Diffstat (limited to 'roles/ands_openshift/tasks/security_resources.yml')
-rw-r--r-- | roles/ands_openshift/tasks/security_resources.yml | 54 |
1 files changed, 54 insertions, 0 deletions
diff --git a/roles/ands_openshift/tasks/security_resources.yml b/roles/ands_openshift/tasks/security_resources.yml
new file mode 100644
index 0000000..5644723
--- /dev/null
+++ b/roles/ands_openshift/tasks/security_resources.yml
@@ -0,0 +1,54 @@
+---
+- name: Ensure OpenShift patch directory exists
+ file: path="{{ ands_openshift_patch_path }}" state="directory" mode=0644 owner=root group=root
+
+# No spaces in patch, otherwise escaping mess...
+- name: Patch group range in project configuration
+ include_role: name="openshift_resource" tasks_from="patch.yml"
+ vars:
+ project: "{{ prj_item }}"
+ resource: "ns/{{ prj_item }}"
+ patch: '{"metadata":{"annotations":{"openshift.io/sa.scc.supplemental-groups":"{{ands_openshift_gid_ranges[prj_item]}}"}}}'
+ patch_path: "{{ ands_openshift_patch_path }}"
+ with_items: "{{ (ands_openshift_gid_ranges | default({})).keys() }}"
+ loop_control:
+ loop_var: prj_item
+
+- name: Patch uid range in project configuration
+ include_role: name="openshift_resource" tasks_from="patch.yml"
+ vars:
+ project: "{{ prj_item }}"
+ resource: "ns/{{ prj_item }}"
+ patch: '{"metadata":{"annotations":{"openshift.io/sa.scc.uid-range":"{{ands_openshift_uid_ranges[prj_item]}}"}}}'
+ patch_path: "{{ ands_openshift_patch_path }}"
+ with_items: "{{ (ands_openshift_uid_ranges | default({})).keys() }}"
+ loop_control:
+ loop_var: prj_item
+
+- name: Restrict supplementalGroups
+ include_role: name="openshift_resource" tasks_from="patch.yml"
+ vars:
+ project: "{{ prj_item }}"
+ resource: "scc/restricted"
+ modes: "{{ ands_openshift_gid_mode | default({}) }}"
+ mode: "{{ (modes[prj_item] is defined) | ternary(modes[prj_item], modes['ands_default'] | default(false)) }}"
+ patch: '{"supplementalGroups":{"type":"{{mode}}"}}'
+ patch_path: "{{ ands_openshift_patch_path }}"
+ when: mode != false
+ with_items: "{{ (ands_openshift_projects | default({})).keys() }}"
+ loop_control:
+ loop_var: prj_item
+
+- name: Configure runAsUser
+ include_role: name="openshift_resource" tasks_from="patch.yml"
+ vars:
+ project: "{{ prj_item }}"
+ resource: "scc/restricted"
+ modes: "{{ ands_openshift_uid_mode | default({}) }}"
+ mode: "{{ (modes[prj_item] is defined) | ternary(modes[prj_item], 
modes['ands_default'] | default(false)) }}"
+ patch: '{"runAsUser":{"type":"{{mode}}"}}'
+ patch_path: "{{ ands_openshift_patch_path }}"
+ when: mode != false
+ with_items: "{{ (ands_openshift_projects | default({})).keys() }}"
+ loop_control:
+ loop_var: prj_item |
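Review bot: The "Restrict supplementalGroups" and "Configure runAsUser" tasks patch `scc/restricted` from inside a per-project loop, but a SecurityContextConstraints object is cluster-scoped, so every iteration rewrites the same object and whichever project comes last in `ands_openshift_projects` decides the strategy for all namespaces that use the restricted SCC — a permissive `mode` (such as RunAsAny) meant for one project would loosen the cluster-wide policy. Unless `openshift_resource/patch.yml` narrows the target by `project` in a way not visible here, either assert that the per-project `ands_openshift_gid_mode`/`ands_openshift_uid_mode` maps do not disagree, or at least record the behaviour above the task: `# scc/restricted is cluster-scoped: the last project in the loop sets the strategy for every namespace`. The `when: mode != false` guard compares a templated string with a boolean; confirm on the Ansible version in use that the `default(false)` branch comes back as a boolean and not the string `"False"`, since otherwise `{"runAsUser":{"type":"False"}}` would be submitted as the patch. Separately, `mode=0644` on the patch directory omits the execute bit, so nothing but root can traverse it; `mode=0755` is the conventional directory mode, or `mode=0700` if the generated patch files should stay private to root.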