Add a new kubernetes-security-ci-logs bucket #9299

Merged
k8s-ci-robot merged 1 commit into kubernetes:main from xmudrii:k8s-sec-bucket
Apr 9, 2026

@xmudrii
Member

xmudrii commented Apr 7, 2026

This PR creates a new bucket called k8s-security-ci-logs that will be used for storing logs for jobs that are running in the kubernetes-security organization.

The access to this bucket is granted to:

  • SIG K8s Infra Leads
  • Prow Oncall (currently unstaffed)
  • Prow control plane

The log retention is 14 days (instead of 90 days for the non-security bucket), but this can be adjusted further if needed.

Other needed components will be created in a follow-up PR.

/assign @upodroid
cc @Vyom-Yadav

@k8s-ci-robot k8s-ci-robot added the cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. label Apr 7, 2026
@k8s-ci-robot k8s-ci-robot requested review from GenPage and hakman April 7, 2026 08:38
@k8s-ci-robot k8s-ci-robot added area/infra Infrastructure management, infrastructure design, code in infra/ area/infra/gcp Issues or PRs related to Kubernetes GCP infrastructure area/terraform Terraform modules, testing them, writing more of them, code in infra/gcp/clusters/ sig/k8s-infra Categorizes an issue or PR as relevant to SIG K8s Infra. size/S Denotes a PR that changes 10-29 lines, ignoring generated files. approved Indicates a PR has been approved by an approver from all required OWNERS files. labels Apr 7, 2026

@xmudrii
Member Author

xmudrii commented Apr 7, 2026

atlantis plan

@k8s-ci-robot k8s-ci-robot added size/M Denotes a PR that changes 30-99 lines, ignoring generated files. and removed size/S Denotes a PR that changes 10-29 lines, ignoring generated files. labels Apr 9, 2026
@k8s-ci-robot k8s-ci-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Apr 9, 2026
@k8s-ci-robot k8s-ci-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Apr 9, 2026

@upodroid
Member

upodroid commented Apr 9, 2026

atlantis apply

Signed-off-by: Marko Mudrinić <mudrinic.mare@gmail.com>
@k8s-infra-ci-robot
Contributor

Ran Plan for dir: infra/gcp/terraform/k8s-infra-prow workspace: default

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
+ create
~ update in-place

Terraform will perform the following actions:

  # google_iam_workload_identity_pool_provider.s390x will be updated in-place
~ resource "google_iam_workload_identity_pool_provider" "s390x" {
        id                                 = "projects/k8s-infra-prow/locations/global/workloadIdentityPools/ibm-clusters/providers/s390x"
        name                               = "projects/16065310909/locations/global/workloadIdentityPools/ibm-clusters/providers/s390x"
        # (9 unchanged attributes hidden)

      ~ oidc {
          ~ jwks_json         = jsonencode( # whitespace changes
                {
                    keys = [
                        {
                            alg = "RS256"
                            e   = "AQAB"
                            kid = "pW5IxvjkcZZfO3wT4fj_DPsrl_-CEsl_NxYrDWN0q0w"
                            kty = "RSA"
                            n   = "lwAa1E91aQRA23MQ6AoSDIrxDqJVVVYrKicKc_xhvuIrjarK5-Oz7NDitY9xcHHhF1TK3RbQErQEFjzudb-AEuDqJCLGJuKj0dPyPDwiRUgU6mbC5U0e2z0k0IPnIe__53ty1N2s6SY_Ra1PBppXKp53OhUj62UqZhRs606fnk2aCO-MMNNJ-hkj2kht36cMhU-xQzIBrFVbohSJ6Y1_6ATOIa8F8ExyVoPIJmM0-9VEdMVQKpWu1zzjUxz0R1VHmCMT2YpAnZ-TVe_4rfOGHyCQNaMOKwh6cKy17QD1gTCPQZQTkSW2HnA8m5tB0LS5cbhzscBvdvprzWSnc1ZnUQ"
                            use = "sig"
                        },
                    ]
                }
            )
            # (2 unchanged attributes hidden)
        }
    }

  # module.prow_security_bucket.google_storage_bucket.bucket will be created
+ resource "google_storage_bucket" "bucket" {
      + effective_labels            = {
          + "goog-terraform-provisioned" = "true"
        }
      + force_destroy               = false
      + id                          = (known after apply)
      + location                    = "US-CENTRAL1"
      + name                        = "k8s-security-ci-logs"
      + project                     = "k8s-infra-prow"
      + project_number              = (known after apply)
      + public_access_prevention    = "inherited"
      + rpo                         = (known after apply)
      + self_link                   = (known after apply)
      + storage_class               = "STANDARD"
      + terraform_labels            = {
          + "goog-terraform-provisioned" = "true"
        }
      + time_created                = (known after apply)
      + uniform_bucket_level_access = true
      + updated                     = (known after apply)
      + url                         = (known after apply)

      + autoclass {
          + enabled                = false
          + terminal_storage_class = (known after apply)
        }

      + hierarchical_namespace {
          + enabled = false
        }

      + lifecycle_rule {
          + action {
              + type          = "Delete"
                # (1 unchanged attribute hidden)
            }
          + condition {
              + age                    = 14
              + matches_prefix         = []
              + matches_storage_class  = []
              + matches_suffix         = []
              + with_state             = "ANY"
                # (3 unchanged attributes hidden)
            }
        }

      + soft_delete_policy {
          + effective_time             = (known after apply)
          + retention_duration_seconds = 604800
        }

      + versioning {
          + enabled = true
        }

      + website (known after apply)
    }

  # module.prow_security_bucket.google_storage_bucket_iam_member.members["roles/storage.objectAdmin serviceAccount:prow-control-plane@k8s-infra-prow.iam.gserviceaccount.com"] will be created
+ resource "google_storage_bucket_iam_member" "members" {
      + bucket = "k8s-security-ci-logs"
      + etag   = (known after apply)
      + id     = (known after apply)
      + member = "serviceAccount:prow-control-plane@k8s-infra-prow.iam.gserviceaccount.com"
      + role   = "roles/storage.objectAdmin"
    }

Plan: 2 to add, 1 to change, 0 to destroy.
  • ▶️ To apply this plan, comment:
    atlantis apply -d infra/gcp/terraform/k8s-infra-prow
  • 🚮 To delete this plan and lock, click here
  • 🔁 To plan this project again, comment:
    atlantis plan -d infra/gcp/terraform/k8s-infra-prow

Plan: 2 to add, 1 to change, 0 to destroy.


  • ⏩ To apply all unapplied plans from this Pull Request, comment:
    atlantis apply
  • 🚮 To delete all plans and locks from this Pull Request, comment:
    atlantis unlock
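
A check a reviewer could run against this plan before commenting `atlantis apply`, as an added example that is not part of the PR or of the kubernetes/k8s.io tooling: it confirms that the bucket keeps uniform bucket-level access, has a Delete rule at or under the stated 14 days, and that no IAM member outside an expected set is granted a role. It assumes the plan was exported with `terraform show -json`; `check_plan`, the trimmed sample, and the allow-list (the single member shown in the plan) are assumptions.

```python
import json

# Constructed sample: the shape `terraform show -json <planfile>` emits, trimmed
# to the fields checked below and filled with values from the plan above.
PLAN_JSON = """
{"resource_changes": [
  {"address": "module.prow_security_bucket.google_storage_bucket.bucket",
   "type": "google_storage_bucket",
   "change": {"actions": ["create"], "after": {
     "name": "k8s-security-ci-logs",
     "uniform_bucket_level_access": true,
     "lifecycle_rule": [{"action": [{"type": "Delete"}],
                         "condition": [{"age": 14}]}]}}},
  {"address": "module.prow_security_bucket.google_storage_bucket_iam_member.members",
   "type": "google_storage_bucket_iam_member",
   "change": {"actions": ["create"], "after": {
     "bucket": "k8s-security-ci-logs",
     "role": "roles/storage.objectAdmin",
     "member": "serviceAccount:prow-control-plane@k8s-infra-prow.iam.gserviceaccount.com"}}}
]}
"""
PUBLIC = {"allUsers", "allAuthenticatedUsers"}

def check_plan(plan, bucket, max_age_days, allowed_members):
    """Return findings for `bucket` (hypothetical helper); [] means the plan passes."""
    findings = []
    for rc in plan.get("resource_changes", []):
        after = rc["change"].get("after") or {}  # "after" is null when a resource is deleted
        if rc["type"] == "google_storage_bucket" and after.get("name") == bucket:
            if not after.get("uniform_bucket_level_access"):
                findings.append("uniform bucket-level access is off")
            # Ages of every lifecycle rule whose action deletes objects.
            ages = [cond["age"] for rule in after.get("lifecycle_rule", [])
                    if any(a.get("type") == "Delete" for a in rule.get("action", []))
                    for cond in rule.get("condition", []) if cond.get("age") is not None]
            if not ages or min(ages) > max_age_days:
                findings.append(f"no Delete rule at or under {max_age_days} days")
        elif rc["type"] == "google_storage_bucket_iam_member" and after.get("bucket") == bucket:
            member, role = after.get("member", ""), after.get("role")
            if member in PUBLIC:
                findings.append(f"public principal {member} gets {role}")
            elif member not in allowed_members:
                findings.append(f"unexpected member {member} gets {role}")
    return findings

if __name__ == "__main__":
    allowed = {"serviceAccount:prow-control-plane@k8s-infra-prow.iam.gserviceaccount.com"}
    print(check_plan(json.loads(PLAN_JSON), "k8s-security-ci-logs", 14, allowed) or "plan OK")
```

Only `google_storage_bucket_iam_member` resources are inspected; grants made through `google_storage_bucket_iam_binding` or `google_storage_bucket_iam_policy` would need their own branch.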

@xmudrii
Member Author

xmudrii commented Apr 9, 2026

atlantis apply

@k8s-infra-ci-robot
Contributor

Ran Apply for dir: infra/gcp/terraform/k8s-infra-prow workspace: default

google_iam_workload_identity_pool_provider.s390x: Modifying... [id=projects/k8s-infra-prow/locations/global/workloadIdentityPools/ibm-clusters/providers/s390x]
module.prow_security_bucket.google_storage_bucket.bucket: Creating...
module.prow_security_bucket.google_storage_bucket.bucket: Creation complete after 1s [id=k8s-security-ci-logs]
module.prow_security_bucket.google_storage_bucket_iam_member.members["roles/storage.objectAdmin serviceAccount:prow-control-plane@k8s-infra-prow.iam.gserviceaccount.com"]: Creating...
module.prow_security_bucket.google_storage_bucket_iam_member.members["roles/storage.objectAdmin serviceAccount:prow-control-plane@k8s-infra-prow.iam.gserviceaccount.com"]: Creation complete after 3s [id=b/k8s-security-ci-logs/roles/storage.objectAdmin/serviceAccount:prow-control-plane@k8s-infra-prow.iam.gserviceaccount.com]
google_iam_workload_identity_pool_provider.s390x: Still modifying... [id=projects/k8s-infra-prow/locations/globa...tityPools/ibm-clusters/providers/s390x, 10s elapsed]
google_iam_workload_identity_pool_provider.s390x: Modifications complete after 10s [id=projects/k8s-infra-prow/locations/global/workloadIdentityPools/ibm-clusters/providers/s390x]

Apply complete! Resources: 2 added, 1 changed, 0 destroyed.

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Apr 9, 2026
@k8s-ci-robot
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: upodroid, xmudrii

@k8s-ci-robot k8s-ci-robot merged commit 6ad4027 into kubernetes:main Apr 9, 2026
7 checks passed
@k8s-ci-robot k8s-ci-robot added this to the v1.36 milestone Apr 9, 2026
@k8s-infra-ci-robot
Contributor

Locks and plans deleted for the projects and workspaces modified in this pull request:

  • dir: infra/gcp/terraform/k8s-infra-prow workspace: default

@xmudrii xmudrii deleted the k8s-sec-bucket branch April 9, 2026 19:01