
Use dedicated cve-feed-maintainers group for CVE feed bucket#9081

Open
Pnkcaht wants to merge 2 commits into kubernetes:main from Pnkcaht:infra/cve-feed-maintainers-group
Conversation

@Pnkcaht Pnkcaht commented Feb 7, 2026

What this PR does

This PR completes the separation of duties for the Kubernetes CVE feed by introducing a dedicated maintainer group and aligning all related infrastructure references.

Specifically, it:

  • Replaces security-tooling-private@kubernetes.io with cve-feed-maintainers@kubernetes.io as the owner group for the k8s-cve-feed GCS bucket
  • Updates Terraform configuration to reference the new dedicated group
  • Updates the audited IAM policy to remain fully consistent with the Terraform configuration
  • Preserves all existing roles, legacy bindings, and service account permissions (no permission changes)

This ensures CVE feed alerts and access are scoped only to the appropriate maintainers while keeping prow-oncall and automation unchanged.

Related Issue

Signed-off-by: pnkcaht <samzoovsk19@gmail.com>
@k8s-ci-robot (Contributor)

Welcome @Pnkcaht!

It looks like this is your first PR to kubernetes/k8s.io 🎉. Please refer to our pull request process documentation to help your PR have a smooth ride to approval.

You will be prompted by a bot to use commands during the review process. Do not be afraid to follow the prompts! It is okay to experiment. Here is the bot commands documentation.

You can also check if kubernetes/k8s.io has its own contribution guidelines.

You may want to refer to our testing guide if you run into trouble with your tests not passing.

If you are having difficulty getting your pull request seen, please follow the recommended escalation practices. Also, for tips and tricks in the contribution process you may want to read the Kubernetes contributor cheat sheet. We want to make sure your contribution gets all the attention it needs!

Thank you, and welcome to Kubernetes. 😃

@k8s-ci-robot k8s-ci-robot added the needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. label Feb 7, 2026
@k8s-ci-robot (Contributor)

Hi @Pnkcaht. Thanks for your PR.

I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@k8s-ci-robot k8s-ci-robot added size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. labels Feb 7, 2026
@k8s-ci-robot k8s-ci-robot requested a review from hakman February 7, 2026 18:32
@k8s-ci-robot k8s-ci-robot added the area/audit Audit of project resources, audit followup issues, code in audit/ label Feb 7, 2026
@k8s-ci-robot k8s-ci-robot requested a review from upodroid February 7, 2026 18:32
@k8s-ci-robot k8s-ci-robot added area/infra Infrastructure management, infrastructure design, code in infra/ area/infra/gcp Issues or PRs related to Kubernetes GCP infrastructure area/terraform Terraform modules, testing them, writing more of them, code in infra/gcp/clusters/ sig/k8s-infra Categorizes an issue or PR as relevant to SIG K8s Infra. labels Feb 7, 2026
@PushkarJ (Member)

PushkarJ commented Feb 9, 2026

/ok-to-test
/sig security

@k8s-ci-robot k8s-ci-robot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. sig/security Categorizes an issue or PR as relevant to SIG Security. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Feb 9, 2026
@PushkarJ (Member)

PushkarJ commented Feb 9, 2026

/lgtm
/assign genpage

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Feb 9, 2026
@xmudrii xmudrii (Member) left a comment

My understanding is that the key issue is that the project is inaccessible (kubernetes/sig-security#149 (comment)). I don't think this is going to be fixed by this PR. I think that @tabbysable is correct that nested group membership is not supported, we usually add everyone to each group instead.

Member

I don't think audit files are supposed to be changed manually, but someone from @kubernetes/sig-k8s-infra-leads can correct me if I'm wrong.

Author

Sure, I don't judge

Member

We need to somehow apply this, @upodroid can we use Atlantis for this?

Author

I'll wait for his response, but in any case, depending on what it is, just let me know and I'll do it right away.

@upodroid (Member)

Please undo the change to iam.json

@upodroid (Member)

atlantis plan

Signed-off-by: pnkcaht <samzoovsk19@gmail.com>
@k8s-ci-robot k8s-ci-robot removed the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Feb 15, 2026
@k8s-ci-robot (Contributor)

New changes are detected. LGTM label has been removed.

@k8s-ci-robot (Contributor)

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: Pnkcaht
Once this PR has been reviewed and has the lgtm label, please ask for approval from genpage. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-infra-ci-robot (Contributor)

Error: User @Pnkcaht does not have permissions to execute 'plan' command.

@Pnkcaht (Author)

Pnkcaht commented Feb 15, 2026

@upodroid I applied the change and reverted the code, doing what you asked. Anyway, thank you, I understand you guys, especially since I don't yet have the "credibility" to handle highly sensitive projects. I'm an active Docker contributor, so I deal with the infrastructure directly and I'm somewhat used to it :) Thanks friend

@upodroid (Member)

atlantis plan

@k8s-infra-ci-robot (Contributor)

Ran Plan for dir: infra/gcp/terraform/kubernetes-public workspace: default

Plan Error

Show Output
running 'sh -c' '/usr/local/bin/terraform1.10.5 init -input=false -upgrade' in '/atlantis/repos/kubernetes/k8s.io/9081/default/infra/gcp/terraform/kubernetes-public': exit status 1
Initializing the backend...

Successfully configured the backend "gcs"! Terraform will automatically
use this backend unless the backend configuration changes.
Upgrading modules...
- aaa_kettle_sa in ../modules/workload-identity-service-account
Downloading registry.terraform.io/terraform-google-modules/cloud-storage/google 11.1.2 for datadog_bucket...
- datadog_bucket in .terraform/modules/datadog_bucket/modules/simple_bucket
Downloading registry.terraform.io/terraform-google-modules/kms/google 4.1.2 for datadog_bucket.encryption_key...
- datadog_bucket.encryption_key in .terraform/modules/datadog_bucket.encryption_key
Downloading registry.terraform.io/terraform-google-modules/iam/google 8.2.0 for iam...
- iam in .terraform/modules/iam/modules/projects_iam
- iam.helper in .terraform/modules/iam/modules/helper
╷
│ Error: Unexpected "data" block
│ 
│   on k8s-cve-feed.tf line 27, in locals:
│   27: data "google_service_account" "k8s_cve_feed_sa" {
│ 
│ Blocks are not allowed here.
╵

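For reference, an added illustration (not the project's own k8s-cve-feed.tf) of the layout the plan error points at: a `data` block cannot be nested inside `locals`, so the service-account lookup has to be a top-level block and `locals` may only reference it. The account id, project, role and resource names below are assumptions; only the bucket name, the data source name and the group address come from the PR.

```hcl
# Added example, not the project's configuration. The plan failed because a
# data block was written inside locals; Terraform only allows expressions
# there ("Blocks are not allowed here"). The lookup belongs at top level.

# ASSUMPTION: account_id and project are placeholders, not the real values.
data "google_service_account" "k8s_cve_feed_sa" {
  account_id = "k8s-cve-feed"
  project    = "kubernetes-public"
}

locals {
  # Principals expressed in the "type:identity" form GCS IAM expects.
  cve_feed_maintainers = "group:cve-feed-maintainers@kubernetes.io"
  cve_feed_sa          = "serviceAccount:${data.google_service_account.k8s_cve_feed_sa.email}"
}

# ASSUMPTION: the role is a placeholder; the PR only says the group becomes
# the bucket's owner group. An *_iam_member resource is additive, so the
# legacy bindings the PR promises to preserve are left untouched, whereas an
# *_iam_binding would make this list authoritative for the role.
resource "google_storage_bucket_iam_member" "cve_feed_maintainers_owner" {
  bucket = "k8s-cve-feed"
  role   = "roles/storage.legacyBucketOwner"
  member = local.cve_feed_maintainers
}
```

After moving the block, `terraform validate` in the module directory catches this class of error before Atlantis has to run a plan.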
Development

Successfully merging this pull request may close these issues.

TODO: create dedicated google group for CVE feed maintainers