首页 发现 帮助
注册 登录
shixiong
/
okd
1
0
派生 0
文件 工单管理 0 合并请求 0 Wiki
目录树: 8a8b0117fc
分支列表 标签列表
okd
/
roles
/
openshift_serviceaccounts
/
tasks
/
main.yml

main.yml 2.5 KB
文件历史 原始文件

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273 
  1. - name: test if service accounts exists
    2. 

  2.   command: >
    3. 

  3.       {{ openshift.common.client_binary }} get sa {{ item }} -n {{ openshift_serviceaccounts_namespace }}
    4. 

  4.   with_items: openshift_serviceaccounts_names
    5. 

  5.   failed_when: false
    6. 

  6.   changed_when: false
    7. 

  7.   register: account_test
    8. 

  8. 

  9. - name: create the service account
    10. 

  10.   shell: >
    11. 

  11.        echo {{ lookup('template', '../templates/serviceaccount.j2')
    12. 

  12.                | from_yaml | to_json | quote }} | {{ openshift.common.client_binary }}  create -f -
    13. 

  13.   when: item.1.rc != 0
    14. 

  14.   with_together:
    15. 

  15.   - openshift_serviceaccounts_names
    16. 

  16.   - account_test.results
    17. 

  17. 

  18. - name: test if scc needs to be updated
    19. 

  19.   command: >
    20. 

  20.       {{ openshift.common.client_binary }} get scc {{ item }} -o yaml
    21. 

  21.   changed_when: false
    22. 

  22.   failed_when: false
    23. 

  23.   register: scc_test
    24. 

  24.   with_items: openshift_serviceaccounts_sccs
    25. 

  25. 

  26. - name: Grant the user access to the privileged scc
    27. 

  27.   command: >
    28. 

  28.       {{ openshift.common.admin_binary }} policy add-scc-to-user
    29. 

  29.       privileged system:serviceaccount:{{ openshift_serviceaccounts_namespace }}:{{ item.0 }}
    30. 

  30.   when: "openshift.common.version_gte_3_1_or_1_1 and item.1.rc == 0 and 'system:serviceaccount:{{ openshift_serviceaccounts_namespace }}:{{ item.0 }}' not in {{ (item.1.stdout | from_yaml).users }}"
    31. 

  31.   with_nested:
    32. 

  32.   - openshift_serviceaccounts_names
    33. 

  33.   - scc_test.results
    34. 

  34. 

  35. ####
    36. 

  36. #
    37. 

  37. # Support for 3.0.z
    38. 

  38. #
    39. 

  39. ####
    40. 

  40. 

  41. - name: tmp dir for openshift
    42. 

  42.   file:
    43. 

  43.     path: /tmp/openshift
    44. 

  44.     state: directory
    45. 

  45.     owner: root
    46. 

  46.     mode: 700
    47. 

  47.   when: not openshift.common.version_gte_3_1_or_1_1
    48. 

  48. 

  49. - name: Create service account configs
    50. 

  50.   template:
    51. 

  51.     src: serviceaccount.j2
    52. 

  52.     dest: "/tmp/openshift/{{ item }}-serviceaccount.yaml"
    53. 

  53.   with_items: openshift_serviceaccounts_names
    54. 

  54.   when: not openshift.common.version_gte_3_1_or_1_1
    55. 

  55. 

  56. - name: Get current security context constraints
    57. 

  57.   shell: >
    58. 

  58.     {{ openshift.common.client_binary }} get scc privileged -o yaml
    59. 

  59.     --output-version=v1 > /tmp/openshift/scc.yaml
    60. 

  60.   changed_when: false
    61. 

  61.   when: not openshift.common.version_gte_3_1_or_1_1
    62. 

  62. 

  63. - name: Add security context constraint for {{ item }}
    64. 

  64.   lineinfile:
    65. 

  65.     dest: /tmp/openshift/scc.yaml
    66. 

  66.     line: "- system:serviceaccount:{{ openshift_serviceaccounts_namespace }}:{{ item }}"
    67. 

  67.     insertafter: "^users:$"
    68. 

  68.   with_items: openshift_serviceaccounts_names
    69. 

  69.   when: not openshift.common.version_gte_3_1_or_1_1
    70. 

  70. 

  71. - name: Apply new scc rules for service accounts
    72. 

  72.   command: "{{ openshift.common.client_binary }} update -f /tmp/openshift/scc.yaml --api-version=v1"
    73. 

  73.   when: not openshift.common.version_gte_3_1_or_1_1
    74.