summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--playbooks/common/openshift-master/config.yml9
-rw-r--r--roles/openshift_serviceaccounts/tasks/main.yml26
-rw-r--r--roles/openshift_serviceaccounts/templates/serviceaccount.j24
3 files changed, 39 insertions, 0 deletions
diff --git a/playbooks/common/openshift-master/config.yml b/playbooks/common/openshift-master/config.yml
index 4a4a69f50..64cf7a65b 100644
--- a/playbooks/common/openshift-master/config.yml
+++ b/playbooks/common/openshift-master/config.yml
@@ -236,3 +236,12 @@
tasks:
- file: name={{ g_master_mktemp.stdout }} state=absent
changed_when: False
+
+- name: Configure service accounts
+ hosts: oo_first_master
+
+ vars:
+ accounts: ["router", "registry"]
+
+ roles:
+ - openshift_serviceaccounts
diff --git a/roles/openshift_serviceaccounts/tasks/main.yml b/roles/openshift_serviceaccounts/tasks/main.yml
new file mode 100644
index 000000000..9665d0a72
--- /dev/null
+++ b/roles/openshift_serviceaccounts/tasks/main.yml
@@ -0,0 +1,26 @@
+- name: Create service account configs
+ template:
+ src: serviceaccount.j2
+ dest: "/tmp/{{ item }}-serviceaccount.yaml"
+ with_items: accounts
+
+- name: Create {{ item }} service account
+ command: >
+ {{ openshift.common.client_binary }} create -f "/tmp/{{ item }}-serviceaccount.yaml"
+ with_items: accounts
+ register: _sa_result
+ failed_when: "'serviceaccounts \"{{ item }}\" already exists' not in _sa_result.stderr and _sa_result.rc != 0"
+ changed_when: "'serviceaccounts \"{{ item }}\" already exists' not in _sa_result.stderr and _sa_result.rc == 0"
+
+- name: Get current security context constraints
+ shell: "{{ openshift.common.client_binary }} get scc privileged -o yaml > /tmp/scc.yaml"
+
+- name: Add security context constraint for {{ item }}
+ lineinfile:
+ dest: /tmp/scc.yaml
+ line: "- system:serviceaccount:default:{{ item }}"
+ insertafter: "^users:$"
+ with_items: accounts
+
+- name: Apply new scc rules for service accounts
+ command: "{{ openshift.common.client_binary }} replace -f /tmp/scc.yaml"
diff --git a/roles/openshift_serviceaccounts/templates/serviceaccount.j2 b/roles/openshift_serviceaccounts/templates/serviceaccount.j2
new file mode 100644
index 000000000..931e249f9
--- /dev/null
+++ b/roles/openshift_serviceaccounts/templates/serviceaccount.j2
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ item }}