summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJason DeTiberus <jdetiber@redhat.com>2016-02-03 16:27:30 -0500
committerJason DeTiberus <jdetiber@redhat.com>2016-02-09 15:51:35 -0500
commitd30acfb23637525cf79cd05c94d0d3c900cc4b88 (patch)
tree8b92294835b3c945e246fa09cbb70b0a50d7b07a
parent34455e0f4f2d4b6ea0b21703f711448e947bf0c7 (diff)
downloadopenshift-d30acfb23637525cf79cd05c94d0d3c900cc4b88.tar.gz
openshift-d30acfb23637525cf79cd05c94d0d3c900cc4b88.tar.bz2
openshift-d30acfb23637525cf79cd05c94d0d3c900cc4b88.tar.xz
openshift-d30acfb23637525cf79cd05c94d0d3c900cc4b88.zip
openshift_serviceaccounts updates
- make service account creation more flexible - create service accounts near where they are consumed
-rw-r--r--playbooks/common/openshift-master/config.yml25
-rw-r--r--roles/openshift_serviceaccounts/meta/main.yml15
-rw-r--r--roles/openshift_serviceaccounts/tasks/main.yml59
-rw-r--r--roles/openshift_serviceaccounts/templates/serviceaccount.j22
4 files changed, 60 insertions, 41 deletions
diff --git a/playbooks/common/openshift-master/config.yml b/playbooks/common/openshift-master/config.yml
index 648a63150..a4da68573 100644
--- a/playbooks/common/openshift-master/config.yml
+++ b/playbooks/common/openshift-master/config.yml
@@ -405,19 +405,11 @@
- file: name={{ g_master_mktemp.stdout }} state=absent
changed_when: False
-- name: Configure service accounts
- hosts: oo_first_master
- vars:
- roles:
- - openshift_serviceaccounts
-
-- name: Create persistent volumes and services
+- name: Create persistent volumes
hosts: oo_first_master
vars:
persistent_volumes: "{{ hostvars[groups.oo_first_master.0] | oo_persistent_volumes(groups) }}"
persistent_volume_claims: "{{ hostvars[groups.oo_first_master.0] | oo_persistent_volume_claims }}"
- attach_registry_volume: "{{ openshift.hosted.registry.storage.kind != None }}"
- deploy_infra: "{{ openshift.master.infra_nodes | default(0) | length > 0 }}"
pre_tasks:
- set_fact:
nfs_host: "{{ groups.oo_nfs_to_config.0 }}"
@@ -426,6 +418,21 @@
roles:
- role: openshift_persistent_volumes
when: persistent_volumes | length > 0 or persistent_volume_claims | length > 0
+
+- name: Create hosted infrastructure services
+ hosts: oo_first_master
+ vars:
+ accounts: ["router", "registry"]
+ attach_registry_volume: "{{ openshift.hosted.registry.storage.kind != None }}"
+ deploy_infra: "{{ openshift.master.infra_nodes | default(0) | length > 0 }}"
+ roles:
+ - role: openshift_serviceaccounts
+ openshift_serviceaccounts_names:
+ - router
+ - registry
+ openshift_serviceaccounts_namespace: default
+ openshift_serviceaccounts_sccs:
+ - privileged
- role: openshift_router
when: deploy_infra | bool
- role: openshift_registry
diff --git a/roles/openshift_serviceaccounts/meta/main.yml b/roles/openshift_serviceaccounts/meta/main.yml
new file mode 100644
index 000000000..a2c9fee70
--- /dev/null
+++ b/roles/openshift_serviceaccounts/meta/main.yml
@@ -0,0 +1,15 @@
+---
+galaxy_info:
+ author: OpenShift Operations
+ description: OpenShift Service Accounts
+ company: Red Hat, Inc.
+ license: Apache License, Version 2.0
+ min_ansible_version: 1.9
+ platforms:
+ - name: EL
+ versions:
+ - 7
+ categories:
+ - cloud
+dependencies:
+- { role: openshift_facts }
diff --git a/roles/openshift_serviceaccounts/tasks/main.yml b/roles/openshift_serviceaccounts/tasks/main.yml
index 4c7faa6fe..5fe7d28f3 100644
--- a/roles/openshift_serviceaccounts/tasks/main.yml
+++ b/roles/openshift_serviceaccounts/tasks/main.yml
@@ -1,36 +1,33 @@
-- name: tmp dir for openshift
- file:
- path: /tmp/openshift
- state: directory
- owner: root
- mode: 700
-
-- name: Create service account configs
- template:
- src: serviceaccount.j2
- dest: "/tmp/openshift/{{ item }}-serviceaccount.yaml"
- with_items: accounts
-
-- name: Create {{ item }} service account
+- name: test if service accounts exists
command: >
- {{ openshift.common.client_binary }} create -f "/tmp/openshift/{{ item }}-serviceaccount.yaml"
- with_items: accounts
- register: _sa_result
- failed_when: "'serviceaccounts \"{{ item }}\" already exists' not in _sa_result.stderr and _sa_result.rc != 0"
- changed_when: "'serviceaccounts \"{{ item }}\" already exists' not in _sa_result.stderr and _sa_result.rc == 0"
+ {{ openshift.common.client_binary }} get sa {{ item }} -n {{ openshift_serviceaccounts_namespace }}
+ with_items: openshift_serviceaccounts_names
+ failed_when: false
+ changed_when: false
+ register: account_test
-- name: Get current security context constraints
+- name: create the service account
shell: >
- {{ openshift.common.client_binary }} get scc privileged -o yaml
- --output-version=v1 > /tmp/openshift/scc.yaml
- changed_when: false
+ echo {{ lookup('template', '../templates/serviceaccount.j2')
+ | from_yaml | to_json | quote }} | {{ openshift.common.client_binary }} create -f -
+ when: item.1.rc != 0
+ with_together:
+ - openshift_serviceaccounts_names
+ - account_test.results
-- name: Add security context constraint for {{ item }}
- lineinfile:
- dest: /tmp/openshift/scc.yaml
- line: "- system:serviceaccount:default:{{ item }}"
- insertafter: "^users:$"
- with_items: accounts
+- name: test if scc needs to be updated
+ command: >
+ {{ openshift.common.client_binary }} get scc {{ item }} -o yaml
+ changed_when: false
+ failed_when: false
+ register: scc_test
+ with_items: openshift_serviceaccounts_sccs
-- name: Apply new scc rules for service accounts
- command: "{{ openshift.common.client_binary }} update -f /tmp/openshift/scc.yaml --api-version=v1"
+- name: Grant the user access to the privileged scc
+ command: >
+ {{ openshift.common.admin_binary }} policy add-scc-to-user
+ privileged system:serviceaccount:{{ openshift_serviceaccounts_namespace }}:{{ item.0 }}
+ when: "item.1.rc == 0 and 'system:serviceaccount:{{ openshift_serviceaccounts_namespace }}:{{ item.0 }}' not in {{ (item.1.stdout | from_yaml).users }}"
+ with_nested:
+ - openshift_serviceaccounts_names
+ - scc_test.results
diff --git a/roles/openshift_serviceaccounts/templates/serviceaccount.j2 b/roles/openshift_serviceaccounts/templates/serviceaccount.j2
index 931e249f9..c5f12421f 100644
--- a/roles/openshift_serviceaccounts/templates/serviceaccount.j2
+++ b/roles/openshift_serviceaccounts/templates/serviceaccount.j2
@@ -1,4 +1,4 @@
apiVersion: v1
kind: ServiceAccount
metadata:
- name: {{ item }}
+ name: {{ item.0 }}