From e4751f88e52aa8e89e4c94bc6fe4c3346eccf6fe Mon Sep 17 00:00:00 2001
From: "Suren A. Chilingaryan" <csa@suren.me>
Date: Tue, 20 Feb 2018 15:10:45 +0100
Subject: Handling GlusterFS storage security in OpenShift containers

---
 roles/ands_openshift/tasks/security.yml           |  3 ++
 roles/ands_openshift/tasks/security_resources.yml | 54 +++++++++++++++++++++++
 roles/ands_openshift/tasks/users_resources.yml    | 14 ++++--
 3 files changed, 67 insertions(+), 4 deletions(-)
 create mode 100644 roles/ands_openshift/tasks/security.yml
 create mode 100644 roles/ands_openshift/tasks/security_resources.yml

(limited to 'roles/ands_openshift/tasks')

diff --git a/roles/ands_openshift/tasks/security.yml b/roles/ands_openshift/tasks/security.yml
new file mode 100644
index 0000000..b1f017b
--- /dev/null
+++ b/roles/ands_openshift/tasks/security.yml
@@ -0,0 +1,3 @@
+- include_tasks: security_resources.yml
+  run_once: true
+  delegate_to: "{{ groups.masters[0] }}"
diff --git a/roles/ands_openshift/tasks/security_resources.yml b/roles/ands_openshift/tasks/security_resources.yml
new file mode 100644
index 0000000..5644723
--- /dev/null
+++ b/roles/ands_openshift/tasks/security_resources.yml
@@ -0,0 +1,54 @@
+---
+- name: Ensure OpenShift patch directory exists
+  file: path="{{ ands_openshift_patch_path }}" state="directory" mode=0644 owner=root group=root
+
+# No spaces in patch, otherwise escaping mess...
+- name: Patch group range in project configuration
+  include_role: name="openshift_resource" tasks_from="patch.yml" 
+  vars:
+    project: "{{ prj_item }}" 
+    resource: "ns/{{ prj_item }}"
+    patch: '{"metadata":{"annotations":{"openshift.io/sa.scc.supplemental-groups":"{{ands_openshift_gid_ranges[prj_item]}}"}}}'
+    patch_path: "{{ ands_openshift_patch_path }}"
+  with_items: "{{ (ands_openshift_gid_ranges | default({})).keys() }}"
+  loop_control: 
+    loop_var: prj_item
+
+- name: Patch uid range in project configuration
+  include_role: name="openshift_resource" tasks_from="patch.yml" 
+  vars:
+    project: "{{ prj_item }}" 
+    resource: "ns/{{ prj_item }}"
+    patch: '{"metadata":{"annotations":{"openshift.io/sa.scc.uid-range":"{{ands_openshift_uid_ranges[prj_item]}}"}}}'
+    patch_path: "{{ ands_openshift_patch_path }}"
+  with_items: "{{ (ands_openshift_uid_ranges | default({})).keys() }}"
+  loop_control: 
+    loop_var: prj_item
+
+- name: Restrict supplementalGroups
+  include_role: name="openshift_resource" tasks_from="patch.yml" 
+  vars:
+    project: "{{ prj_item }}" 
+    resource: "scc/restricted"
+    modes: "{{ ands_openshift_gid_mode | default({}) }}"
+    mode: "{{ (modes[prj_item] is defined) | ternary(modes[prj_item], modes['ands_default'] | default(false)) }}"
+    patch: '{"supplementalGroups":{"type":"{{mode}}"}}'
+    patch_path: "{{ ands_openshift_patch_path }}"
+  when: mode != false
+  with_items: "{{ (ands_openshift_projects | default({})).keys() }}"
+  loop_control: 
+    loop_var: prj_item
+
+- name: Configure runAsUser
+  include_role: name="openshift_resource" tasks_from="patch.yml" 
+  vars:
+    project: "{{ prj_item }}" 
+    resource: "scc/restricted"
+    modes: "{{ ands_openshift_uid_mode | default({}) }}"
+    mode: "{{ (modes[prj_item] is defined) | ternary(modes[prj_item], modes['ands_default'] | default(false)) }}"
+    patch: '{"runAsUser":{"type":"{{mode}}"}}'
+    patch_path: "{{ ands_openshift_patch_path }}"
+  when: mode != false
+  with_items: "{{ (ands_openshift_projects | default({})).keys() }}"
+  loop_control: 
+    loop_var: prj_item
diff --git a/roles/ands_openshift/tasks/users_resources.yml b/roles/ands_openshift/tasks/users_resources.yml
index 35323cb..5bc748c 100644
--- a/roles/ands_openshift/tasks/users_resources.yml
+++ b/roles/ands_openshift/tasks/users_resources.yml
@@ -2,7 +2,9 @@
 - name: Configure cluster roles
   command: "oc adm policy add-cluster-role-to-user {{  item.key.split('/')[0] }} {{ item.value.replace(' ','').split(',') | join(' ') }}"
   with_dict: "{{ ands_openshift_roles }}"
-  when: "{{ item.key.split('/') | length == 1 }}"
+  when: key_len == "1"
+  vars:
+    key_len: "{{ item.key.split('/') | length }}"
 
 - name: Get project list
   command: "oc get projects -o json"
@@ -20,7 +22,9 @@
 - name: Configure per project roles
   command: "oc adm policy add-role-to-user -n {{  item.key.split('/')[0] }} {{ item.key.split('/')[1] }} {{ item.value.replace(' ','').split(',') | join(' ') }}"
   with_dict: "{{ ands_openshift_roles }}"
-  when: "{{ item.key.split('/') | length == 2 }}"
+  when: key_len == "2"
+  vars:
+    key_len: "{{ item.key.split('/') | length }}"
 
 - name: Get user list
   command: "oc get users -o json"
@@ -31,10 +35,12 @@
   set_fact: removed_users="{{ results.stdout | from_json | json_query('items[*].metadata.name') | difference(ands_openshift_users.keys()) }}"
   when: (results | succeeded)
 
-- name: Create missing projects
+- name: Remove user authentication
   command: "oc delete identity htpasswd_auth:{{ item }}"
   with_items: "{{ removed_users | default([]) }}"
 
-- name: Create missing projects
+- name: Remove users
   command: "oc delete user {{ item }}"
   with_items: "{{ removed_users | default([]) }}"
+
+
-- 
cgit v1.2.3