From e4751f88e52aa8e89e4c94bc6fe4c3346eccf6fe Mon Sep 17 00:00:00 2001 From: "Suren A. Chilingaryan" Date: Tue, 20 Feb 2018 15:10:45 +0100 Subject: Handling GlusterFS storage security in OpenShift containers --- roles/ands_openshift/tasks/security.yml | 3 ++ roles/ands_openshift/tasks/security_resources.yml | 54 +++++++++++++++++++++++ roles/ands_openshift/tasks/users_resources.yml | 14 ++++-- 3 files changed, 67 insertions(+), 4 deletions(-) create mode 100644 roles/ands_openshift/tasks/security.yml create mode 100644 roles/ands_openshift/tasks/security_resources.yml (limited to 'roles/ands_openshift/tasks') diff --git a/roles/ands_openshift/tasks/security.yml b/roles/ands_openshift/tasks/security.yml new file mode 100644 index 0000000..b1f017b --- /dev/null +++ b/roles/ands_openshift/tasks/security.yml @@ -0,0 +1,3 @@ +- include_tasks: security_resources.yml + run_once: true + delegate_to: "{{ groups.masters[0] }}" diff --git a/roles/ands_openshift/tasks/security_resources.yml b/roles/ands_openshift/tasks/security_resources.yml new file mode 100644 index 0000000..5644723 --- /dev/null +++ b/roles/ands_openshift/tasks/security_resources.yml @@ -0,0 +1,54 @@ +--- +- name: Ensure OpenShift patch directory exists + file: path="{{ ands_openshift_patch_path }}" state="directory" mode=0644 owner=root group=root + +# No spaces in patch, otherwise escaping mess... +- name: Patch group range in project configuration + include_role: name="openshift_resource" tasks_from="patch.yml" + vars: + project: "{{ prj_item }}" + resource: "ns/{{ prj_item }}" + patch: '{"metadata":{"annotations":{"openshift.io/sa.scc.supplemental-groups":"{{ands_openshift_gid_ranges[prj_item]}}"}}}' + patch_path: "{{ ands_openshift_patch_path }}" + with_items: "{{ (ands_openshift_gid_ranges | default({})).keys() }}" + loop_control: + loop_var: prj_item + +- name: Patch uid range in project configuration + include_role: name="openshift_resource" tasks_from="patch.yml" + vars: + project: "{{ prj_item }}" + resource: "ns/{{ prj_item }}" + patch: '{"metadata":{"annotations":{"openshift.io/sa.scc.uid-range":"{{ands_openshift_uid_ranges[prj_item]}}"}}}' + patch_path: "{{ ands_openshift_patch_path }}" + with_items: "{{ (ands_openshift_uid_ranges | default({})).keys() }}" + loop_control: + loop_var: prj_item + +- name: Restrict supplementalGroups + include_role: name="openshift_resource" tasks_from="patch.yml" + vars: + project: "{{ prj_item }}" + resource: "scc/restricted" + modes: "{{ ands_openshift_gid_mode | default({}) }}" + mode: "{{ (modes[prj_item] is defined) | ternary(modes[prj_item], modes['ands_default'] | default(false)) }}" + patch: '{"supplementalGroups":{"type":"{{mode}}"}}' + patch_path: "{{ ands_openshift_patch_path }}" + when: mode != false + with_items: "{{ (ands_openshift_projects | default({})).keys() }}" + loop_control: + loop_var: prj_item + +- name: Configure runAsUser + include_role: name="openshift_resource" tasks_from="patch.yml" + vars: + project: "{{ prj_item }}" + resource: "scc/restricted" + modes: "{{ ands_openshift_uid_mode | default({}) }}" + mode: "{{ (modes[prj_item] is defined) | ternary(modes[prj_item], modes['ands_default'] | default(false)) }}" + patch: '{"runAsUser":{"type":"{{mode}}"}}' + patch_path: "{{ ands_openshift_patch_path }}" + when: mode != false + with_items: "{{ (ands_openshift_projects | default({})).keys() }}" + loop_control: + loop_var: prj_item diff --git a/roles/ands_openshift/tasks/users_resources.yml b/roles/ands_openshift/tasks/users_resources.yml index 35323cb..5bc748c 100644 --- a/roles/ands_openshift/tasks/users_resources.yml +++ b/roles/ands_openshift/tasks/users_resources.yml @@ -2,7 +2,9 @@ - name: Configure cluster roles command: "oc adm policy add-cluster-role-to-user {{ item.key.split('/')[0] }} {{ item.value.replace(' ','').split(',') | join(' ') }}" with_dict: "{{ ands_openshift_roles }}" - when: "{{ item.key.split('/') | length == 1 }}" + when: key_len == "1" + vars: + key_len: "{{ item.key.split('/') | length }}" - name: Get project list command: "oc get projects -o json" @@ -20,7 +22,9 @@ - name: Configure per project roles command: "oc adm policy add-role-to-user -n {{ item.key.split('/')[0] }} {{ item.key.split('/')[1] }} {{ item.value.replace(' ','').split(',') | join(' ') }}" with_dict: "{{ ands_openshift_roles }}" - when: "{{ item.key.split('/') | length == 2 }}" + when: key_len == "2" + vars: + key_len: "{{ item.key.split('/') | length }}" - name: Get user list command: "oc get users -o json" @@ -31,10 +35,12 @@ set_fact: removed_users="{{ results.stdout | from_json | json_query('items[*].metadata.name') | difference(ands_openshift_users.keys()) }}" when: (results | succeeded) -- name: Create missing projects +- name: Remove user authentication command: "oc delete identity htpasswd_auth:{{ item }}" with_items: "{{ removed_users | default([]) }}" -- name: Create missing projects +- name: Remove users command: "oc delete user {{ item }}" with_items: "{{ removed_users | default([]) }}" + + -- cgit v1.2.3