diff options
| -rw-r--r-- | roles/openshift_service_catalog/tasks/install.yml | 34 | ||||
| -rw-r--r-- | roles/openshift_service_catalog/templates/sc_role_patching.j2 | 26 | 
2 files changed, 60 insertions, 0 deletions
| diff --git a/roles/openshift_service_catalog/tasks/install.yml b/roles/openshift_service_catalog/tasks/install.yml index 1f9ecc2b8..de7511f71 100644 --- a/roles/openshift_service_catalog/tasks/install.yml +++ b/roles/openshift_service_catalog/tasks/install.yml @@ -66,6 +66,40 @@      template_name: kube-system-service-catalog      namespace: kube-system +- oc_obj: +    name: edit +    kind: clusterrole +    state: list +  register: edit_yaml + +- name: Generate apply template for clusterrole/edit +  template: +    src: sc_role_patching.j2 +    dest: "{{ mktemp.stdout }}/edit_sc_patch.yml" +  vars: +    original_content: "{{ edit_yaml.results.results[0] | to_yaml }}" + +- name: update edit role for service catalog and pod preset access +  command: > +    oc apply -f {{ mktemp.stdout }}/edit_sc_patch.yml + +- oc_obj: +    name: admin +    kind: clusterrole +    state: list +  register: admin_yaml + +- name: Generate apply template for clusterrole/admin +  template: +    src: sc_role_patching.j2 +    dest: "{{ mktemp.stdout }}/admin_sc_patch.yml" +  vars: +    original_content: "{{ admin_yaml.results.results[0] | to_yaml }}" + +- name: update admin role for service catalog and pod preset access +  command: > +    oc apply -f {{ mktemp.stdout }}/admin_sc_patch.yml +  - shell: >      oc get policybindings/kube-system:default -n kube-system || echo "not found"    register: get_kube_system diff --git a/roles/openshift_service_catalog/templates/sc_role_patching.j2 b/roles/openshift_service_catalog/templates/sc_role_patching.j2 new file mode 100644 index 000000000..69b062b3f --- /dev/null +++ b/roles/openshift_service_catalog/templates/sc_role_patching.j2 @@ -0,0 +1,26 @@ +{{ original_content }} +- apiGroups: +  - "servicecatalog.k8s.io" +  attributeRestrictions: null +  resources: +  - instances +  - bindings +  verbs: +  - create +  - update +  - delete +  - get +  - list +  - watch +- apiGroups: +  - "settings.k8s.io" +  attributeRestrictions: null +  resources: +  - podpresets +  verbs: +  - create +  - update +  - delete +  - get +  - list +  - watch | 
