Diffstat (limited to 'roles/openshift_service_catalog')
-rw-r--r--roles/openshift_service_catalog/files/kubeservicecatalog_roles_bindings.yml6
-rw-r--r--roles/openshift_service_catalog/tasks/install.yml46
-rw-r--r--roles/openshift_service_catalog/templates/sc_role_patching.j226
3 files changed, 78 insertions, 0 deletions
diff --git a/roles/openshift_service_catalog/files/kubeservicecatalog_roles_bindings.yml b/roles/openshift_service_catalog/files/kubeservicecatalog_roles_bindings.yml
index 2e0dcfd97..bcc7fb590 100644
--- a/roles/openshift_service_catalog/files/kubeservicecatalog_roles_bindings.yml
+++ b/roles/openshift_service_catalog/files/kubeservicecatalog_roles_bindings.yml
@@ -137,6 +137,12 @@ objects:
- serviceclasses
verbs:
- create
+ - apiGroups:
+ - settings.k8s.io
+ resources:
+ - podpresets
+ verbs:
+ - create
- kind: ClusterRoleBinding
apiVersion: v1
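Review bot: The added rule on `podpresets` has no comment saying why this role needs it, and the role it belongs to starts above the hunk, so the scope of the grant cannot be read here. Since the next object is a ClusterRoleBinding, the role is presumably cluster-scoped, which would make this `create` valid in every namespace. A PodPreset changes the env and volumes of the pods it selects at admission, so the reason for the grant is worth recording. I would put a line above the rule such as `# service catalog creates PodPresets for bindings; create only`, adjusted to what the controller really does.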
diff --git a/roles/openshift_service_catalog/tasks/install.yml b/roles/openshift_service_catalog/tasks/install.yml
index 1f9ecc2b8..4d1a38e61 100644
--- a/roles/openshift_service_catalog/tasks/install.yml
+++ b/roles/openshift_service_catalog/tasks/install.yml
@@ -66,6 +66,52 @@
template_name: kube-system-service-catalog
namespace: kube-system
+- oc_obj:
+ name: edit
+ kind: clusterrole
+ state: list
+ register: edit_yaml
+
+# only do this if we don't already have the updated role info
+- name: Generate apply template for clusterrole/edit
+ template:
+ src: sc_role_patching.j2
+ dest: "{{ mktemp.stdout }}/edit_sc_patch.yml"
+ vars:
+ original_content: "{{ edit_yaml.results.results[0] | to_yaml }}"
+ when:
+ - not edit_yaml.results.results[0] | oo_contains_rule(['servicecatalog.k8s.io'], ['instances', 'bindings'], ['create', 'update', 'delete', 'get', 'list', 'watch']) or not edit_yaml.results.results[0] | oo_contains_rule(['settings.k8s.io'], ['podpresets'], ['create', 'update', 'delete', 'get', 'list', 'watch'])
+
+# only do this if we don't already have the updated role info
+- name: update edit role for service catalog and pod preset access
+ command: >
+ oc replace -f {{ mktemp.stdout }}/edit_sc_patch.yml
+ when:
+ - not edit_yaml.results.results[0] | oo_contains_rule(['servicecatalog.k8s.io'], ['instances', 'bindings'], ['create', 'update', 'delete', 'get', 'list', 'watch']) or not edit_yaml.results.results[0] | oo_contains_rule(['settings.k8s.io'], ['podpresets'], ['create', 'update', 'delete', 'get', 'list', 'watch'])
+
+- oc_obj:
+ name: admin
+ kind: clusterrole
+ state: list
+ register: admin_yaml
+
+# only do this if we don't already have the updated role info
+- name: Generate apply template for clusterrole/admin
+ template:
+ src: sc_role_patching.j2
+ dest: "{{ mktemp.stdout }}/admin_sc_patch.yml"
+ vars:
+ original_content: "{{ admin_yaml.results.results[0] | to_yaml }}"
+ when:
+ - not admin_yaml.results.results[0] | oo_contains_rule(['servicecatalog.k8s.io'], ['instances', 'bindings'], ['create', 'update', 'delete', 'get', 'list', 'watch']) or not admin_yaml.results.results[0] | oo_contains_rule(['settings.k8s.io'], ['podpresets'], ['create', 'update', 'delete', 'get', 'list', 'watch'])
+
+# only do this if we don't already have the updated role info
+- name: update admin role for service catalog and pod preset access
+ command: >
+ oc replace -f {{ mktemp.stdout }}/admin_sc_patch.yml
+ when:
+ - not admin_yaml.results.results[0] | oo_contains_rule(['servicecatalog.k8s.io'], ['instances', 'bindings'], ['create', 'update', 'delete', 'get', 'list', 'watch']) or not admin_yaml.results.results[0] | oo_contains_rule(['settings.k8s.io'], ['podpresets'], ['create', 'update', 'delete', 'get', 'list', 'watch'])
+
- shell: >
oc get policybindings/kube-system:default -n kube-system || echo "not found"
register: get_kube_system
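Review bot: The `when` on each generate/replace pair is true when either rule is missing, but `sc_role_patching.j2` always appends both rule blocks, so a role that already holds one of them ends up with that rule twice. The same long condition is also written four times; wrapping each pair in a `block:` with a single `when:` would keep the generate and replace steps from drifting apart. The two `oc_obj` lookups have no `name:`, which makes the run output harder to follow. Because `oc replace` rewrites the whole `edit` and `admin` cluster roles from a rendered file, it is worth confirming that nothing else in the install later resets those roles; that is not visible in this hunk.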
diff --git a/roles/openshift_service_catalog/templates/sc_role_patching.j2 b/roles/openshift_service_catalog/templates/sc_role_patching.j2
new file mode 100644
index 000000000..69b062b3f
--- /dev/null
+++ b/roles/openshift_service_catalog/templates/sc_role_patching.j2
@@ -0,0 +1,26 @@
+{{ original_content }}
+- apiGroups:
+ - "servicecatalog.k8s.io"
+ attributeRestrictions: null
+ resources:
+ - instances
+ - bindings
+ verbs:
+ - create
+ - update
+ - delete
+ - get
+ - list
+ - watch
+- apiGroups:
+ - "settings.k8s.io"
+ attributeRestrictions: null
+ resources:
+ - podpresets
+ verbs:
+ - create
+ - update
+ - delete
+ - get
+ - list
+ - watch
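Review bot: The template appends list items as raw text after `{{ original_content }}`, which extends `rules` only while `rules` is the last key in the `to_yaml` output and its items sit at column 0. With any other key order or indent the entries would attach elsewhere, or `oc replace` would reject the file. Building the list as data is sturdier: pass the role as a dict and render `{{ role | combine({'rules': role.rules + sc_rules}) | to_yaml }}`, where `role` and `sc_rules` are constructed names for the fetched role and the two new rules. Separately, both `edit` and `admin` receive `create`, `update` and `delete` on `podpresets`, and a PodPreset alters the pods it selects at admission. A `{# ... #}` comment at the top stating that this is intended for every project editor would help later reviewers.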