author | Stefanie Forrester <dak1n1@users.noreply.github.com> | 2015-09-11 13:12:14 -0700 |
committer | Stefanie Forrester <dak1n1@users.noreply.github.com> | 2015-09-11 13:12:14 -0700 |
commit | ee97dd9be30d3d818cf4b8e86ace6e34ae5405ca (patch) | |
tree | 7cf0e7db757d3f538b18b96db4486665c77df7c7 | |
parent | da9326c388c4e6ea68aa9d0df348db237602cc51 (diff) | |
parent | cdfd68f642c586d5d2bba7ff3c4721dc417717c1 (diff) | |
Merge pull request #569 from dak1n1/service_accounts
Set up service accounts for router and registry
-rw-r--r-- | playbooks/common/openshift-master/config.yml | 9 | ||||
-rw-r--r-- | roles/openshift_serviceaccounts/tasks/main.yml | 26 | ||||
-rw-r--r-- | roles/openshift_serviceaccounts/templates/serviceaccount.j2 | 4 |
3 files changed, 39 insertions, 0 deletions
diff --git a/playbooks/common/openshift-master/config.yml b/playbooks/common/openshift-master/config.yml
index 4a4a69f50..64cf7a65b 100644
--- a/playbooks/common/openshift-master/config.yml
+++ b/playbooks/common/openshift-master/config.yml
@@ -236,3 +236,12 @@
 tasks:
 - file: name={{ g_master_mktemp.stdout }} state=absent
 changed_when: False
+
+- name: Configure service accounts
+ hosts: oo_first_master
+
+ vars:
+ accounts: ["router", "registry"]
+
+ roles:
+ - openshift_serviceaccounts
diff --git a/roles/openshift_serviceaccounts/tasks/main.yml b/roles/openshift_serviceaccounts/tasks/main.yml
new file mode 100644
index 000000000..9665d0a72
--- /dev/null
+++ b/roles/openshift_serviceaccounts/tasks/main.yml
@@ -0,0 +1,26 @@
+- name: Create service account configs
+ template:
+ src: serviceaccount.j2
+ dest: "/tmp/{{ item }}-serviceaccount.yaml"
+ with_items: accounts
+
+- name: Create {{ item }} service account
+ command: >
+ {{ openshift.common.client_binary }} create -f "/tmp/{{ item }}-serviceaccount.yaml"
+ with_items: accounts
+ register: _sa_result
+ failed_when: "'serviceaccounts \"{{ item }}\" already exists' not in _sa_result.stderr and _sa_result.rc != 0"
+ changed_when: "'serviceaccounts \"{{ item }}\" already exists' not in _sa_result.stderr and _sa_result.rc == 0"
+
+- name: Get current security context constraints
+ shell: "{{ openshift.common.client_binary }} get scc privileged -o yaml > /tmp/scc.yaml"
+
+- name: Add security context constraint for {{ item }}
+ lineinfile:
+ dest: /tmp/scc.yaml
+ line: "- system:serviceaccount:default:{{ item }}"
+ insertafter: "^users:$"
+ with_items: accounts
+
+- name: Apply new scc rules for service accounts
+ command: "{{ openshift.common.client_binary }} replace -f /tmp/scc.yaml"
diff --git a/roles/openshift_serviceaccounts/templates/serviceaccount.j2 b/roles/openshift_serviceaccounts/templates/serviceaccount.j2
new file mode 100644
index 000000000..931e249f9
--- /dev/null
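Review bot: The privileged-SCC update in roles/openshift_serviceaccounts/tasks/main.yml is handed between tasks through fixed, predictable names in the master's shared `/tmp` (`/tmp/{{ item }}-serviceaccount.yaml`, `/tmp/scc.yaml`): the `shell` task writes the exported SCC there, `lineinfile` edits it in place, and `oc replace -f /tmp/scc.yaml` loads whatever is at that path, so a local user on the master who pre-creates or symlinks those names can influence what ends up in the cluster's `privileged` constraint, and none of the files are removed afterwards. The play this role is attached to already uses a `mktemp`-registered path (`g_master_mktemp` in the config.yml context lines), so the same pattern with a private directory and a cleanup task fits here. Separately, `insertafter: "^users:$"` only matches when the exported SCC has a non-empty `users:` list; if the export renders an empty list inline (presumably `users: []` or `null` — verify against the client output), the regex misses and `lineinfile` falls back to appending at end of file, which produces a document `oc replace` will reject or misapply. Adding both accounts to `privileged` is also the broadest grant available; if the client in use supports `oadm policy add-scc-to-user`, that avoids the export/edit/replace round-trip entirely.
```yaml
- name: Create temp dir for service account and scc manifests
  command: mktemp -d /tmp/openshift-ansible-XXXXXX
  register: _sa_mktemp
  changed_when: False

- name: Create service account configs
  template:
    src: serviceaccount.j2
    dest: "{{ _sa_mktemp.stdout }}/{{ item }}-serviceaccount.yaml"
  with_items: accounts

# … unchanged: create service account task, with the -f path switched to {{ _sa_mktemp.stdout }} …

- name: Get current security context constraints
  shell: "{{ openshift.common.client_binary }} get scc privileged -o yaml > {{ _sa_mktemp.stdout }}/scc.yaml"

# … unchanged: lineinfile and replace tasks, with dest/-f switched to {{ _sa_mktemp.stdout }}/scc.yaml …

- name: Delete temp dir for service account and scc manifests
  file: name={{ _sa_mktemp.stdout }} state=absent
  changed_when: False
```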
+++ b/roles/openshift_serviceaccounts/templates/serviceaccount.j2
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ item }}
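Review bot: `name: {{ item }}` renders as an unquoted plain scalar, so the client parses the account name with whatever type YAML infers from it; the two names passed today (`router`, `registry`) are plain strings, but a future entry that looks like a number, boolean or date would change type or fail validation silently at the template layer. Quote the templated value, `name: "{{ item }}"`, so the rendered manifest always carries a string.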