From f6496f2d66fd42a9d618cef04890e0db9ff9ac48 Mon Sep 17 00:00:00 2001
From: Mahamed
Date: Thu, 13 Oct 2022 10:42:53 +0100
Subject: [PATCH] fix tesgrid permissions (#3569)
---
 infra/gcp/tests/iam.tf | 19 ++++---------------
 infra/gcp/tests/prow.tf | 3 +++
 2 files changed, 7 insertions(+), 15 deletions(-)
diff --git a/infra/gcp/tests/iam.tf b/infra/gcp/tests/iam.tf
index b1556f40530..53a91c0c319 100644
--- a/infra/gcp/tests/iam.tf
+++ b/infra/gcp/tests/iam.tf
@@ -21,16 +21,6 @@ module "iam" {
 "serviceAccount:prow-deployer@knative-tests.iam.gserviceaccount.com",
 ]
- "roles/container.clusterAdmin" = [
- ],
-
- "roles/iam.serviceAccountTokenCreator" = [
- ],
-
- "roles/iam.serviceAccountUser" : [
- ],
-
-
 "roles/logging.logWriter" = [
 "serviceAccount:${google_service_account.gke_nodes.email}",
 ]
@@ -44,17 +34,16 @@ module "iam" {
 "serviceAccount:${google_service_account.grafana.email}",
 ]
+ "roles/owner" = [
+ "group:cloud-kubernetes-engprod-oncall@twosync.google.com", # Google OSS Kubernetes oncall team
+ ]
+
 "roles/pubsub.editor" : [
 "serviceAccount:prow-control-plane@knative-tests.iam.gserviceaccount.com"
 ],
 "roles/secretmanager.secretAccessor" : [
 "serviceAccount:kubernetes-external-secrets-sa@knative-tests.iam.gserviceaccount.com",
- "serviceAccount:prow-deployer@knative-tests.iam.gserviceaccount.com"
- ],
-
- "roles/secretmanager.viewer" : [
- "serviceAccount:kubernetes-external-secrets-sa@knative-tests.iam.gserviceaccount.com"
 ],
 "roles/stackdriver.resourceMetadata.writer" = [
diff --git a/infra/gcp/tests/prow.tf b/infra/gcp/tests/prow.tf
index 86c1dc47f1c..ced14528fcf 100644
--- a/infra/gcp/tests/prow.tf
+++ b/infra/gcp/tests/prow.tf
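Review bot: The `"roles/owner"` entry added in the second iam.tf hunk (`@@ -44,17 +34,16 @@`) grants a group the broadest basic role on the project, and neither the commit subject nor the inline comment explains why on-call needs Owner rather than a narrower set of predefined roles. Membership of `cloud-kubernetes-engprod-oncall@twosync.google.com` is administered outside this repository, so anyone added to that group gains full control of the project, including its IAM policy. If the grant is deliberate, I would extend the comment to record the reason and who owns the group, for example `# Break-glass access for the Google OSS Kubernetes oncall team; group membership is managed by <GROUP-OWNER>`, and otherwise replace it with the specific roles the team uses. The `module "iam"` block starts and ends outside the hunk, so whether these bindings are authoritative cannot be confirmed from here.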
@@ -111,6 +111,9 @@ resource "google_service_account_iam_binding" "testgrid_updater" {
 members = [
 "serviceAccount:knative-tests.svc.id.goog[test-pods/testgrid-updater]",
+ "serviceAccount:k8s-testgrid.svc.id.goog[knative/summarizer]",
+ "serviceAccount:k8s-testgrid.svc.id.goog[knative/tabulator]",
+ "serviceAccount:k8s-testgrid.svc.id.goog[knative/updater]",
 ]
 }
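Review bot: The three `k8s-testgrid.svc.id.goog[knative/...]` members added here let Kubernetes service accounts from another project's workload identity pool act as this Google service account, and the list carries no comment saying who operates those workloads. Trust now rests on who can create or modify the `summarizer`, `tabulator` and `updater` service accounts in the `knative` namespace of clusters in `k8s-testgrid`, which this repository does not appear to control. I would add a comment above the new entries such as `# TestGrid components hosted in the k8s-testgrid project; see <LINK-TO-OWNING-CONFIG>`, and confirm that the service account's own grants are limited to what TestGrid needs. The `role` argument and the start of the resource lie outside the hunk, so the role being bound is not visible here.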