Allow troubleshooting group memberhip

[spiffxp]

https://console.cloud.google.com/iam-admin/troubleshooter and gcloud policy-troubleshoot iam are pretty useful to figure out why someone does or does not have permissions to a specific resource. However, we lack permission to look at group membership, so this tool is really only useful for service accounts at the moment.

https://cloud.google.com/iam/docs/troubleshooting-access#troubleshooting_group_membership says we need to be granted groups.read privilege to do this. They recommend making a custom role including just that privilege, and then assigning to a user.

Since our contributors are not gsuite members, we setup (via https://github.com/kubernetes/k8s.io/issues/228):

• a wg-k8s-infra-api@kubernetes.io user
• a gsuite-groups-manager@k8s-gsuite.iam.gserviceaccount.com service account
• but these both have more than readonly privileges
• and lack many other cloud roles to effectively use troubleshooter (I'd like to keep it that way)

https://developers.google.com/admin-sdk/directory/v1/guides/delegation#delegate_domain-wide_authority_to_your_service_account describes how to do this. I think I'd like to give k8s-infra-gcp-auditor@kubernetes-public.iam.gserviceaccount.com some readonly scopes to be able to use the troubleshooter. Based on my read of https://developers.google.com/admin-sdk/directory/v1/guides/authorizing..

• https://www.googleapis.com/auth/admin.directory.group.readonly
• https://www.googleapis.com/auth/admin.directory.group.member.readonly
• https://www.googleapis.com/auth/admin.directory.user.readonly
• https://www.googleapis.com/auth/admin.directory.rolemanagement.readonly

/wg k8s-infra /area access /area infra/auditing /priority backlog

/committee steering /assign @dims Since I need someone with an scN@ account, and I helped dims out last time we tried getting access to the admin api

[fejta-bot]

Issues go stale after 90d of inactivity. Mark the issue as fresh with /remove-lifecycle stale. Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale

[spiffxp]

/remove-lifecycle stale

[spiffxp]

/milestone v1.23

[ameukam]

/milestone v1.24

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue or PR as fresh with /remove-lifecycle stale
• Mark this issue or PR as rotten with /lifecycle rotten
• Close this issue or PR with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

[ameukam]

/remove-lifecycle stale

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue or PR as fresh with /remove-lifecycle stale
• Mark this issue or PR as rotten with /lifecycle rotten
• Close this issue or PR with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

[ameukam]

/remove-lifecycle stale /milestone clear /lifeccyle frozen

[ameukam]

/lifecycle frozen