---
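- name: Ensure OpenShift patch directory exists
  # Working directory handed to openshift_resource/patch.yml via patch_path
  # (the role body is not visible here; presumably it writes the rendered
  # patches there). A directory needs the execute bit to be entered; the
  # original mode=0644 left it off, which only works because root bypasses
  # DAC. "0755" is the directory equivalent of 0644; use "0700" instead if
  # the rendered patches should not be readable by other local users.
  file:
    path: "{{ ands_openshift_patch_path }}"
    state: directory
    mode: "0755"
    owner: root
    group: root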
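# The patch is rendered as one JSON string and passed to
# openshift_resource/patch.yml. Keep it free of spaces: the original author
# notes that spaces cause quoting/escaping trouble downstream (the role body
# is not visible here, so the exact mechanism cannot be confirmed).
- name: Patch group range in project configuration
  include_role:
    name: openshift_resource
    tasks_from: patch.yml
  vars:
    project: "{{ prj_item }}"
    resource: "ns/{{ prj_item }}"
    # The range value is interpolated unescaped into the JSON literal; a value
    # containing a double quote or backslash would break the patch. Values
    # come from inventory (ands_openshift_gid_ranges), so this is a
    # configuration-hygiene concern rather than an injection path, but keep
    # the values plain.
    patch: '{"metadata":{"annotations":{"openshift.io/sa.scc.supplemental-groups":"{{ands_openshift_gid_ranges[prj_item]}}"}}}'
    patch_path: "{{ ands_openshift_patch_path }}"
  # One iteration per project that has a GID range configured. "| list"
  # turns the dict_keys view into a real list (Python 3 dict.keys() is a view,
  # not a list).
  with_items: "{{ (ands_openshift_gid_ranges | default({})).keys() | list }}"
  loop_control:
    loop_var: prj_item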
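- name: Patch uid range in project configuration
  # Same shape as the group-range task above: a spaceless JSON patch applied
  # to the project namespace via openshift_resource/patch.yml.
  include_role:
    name: openshift_resource
    tasks_from: patch.yml
  vars:
    project: "{{ prj_item }}"
    resource: "ns/{{ prj_item }}"
    # Value is interpolated unescaped into the JSON literal; a double quote or
    # backslash in ands_openshift_uid_ranges[prj_item] would break the patch.
    # Inventory-controlled, so keep the values plain.
    patch: '{"metadata":{"annotations":{"openshift.io/sa.scc.uid-range":"{{ands_openshift_uid_ranges[prj_item]}}"}}}'
    patch_path: "{{ ands_openshift_patch_path }}"
  # One iteration per project with a UID range; "| list" makes the Python 3
  # dict_keys view an actual list.
  with_items: "{{ (ands_openshift_uid_ranges | default({})).keys() | list }}"
  loop_control:
    loop_var: prj_item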
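- name: Restrict supplementalGroups
  # NOTE(review): the target is scc/restricted for every iteration, and SCCs
  # are cluster-scoped, so this loop patches one shared object once per
  # project and the last project's mode wins. The "project" var does not
  # scope the change; whatever supplementalGroups type ends up here applies
  # to every workload admitted under the restricted SCC, in every namespace.
  # Confirm that ands_openshift_gid_mode is really meant as a single
  # cluster-wide setting (e.g. only ands_default is used) before relying on
  # per-project values.
  include_role:
    name: openshift_resource
    tasks_from: patch.yml
  vars:
    project: "{{ prj_item }}"
    resource: "scc/restricted"
    modes: "{{ ands_openshift_gid_mode | default({}) }}"
    # Per-project value, falling back to ands_default, then to false
    # (false = skip the patch, see the when: below). Equivalent to the
    # "is defined | ternary(...)" form: default() only replaces an undefined
    # key, never an explicit value.
    mode: "{{ modes[prj_item] | default(modes['ands_default'] | default(false)) }}"
    patch: '{"supplementalGroups":{"type":"{{mode}}"}}'
    patch_path: "{{ ands_openshift_patch_path }}"
  when: mode != false
  # "| list" makes the Python 3 dict_keys view an actual list.
  with_items: "{{ (ands_openshift_projects | default({})).keys() | list }}"
  loop_control:
    loop_var: prj_item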
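- name: Configure runAsUser
  # NOTE(review): as with the supplementalGroups task, scc/restricted is one
  # cluster-scoped object patched once per project, so only the last
  # project's mode survives and it applies cluster-wide. Because this sets
  # the runAsUser strategy of the default restricted SCC, a permissive type
  # configured here (one that lets pods choose their own UID) weakens the
  # baseline for every namespace, not just the one named in prj_item. Check
  # ands_openshift_uid_mode with that in mind.
  include_role:
    name: openshift_resource
    tasks_from: patch.yml
  vars:
    project: "{{ prj_item }}"
    resource: "scc/restricted"
    modes: "{{ ands_openshift_uid_mode | default({}) }}"
    # Per-project value, then ands_default, then false (= skip the patch via
    # the when: below). default() only fills in an undefined key, so this
    # matches the original "is defined | ternary(...)" logic exactly.
    mode: "{{ modes[prj_item] | default(modes['ands_default'] | default(false)) }}"
    patch: '{"runAsUser":{"type":"{{mode}}"}}'
    patch_path: "{{ ands_openshift_patch_path }}"
  when: mode != false
  # "| list" makes the Python 3 dict_keys view an actual list.
  with_items: "{{ (ands_openshift_projects | default({})).keys() | list }}"
  loop_control:
    loop_var: prj_item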