Merge pull request #5609 from jarrpa/heketi-account-perms

Automatic merge from submit-queue.

GlusterFS: make ServiceAccounts privileged when either glusterfs or heketi is native

Resolves https://bugzilla.redhat.com/show_bug.cgi?id=1486187

Signed-off-by: Jose A. Rivera <jarrpa@redhat.com>

2 files changed, 11 insertions, 10 deletions

diff --git a/roles/openshift_storage_glusterfs/tasks/glusterfs_common.yml b/roles/openshift_storage_glusterfs/tasks/glusterfs_common.yml
index 3f6dab78b..51724f979 100644
--- a/roles/openshift_storage_glusterfs/tasks/glusterfs_common.yml
+++ b/roles/openshift_storage_glusterfs/tasks/glusterfs_common.yml
@@ -18,6 +18,17 @@
     node_selector: "{% if glusterfs_use_default_selector %}{{ omit }}{% endif %}"
   when: glusterfs_is_native or glusterfs_heketi_is_native or glusterfs_storageclass
 
+- name: Add namespace service accounts to privileged SCC
+  oc_adm_policy_user:
+    user: "system:serviceaccount:{{ glusterfs_namespace }}:{{ item }}"
+    resource_kind: scc
+    resource_name: privileged
+    state: present
+  with_items:
+  - 'default'
+  - 'router'
+  when: glusterfs_is_native or glusterfs_heketi_is_native
+
 - name: Delete pre-existing heketi resources
   oc_obj:
     namespace: "{{ glusterfs_namespace }}"
diff --git a/roles/openshift_storage_glusterfs/tasks/glusterfs_deploy.yml b/roles/openshift_storage_glusterfs/tasks/glusterfs_deploy.yml
index 8c3e31fc9..932d06038 100644
--- a/roles/openshift_storage_glusterfs/tasks/glusterfs_deploy.yml
+++ b/roles/openshift_storage_glusterfs/tasks/glusterfs_deploy.yml
@@ -55,16 +55,6 @@
   - glusterfs_wipe
   - item.stdout_lines | count > 0
 
-- name: Add service accounts to privileged SCC
-  oc_adm_policy_user:
-    user: "system:serviceaccount:{{ glusterfs_namespace }}:{{ item }}"
-    resource_kind: scc
-    resource_name: privileged
-    state: present
-  with_items:
-  - 'default'
-  - 'router'
-
 - name: Label GlusterFS nodes
   oc_label:
     name: "{{ hostvars[item].openshift.node.nodename }}"