Diffstat (limited to 'roles/ands_openshift/tasks/security_resources.yml')
-rw-r--r--roles/ands_openshift/tasks/security_resources.yml36
1 files changed, 14 insertions, 22 deletions
diff --git a/roles/ands_openshift/tasks/security_resources.yml b/roles/ands_openshift/tasks/security_resources.yml
index 5644723..5b80f1e 100644
--- a/roles/ands_openshift/tasks/security_resources.yml
+++ b/roles/ands_openshift/tasks/security_resources.yml
@@ -6,49 +6,41 @@
- name: Patch group range in project configuration
include_role: name="openshift_resource" tasks_from="patch.yml"
vars:
- project: "{{ prj_item }}"
- resource: "ns/{{ prj_item }}"
- patch: '{"metadata":{"annotations":{"openshift.io/sa.scc.supplemental-groups":"{{ands_openshift_gid_ranges[prj_item]}}"}}}'
+ project: "{{ item.key }}"
+ resource: "ns/{{ item.key }}"
+ patch: '{"metadata":{"annotations":{"openshift.io/sa.scc.supplemental-groups":"{{ item.value }}"}}}'
patch_path: "{{ ands_openshift_patch_path }}"
- with_items: "{{ (ands_openshift_gid_ranges | default({})).keys() }}"
- loop_control:
- loop_var: prj_item
+ with_dict: "{{ ands_openshift_gid_ranges | default({}) }}"
- name: Patch uid range in project configuration
include_role: name="openshift_resource" tasks_from="patch.yml"
vars:
- project: "{{ prj_item }}"
- resource: "ns/{{ prj_item }}"
- patch: '{"metadata":{"annotations":{"openshift.io/sa.scc.uid-range":"{{ands_openshift_uid_ranges[prj_item]}}"}}}'
+ project: "{{ item.key }}"
+ resource: "ns/{{ item.key }}"
+ patch: '{"metadata":{"annotations":{"openshift.io/sa.scc.uid-range":"{{ item.value }}"}}}'
patch_path: "{{ ands_openshift_patch_path }}"
- with_items: "{{ (ands_openshift_uid_ranges | default({})).keys() }}"
- loop_control:
- loop_var: prj_item
+ with_dict: "{{ ands_openshift_uid_ranges | default({}) }}"
- name: Restrict supplementalGroups
include_role: name="openshift_resource" tasks_from="patch.yml"
vars:
- project: "{{ prj_item }}"
+ project: "{{ item.key }}"
resource: "scc/restricted"
modes: "{{ ands_openshift_gid_mode | default({}) }}"
- mode: "{{ (modes[prj_item] is defined) | ternary(modes[prj_item], modes['ands_default'] | default(false)) }}"
+ mode: "{{ modes[item.key] | default(modes['ands_default'] | default(false)) }}"
patch: '{"supplementalGroups":{"type":"{{mode}}"}}'
patch_path: "{{ ands_openshift_patch_path }}"
when: mode != false
- with_items: "{{ (ands_openshift_projects | default({})).keys() }}"
- loop_control:
- loop_var: prj_item
+ with_dict: "{{ ands_openshift_projects | default({}) }}"
- name: Configure runAsUser
include_role: name="openshift_resource" tasks_from="patch.yml"
vars:
- project: "{{ prj_item }}"
+ project: "{{ item.key }}"
resource: "scc/restricted"
modes: "{{ ands_openshift_uid_mode | default({}) }}"
- mode: "{{ (modes[prj_item] is defined) | ternary(modes[prj_item], modes['ands_default'] | default(false)) }}"
+ mode: "{{ modes[item.key] | default(modes['ands_default'] | default(false)) }}"
patch: '{"runAsUser":{"type":"{{mode}}"}}'
patch_path: "{{ ands_openshift_patch_path }}"
when: mode != false
- with_items: "{{ (ands_openshift_projects | default({})).keys() }}"
- loop_control:
- loop_var: prj_item
+ with_dict: "{{ ands_openshift_projects | default({}) }}"
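Review bot: Dropping `loop_control: loop_var: prj_item` leaves all four `include_role` loops on the default `item`, and any loop inside `openshift_resource`'s `patch.yml` (not visible here) would overwrite it. Because `project`, `resource`, `patch` and `mode` are templated lazily, `item.key`/`item.value` could then resolve to the inner loop's value when the patch is rendered. The dict loop can keep a named variable instead, e.g. `loop_control: { loop_var: prj }` with `project: "{{ prj.key }}"`. Separately, the last two tasks patch the cluster-scoped `scc/restricted` once per project, so if `ands_openshift_gid_mode` or `ands_openshift_uid_mode` carry differing per-project values, the final `supplementalGroups`/`runAsUser` type appears to depend on dict iteration order. A comment stating that the mode is effectively cluster-wide, or a single patch driven by `ands_default`, would make the resulting policy predictable.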