From e9dd4ea3ca269bbfcb9fa52d04cc86f690b22b47 Mon Sep 17 00:00:00 2001
From: Brenton Leanhardt
Date: Mon, 15 Feb 2016 16:36:25 -0500
Subject: Bug 1308411 - Fail to install OSE 3.0 for no add-scc-to-user command
---
roles/openshift_serviceaccounts/tasks/main.yml | 42 +++++++++++++++++++++++++-
1 file changed, 41 insertions(+), 1 deletion(-)
diff --git a/roles/openshift_serviceaccounts/tasks/main.yml b/roles/openshift_serviceaccounts/tasks/main.yml
index 5fe7d28f3..89d9e3aa7 100644
--- a/roles/openshift_serviceaccounts/tasks/main.yml
+++ b/roles/openshift_serviceaccounts/tasks/main.yml
@@ -27,7 +27,47 @@ command: > {{ openshift.common.admin_binary }} policy add-scc-to-user privileged system:serviceaccount:{{ openshift_serviceaccounts_namespace }}:{{ item.0 }} - when: "item.1.rc == 0 and 'system:serviceaccount:{{ openshift_serviceaccounts_namespace }}:{{ item.0 }}' not in {{ (item.1.stdout | from_yaml).users }}" + when: "openshift.common.version_gte_3_1_or_1_1 and item.1.rc == 0 and 'system:serviceaccount:{{ openshift_serviceaccounts_namespace }}:{{ item.0 }}' not in {{ (item.1.stdout | from_yaml).users }}" with_nested: - openshift_serviceaccounts_names - scc_test.results + +#### +# +# Support for 3.0.z +# +#### + +- name: tmp dir for openshift + file: + path: /tmp/openshift + state: directory + owner: root + mode: 700 + when: not openshift.common.version_gte_3_1_or_1_1 + +- name: Create service account configs + template: + src: serviceaccount.j2 + dest: "/tmp/openshift/{{ item }}-serviceaccount.yaml" + with_items: openshift_serviceaccounts_names + when: not openshift.common.version_gte_3_1_or_1_1 + +- name: Get current security context constraints + shell: > + {{ openshift.common.client_binary }} get scc privileged -o yaml + --output-version=v1 > /tmp/openshift/scc.yaml + changed_when: false + when: not openshift.common.version_gte_3_1_or_1_1 + +- name: Add security context constraint for {{ item }} + lineinfile: + dest: /tmp/openshift/scc.yaml + line: "- system:serviceaccount:{{ openshift_serviceaccounts_namespace }}:{{ item }}" + insertafter: "^users:$" + with_items: openshift_serviceaccounts_names + when: not openshift.common.version_gte_3_1_or_1_1 + +- name: Apply new scc rules for service accounts + command: "{{ openshift.common.client_binary }} update -f /tmp/openshift/scc.yaml --api-version=v1" + when: not openshift.common.version_gte_3_1_or_1_1 -- cgit v1.2.3
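Review bot: In the `tmp dir for openshift` task, `mode: 700` is an unquoted decimal integer, which Ansible does not read as octal 0700; decimal 700 is octal 1274, so the directory ends up sticky, group-writable and world-readable with only write permission for the owner, instead of root-only, and the line should be `mode: "0700"`. The path `/tmp/openshift` is also fixed and sits in a world-writable directory: if it already exists, the `file` task keeps whatever it contains, and the later `shell` redirect and `update -f /tmp/openshift/scc.yaml` then write and read files there while editing the privileged SCC. A per-run directory created with `mktemp -d`, registered and reused in the `dest` and `-f` paths and removed at the end, would avoid trusting pre-existing content. Separately, `insertafter: "^users:$"` falls back to appending at end of file when the pattern does not match (for example if the list is rendered as `users: []`), so the edited file should be checked before it is applied.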