From e4751f88e52aa8e89e4c94bc6fe4c3346eccf6fe Mon Sep 17 00:00:00 2001 From: "Suren A. Chilingaryan" Date: Tue, 20 Feb 2018 15:10:45 +0100 Subject: Handling GlusterFS storage security in OpenShift containers --- roles/ands_openshift/tasks/security_resources.yml | 54 +++++++++++++++++++++++ 1 file changed, 54 insertions(+) create mode 100644 roles/ands_openshift/tasks/security_resources.yml (limited to 'roles/ands_openshift/tasks/security_resources.yml')
diff --git a/roles/ands_openshift/tasks/security_resources.yml b/roles/ands_openshift/tasks/security_resources.yml
new file mode 100644
index 0000000..5644723
--- /dev/null
+++ b/roles/ands_openshift/tasks/security_resources.yml
@@ -0,0 +1,54 @@
+---
+- name: Ensure OpenShift patch directory exists
+  file: path="{{ ands_openshift_patch_path }}" state="directory" mode=0644 owner=root group=root
+
+# No spaces in patch, otherwise escaping mess...
+- name: Patch group range in project configuration
+  include_role: name="openshift_resource" tasks_from="patch.yml"
+  vars:
+    project: "{{ prj_item }}"
+    resource: "ns/{{ prj_item }}"
+    patch: '{"metadata":{"annotations":{"openshift.io/sa.scc.supplemental-groups":"{{ands_openshift_gid_ranges[prj_item]}}"}}}'
+    patch_path: "{{ ands_openshift_patch_path }}"
+  with_items: "{{ (ands_openshift_gid_ranges | default({})).keys() }}"
+  loop_control:
+    loop_var: prj_item
+
+- name: Patch uid range in project configuration
+  include_role: name="openshift_resource" tasks_from="patch.yml"
+  vars:
+    project: "{{ prj_item }}"
+    resource: "ns/{{ prj_item }}"
+    patch: '{"metadata":{"annotations":{"openshift.io/sa.scc.uid-range":"{{ands_openshift_uid_ranges[prj_item]}}"}}}'
+    patch_path: "{{ ands_openshift_patch_path }}"
+  with_items: "{{ (ands_openshift_uid_ranges | default({})).keys() }}"
+  loop_control:
+    loop_var: prj_item
+
+- name: Restrict supplementalGroups
+  include_role: name="openshift_resource" tasks_from="patch.yml"
+  vars:
+    project: "{{ prj_item }}"
+    resource: "scc/restricted"
+    modes: "{{ ands_openshift_gid_mode | default({}) }}"
+    mode: "{{ (modes[prj_item] is defined) | ternary(modes[prj_item], modes['ands_default'] | default(false)) }}"
+    patch: '{"supplementalGroups":{"type":"{{mode}}"}}'
+    patch_path: "{{ ands_openshift_patch_path }}"
+  when: mode != false
+  with_items: "{{ (ands_openshift_projects | default({})).keys() }}"
+  loop_control:
+    loop_var: prj_item
+
+- name: Configure runAsUser
+  include_role: name="openshift_resource" tasks_from="patch.yml"
+  vars:
+    project: "{{ prj_item }}"
+    resource: "scc/restricted"
+    modes: "{{ ands_openshift_uid_mode | default({}) }}"
+    mode: "{{ (modes[prj_item] is defined) | ternary(modes[prj_item], modes['ands_default'] | default(false)) }}"
+    patch: '{"runAsUser":{"type":"{{mode}}"}}'
+    patch_path: "{{ ands_openshift_patch_path }}"
+  when: mode != false
+  with_items: "{{ (ands_openshift_projects | default({})).keys() }}"
+  loop_control:
+    loop_var: prj_item
-- cgit v1.2.3
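Review bot: The two SCC tasks ("Restrict supplementalGroups" and "Configure runAsUser") loop over every project but patch the same cluster-scoped object, `resource: "scc/restricted"`, so each iteration overwrites the previous one and whichever project is iterated last decides the `supplementalGroups`/`runAsUser` type for every namespace that uses the restricted SCC, not just `prj_item`; with a permissive value such as `RunAsAny` that is a cluster-wide relaxation rather than a per-project one. If per-project behaviour is intended, the per-project modes should feed a project-specific SCC (or the namespace annotations the first two tasks already patch), or only `ands_default` should be consulted and the loop dropped; at minimum a comment above `- name: Restrict supplementalGroups` should state `# NOTE: scc/restricted is cluster-scoped; this mode applies to all namespaces`. Separately, `mode=0644` on `state="directory"` leaves the directory without the execute bit, so only root can enter it; `mode: "0755"` (or `"0750"`) is the usual directory mode, and spelling the `file:` arguments out as block YAML avoids the key=value string form and the unquoted octal. The hand-assembled JSON in the `patch:` values is also brittle — a range or mode value containing `"` breaks the patch — and building the mapping in Jinja followed by `| to_json` would remove the quoting constraint that the `# No spaces in patch` comment works around.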