
Commit 2353126

Merge pull request kubernetes#2697 from spiffxp/rm-containeranalysis-service-agent
bash/staging: remove containeranalysis service agent binding
2 parents 8b4b4ce + 8b1c54e commit 2353126


1 file changed

+29
-1
lines changed


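--- a/infra/gcp/bash/ensure-staging-storage.sh
+++ b/infra/gcp/bash/ensure-staging-storage.sh
@@ -73,7 +73,9 @@ readonly STAGING_PROJECT_SERVICES=(
 )
 
 readonly STAGING_PROJECT_DISABLED_SERVICES=(
-# Disabling per https://github.com/kubernetes/k8s.io/issues/1963
+# Disabled per https://github.com/kubernetes/k8s.io/issues/1963
+containeranalysis.googleapis.com
+# Disabled per https://github.com/kubernetes/k8s.io/issues/1963
 containerscanning.googleapis.com
 )
 
@@ -143,6 +145,10 @@ function ensure_staging_project() {
 color 6 "Ensuring disabled services for staging project: ${project}"
 ensure_disabled_services "${project}" "${STAGING_PROJECT_DISABLED_SERVICES[@]}"
 
+# TODO(spiffxp): remove when binding has been removed
+color 6 "Ensuring containeranalysis service agent binding removed for staging project: ${project}"
+ensure_removed_containeranalysis_serviceagent "${project}"
+
 # Enable image promoter access to vulnerability scanning results
 color 6 "Ensuring ${cip_principal} can view vulnernability scanning results for project: ${project}"
 ensure_project_role_binding "${project}" "${cip_principal}" "roles/containeranalysis.occurrences.viewer"
@@ -318,6 +324,28 @@ function ensure_staging_gcb_builder_service_account() {
 "${sa_email}"
 }
 
+# Ensures the containeranalysis service agent iam binding has been removed
+# from the given project (as well as any other members that happen to have
+# the service agent role)
+#
+# $1: The project name
+function ensure_removed_containeranalysis_serviceagent() {
+if [ $# != 1 ] || [ -z "$1" ]; then
+echo "${FUNCNAME[0]}(project) requires 2 arguments" >&2
+return 1
+fi
+local project="$1"
+local role="roles/containeranalysis.ServiceAgent"
+
+gcloud projects get-iam-policy "${project}" > "${TMPDIR}/iam.yaml"
+mapfile -t members < <(
+<"${TMPDIR}/iam.yaml" yq -r ".bindings | map(select(.role==\"${role}\").members) | flatten | .[]"
+)
+for member in "${members[@]}"; do
+ensure_removed_project_role_binding "${project}" "${member}" "${role}"
+done
+}
+
 #
 # Special cases
 #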
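Review bot: The argument-check message in the new ensure_removed_containeranalysis_serviceagent contradicts the check it follows: the condition is `[ $# != 1 ] || [ -z "$1" ]` but the diagnostic says "requires 2 arguments"; it should read `echo "${FUNCNAME[0]}(project) requires 1 argument" >&2`. A more consequential gap is that the exit status of `gcloud projects get-iam-policy` is never checked, and because the yq filter runs inside a process substitution its failure cannot fail `mapfile` either, so a failed or empty policy fetch leaves `members` empty and the function returns 0 with the binding removal reported as ensured when nothing was actually verified. Whether the script runs under `set -e` is not visible in this hunk, and even then that would cover only the redirected gcloud call, not the process substitution; guard the fetch explicitly with `gcloud projects get-iam-policy "${project}" > "${TMPDIR}/iam.yaml" || return 1` so the caller's ensure step fails loudly. The policy is also written to a fixed name under `${TMPDIR}`; that is fine if TMPDIR is a per-run mktemp directory set elsewhere in the script, but if it can resolve to a shared temp location a per-call `mktemp` would be the safer choice.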
