Open spiffxp opened 3 years ago
Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.
Send feedback to sig-contributor-experience at kubernetes/community.
/lifecycle stale
/remove-lifecycle stale
/milestone v1.23
/milestone v1.24
The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.
This bot triages issues and PRs according to the following rules:
lifecycle/stale is applied
lifecycle/stale was applied, lifecycle/rotten is applied
lifecycle/rotten was applied, the issue is closed
You can:
/remove-lifecycle stale
/lifecycle rotten
/close
Please send feedback to sig-contributor-experience at kubernetes/community.
/lifecycle stale
/remove-lifecycle stale
/remove-lifecycle stale
/milestone clear
/lifeccyle frozen
/lifecycle frozen
https://console.cloud.google.com/iam-admin/troubleshooter and gcloud policy-troubleshoot iam are pretty useful to figure out why someone does or does not have permissions to a specific resource. However, we lack permission to look at group membership, so this tool is really only useful for service accounts at the moment.

https://cloud.google.com/iam/docs/troubleshooting-access#troubleshooting_group_membership says we need to be granted groups.read privilege to do this. They recommend making a custom role including just that privilege, and then assigning to a user.

Since our contributors are not gsuite members, we set up (via https://github.com/kubernetes/k8s.io/issues/228):
wg-k8s-infra-api@kubernetes.io user
gsuite-groups-manager@k8s-gsuite.iam.gserviceaccount.com service account

https://developers.google.com/admin-sdk/directory/v1/guides/delegation#delegate_domain-wide_authority_to_your_service_account describes how to do this. I think I'd like to give k8s-infra-gcp-auditor@kubernetes-public.iam.gserviceaccount.com some readonly scopes to be able to use the troubleshooter. Based on my read of https://developers.google.com/admin-sdk/directory/v1/guides/authorizing..
https://www.googleapis.com/auth/admin.directory.group.readonly
https://www.googleapis.com/auth/admin.directory.group.member.readonly
https://www.googleapis.com/auth/admin.directory.user.readonly
https://www.googleapis.com/auth/admin.directory.rolemanagement.readonly

/wg k8s-infra
/area access
/area infra/auditing
/priority backlog
/committee steering
/assign @dims
Since I need someone with an scN@ account, and I helped dims out last time we tried getting access to the admin api
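
An added example, not part of the original issue or of any kubernetes/k8s.io tooling: a small check that compares the scopes actually entered for a domain-wide delegation grant against the four read-only scopes proposed above, and flags anything missing or broader. The function names and the sample grant string are assumptions constructed for illustration.

```python
PREFIX = "https://www.googleapis.com/auth/"

# The four read-only scopes proposed in the issue for the auditor service account.
PROPOSED_SCOPES = frozenset(PREFIX + s for s in (
    "admin.directory.group.readonly",
    "admin.directory.group.member.readonly",
    "admin.directory.user.readonly",
    "admin.directory.rolemanagement.readonly",
))

# Constructed sample: a grant where the read-write group scope was entered
# instead of group.readonly, and the rolemanagement scope was left out.
SAMPLE_GRANT = (
    PREFIX + "admin.directory.group, "
    + PREFIX + "admin.directory.group.member.readonly,"
    + PREFIX + "admin.directory.user.readonly"
)


def parse_scopes(raw):
    """Split a scope list that is comma and/or whitespace separated."""
    return set(raw.replace(",", " ").split())


def audit_grant(raw_scopes, allowed=PROPOSED_SCOPES):
    """Classify every difference between the granted scopes and the allowlist."""
    granted = parse_scopes(raw_scopes)
    extra = granted - allowed
    return {
        "ok": granted == allowed,
        "missing": sorted(allowed - granted),
        # Off the allowlist but still read-only: needs review before keeping.
        "unexpected_readonly": sorted(s for s in extra if s.endswith(".readonly")),
        # No .readonly suffix: treat as potentially write-capable and reject.
        "not_readonly": sorted(s for s in extra if not s.endswith(".readonly")),
    }


if __name__ == "__main__":
    for key, value in audit_grant(SAMPLE_GRANT).items():
        print(f"{key}: {value}")
```
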