
Merge pull request #5938 from staebler/1506976-watch_serviceinstance_in_view_role

Add rules to the view ClusterRole for service catalog.
Scott Dodson 7 years ago
parent
commit
ecc37050eb

+ 25 - 2
roles/openshift_service_catalog/tasks/install.yml

@@ -83,7 +83,7 @@
 # only do this if we don't already have the updated role info
 - name: Generate apply template for clusterrole/edit
   template:
-    src: sc_role_patching.j2
+    src: sc_admin_edit_role_patching.j2
     dest: "{{ mktemp.stdout }}/edit_sc_patch.yml"
   vars:
     original_content: "{{ edit_yaml.results.results[0] | to_yaml }}"
@@ -106,7 +106,7 @@
 # only do this if we don't already have the updated role info
 - name: Generate apply template for clusterrole/admin
   template:
-    src: sc_role_patching.j2
+    src: sc_admin_edit_role_patching.j2
     dest: "{{ mktemp.stdout }}/admin_sc_patch.yml"
   vars:
     original_content: "{{ admin_yaml.results.results[0] | to_yaml }}"
@@ -120,6 +120,29 @@
   when:
     - not admin_yaml.results.results[0] | oo_contains_rule(['servicecatalog.k8s.io'], ['serviceinstances', 'servicebindings'], ['create', 'update', 'delete', 'get', 'list', 'watch']) or not admin_yaml.results.results[0] | oo_contains_rule(['settings.k8s.io'], ['podpresets'], ['create', 'update', 'delete', 'get', 'list', 'watch'])
 
+- oc_obj:
+    name: view
+    kind: clusterrole
+    state: list
+  register: view_yaml
+
+# only do this if we don't already have the updated role info
+- name: Generate apply template for clusterrole/view
+  template:
+    src: sc_view_role_patching.j2
+    dest: "{{ mktemp.stdout }}/view_sc_patch.yml"
+  vars:
+    original_content: "{{ view_yaml.results.results[0] | to_yaml }}"
+  when:
+    - not view_yaml.results.results[0] | oo_contains_rule(['servicecatalog.k8s.io'], ['serviceinstances', 'servicebindings'], ['get', 'list', 'watch'])
+
+# only do this if we don't already have the updated role info
+- name: update view role for service catalog access
+  command: >
+    oc replace -f {{ mktemp.stdout }}/view_sc_patch.yml
+  when:
+    - not view_yaml.results.results[0] | oo_contains_rule(['servicecatalog.k8s.io'], ['serviceinstances', 'servicebindings'], ['get', 'list', 'watch'])
+
 - oc_adm_policy_user:
     namespace: kube-service-catalog
     resource_kind: scc
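Review bot: The new `view` rule granted by the `oc replace` task makes `serviceinstances` and `servicebindings` readable (`get`/`list`/`watch`) by a role that otherwise deliberately excludes secrets, and nothing in the tasks records why that is acceptable; if those objects carry inline `spec.parameters` written by the instance owner (I cannot confirm their shape from here), a `view` user would be able to read them. A one-line comment above the `oc_obj` task, e.g. `# view gets read access to the instance/binding objects only; the bound Secrets remain outside the view role`, would document the decision for the next reviewer. Separately, the identical `when` expression on the template task and on the `oc replace` task is repeated verbatim; computing it once with `- set_fact:` / `    view_needs_sc_rule: "{{ not view_yaml.results.results[0] | oo_contains_rule(['servicecatalog.k8s.io'], ['serviceinstances', 'servicebindings'], ['get', 'list', 'watch']) }}"` and using `when: view_needs_sc_rule | bool` on both tasks keeps the two guards from drifting apart. `mktemp` and `oo_contains_rule` are defined outside the hunk.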

roles/openshift_service_catalog/templates/sc_role_patching.j2 → roles/openshift_service_catalog/templates/sc_admin_edit_role_patching.j2


+ 11 - 0
roles/openshift_service_catalog/templates/sc_view_role_patching.j2

@@ -0,0 +1,11 @@
+{{ original_content }}
+- apiGroups:
+  - "servicecatalog.k8s.io"
+  attributeRestrictions: null
+  resources:
+  - serviceinstances
+  - servicebindings
+  verbs:
+  - get
+  - list
+  - watch
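Review bot: The template appends a block-style rule at column 0 directly after `{{ original_content }}` without explaining the assumption, which only renders valid YAML because the `to_yaml` dump of the listed clusterrole appears to end with its `rules:` sequence at column 0; if the dumper ever emits a key after `rules` or indents the sequence, the appended item lands under the wrong key and `oc replace` fails. Worth stating this at the top of the file, e.g. `{# original_content is the to_yaml dump of the existing clusterrole; the rule below is appended to its trailing rules: list and must stay at column 0 #}`. The renamed `sc_admin_edit_role_patching.j2` uses the same shape, so the caveat applies there too.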