okd/roles/openshift_serviceaccounts/tasks/main.yml

- name: Create service account configs
  template:
    src: serviceaccount.j2
    dest: "/tmp/{{ item }}-serviceaccount.yaml"
  with_items: accounts

- name: Create {{ item }} service account
  command: >
    {{ openshift.common.client_binary }} create -f "/tmp/{{ item }}-serviceaccount.yaml"
  with_items: accounts
  register: _sa_result
  failed_when: "'serviceaccounts \"{{ item }}\" already exists' not in _sa_result.stderr and _sa_result.rc != 0"
  changed_when: "'serviceaccounts \"{{ item }}\" already exists' not in _sa_result.stderr and _sa_result.rc == 0"

- name: Get current security context constraints
  shell: >
    {{ openshift.common.client_binary }} get scc privileged -o yaml
    --output-version=v1 > /tmp/scc.yaml

- name: Add security context constraint for {{ item }}
  lineinfile:
    dest: /tmp/scc.yaml
    line: "- system:serviceaccount:default:{{ item }}"
    insertafter: "^users:$"
  with_items: accounts

- name: Apply new scc rules for service accounts
  command: "{{ openshift.common.client_binary }} update -f /tmp/scc.yaml --api-version=v1"