summaryrefslogtreecommitdiffstats
path: root/roles/ands_openshift
diff options
context:
space:
mode:
authorSuren A. Chilingaryan <csa@suren.me>2018-03-01 21:15:50 +0100
committerSuren A. Chilingaryan <csa@suren.me>2018-03-01 21:15:50 +0100
commit69adb23c59e991ddcabf5cfce415fd8b638dbc1a (patch)
tree8693e708f751923f6f7f9dd48004303bebb4e126 /roles/ands_openshift
parent1f3e2a9f59e83dc3f0fcbecf096a7e7b40d36ed7 (diff)
downloadands-69adb23c59e991ddcabf5cfce415fd8b638dbc1a.tar.gz
ands-69adb23c59e991ddcabf5cfce415fd8b638dbc1a.tar.bz2
ands-69adb23c59e991ddcabf5cfce415fd8b638dbc1a.tar.xz
ands-69adb23c59e991ddcabf5cfce415fd8b638dbc1a.zip
Improve handling of filesystem permissions and other fixes
Diffstat (limited to 'roles/ands_openshift')
-rw-r--r--roles/ands_openshift/tasks/security_resources.yml28
1 files changed, 13 insertions, 15 deletions
diff --git a/roles/ands_openshift/tasks/security_resources.yml b/roles/ands_openshift/tasks/security_resources.yml
index 5b80f1e..fd72240 100644
--- a/roles/ands_openshift/tasks/security_resources.yml
+++ b/roles/ands_openshift/tasks/security_resources.yml
@@ -1,7 +1,4 @@
---
-- name: Ensure OpenShift patch directory exists
- file: path="{{ ands_openshift_patch_path }}" state="directory" mode=0644 owner=root group=root
-
# No spaces in patch, otherwise escaping mess...
- name: Patch group range in project configuration
include_role: name="openshift_resource" tasks_from="patch.yml"
@@ -9,7 +6,6 @@
project: "{{ item.key }}"
resource: "ns/{{ item.key }}"
patch: '{"metadata":{"annotations":{"openshift.io/sa.scc.supplemental-groups":"{{ item.value }}"}}}'
- patch_path: "{{ ands_openshift_patch_path }}"
with_dict: "{{ ands_openshift_gid_ranges | default({}) }}"
- name: Patch uid range in project configuration
@@ -18,29 +14,31 @@
project: "{{ item.key }}"
resource: "ns/{{ item.key }}"
patch: '{"metadata":{"annotations":{"openshift.io/sa.scc.uid-range":"{{ item.value }}"}}}'
- patch_path: "{{ ands_openshift_patch_path }}"
with_dict: "{{ ands_openshift_uid_ranges | default({}) }}"
- name: Restrict supplementalGroups
include_role: name="openshift_resource" tasks_from="patch.yml"
vars:
- project: "{{ item.key }}"
+ project: "default"
resource: "scc/restricted"
- modes: "{{ ands_openshift_gid_mode | default({}) }}"
- mode: "{{ modes[item.key] | default(modes['ands_default'] | default(false)) }}"
+ mode: "{{ ands_openshift_groups_mode | default(false) }}"
patch: '{"supplementalGroups":{"type":"{{mode}}"}}'
- patch_path: "{{ ands_openshift_patch_path }}"
when: mode != false
- with_dict: "{{ ands_openshift_projects | default({}) }}"
+
+- name: Restrict fsGroup
+ include_role: name="openshift_resource" tasks_from="patch.yml"
+ vars:
+ project: "default"
+ resource: "scc/restricted"
+ mode: "{{ ands_openshift_gid_mode | default(false) }}"
+ patch: '{"fsGroup":{"type":"{{mode}}"}}'
+ when: mode != false
- name: Configure runAsUser
include_role: name="openshift_resource" tasks_from="patch.yml"
vars:
- project: "{{ item.key }}"
+ project: "default"
resource: "scc/restricted"
- modes: "{{ ands_openshift_uid_mode | default({}) }}"
- mode: "{{ modes[item.key] | default(modes['ands_default'] | default(false)) }}"
+ mode: "{{ ands_openshift_uid_mode | default(false) }}"
patch: '{"runAsUser":{"type":"{{mode}}"}}'
- patch_path: "{{ ands_openshift_patch_path }}"
when: mode != false
- with_dict: "{{ ands_openshift_projects | default({}) }}"