From 1f3e2a9f59e83dc3f0fcbecf096a7e7b40d36ed7 Mon Sep 17 00:00:00 2001
From: "Suren A. Chilingaryan"
Date: Wed, 28 Feb 2018 23:46:55 +0100
Subject: First running prototype
---
 roles/ands_openshift/tasks/security_resources.yml | 36 +++++++++--------------
 roles/ands_openshift/tasks/storage_resources.yml | 7 +++--
 roles/ands_openshift/tasks/users_resources.yml | 8 +++++
 3 files changed, 27 insertions(+), 24 deletions(-)
(limited to 'roles/ands_openshift/tasks')
diff --git a/roles/ands_openshift/tasks/security_resources.yml b/roles/ands_openshift/tasks/security_resources.yml
index 5644723..5b80f1e 100644
--- a/roles/ands_openshift/tasks/security_resources.yml
+++ b/roles/ands_openshift/tasks/security_resources.yml
@@ -6,49 +6,41 @@
 - name: Patch group range in project configuration
 include_role: name="openshift_resource" tasks_from="patch.yml"
 vars:
- project: "{{ prj_item }}"
- resource: "ns/{{ prj_item }}"
- patch: '{"metadata":{"annotations":{"openshift.io/sa.scc.supplemental-groups":"{{ands_openshift_gid_ranges[prj_item]}}"}}}'
+ project: "{{ item.key }}"
+ resource: "ns/{{ item.key }}"
+ patch: '{"metadata":{"annotations":{"openshift.io/sa.scc.supplemental-groups":"{{ item.value }}"}}}'
 patch_path: "{{ ands_openshift_patch_path }}"
- with_items: "{{ (ands_openshift_gid_ranges | default({})).keys() }}"
- loop_control:
- loop_var: prj_item
+ with_dict: "{{ ands_openshift_gid_ranges | default({}) }}"
 
 - name: Patch uid range in project configuration
 include_role: name="openshift_resource" tasks_from="patch.yml"
 vars:
- project: "{{ prj_item }}"
- resource: "ns/{{ prj_item }}"
- patch: '{"metadata":{"annotations":{"openshift.io/sa.scc.uid-range":"{{ands_openshift_uid_ranges[prj_item]}}"}}}'
+ project: "{{ item.key }}"
+ resource: "ns/{{ item.key }}"
+ patch: '{"metadata":{"annotations":{"openshift.io/sa.scc.uid-range":"{{ item.value }}"}}}'
 patch_path: "{{ ands_openshift_patch_path }}"
- with_items: "{{ (ands_openshift_uid_ranges | default({})).keys() }}"
- loop_control:
- loop_var: prj_item
+ with_dict: "{{ ands_openshift_uid_ranges | default({}) }}"
 
 - name: Restrict supplementalGroups
 include_role: name="openshift_resource" tasks_from="patch.yml"
 vars:
- project: "{{ prj_item }}"
+ project: "{{ item.key }}"
 resource: "scc/restricted"
 modes: "{{ ands_openshift_gid_mode | default({}) }}"
- mode: "{{ (modes[prj_item] is defined) | ternary(modes[prj_item], modes['ands_default'] | default(false)) }}"
+ mode: "{{ modes[item.key] | default(modes['ands_default'] | default(false)) }}"
 patch: '{"supplementalGroups":{"type":"{{mode}}"}}'
 patch_path: "{{ ands_openshift_patch_path }}"
 when: mode != false
- with_items: "{{ (ands_openshift_projects | default({})).keys() }}"
- loop_control:
- loop_var: prj_item
+ with_dict: "{{ ands_openshift_projects | default({}) }}"
 
 - name: Configure runAsUser
 include_role: name="openshift_resource" tasks_from="patch.yml"
 vars:
- project: "{{ prj_item }}"
+ project: "{{ item.key }}"
 resource: "scc/restricted"
 modes: "{{ ands_openshift_uid_mode | default({}) }}"
- mode: "{{ (modes[prj_item] is defined) | ternary(modes[prj_item], modes['ands_default'] | default(false)) }}"
+ mode: "{{ modes[item.key] | default(modes['ands_default'] | default(false)) }}"
 patch: '{"runAsUser":{"type":"{{mode}}"}}'
 patch_path: "{{ ands_openshift_patch_path }}"
 when: mode != false
- with_items: "{{ (ands_openshift_projects | default({})).keys() }}"
- loop_control:
- loop_var: prj_item
+ with_dict: "{{ ands_openshift_projects | default({}) }}"
diff --git a/roles/ands_openshift/tasks/storage_resources.yml b/roles/ands_openshift/tasks/storage_resources.yml
index 5adf69e..c83c677 100644
--- a/roles/ands_openshift/tasks/storage_resources.yml
+++ b/roles/ands_openshift/tasks/storage_resources.yml
@@ -13,7 +13,7 @@
 template_path: "{{ storage_template_path }}"
 project: "{{ prj_item }}"
 recreate: "{{ result | changed | ternary (true, false) }}"
- with_items: "{{ ands_openshift_projects.keys() | union(['default']) }}"
+ with_items: "{{ ands_openshift_projects.keys() }}"
 loop_control:
 loop_var: prj_item
 
@@ -28,6 +28,9 @@
 template_path: "{{ storage_template_path }}"
 project: "{{ prj_item }}"
 recreate: "{{ result | changed | ternary (true, false) }}"
- with_items: "{{ ands_openshift_projects.keys() | union(['default']) }}"
+ with_items: "{{ ands_openshift_projects.keys() }}"
 loop_control:
 loop_var: prj_item
+
+
+
\ No newline at end of file
diff --git a/roles/ands_openshift/tasks/users_resources.yml b/roles/ands_openshift/tasks/users_resources.yml
index 5bc748c..722e1eb 100644
--- a/roles/ands_openshift/tasks/users_resources.yml
+++ b/roles/ands_openshift/tasks/users_resources.yml
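Review bot: Dropping `loop_control`/`loop_var` together with the switch to `with_dict` leaves the outer loop in Ansible's default `item` variable, and that loop wraps an `include_role` whose `patch.yml` is not visible here; if the included tasks loop on `item` themselves, the inner loop shadows `item.key`/`item.value` (Ansible warns that the loop variable is already in use) and the annotation or SCC patch is applied with the wrong project. The old `prj_item` naming looks like it existed for exactly this reason. The same applies to all four tasks in this hunk (group range, uid range, supplementalGroups, runAsUser). Keeping a distinct loop variable costs two lines per task, `loop_control:` / `  loop_var: prj`, with the references changed to `prj.key` and `prj.value`.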
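Review bot: The second hunk of storage_resources.yml appends three whitespace-only lines after `loop_var: prj_item` and drops the file's final newline (`\ No newline at end of file`); remove the added blank lines and end the file with a single newline so the next edit does not show up as a whitespace change. Both hunks make the same one-line change to the project loop, so a short comment above the first loop stating why the `default` project is no longer included would help a reader who only sees the file, for example `# storage resources are created only for configured projects`.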
@@ -19,6 +19,14 @@
 command: "oc adm new-project --description '{{ ands_openshift_projects[item] }}' {{ item }}"
 with_items: "{{ new_projects | default([]) }}"
 
+- name: Allow projects to pull images from KaaS imagestreams
+ command: "oc policy add-role-to-group system:image-puller system:serviceaccounts:{{ prj_item }} --namespace=kaas"
+ with_items: "{{ ands_openshift_projects.keys() }}"
+ when:
+ prj_item != "kaas"
+ loop_control:
+ loop_var: prj_item
+
 - name: Configure per project roles
 command: "oc adm policy add-role-to-user -n {{ item.key.split('/')[0] }} {{ item.key.split('/')[1] }} {{ item.value.replace(' ','').split(',') | join(' ') }}"
 with_dict: "{{ ands_openshift_roles }}"
-- cgit v1.2.3
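Review bot: The new task hard-codes the `kaas` namespace twice, once in `--namespace=kaas` and once in `when: prj_item != "kaas"`, so the two can drift apart; one role variable (a constructed name such as `ands_kaas_namespace`) should feed both. Because the task uses `command`, it reports `changed` on every run even when the binding already exists; registering the result and deriving `changed_when` from its output would make repeated runs report correctly, and the adjacent "Configure per project roles" task has the same issue. Since the loop runs over every configured project, every project's service accounts gain image-puller on the kaas namespace; that appears intended, but a comment saying so would help the next reader. The `when:` is written as a bare two-line plain scalar; the usual form is `when: prj_item != "kaas"` on one line.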