From 7cfdaabc5885551729a7b160d093ae6a9f254367 Mon Sep 17 00:00:00 2001 From: staebler Date: Mon, 30 Oct 2017 16:04:06 -0400 Subject: Add rules to the view ClusterRole for service catalog. --- roles/openshift_service_catalog/tasks/install.yml | 27 ++++++++++++++++++++-- .../templates/sc_admin_edit_role_patching.j2 | 26 +++++++++++++++++++++ .../templates/sc_role_patching.j2 | 26 --------------------- .../templates/sc_view_role_patching.j2 | 11 +++++++++ 4 files changed, 62 insertions(+), 28 deletions(-) create mode 100644 roles/openshift_service_catalog/templates/sc_admin_edit_role_patching.j2 delete mode 100644 roles/openshift_service_catalog/templates/sc_role_patching.j2 create mode 100644 roles/openshift_service_catalog/templates/sc_view_role_patching.j2 diff --git a/roles/openshift_service_catalog/tasks/install.yml b/roles/openshift_service_catalog/tasks/install.yml index aa3ec5724..d17468b5c 100644 --- a/roles/openshift_service_catalog/tasks/install.yml +++ b/roles/openshift_service_catalog/tasks/install.yml @@ -83,7 +83,7 @@ # only do this if we don't already have the updated role info - name: Generate apply template for clusterrole/edit template: - src: sc_role_patching.j2 + src: sc_admin_edit_role_patching.j2 dest: "{{ mktemp.stdout }}/edit_sc_patch.yml" vars: original_content: "{{ edit_yaml.results.results[0] | to_yaml }}" @@ -106,7 +106,7 @@ # only do this if we don't already have the updated role info - name: Generate apply template for clusterrole/admin template: - src: sc_role_patching.j2 + src: sc_admin_edit_role_patching.j2 dest: "{{ mktemp.stdout }}/admin_sc_patch.yml" vars: original_content: "{{ admin_yaml.results.results[0] | to_yaml }}" @@ -120,6 +120,29 @@ when: - not admin_yaml.results.results[0] | oo_contains_rule(['servicecatalog.k8s.io'], ['serviceinstances', 'servicebindings'], ['create', 'update', 'delete', 'get', 'list', 'watch']) or not admin_yaml.results.results[0] | oo_contains_rule(['settings.k8s.io'], ['podpresets'], ['create', 'update', 'delete', 'get', 'list', 'watch']) +- oc_obj: + name: view + kind: clusterrole + state: list + register: view_yaml + +# only do this if we don't already have the updated role info +- name: Generate apply template for clusterrole/view + template: + src: sc_view_role_patching.j2 + dest: "{{ mktemp.stdout }}/view_sc_patch.yml" + vars: + original_content: "{{ view_yaml.results.results[0] | to_yaml }}" + when: + - not view_yaml.results.results[0] | oo_contains_rule(['servicecatalog.k8s.io'], ['serviceinstances', 'servicebindings'], ['get', 'list', 'watch']) + +# only do this if we don't already have the updated role info +- name: update view role for service catalog access + command: > + oc replace -f {{ mktemp.stdout }}/view_sc_patch.yml + when: + - not view_yaml.results.results[0] | oo_contains_rule(['servicecatalog.k8s.io'], ['serviceinstances', 'servicebindings'], ['get', 'list', 'watch']) + - oc_adm_policy_user: namespace: kube-service-catalog resource_kind: scc diff --git a/roles/openshift_service_catalog/templates/sc_admin_edit_role_patching.j2 b/roles/openshift_service_catalog/templates/sc_admin_edit_role_patching.j2 new file mode 100644 index 000000000..4629d5bb3 --- /dev/null +++ b/roles/openshift_service_catalog/templates/sc_admin_edit_role_patching.j2 @@ -0,0 +1,26 @@ +{{ original_content }} +- apiGroups: + - "servicecatalog.k8s.io" + attributeRestrictions: null + resources: + - serviceinstances + - servicebindings + verbs: + - create + - update + - delete + - get + - list + - watch +- apiGroups: + - "settings.k8s.io" + attributeRestrictions: null + resources: + - podpresets + verbs: + - create + - update + - delete + - get + - list + - watch diff --git a/roles/openshift_service_catalog/templates/sc_role_patching.j2 b/roles/openshift_service_catalog/templates/sc_role_patching.j2 deleted file mode 100644 index 4629d5bb3..000000000 --- a/roles/openshift_service_catalog/templates/sc_role_patching.j2 +++ /dev/null @@ -1,26 +0,0 @@ -{{ original_content }} -- apiGroups: - - "servicecatalog.k8s.io" - attributeRestrictions: null - resources: - - serviceinstances - - servicebindings - verbs: - - create - - update - - delete - - get - - list - - watch -- apiGroups: - - "settings.k8s.io" - attributeRestrictions: null - resources: - - podpresets - verbs: - - create - - update - - delete - - get - - list - - watch diff --git a/roles/openshift_service_catalog/templates/sc_view_role_patching.j2 b/roles/openshift_service_catalog/templates/sc_view_role_patching.j2 new file mode 100644 index 000000000..838993854 --- /dev/null +++ b/roles/openshift_service_catalog/templates/sc_view_role_patching.j2 @@ -0,0 +1,11 @@ +{{ original_content }} +- apiGroups: + - "servicecatalog.k8s.io" + attributeRestrictions: null + resources: + - serviceinstances + - servicebindings + verbs: + - get + - list + - watch -- cgit v1.2.3