From 09aadeef84c1277fbbd4b114eb3270261456f5e3 Mon Sep 17 00:00:00 2001
From: Ryan Hallisey
Date: Tue, 11 Jul 2017 13:36:02 -0400
Subject: Add an SA policy to the ansible-service-broker We are not adding a role to the service account after creation. The ansible-service-broker will require cluster-admin permissions because we do things like: creating service accounts, projects, and pods.
---
 roles/ansible_service_broker/tasks/install.yml | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/roles/ansible_service_broker/tasks/install.yml b/roles/ansible_service_broker/tasks/install.yml
index 65dffc89b..58b3eb859 100644
--- a/roles/ansible_service_broker/tasks/install.yml
+++ b/roles/ansible_service_broker/tasks/install.yml
@@ -42,6 +42,14 @@
 namespace: openshift-ansible-service-broker
 state: present
+- name: Set SA cluster-role
+ oc_adm_policy_user:
+ state: present
+ namespace: "openshift-ansible-service-broker"
+ resource_kind: cluster-role
+ resource_name: cluster-admin
+ user: "system:serviceaccount:openshift-ansible-service-broker:asb"
+
 - name: create ansible-service-broker service
 oc_service:
 name: asb
--
cgit v1.2.3
From e38a02dd29ef7b0e395208dca10077bdc6600ebf Mon Sep 17 00:00:00 2001
From: Ryan Hallisey
Date: Tue, 18 Jul 2017 10:14:28 -0400
Subject: Changing cluster role to admin
---
 roles/ansible_service_broker/tasks/install.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roles/ansible_service_broker/tasks/install.yml b/roles/ansible_service_broker/tasks/install.yml
index 58b3eb859..0e25ba5e1 100644
--- a/roles/ansible_service_broker/tasks/install.yml
+++ b/roles/ansible_service_broker/tasks/install.yml
@@ -47,7 +47,7 @@
 state: present
 namespace: "openshift-ansible-service-broker"
 resource_kind: cluster-role
- resource_name: cluster-admin
+ resource_name: admin
 user: "system:serviceaccount:openshift-ansible-service-broker:asb"
 - name: create ansible-service-broker service
--
cgit v1.2.3
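Review bot: In the first commit's hunk (`@@ -42,6 +42,14 @@`), the `namespace:` key on the new `Set SA cluster-role` task reads as if the grant were confined to openshift-ansible-service-broker. With `resource_kind: cluster-role` the binding is, as far as I can tell, cluster-wide, so the `asb` service account's token carries the role in every project. That scope is not stated anywhere in the task, and the task name does not say which account or role is involved. I would add a comment above it such as `# Cluster-wide binding: the asb service account holds this role in every namespace, not only its own`, and rename the task to `Grant cluster role to the asb service account` so playbook output names the subject of the grant.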
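Review bot: In the second commit's hunk (`@@ -47,7 +47,7 @@`), `resource_name: admin` is still bound through `resource_kind: cluster-role`, so the `asb` service account ends up as project admin in every namespace rather than only where the broker provisions. In a stock cluster that role normally includes reading secrets and editing role bindings, so a leaked broker token still reaches infrastructure projects. The first commit's message gives the need as creating service accounts, projects and pods; a dedicated cluster role limited to those resources and verbs would fit that better, and it is not evident from this hunk that `admin` permits project creation at all. If the stock role stays, a comment such as `# admin is bound cluster-wide because the broker provisions into arbitrary target projects` would record the reason. The task's `- name:` and `oc_adm_policy_user:` lines sit above the hunk.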