summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorScott Dodson <sdodson@redhat.com>2017-11-01 13:04:47 -0400
committerGitHub <noreply@github.com>2017-11-01 13:04:47 -0400
commitecc37050ebd06771349eae432747f64b04451bf5 (patch)
tree10667bf3342cc8f20fea614fe34fce4401993eca
parent6793bb84ac9d9f9ad7231d9188f886b1afc47754 (diff)
parent7cfdaabc5885551729a7b160d093ae6a9f254367 (diff)
downloadopenshift-ecc37050ebd06771349eae432747f64b04451bf5.tar.gz
openshift-ecc37050ebd06771349eae432747f64b04451bf5.tar.bz2
openshift-ecc37050ebd06771349eae432747f64b04451bf5.tar.xz
openshift-ecc37050ebd06771349eae432747f64b04451bf5.zip
Merge pull request #5938 from staebler/1506976-watch_serviceinstance_in_view_role
Add rules to the view ClusterRole for service catalog.
-rw-r--r--roles/openshift_service_catalog/tasks/install.yml27
-rw-r--r--roles/openshift_service_catalog/templates/sc_admin_edit_role_patching.j2 (renamed from roles/openshift_service_catalog/templates/sc_role_patching.j2)0
-rw-r--r--roles/openshift_service_catalog/templates/sc_view_role_patching.j211
3 files changed, 36 insertions, 2 deletions
diff --git a/roles/openshift_service_catalog/tasks/install.yml b/roles/openshift_service_catalog/tasks/install.yml
index aa3ec5724..d17468b5c 100644
--- a/roles/openshift_service_catalog/tasks/install.yml
+++ b/roles/openshift_service_catalog/tasks/install.yml
@@ -83,7 +83,7 @@
# only do this if we don't already have the updated role info
- name: Generate apply template for clusterrole/edit
template:
- src: sc_role_patching.j2
+ src: sc_admin_edit_role_patching.j2
dest: "{{ mktemp.stdout }}/edit_sc_patch.yml"
vars:
original_content: "{{ edit_yaml.results.results[0] | to_yaml }}"
@@ -106,7 +106,7 @@
# only do this if we don't already have the updated role info
- name: Generate apply template for clusterrole/admin
template:
- src: sc_role_patching.j2
+ src: sc_admin_edit_role_patching.j2
dest: "{{ mktemp.stdout }}/admin_sc_patch.yml"
vars:
original_content: "{{ admin_yaml.results.results[0] | to_yaml }}"
@@ -120,6 +120,29 @@
when:
- not admin_yaml.results.results[0] | oo_contains_rule(['servicecatalog.k8s.io'], ['serviceinstances', 'servicebindings'], ['create', 'update', 'delete', 'get', 'list', 'watch']) or not admin_yaml.results.results[0] | oo_contains_rule(['settings.k8s.io'], ['podpresets'], ['create', 'update', 'delete', 'get', 'list', 'watch'])
+- oc_obj:
+ name: view
+ kind: clusterrole
+ state: list
+ register: view_yaml
+
+# only do this if we don't already have the updated role info
+- name: Generate apply template for clusterrole/view
+ template:
+ src: sc_view_role_patching.j2
+ dest: "{{ mktemp.stdout }}/view_sc_patch.yml"
+ vars:
+ original_content: "{{ view_yaml.results.results[0] | to_yaml }}"
+ when:
+ - not view_yaml.results.results[0] | oo_contains_rule(['servicecatalog.k8s.io'], ['serviceinstances', 'servicebindings'], ['get', 'list', 'watch'])
+
+# only do this if we don't already have the updated role info
+- name: update view role for service catalog access
+ command: >
+ oc replace -f {{ mktemp.stdout }}/view_sc_patch.yml
+ when:
+ - not view_yaml.results.results[0] | oo_contains_rule(['servicecatalog.k8s.io'], ['serviceinstances', 'servicebindings'], ['get', 'list', 'watch'])
+
- oc_adm_policy_user:
namespace: kube-service-catalog
resource_kind: scc
diff --git a/roles/openshift_service_catalog/templates/sc_role_patching.j2 b/roles/openshift_service_catalog/templates/sc_admin_edit_role_patching.j2
index 4629d5bb3..4629d5bb3 100644
--- a/roles/openshift_service_catalog/templates/sc_role_patching.j2
+++ b/roles/openshift_service_catalog/templates/sc_admin_edit_role_patching.j2
diff --git a/roles/openshift_service_catalog/templates/sc_view_role_patching.j2 b/roles/openshift_service_catalog/templates/sc_view_role_patching.j2
new file mode 100644
index 000000000..838993854
--- /dev/null
+++ b/roles/openshift_service_catalog/templates/sc_view_role_patching.j2
@@ -0,0 +1,11 @@
+{{ original_content }}
+- apiGroups:
+ - "servicecatalog.k8s.io"
+ attributeRestrictions: null
+ resources:
+ - serviceinstances
+ - servicebindings
+ verbs:
+ - get
+ - list
+ - watch