From 4e6297c8d99b0ef38bdc3375b14107cf21754348 Mon Sep 17 00:00:00 2001 From: Brenton Leanhardt Date: Tue, 16 Feb 2016 10:14:34 -0500 Subject: Refactoring the add-scc-to-user logic --- .../tasks/legacy_add_scc_to_user.yml | 34 +++++++++++++++++++ roles/openshift_serviceaccounts/tasks/main.yml | 39 +--------------------- 2 files changed, 35 insertions(+), 38 deletions(-) create mode 100644 roles/openshift_serviceaccounts/tasks/legacy_add_scc_to_user.yml (limited to 'roles/openshift_serviceaccounts') diff --git a/roles/openshift_serviceaccounts/tasks/legacy_add_scc_to_user.yml b/roles/openshift_serviceaccounts/tasks/legacy_add_scc_to_user.yml new file mode 100644 index 000000000..628df4540 --- /dev/null +++ b/roles/openshift_serviceaccounts/tasks/legacy_add_scc_to_user.yml @@ -0,0 +1,34 @@ +#### +# +# OSE 3.0.z did not have 'oadm policy add-scc-to-user'. +# +#### + +- name: tmp dir for openshift + file: + path: /tmp/openshift + state: directory + owner: root + mode: 700 + +- name: Create service account configs + template: + src: serviceaccount.j2 + dest: "/tmp/openshift/{{ item }}-serviceaccount.yaml" + with_items: openshift_serviceaccounts_names + +- name: Get current security context constraints + shell: > + {{ openshift.common.client_binary }} get scc privileged -o yaml + --output-version=v1 > /tmp/openshift/scc.yaml + changed_when: false + +- name: Add security context constraint for {{ item }} + lineinfile: + dest: /tmp/openshift/scc.yaml + line: "- system:serviceaccount:{{ openshift_serviceaccounts_namespace }}:{{ item }}" + insertafter: "^users:$" + with_items: openshift_serviceaccounts_names + +- name: Apply new scc rules for service accounts + command: "{{ openshift.common.client_binary }} update -f /tmp/openshift/scc.yaml --api-version=v1" diff --git a/roles/openshift_serviceaccounts/tasks/main.yml b/roles/openshift_serviceaccounts/tasks/main.yml index 89d9e3aa7..f34fa7b74 100644 --- a/roles/openshift_serviceaccounts/tasks/main.yml +++ b/roles/openshift_serviceaccounts/tasks/main.yml @@ -32,42 +32,5 @@ - openshift_serviceaccounts_names - scc_test.results -#### -# -# Support for 3.0.z -# -#### - -- name: tmp dir for openshift - file: - path: /tmp/openshift - state: directory - owner: root - mode: 700 - when: not openshift.common.version_gte_3_1_or_1_1 - -- name: Create service account configs - template: - src: serviceaccount.j2 - dest: "/tmp/openshift/{{ item }}-serviceaccount.yaml" - with_items: openshift_serviceaccounts_names - when: not openshift.common.version_gte_3_1_or_1_1 - -- name: Get current security context constraints - shell: > - {{ openshift.common.client_binary }} get scc privileged -o yaml - --output-version=v1 > /tmp/openshift/scc.yaml - changed_when: false - when: not openshift.common.version_gte_3_1_or_1_1 - -- name: Add security context constraint for {{ item }} - lineinfile: - dest: /tmp/openshift/scc.yaml - line: "- system:serviceaccount:{{ openshift_serviceaccounts_namespace }}:{{ item }}" - insertafter: "^users:$" - with_items: openshift_serviceaccounts_names - when: not openshift.common.version_gte_3_1_or_1_1 - -- name: Apply new scc rules for service accounts - command: "{{ openshift.common.client_binary }} update -f /tmp/openshift/scc.yaml --api-version=v1" +- include: legacy_add_scc_to_user.yml when: not openshift.common.version_gte_3_1_or_1_1 -- cgit v1.2.3