summaryrefslogtreecommitdiffstats
path: root/roles/ands_openshift/tasks
diff options
context:
space:
mode:
authorSuren A. Chilingaryan <csa@suren.me>2018-02-20 15:10:45 +0100
committerSuren A. Chilingaryan <csa@suren.me>2018-02-20 15:10:45 +0100
commite4751f88e52aa8e89e4c94bc6fe4c3346eccf6fe (patch)
tree3a8a420d8d26e616491f31b322a006dd2b3e0e1c /roles/ands_openshift/tasks
parent96ced00e05b50f276841a9212ae89e018de4d92d (diff)
downloadands-e4751f88e52aa8e89e4c94bc6fe4c3346eccf6fe.tar.gz
ands-e4751f88e52aa8e89e4c94bc6fe4c3346eccf6fe.tar.bz2
ands-e4751f88e52aa8e89e4c94bc6fe4c3346eccf6fe.tar.xz
ands-e4751f88e52aa8e89e4c94bc6fe4c3346eccf6fe.zip
Handling GlusterFS storage security in OpenShift containers
Diffstat (limited to 'roles/ands_openshift/tasks')
-rw-r--r--roles/ands_openshift/tasks/security.yml3
-rw-r--r--roles/ands_openshift/tasks/security_resources.yml54
-rw-r--r--roles/ands_openshift/tasks/users_resources.yml14
3 files changed, 67 insertions, 4 deletions
diff --git a/roles/ands_openshift/tasks/security.yml b/roles/ands_openshift/tasks/security.yml
new file mode 100644
index 0000000..b1f017b
--- /dev/null
+++ b/roles/ands_openshift/tasks/security.yml
@@ -0,0 +1,3 @@
+- include_tasks: security_resources.yml
+ run_once: true
+ delegate_to: "{{ groups.masters[0] }}"
diff --git a/roles/ands_openshift/tasks/security_resources.yml b/roles/ands_openshift/tasks/security_resources.yml
new file mode 100644
index 0000000..5644723
--- /dev/null
+++ b/roles/ands_openshift/tasks/security_resources.yml
@@ -0,0 +1,54 @@
+---
+- name: Ensure OpenShift patch directory exists
+ file: path="{{ ands_openshift_patch_path }}" state="directory" mode=0644 owner=root group=root
+
+# No spaces in patch, otherwise escaping mess...
+- name: Patch group range in project configuration
+ include_role: name="openshift_resource" tasks_from="patch.yml"
+ vars:
+ project: "{{ prj_item }}"
+ resource: "ns/{{ prj_item }}"
+ patch: '{"metadata":{"annotations":{"openshift.io/sa.scc.supplemental-groups":"{{ands_openshift_gid_ranges[prj_item]}}"}}}'
+ patch_path: "{{ ands_openshift_patch_path }}"
+ with_items: "{{ (ands_openshift_gid_ranges | default({})).keys() }}"
+ loop_control:
+ loop_var: prj_item
+
+- name: Patch uid range in project configuration
+ include_role: name="openshift_resource" tasks_from="patch.yml"
+ vars:
+ project: "{{ prj_item }}"
+ resource: "ns/{{ prj_item }}"
+ patch: '{"metadata":{"annotations":{"openshift.io/sa.scc.uid-range":"{{ands_openshift_uid_ranges[prj_item]}}"}}}'
+ patch_path: "{{ ands_openshift_patch_path }}"
+ with_items: "{{ (ands_openshift_uid_ranges | default({})).keys() }}"
+ loop_control:
+ loop_var: prj_item
+
+- name: Restrict supplementalGroups
+ include_role: name="openshift_resource" tasks_from="patch.yml"
+ vars:
+ project: "{{ prj_item }}"
+ resource: "scc/restricted"
+ modes: "{{ ands_openshift_gid_mode | default({}) }}"
+ mode: "{{ (modes[prj_item] is defined) | ternary(modes[prj_item], modes['ands_default'] | default(false)) }}"
+ patch: '{"supplementalGroups":{"type":"{{mode}}"}}'
+ patch_path: "{{ ands_openshift_patch_path }}"
+ when: mode != false
+ with_items: "{{ (ands_openshift_projects | default({})).keys() }}"
+ loop_control:
+ loop_var: prj_item
+
+- name: Configure runAsUser
+ include_role: name="openshift_resource" tasks_from="patch.yml"
+ vars:
+ project: "{{ prj_item }}"
+ resource: "scc/restricted"
+ modes: "{{ ands_openshift_uid_mode | default({}) }}"
+ mode: "{{ (modes[prj_item] is defined) | ternary(modes[prj_item], modes['ands_default'] | default(false)) }}"
+ patch: '{"runAsUser":{"type":"{{mode}}"}}'
+ patch_path: "{{ ands_openshift_patch_path }}"
+ when: mode != false
+ with_items: "{{ (ands_openshift_projects | default({})).keys() }}"
+ loop_control:
+ loop_var: prj_item
diff --git a/roles/ands_openshift/tasks/users_resources.yml b/roles/ands_openshift/tasks/users_resources.yml
index 35323cb..5bc748c 100644
--- a/roles/ands_openshift/tasks/users_resources.yml
+++ b/roles/ands_openshift/tasks/users_resources.yml
@@ -2,7 +2,9 @@
- name: Configure cluster roles
command: "oc adm policy add-cluster-role-to-user {{ item.key.split('/')[0] }} {{ item.value.replace(' ','').split(',') | join(' ') }}"
with_dict: "{{ ands_openshift_roles }}"
- when: "{{ item.key.split('/') | length == 1 }}"
+ when: key_len == "1"
+ vars:
+ key_len: "{{ item.key.split('/') | length }}"
- name: Get project list
command: "oc get projects -o json"
@@ -20,7 +22,9 @@
- name: Configure per project roles
command: "oc adm policy add-role-to-user -n {{ item.key.split('/')[0] }} {{ item.key.split('/')[1] }} {{ item.value.replace(' ','').split(',') | join(' ') }}"
with_dict: "{{ ands_openshift_roles }}"
- when: "{{ item.key.split('/') | length == 2 }}"
+ when: key_len == "2"
+ vars:
+ key_len: "{{ item.key.split('/') | length }}"
- name: Get user list
command: "oc get users -o json"
@@ -31,10 +35,12 @@
set_fact: removed_users="{{ results.stdout | from_json | json_query('items[*].metadata.name') | difference(ands_openshift_users.keys()) }}"
when: (results | succeeded)
-- name: Create missing projects
+- name: Remove user authentication
command: "oc delete identity htpasswd_auth:{{ item }}"
with_items: "{{ removed_users | default([]) }}"
-- name: Create missing projects
+- name: Remove users
command: "oc delete user {{ item }}"
with_items: "{{ removed_users | default([]) }}"
+
+