authorBrenton Leanhardt <bleanhar@redhat.com>2016-02-16 13:50:30 -0500
committerBrenton Leanhardt <bleanhar@redhat.com>2016-02-16 13:50:30 -0500
commit14cfdf0e1f4e49ff1ed7ce216c2893e3f052d33c (patch)
tree32f81b4cd5d9c68d50fe35cb8d20aba6db7d28bc /roles
parentcc5c39cac2f9514df96b1922ad1cfc954ae1c0b9 (diff)
parent40ca512e39add508ee20c913efa71648fd5e2275 (diff)
Merge pull request #1409 from brenton/bz1308411
Refactoring the add-scc-to-user logic
Diffstat (limited to 'roles')
-rw-r--r--roles/openshift_serviceaccounts/tasks/legacy_add_scc_to_user.yml37
-rw-r--r--roles/openshift_serviceaccounts/tasks/main.yml39
2 files changed, 38 insertions, 38 deletions
diff --git a/roles/openshift_serviceaccounts/tasks/legacy_add_scc_to_user.yml b/roles/openshift_serviceaccounts/tasks/legacy_add_scc_to_user.yml
new file mode 100644
index 000000000..1efab9466
--- /dev/null
+++ b/roles/openshift_serviceaccounts/tasks/legacy_add_scc_to_user.yml
@@ -0,0 +1,37 @@
+####
+#
+# OSE 3.0.z did not have 'oadm policy add-scc-to-user'.
+#
+####
+
+- name: tmp dir for openshift
+ file:
+ path: /tmp/openshift
+ state: directory
+ owner: root
+ mode: 700
+
+- name: Create service account configs
+ template:
+ src: serviceaccount.j2
+ dest: "/tmp/openshift/{{ item }}-serviceaccount.yaml"
+ with_items: openshift_serviceaccounts_names
+
+- name: Get current security context constraints
+ shell: >
+ {{ openshift.common.client_binary }} get scc privileged -o yaml
+ --output-version=v1 > /tmp/openshift/scc.yaml
+ changed_when: false
+
+- name: Add security context constraint for {{ item }}
+ lineinfile:
+ dest: /tmp/openshift/scc.yaml
+ line: "- system:serviceaccount:{{ openshift_serviceaccounts_namespace }}:{{ item.0 }}"
+ insertafter: "^users:$"
+ when: "item.1.rc == 0 and 'system:serviceaccount:{{ openshift_serviceaccounts_namespace }}:{{ item.0 }}' not in {{ (item.1.stdout | from_yaml).users }}"
+ with_nested:
+ - openshift_serviceaccounts_names
+ - scc_test.results
+
+- name: Apply new scc rules for service accounts
+ command: "{{ openshift.common.client_binary }} update -f /tmp/openshift/scc.yaml --api-version=v1"
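Review bot: `mode: 700` in the "tmp dir for openshift" task is an unquoted YAML integer, so Ansible receives decimal 700 rather than octal 0700 and the directory does not end up as rwx------; write it as `mode: "0700"`. The same task uses the fixed path /tmp/openshift under a world-writable directory, and the later tasks redirect the privileged SCC into /tmp/openshift/scc.yaml and feed that file back to `update -f`. If the directory or file already exists (for example as a symlink left by another local user), the file module only adjusts owner and mode and does not clear what is inside, so the content that gets applied may not be what the play wrote. Creating the working directory with `mktemp -d`, registering its path and using that in the later tasks would avoid trusting a pre-existing location. Both issues are carried over from main.yml, but the move into a new file is a good moment to fix them.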
diff --git a/roles/openshift_serviceaccounts/tasks/main.yml b/roles/openshift_serviceaccounts/tasks/main.yml
index 89d9e3aa7..f34fa7b74 100644
--- a/roles/openshift_serviceaccounts/tasks/main.yml
+++ b/roles/openshift_serviceaccounts/tasks/main.yml
@@ -32,42 +32,5 @@
- openshift_serviceaccounts_names
- scc_test.results
-####
-#
-# Support for 3.0.z
-#
-####
-
-- name: tmp dir for openshift
- file:
- path: /tmp/openshift
- state: directory
- owner: root
- mode: 700
- when: not openshift.common.version_gte_3_1_or_1_1
-
-- name: Create service account configs
- template:
- src: serviceaccount.j2
- dest: "/tmp/openshift/{{ item }}-serviceaccount.yaml"
- with_items: openshift_serviceaccounts_names
- when: not openshift.common.version_gte_3_1_or_1_1
-
-- name: Get current security context constraints
- shell: >
- {{ openshift.common.client_binary }} get scc privileged -o yaml
- --output-version=v1 > /tmp/openshift/scc.yaml
- changed_when: false
- when: not openshift.common.version_gte_3_1_or_1_1
-
-- name: Add security context constraint for {{ item }}
- lineinfile:
- dest: /tmp/openshift/scc.yaml
- line: "- system:serviceaccount:{{ openshift_serviceaccounts_namespace }}:{{ item }}"
- insertafter: "^users:$"
- with_items: openshift_serviceaccounts_names
- when: not openshift.common.version_gte_3_1_or_1_1
-
-- name: Apply new scc rules for service accounts
- command: "{{ openshift.common.client_binary }} update -f /tmp/openshift/scc.yaml --api-version=v1"
+- include: legacy_add_scc_to_user.yml
when: not openshift.common.version_gte_3_1_or_1_1
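Review bot: The included file loops over `scc_test.results` but does not register `scc_test` itself, so the include only works when it runs after the task in main.yml that registers it, presumably above this hunk. A comment above the include would make that dependency visible, e.g. `# legacy_add_scc_to_user.yml reads scc_test, which must be registered before this include`. It is also worth confirming that the task producing `scc_test` actually runs on 3.0.z hosts, since the new `when` in the legacy file reads `item.1.rc` and a skipped result would not carry that field.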