diff options
author | Scott Dodson <sdodson@redhat.com> | 2017-11-01 13:04:47 -0400 |
---|---|---|
committer | GitHub <noreply@github.com> | 2017-11-01 13:04:47 -0400 |
commit | ecc37050ebd06771349eae432747f64b04451bf5 (patch) | |
tree | 10667bf3342cc8f20fea614fe34fce4401993eca | |
parent | 6793bb84ac9d9f9ad7231d9188f886b1afc47754 (diff) | |
parent | 7cfdaabc5885551729a7b160d093ae6a9f254367 (diff) | |
download | openshift-ecc37050ebd06771349eae432747f64b04451bf5.tar.gz openshift-ecc37050ebd06771349eae432747f64b04451bf5.tar.bz2 openshift-ecc37050ebd06771349eae432747f64b04451bf5.tar.xz openshift-ecc37050ebd06771349eae432747f64b04451bf5.zip |
Merge pull request #5938 from staebler/1506976-watch_serviceinstance_in_view_role
Add rules to the view ClusterRole for service catalog.
-rw-r--r-- | roles/openshift_service_catalog/tasks/install.yml | 27 | ||||
-rw-r--r-- | roles/openshift_service_catalog/templates/sc_admin_edit_role_patching.j2 (renamed from roles/openshift_service_catalog/templates/sc_role_patching.j2) | 0 | ||||
-rw-r--r-- | roles/openshift_service_catalog/templates/sc_view_role_patching.j2 | 11 |
3 files changed, 36 insertions, 2 deletions
diff --git a/roles/openshift_service_catalog/tasks/install.yml b/roles/openshift_service_catalog/tasks/install.yml index aa3ec5724..d17468b5c 100644 --- a/roles/openshift_service_catalog/tasks/install.yml +++ b/roles/openshift_service_catalog/tasks/install.yml @@ -83,7 +83,7 @@ # only do this if we don't already have the updated role info - name: Generate apply template for clusterrole/edit template: - src: sc_role_patching.j2 + src: sc_admin_edit_role_patching.j2 dest: "{{ mktemp.stdout }}/edit_sc_patch.yml" vars: original_content: "{{ edit_yaml.results.results[0] | to_yaml }}" @@ -106,7 +106,7 @@ # only do this if we don't already have the updated role info - name: Generate apply template for clusterrole/admin template: - src: sc_role_patching.j2 + src: sc_admin_edit_role_patching.j2 dest: "{{ mktemp.stdout }}/admin_sc_patch.yml" vars: original_content: "{{ admin_yaml.results.results[0] | to_yaml }}" @@ -120,6 +120,29 @@ when: - not admin_yaml.results.results[0] | oo_contains_rule(['servicecatalog.k8s.io'], ['serviceinstances', 'servicebindings'], ['create', 'update', 'delete', 'get', 'list', 'watch']) or not admin_yaml.results.results[0] | oo_contains_rule(['settings.k8s.io'], ['podpresets'], ['create', 'update', 'delete', 'get', 'list', 'watch']) +- oc_obj: + name: view + kind: clusterrole + state: list + register: view_yaml + +# only do this if we don't already have the updated role info +- name: Generate apply template for clusterrole/view + template: + src: sc_view_role_patching.j2 + dest: "{{ mktemp.stdout }}/view_sc_patch.yml" + vars: + original_content: "{{ view_yaml.results.results[0] | to_yaml }}" + when: + - not view_yaml.results.results[0] | oo_contains_rule(['servicecatalog.k8s.io'], ['serviceinstances', 'servicebindings'], ['get', 'list', 'watch']) + +# only do this if we don't already have the updated role info +- name: update view role for service catalog access + command: > + oc replace -f {{ mktemp.stdout }}/view_sc_patch.yml + when: + - not view_yaml.results.results[0] | oo_contains_rule(['servicecatalog.k8s.io'], ['serviceinstances', 'servicebindings'], ['get', 'list', 'watch']) + - oc_adm_policy_user: namespace: kube-service-catalog resource_kind: scc diff --git a/roles/openshift_service_catalog/templates/sc_role_patching.j2 b/roles/openshift_service_catalog/templates/sc_admin_edit_role_patching.j2 index 4629d5bb3..4629d5bb3 100644 --- a/roles/openshift_service_catalog/templates/sc_role_patching.j2 +++ b/roles/openshift_service_catalog/templates/sc_admin_edit_role_patching.j2 diff --git a/roles/openshift_service_catalog/templates/sc_view_role_patching.j2 b/roles/openshift_service_catalog/templates/sc_view_role_patching.j2 new file mode 100644 index 000000000..838993854 --- /dev/null +++ b/roles/openshift_service_catalog/templates/sc_view_role_patching.j2 @@ -0,0 +1,11 @@ +{{ original_content }} +- apiGroups: + - "servicecatalog.k8s.io" + attributeRestrictions: null + resources: + - serviceinstances + - servicebindings + verbs: + - get + - list + - watch |