 
+  # Every RBAC group should be added here.
+  - email-id: gke-security-groups@kubernetes.io
+    name: gke-security-groups
+    description: |-
+      Security Groups for GKE clusters
+    settings:
+      ReconcileMembers: "true"
+      WhoCanViewMembership: "ALL_MEMBERS_CAN_VIEW" # needed for RBAC
+    members:
+      - k8s-infra-rbac-cert-manager@kubernetes.io
+      - k8s-infra-rbac-gcsweb@kubernetes.io
+      - k8s-infra-rbac-kettle@kubernetes.io
+      - k8s-infra-rbac-k8s-io-canary@kubernetes.io
+      - k8s-infra-rbac-k8s-io-prod@kubernetes.io
+      - k8s-infra-rbac-kubernetes-external-secrets@kubernetes.io
+      - k8s-infra-rbac-perfdash@kubernetes.io
+      - k8s-infra-rbac-prow@kubernetes.io
+      - k8s-infra-rbac-publishing-bot@kubernetes.io
+      - k8s-infra-rbac-triageparty-cli@kubernetes.io
+      - k8s-infra-rbac-triageparty-release@kubernetes.io
+      - k8s-infra-rbac-triageparty-scalability@kubernetes.io
+      - k8s-infra-rbac-sippy@kubernetes.io
+      - k8s-infra-rbac-slack-infra@kubernetes.io
+
+  # owners of the k8s-infra-ii-sandbox project, working on billing analysis
+  # for artifact hosting and registry.k8s.io
+  - email-id: k8s-infra-ii-coop@kubernetes.io
+    name: k8s-infra-ii-coop
+    description: |-
+      ACL for II Coop
+    settings:
+      ReconcileMembers: "true"
+    members:
+      - bb@ii.coop
+      - caleb@ii.coop
+      - hh@ii.coop
+      - riaan@ii.coop
+      - stephen@ii.coop
+      - zz@ii.coop
 
   # RBAC groups:
   # - grant access to the `namespace-user` role for a single namespace on the `aaa` cluster

k8s.gcr.io/README.md

@@ -15,10 +15,11 @@ to promote images to the main serving repository.
 
 ### Creating staging repos
 
-1. Create a google group for granting push access by adding an email
-alias for it in [groups.yaml] and [restrictions.yaml]. The email alias should be of the form
-`k8s-infra-staging-<project-name>@kubernetes.io`. The project name
-can have a maximum of 18 characters.
+1. Create a google group for granting push access by adding an entry in your
+SIG's groups.yaml, e.g. [sig-release/groups.yaml][/groups/sig-release/groups.yaml],
+as well as an entry in [restrictions.yaml]. The group name should be of the form
+`k8s-infra-staging-<project-name>`. The project name has a max length of 18
+characters.
 
 2. Create 3 files:
     - `images/k8s-staging-<project-name>/OWNERS`
@@ -85,7 +86,6 @@ Essentially, in order to get images published to a production repo, you have to
 use the image promotion (PR creation) process defined above.
 
 [image-pushing-readme]: https://git.k8s.io/test-infra/config/jobs/image-pushing/README.md
-[groups.yaml]: /groups/groups.yaml
 [restrictions.yaml]: /groups/restrictions.yaml
 [infra.yaml]: /infra/gcp/infra.yaml
 [staging-bash]: /infra/gcp/bash/ensure-staging-storage.sh