diff options
author | Suren A. Chilingaryan <csa@suren.me> | 2018-02-20 15:10:45 +0100 |
---|---|---|
committer | Suren A. Chilingaryan <csa@suren.me> | 2018-02-20 15:10:45 +0100 |
commit | e4751f88e52aa8e89e4c94bc6fe4c3346eccf6fe (patch) | |
tree | 3a8a420d8d26e616491f31b322a006dd2b3e0e1c /roles/ands_openshift/tasks | |
parent | 96ced00e05b50f276841a9212ae89e018de4d92d (diff) | |
download | ands-e4751f88e52aa8e89e4c94bc6fe4c3346eccf6fe.tar.gz ands-e4751f88e52aa8e89e4c94bc6fe4c3346eccf6fe.tar.bz2 ands-e4751f88e52aa8e89e4c94bc6fe4c3346eccf6fe.tar.xz ands-e4751f88e52aa8e89e4c94bc6fe4c3346eccf6fe.zip |
Handling GlusterFS storage security in OpenShift containers
Diffstat (limited to 'roles/ands_openshift/tasks')
-rw-r--r-- | roles/ands_openshift/tasks/security.yml | 3 | ||||
-rw-r--r-- | roles/ands_openshift/tasks/security_resources.yml | 54 | ||||
-rw-r--r-- | roles/ands_openshift/tasks/users_resources.yml | 14 |
3 files changed, 67 insertions, 4 deletions
diff --git a/roles/ands_openshift/tasks/security.yml b/roles/ands_openshift/tasks/security.yml new file mode 100644 index 0000000..b1f017b --- /dev/null +++ b/roles/ands_openshift/tasks/security.yml @@ -0,0 +1,3 @@ +- include_tasks: security_resources.yml + run_once: true + delegate_to: "{{ groups.masters[0] }}" diff --git a/roles/ands_openshift/tasks/security_resources.yml b/roles/ands_openshift/tasks/security_resources.yml new file mode 100644 index 0000000..5644723 --- /dev/null +++ b/roles/ands_openshift/tasks/security_resources.yml @@ -0,0 +1,54 @@ +--- +- name: Ensure OpenShift patch directory exists + file: path="{{ ands_openshift_patch_path }}" state="directory" mode=0644 owner=root group=root + +# No spaces in patch, otherwise escaping mess... +- name: Patch group range in project configuration + include_role: name="openshift_resource" tasks_from="patch.yml" + vars: + project: "{{ prj_item }}" + resource: "ns/{{ prj_item }}" + patch: '{"metadata":{"annotations":{"openshift.io/sa.scc.supplemental-groups":"{{ands_openshift_gid_ranges[prj_item]}}"}}}' + patch_path: "{{ ands_openshift_patch_path }}" + with_items: "{{ (ands_openshift_gid_ranges | default({})).keys() }}" + loop_control: + loop_var: prj_item + +- name: Patch uid range in project configuration + include_role: name="openshift_resource" tasks_from="patch.yml" + vars: + project: "{{ prj_item }}" + resource: "ns/{{ prj_item }}" + patch: '{"metadata":{"annotations":{"openshift.io/sa.scc.uid-range":"{{ands_openshift_uid_ranges[prj_item]}}"}}}' + patch_path: "{{ ands_openshift_patch_path }}" + with_items: "{{ (ands_openshift_uid_ranges | default({})).keys() }}" + loop_control: + loop_var: prj_item + +- name: Restrict supplementalGroups + include_role: name="openshift_resource" tasks_from="patch.yml" + vars: + project: "{{ prj_item }}" + resource: "scc/restricted" + modes: "{{ ands_openshift_gid_mode | default({}) }}" + mode: "{{ (modes[prj_item] is defined) | ternary(modes[prj_item], modes['ands_default'] | default(false)) }}" + patch: '{"supplementalGroups":{"type":"{{mode}}"}}' + patch_path: "{{ ands_openshift_patch_path }}" + when: mode != false + with_items: "{{ (ands_openshift_projects | default({})).keys() }}" + loop_control: + loop_var: prj_item + +- name: Configure runAsUser + include_role: name="openshift_resource" tasks_from="patch.yml" + vars: + project: "{{ prj_item }}" + resource: "scc/restricted" + modes: "{{ ands_openshift_uid_mode | default({}) }}" + mode: "{{ (modes[prj_item] is defined) | ternary(modes[prj_item], modes['ands_default'] | default(false)) }}" + patch: '{"runAsUser":{"type":"{{mode}}"}}' + patch_path: "{{ ands_openshift_patch_path }}" + when: mode != false + with_items: "{{ (ands_openshift_projects | default({})).keys() }}" + loop_control: + loop_var: prj_item diff --git a/roles/ands_openshift/tasks/users_resources.yml b/roles/ands_openshift/tasks/users_resources.yml index 35323cb..5bc748c 100644 --- a/roles/ands_openshift/tasks/users_resources.yml +++ b/roles/ands_openshift/tasks/users_resources.yml @@ -2,7 +2,9 @@ - name: Configure cluster roles command: "oc adm policy add-cluster-role-to-user {{ item.key.split('/')[0] }} {{ item.value.replace(' ','').split(',') | join(' ') }}" with_dict: "{{ ands_openshift_roles }}" - when: "{{ item.key.split('/') | length == 1 }}" + when: key_len == "1" + vars: + key_len: "{{ item.key.split('/') | length }}" - name: Get project list command: "oc get projects -o json" @@ -20,7 +22,9 @@ - name: Configure per project roles command: "oc adm policy add-role-to-user -n {{ item.key.split('/')[0] }} {{ item.key.split('/')[1] }} {{ item.value.replace(' ','').split(',') | join(' ') }}" with_dict: "{{ ands_openshift_roles }}" - when: "{{ item.key.split('/') | length == 2 }}" + when: key_len == "2" + vars: + key_len: "{{ item.key.split('/') | length }}" - name: Get user list command: "oc get users -o json" @@ -31,10 +35,12 @@ set_fact: removed_users="{{ results.stdout | from_json | json_query('items[*].metadata.name') | difference(ands_openshift_users.keys()) }}" when: (results | succeeded) -- name: Create missing projects +- name: Remove user authentication command: "oc delete identity htpasswd_auth:{{ item }}" with_items: "{{ removed_users | default([]) }}" -- name: Create missing projects +- name: Remove users command: "oc delete user {{ item }}" with_items: "{{ removed_users | default([]) }}" + + |