Diffstat (limited to 'roles')
| -rw-r--r-- | roles/openshift_serviceaccounts/tasks/main.yml | 26 | ||||
| -rw-r--r-- | roles/openshift_serviceaccounts/templates/serviceaccount.j2 | 4 | 
2 files changed, 30 insertions, 0 deletions
|
diff --git a/roles/openshift_serviceaccounts/tasks/main.yml b/roles/openshift_serviceaccounts/tasks/main.yml
new file mode 100644
index 000000000..9665d0a72
--- /dev/null
+++ b/roles/openshift_serviceaccounts/tasks/main.yml
@@ -0,0 +1,26 @@
+- name: Create service account configs
+  template:
+    src: serviceaccount.j2
+    dest: "/tmp/{{ item }}-serviceaccount.yaml"
+  with_items: accounts
+
+- name: Create {{ item }} service account
+  command: >
+    {{ openshift.common.client_binary }} create -f "/tmp/{{ item }}-serviceaccount.yaml"
+  with_items: accounts
+  register: _sa_result
+  failed_when: "'serviceaccounts \"{{ item }}\" already exists' not in _sa_result.stderr and _sa_result.rc != 0"
+  changed_when: "'serviceaccounts \"{{ item }}\" already exists' not in _sa_result.stderr and _sa_result.rc == 0"
+
+- name: Get current security context constraints
+  shell: "{{ openshift.common.client_binary }} get scc privileged -o yaml > /tmp/scc.yaml"
+
+- name: Add security context constraint for {{ item }}
+  lineinfile:
+    dest: /tmp/scc.yaml
+    line: "- system:serviceaccount:default:{{ item }}"
+    insertafter: "^users:$"
+  with_items: accounts
+
+- name: Apply new scc rules for service accounts
+  command: "{{ openshift.common.client_binary }} replace -f /tmp/scc.yaml"
diff --git a/roles/openshift_serviceaccounts/templates/serviceaccount.j2 b/roles/openshift_serviceaccounts/templates/serviceaccount.j2
new file mode 100644
index 000000000..931e249f9
--- /dev/null
+++ b/roles/openshift_serviceaccounts/templates/serviceaccount.j2
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ item }}
|
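Review bot: The render, export and edit steps all use fixed names in world-writable /tmp (`/tmp/{{ item }}-serviceaccount.yaml` in the `template` task, `/tmp/scc.yaml` in the `shell` and `lineinfile` tasks) and the final `replace` then pushes whatever is at that path into the `privileged` SCC with whatever credentials the client binary carries, so a local user who pre-creates or symlinks those paths on the host can influence what gets granted — the `>` redirect and `lineinfile` both write through an existing file rather than replacing it. Create the scratch location per run with the `tempfile` module (`state: directory`, registered and used for `dest`, the `shell` redirect, `lineinfile.dest` and the `replace` command) and remove it afterwards, or, if the Ansible in use predates that module, at least a root-owned `0700` directory created with `file` rather than bare /tmp. Two smaller points in the same hunk: `insertafter: "^users:$"` will not match if the exported SCC serializes an empty list as `users: []`, in which case `lineinfile` appends the entry at end of file and `replace` is handed a malformed or unintended document, so matching `^users:` or checking the export first is safer; and the SCC line hardcodes `system:serviceaccount:default:{{ item }}` while the `create -f` passes no `-n`, so the grant only lines up with the created account when the client's current project is `default`.
```yaml
- name: Create scratch directory for service account manifests
  tempfile:
    state: directory
  register: _sa_tmpdir

- name: Create service account configs
  template:
    src: serviceaccount.j2
    dest: "{{ _sa_tmpdir.path }}/{{ item }}-serviceaccount.yaml"
  with_items: accounts

# … unchanged: oc create task, reading "{{ _sa_tmpdir.path }}/{{ item }}-serviceaccount.yaml" …

- name: Get current security context constraints
  shell: "{{ openshift.common.client_binary }} get scc privileged -o yaml > {{ _sa_tmpdir.path }}/scc.yaml"

# … unchanged: lineinfile and replace tasks, dest/command pointing at "{{ _sa_tmpdir.path }}/scc.yaml" …

- name: Remove scratch directory
  file:
    path: "{{ _sa_tmpdir.path }}"
    state: absent
```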
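Review bot: `name: {{ item }}` on the last line of serviceaccount.j2 leaves the rendered value unquoted, so an account name that YAML retypes (all digits, or a word like `on`/`no`) would reach the API as a number or boolean instead of the string the role intends; `name: "{{ item }}"` keeps the rendered manifest a string whatever the value. The four lines are the whole template, so nothing is cut off.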
