---
# Keep the JSON patch strings free of spaces, otherwise escaping becomes a mess.
# Annotate each namespace listed in ands_openshift_gid_ranges (key: project
# name, value: annotation text) with its supplemental-groups range. When the
# variable is undefined the loop runs over {} and nothing is patched.
# item.value is pasted into the JSON patch text without escaping, so inventory
# values must be plain range text (no quotes, braces or spaces).
# NOTE(review): projects given overlapping ranges share GIDs on any common
# storage - confirm that every overlap is intended.
- name: Patch group range in project configuration
  with_dict: "{{ ands_openshift_gid_ranges | default({}) }}"
  include_role:
    name: openshift_resource
    tasks_from: patch.yml
  vars:
    resource: "ns/{{ item.key }}"
    project: "{{ item.key }}"
    patch: '{"metadata":{"annotations":{"openshift.io/sa.scc.supplemental-groups":"{{ item.value }}"}}}'
# Annotate each namespace listed in ands_openshift_uid_ranges (key: project
# name, value: annotation text) with its UID range. When the variable is
# undefined the loop runs over {} and nothing is patched.
# item.value is pasted into the JSON patch text without escaping, so inventory
# values must be plain range text (no quotes, braces or spaces).
# NOTE(review): projects given overlapping ranges run their pods under the
# same UIDs, which weakens per-project isolation - confirm any overlap is
# intended.
- name: Patch uid range in project configuration
  with_dict: "{{ ands_openshift_uid_ranges | default({}) }}"
  include_role:
    name: openshift_resource
    tasks_from: patch.yml
  vars:
    resource: "ns/{{ item.key }}"
    project: "{{ item.key }}"
    patch: '{"metadata":{"annotations":{"openshift.io/sa.scc.uid-range":"{{ item.value }}"}}}'
# Set supplementalGroups.type on the `restricted` SCC. SCCs are cluster-scoped
# and `restricted` is normally the SCC granted to all authenticated users, so
# the change reaches every project even though the role is called with
# project `default`.
# Skipped unless ands_openshift_groups_mode is defined (default(false)).
# The value is pasted into the patch verbatim. OpenShift accepts MustRunAs or
# RunAsAny here; RunAsAny lifts the restriction, so review it before use.
- name: Restrict supplementalGroups
  when: mode != false
  include_role:
    name: openshift_resource
    tasks_from: patch.yml
  vars:
    mode: "{{ ands_openshift_groups_mode | default(false) }}"
    resource: "securitycontextconstraints/restricted"
    project: "default"
    patch: '{"supplementalGroups":{"type":"{{mode}}"}}'
# Set fsGroup.type on the `restricted` SCC. SCCs are cluster-scoped and
# `restricted` is normally the SCC granted to all authenticated users, so the
# change reaches every project even though the role is called with project
# `default`.
# Skipped unless ands_openshift_gid_mode is defined (default(false)).
# The value is pasted into the patch verbatim. OpenShift accepts MustRunAs or
# RunAsAny here; RunAsAny lets pods request any fsGroup, so review it before
# use.
- name: Restrict fsGroup
  when: mode != false
  include_role:
    name: openshift_resource
    tasks_from: patch.yml
  vars:
    mode: "{{ ands_openshift_gid_mode | default(false) }}"
    resource: "securitycontextconstraints/restricted"
    project: "default"
    patch: '{"fsGroup":{"type":"{{mode}}"}}'
# Set runAsUser.type on the `restricted` SCC. SCCs are cluster-scoped and
# `restricted` is normally the SCC granted to all authenticated users, so the
# change reaches every project even though the role is called with project
# `default`.
# Skipped unless ands_openshift_uid_mode is defined (default(false)).
# The value is pasted into the patch verbatim. OpenShift accepts MustRunAs,
# MustRunAsRange, MustRunAsNonRoot or RunAsAny; RunAsAny allows containers
# admitted under `restricted` to run as any UID, including root, so treat
# that setting as a deliberate, reviewed exception.
- name: Configure runAsUser
  when: mode != false
  include_role:
    name: openshift_resource
    tasks_from: patch.yml
  vars:
    mode: "{{ ands_openshift_uid_mode | default(false) }}"
    resource: "securitycontextconstraints/restricted"
    project: "default"
    patch: '{"runAsUser":{"type":"{{mode}}"}}'