From 69adb23c59e991ddcabf5cfce415fd8b638dbc1a Mon Sep 17 00:00:00 2001
From: "Suren A. Chilingaryan"
Date: Thu, 1 Mar 2018 21:15:50 +0100
Subject: Improve handling of filesystem permissions and other fixes

---
 roles/ands_kaas/tasks/do_project.yml | 2 +-
 roles/ands_kaas/tasks/file.yml | 8 +++----
 roles/ands_kaas/tasks/project.yml | 7 ++++--
 roles/ands_kaas/tasks/sync.yml | 2 +-
 roles/ands_kaas/tasks/templates.yml | 2 +-
 roles/ands_kaas/tasks/volume.yml | 2 +-
 roles/ands_kaas/templates/00-gfs-volumes.yml.j2 | 13 +++++++----
 roles/ands_kaas/templates/50-kaas-pods.yml.j2 | 17 +++++---------
 roles/ands_openshift/tasks/security_resources.yml | 28 +++++++++++------------
 roles/openshift_resource/tasks/patch.yml | 10 ++++----
 roles/openshift_resource/tasks/resource.yml | 6 ++---
 roles/openshift_resource/tasks/template.yml | 8 +++----
 12 files changed, 53 insertions(+), 52 deletions(-)
(limited to 'roles')

diff --git a/roles/ands_kaas/tasks/do_project.yml b/roles/ands_kaas/tasks/do_project.yml
index 4fac6c6..5cafe25 100644
--- a/roles/ands_kaas/tasks/do_project.yml
+++ b/roles/ands_kaas/tasks/do_project.yml
@@ -43,7 +43,7 @@
   include_tasks: keys.yml
 # delegate_to: "{{ groups.masters[0] }}"
   run_once: true
-  with_dict: "{{ kaas_project_config.pods | default({}) }}"
+  with_dict: "{{ kaas_project_pods }}"
   loop_control:
     loop_var: pod
diff --git a/roles/ands_kaas/tasks/file.yml b/roles/ands_kaas/tasks/file.yml
index a839473..488823b 100644
--- a/roles/ands_kaas/tasks/file.yml
+++ b/roles/ands_kaas/tasks/file.yml
@@ -3,15 +3,15 @@
   set_fact: group="{{ file.group | default(kaas_project_config.file_group | default(ands_default_file_group)) }}"
 
 - name : Resolve project groups
-  set_fact: group="{{ (kaas_project_config.gids | default(kaas_openshift_gids))[group].id }}"
-  when: group in ( kaas_project_config.gids | default(kaas_openshift_gids) )
+  set_fact: group="{{ kaas_project_gids[group].id }}"
+  when: group in kaas_project_gids
 
 - name: Set owner
   set_fact: owner="{{ file.owner | default(kaas_project_config.file_owner | default(ands_default_file_owner)) }}"
 
 - name : Resolve project uids
-  set_fact: owner="{{ (kaas_project_config.uids | default(kaas_openshift_uids) )[owner].id }}"
-  when: owner in ( kaas_project_config.uids | default(kaas_openshift_uids) )
+  set_fact: owner="{{ kaas_project_uids[owner].id }}"
+  when: owner in kaas_project_uids
 
 - name: "Setting up files in {{ path }}"
   file:
diff --git a/roles/ands_kaas/tasks/project.yml b/roles/ands_kaas/tasks/project.yml
index f7eb1df..b8574cf 100644
--- a/roles/ands_kaas/tasks/project.yml
+++ b/roles/ands_kaas/tasks/project.yml
@@ -28,5 +28,8 @@
 - include_tasks: do_project.yml
   vars:
     var_name: "var_{{kaas_project}}_config"
-    kaas_project_config: "{{ hostvars[inventory_hostname][var_name] }}"
-    kaas_project_volumes: "{{ kaas_project_config.volumes | default(kaas_project_config.extra_volumes | default({}) | combine(kaas_openshift_volumes)) }}"
\ No newline at end of file
+    kaas_project_config: "{{ hostvars[inventory_hostname][var_name] }}"
+    kaas_project_volumes: "{{ kaas_project_config.volumes | default(kaas_project_config.extra_volumes | default({}) | combine(kaas_openshift_volumes)) }}"
+    kaas_project_pods: "{{ kaas_project_config.pods | default({}) }}"
+    kaas_project_gids: "{{ kaas_project_config.gids | default(kaas_openshift_gids) }}"
+    kaas_project_uids: "{{ kaas_project_config.uids | default(kaas_openshift_uids) }}"
diff --git a/roles/ands_kaas/tasks/sync.yml b/roles/ands_kaas/tasks/sync.yml
index a4febe7..8caefe9 100644
--- a/roles/ands_kaas/tasks/sync.yml
+++ b/roles/ands_kaas/tasks/sync.yml
@@ -11,7 +11,7 @@
 - name: "Ensure the data is writeable by project pods"
   vars:
     grp: "{{ kaas_project_config.sync_set_gid }}"
-    gid: "{{ ((kaas_project_config.gids | default(kaas_openshift_gids))[grp] is defined) | ternary((kaas_project_config.gids | default(kaas_openshift_gids))[grp].id, grp) }}"
+    gid: "{{ (kaas_project_gids[grp] is defined) | ternary(kaas_project_gids[grp].id, grp) }}"
   file:
     path: "{{ remote_path }}"
     state: "directory"
diff --git a/roles/ands_kaas/tasks/templates.yml b/roles/ands_kaas/tasks/templates.yml
index 2de4fad..9fc378f 100644
--- a/roles/ands_kaas/tasks/templates.yml
+++ b/roles/ands_kaas/tasks/templates.yml
@@ -4,7 +4,7 @@
   command: "echo {{ item | quote }}"
   register: results
   changed_when: false
-  when: (kaas_project_config.pods | default([]) | length > 0) or not (item | regex_search('kaas-pods'))
+  when: (kaas_project_pods | length > 0) or not (item | regex_search('kaas-pods'))
   with_fileglob:
     - "{{ role_path }}/templates/{{ kaas_template_glob | default('*') }}.j2"
     - "{{ kaas_project_path }}/templates/{{ kaas_template_glob | default('*') }}.j2"
diff --git a/roles/ands_kaas/tasks/volume.yml b/roles/ands_kaas/tasks/volume.yml
index ff51fb0..783654a 100644
--- a/roles/ands_kaas/tasks/volume.yml
+++ b/roles/ands_kaas/tasks/volume.yml
@@ -16,7 +16,7 @@
     path: "{{ path }}"
     state: "directory"
     recurse: "no"
-    mode: "{{ volume.mode | default(0775) }}"
+    mode: "{{ volume.mode | default(02775) }}"
     owner: "{{ volume.owner | default(kaas_project_config.file_owner) | default(kaas_default_file_owner) }}"
     group: "{{ volume.group | default(kaas_project_config.file_group) | default(default_group) }}"
   register: chmod
diff --git a/roles/ands_kaas/templates/00-gfs-volumes.yml.j2 b/roles/ands_kaas/templates/00-gfs-volumes.yml.j2
index c9341ed..a69942d 100644
--- a/roles/ands_kaas/templates/00-gfs-volumes.yml.j2
+++ b/roles/ands_kaas/templates/00-gfs-volumes.yml.j2
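Review bot: The new default `default(02775)` depends on Jinja2 reading the bare literal as the decimal integer 2775 (a leading zero is not an octal prefix in Jinja2), after which the file module appears to interpret the digit string "2775" as octal; the setgid bit ends up applied, but only through two implicit conversions. Give the mode as a string so neither layer has to guess: `mode: "{{ volume.mode | default('02775') }}"`. Since the setgid bit is the point of the change (new files inherit the project group), a one-line comment above it such as `# 02775: setgid so files created by pods inherit the project group` would record the intent. The enclosing `file:` task starts before this hunk.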
@@ -2,18 +2,23 @@
 apiVersion: v1
 kind: Template
 metadata:
-  name:
+  name: {{ kaas_project }}-gfs-volumes
   annotations:
-    descriptions: "KATRIN Volumes"
+    descriptions: "{{ kaas_project }} glusterfs volumes"
 objects:
 {% for name, vol in kaas_project_volumes.iteritems() %}
 {% set oc_name = vol.name | default(name) | regex_replace('_','-') %}
 {% set cfgpath = vol.path | default("") %}
 {% set path = cfgpath if cfgpath[:1] == "/" else "/" + kaas_project + "/" + cfgpath %}
+{% if oc_name | regex_search("^" + kaas_project) %}
+{% set pvname = oc_name %}
+{% else %}
+{% set pvname = (kaas_project + "-" + oc_name) | regex_replace('_','-') %}
+{% endif %}
   - apiVersion: v1
     kind: PersistentVolume
     metadata:
-      name: {{ oc_name }}
+      name: {{ pvname }}
     spec:
       persistentVolumeReclaimPolicy: Retain
       glusterfs:
@@ -32,7 +37,7 @@ objects:
     metadata:
       name: {{ oc_name }}
     spec:
-      volumeName: {{ oc_name }}
+      volumeName: {{ pvname }}
       accessModes:
         - {{ vol.access | default('ReadWriteMany') }}
       resources:
diff --git a/roles/ands_kaas/templates/50-kaas-pods.yml.j2 b/roles/ands_kaas/templates/50-kaas-pods.yml.j2
index 2ed7462..216dc01 100644
--- a/roles/ands_kaas/templates/50-kaas-pods.yml.j2
+++ b/roles/ands_kaas/templates/50-kaas-pods.yml.j2
@@ -7,7 +7,7 @@ metadata:
   annotations:
     descriptions: {{ kaas_project_config.description | default(kaas_project ~ "auto-generated pod template") }}
 objects:
-{% for name, pod in (kaas_project_config.pods | default({})).iteritems() %}
+{% for name, pod in kaas_project_pods.iteritems() %}
 {% set pubkey = "kaas_" ~ name ~ "_pubkey" %}
 {% set privkey = "kaas_" ~ name ~ "_privkey" %}
 {% set cakey = "kaas_" ~ name ~ "_ca" %}
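Review bot: The added prefix test `oc_name | regex_search("^" + kaas_project)` matches any volume whose name merely starts with the project string, so a project `foo` with a volume `foobar` (constructed example) keeps the unprefixed PV name `foobar`; PersistentVolumes are cluster-scoped, so a second project defining the same volume name would then collide on the PV. Anchor the check on the separator instead, which also avoids feeding the project name into a regex unescaped: `{% if oc_name == kaas_project or oc_name.startswith(kaas_project ~ "-") %}`. A short comment above the block, `# PV names are cluster-wide, so prefix them with the project unless already prefixed`, would explain why `pvname` differs from the PVC's `oc_name`. The enclosing `{% for %}` loop continues past this hunk.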
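Review bot: The rewritten loop header `{% for name, pod in kaas_project_pods.iteritems() %}` keeps `.iteritems()`, which exists only on Python 2 dicts; on a Python 3 controller the template fails to render with an undefined-attribute error. `{% for name, pod in kaas_project_pods.items() %}` behaves the same on both. The unchanged `for` line in the 00-gfs-volumes template in this commit has the same call.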
@@ -104,20 +104,15 @@ objects:
 {% if (pod.groups is defined) or (pod.run_as is defined) %}
           securityContext:
 {% if (pod.run_as is defined) %}
-  {% if (kaas_project_config.uids | default(kaas_openshift_uids))[pod.run_as] is defined %}
-            runAsUser: {{ (kaas_project_config.uids | default(kaas_openshift_uids))[pod.run_as].id }}
-  {% else %}
-            runAsUser: {{ pod.run_as }}
-  {% endif %}
+            runAsUser: {{ (kaas_project_uids[pod.run_as] is defined) | ternary(kaas_project_uids[pod.run_as].id, pod.run_as) }}
 {% endif %}
 {% if (pod.groups is defined) %}
+  {% if (ands_openshift_gid_mode | default('')) == "RunAsAny" %}
+            fsGroup: {{ (kaas_project_gids[pod.groups[0]] is defined) | ternary(kaas_project_gids[pod.groups[0]].id, pod.groups[0]) }}
+  {% endif %}
             supplementalGroups:
 {% for group in pod.groups %}
-  {% if (kaas_project_config.gids | default(kaas_openshift_gids))[group] is defined %}
-              - {{ (kaas_project_config.gids | default(kaas_openshift_gids))[group].id }}
-  {% else %}
-              - {{ group }}
-  {% endif %}
+              - {{ (kaas_project_gids[group] is defined) | ternary(kaas_project_gids[group].id, group) }}
 {% endfor %}
 {% endif %}
 {% endif %}
diff --git a/roles/ands_openshift/tasks/security_resources.yml b/roles/ands_openshift/tasks/security_resources.yml
index 5b80f1e..fd72240 100644
--- a/roles/ands_openshift/tasks/security_resources.yml
+++ b/roles/ands_openshift/tasks/security_resources.yml
@@ -1,7 +1,4 @@
 ---
-- name: Ensure OpenShift patch directory exists
-  file: path="{{ ands_openshift_patch_path }}" state="directory" mode=0644 owner=root group=root
-
 # No spaces in patch, otherwise escaping mess...
 - name: Patch group range in project configuration
   include_role: name="openshift_resource" tasks_from="patch.yml"
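Review bot: The added `fsGroup` line indexes `pod.groups[0]`, but the only guard is `pod.groups is defined`, so a pod entry with `groups: []` renders up to this point and then fails on the index. Tighten the guard to `{% if (pod.groups is defined) and (pod.groups | length > 0) %}`. The `ands_openshift_gid_mode == "RunAsAny"` condition is not self-explanatory; a comment such as `# fsGroup is only emitted when the SCC's fsGroup strategy is RunAsAny; under MustRunAs an out-of-range value is rejected at admission` (as far as I can tell from the SCC semantics) would save the next reader a lookup. The same `is defined` ternary idiom appears in file.yml as `when: group in kaas_project_gids`; either is fine, but the role should pick one.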
@@ -9,7 +6,6 @@
     project: "{{ item.key }}"
     resource: "ns/{{ item.key }}"
     patch: '{"metadata":{"annotations":{"openshift.io/sa.scc.supplemental-groups":"{{ item.value }}"}}}'
-    patch_path: "{{ ands_openshift_patch_path }}"
   with_dict: "{{ ands_openshift_gid_ranges | default({}) }}"
 
 - name: Patch uid range in project configuration
@@ -18,29 +14,31 @@
     project: "{{ item.key }}"
     resource: "ns/{{ item.key }}"
     patch: '{"metadata":{"annotations":{"openshift.io/sa.scc.uid-range":"{{ item.value }}"}}}'
-    patch_path: "{{ ands_openshift_patch_path }}"
   with_dict: "{{ ands_openshift_uid_ranges | default({}) }}"
 
 - name: Restrict supplementalGroups
   include_role: name="openshift_resource" tasks_from="patch.yml"
   vars:
-    project: "{{ item.key }}"
+    project: "default"
     resource: "scc/restricted"
-    modes: "{{ ands_openshift_gid_mode | default({}) }}"
-    mode: "{{ modes[item.key] | default(modes['ands_default'] | default(false)) }}"
+    mode: "{{ ands_openshift_groups_mode | default(false) }}"
     patch: '{"supplementalGroups":{"type":"{{mode}}"}}'
-    patch_path: "{{ ands_openshift_patch_path }}"
   when: mode != false
-  with_dict: "{{ ands_openshift_projects | default({}) }}"
+
+- name: Restrict fsGroup
+  include_role: name="openshift_resource" tasks_from="patch.yml"
+  vars:
+    project: "default"
+    resource: "scc/restricted"
+    mode: "{{ ands_openshift_gid_mode | default(false) }}"
+    patch: '{"fsGroup":{"type":"{{mode}}"}}'
+  when: mode != false
 
 - name: Configure runAsUser
   include_role: name="openshift_resource" tasks_from="patch.yml"
   vars:
-    project: "{{ item.key }}"
+    project: "default"
     resource: "scc/restricted"
-    modes: "{{ ands_openshift_uid_mode | default({}) }}"
-    mode: "{{ modes[item.key] | default(modes['ands_default'] | default(false)) }}"
+    mode: "{{ ands_openshift_uid_mode | default(false) }}"
     patch: '{"runAsUser":{"type":"{{mode}}"}}'
-    patch_path: "{{ ands_openshift_patch_path }}"
   when: mode != false
-  with_dict: "{{ ands_openshift_projects | default({}) }}"
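Review bot: All three patches now target the cluster-scoped `scc/restricted`, which applies to every authenticated user in every namespace, so `runAsUser: RunAsAny` lets any pod in any project run as uid 0 and `fsGroup`/`supplementalGroups: RunAsAny` lets it pick any host group. The removed per-project loop only looked namespaced (an SCC has no namespace), so the effective blast radius is unchanged, but `project: "default"` still reads as if it were; a comment above the first of these tasks, `# scc/restricted is cluster-scoped: these patches affect all namespaces`, would make that explicit. The safer design is to leave `restricted` untouched and bind a dedicated copy carrying the relaxed strategies to the kaas projects' service accounts (e.g. `oc adm policy add-scc-to-group <scc-name> system:serviceaccounts:<project>`). Note also that `ands_openshift_gid_mode` changed from a per-project dict to a scalar and now drives fsGroup instead of supplementalGroups; an inventory still carrying the old dict passes `mode != false` and produces a patch with the dict's text as the strategy type, which deserves a line in the commit message.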
diff --git a/roles/openshift_resource/tasks/patch.yml b/roles/openshift_resource/tasks/patch.yml
index e2bbcfa..501f692 100644
--- a/roles/openshift_resource/tasks/patch.yml
+++ b/roles/openshift_resource/tasks/patch.yml
@@ -1,10 +1,10 @@
 ---
-- name: Lookup the specified resource
+- name: "Lookup {{resource}} in {{project}}"
   command: "oc get -n '{{project}}' '{{resource}}' -o json"
   register: orig_result
   changed_when: 0
 
-- name: Lookup API version of the specified resource
+- name: "Lookup API version of {{resource}} in {{project}}"
   command: "oc get -n '{{project}}' '{{resource}}' --template {{'{{' + '.apiVersion' + '}}'}}"
   register: api_version
   changed_when: 0
@@ -13,14 +13,14 @@
 - name: Escaping patch
   set_fact: xpatch='{{patch | to_json | regex_replace(" ","") | regex_replace("^", " ")}}'
 
-- name: Generate dummy patch {{resource}} in {{project}}
+- name: "Generate dummy patch for {{resource}} in {{project}}"
   command: "oc patch -n '{{project}}' --patch ' {\"apiVersion\": \"{{api_version.stdout}}\"}' --local=true -f - -o json"
   args:
     stdin: " {{ orig_result.stdout_lines | join('') }}"
   register: dummy_result
   changed_when: 0
 
-- name: Generate test patch {{resource}} in {{project}}
+- name: "Generate test patch {{resource}} in {{project}}"
   command: "oc patch -n '{{project}}' --patch '{{xpatch}}' --local=true -f - -o json"
   args:
     stdin: " {{ orig_result.stdout_lines | join('') }}"
@@ -33,7 +33,7 @@
 #- debug: msg="{{ patch_result.stdout }}"
 # when: dummy_result.stdout != patch_result.stdout
 
-- name: Patch {{resource}} in {{project}}
+- name: "Patch {{resource}} in {{project}}"
   command: "oc patch -n '{{project}}' '{{resource}}' --patch '{{xpatch}}'"
   register: result
   changed_when: (result | succeeded)
diff --git a/roles/openshift_resource/tasks/resource.yml b/roles/openshift_resource/tasks/resource.yml
index 4e6e7ac..87af5c9 100644
--- a/roles/openshift_resource/tasks/resource.yml
+++ b/roles/openshift_resource/tasks/resource.yml
@@ -3,20 +3,20 @@
   - name: Find out which resources we are going to configure
     set_fact: rkind="{{ tmpl.kind }}" rname="{{ tmpl.metadata.name }}"
 
-  - name: "Lookup the specified resource {{rkind}}/{{rname}}"
+  - name: "Lookup the specified resource {{rkind}}/{{rname}} in {{project}}"
     command: "oc get -n {{project}} {{rkind}}/{{rname}}"
     register: find_result
     changed_when: false
     failed_when: false
 
-  - name: "Detroy existing resources {{rkind}}/{{rname}}"
+  - name: "Detroy existing resources {{rkind}}/{{rname}} in {{project}}"
     command: "oc delete -n {{project}} {{rkind}}/{{rname}}"
     register: rm_result
     failed_when: false
     changed_when: (rm_result | succeeded)
     when: (recreate|default(false))
 
-  - name: "Create resources defined in {{ template }}"
+  - name: "Populate resources defined in {{ template }} to {{project}}"
     command: "oc create -n {{project}} -f '{{ template_path }}/{{ template }}' {{ create_args | default('') }}"
     when: (recreate|default(false)) or (find_result.rc != 0)
     run_once: true
diff --git a/roles/openshift_resource/tasks/template.yml b/roles/openshift_resource/tasks/template.yml
index 6c9340b..7e74de4 100644
--- a/roles/openshift_resource/tasks/template.yml
+++ b/roles/openshift_resource/tasks/template.yml
@@ -5,7 +5,7 @@
     vars:
       query: "objects[*].{kind: kind, name: metadata.name}"
 
-  - name: "{{ template }}: Lookup the specified resource"
+  - name: "{{ template }}: Lookup the specified resource in {{project}}"
     command: "oc get -n {{project}} {{item.kind}}/{{item.name}}"
     register: results
     failed_when: false
@@ -13,13 +13,13 @@
     with_items: "{{ resources | default([]) }}"
 # when: not (recreate|default(false))
 
-  - name: "{{ template }}: Detroy existing resources"
+  - name: "{{ template }}: Detroy existing resources in {{project}}"
     command: "oc delete -n {{project}} {{resources[item|int].kind}}/{{resources[item|int].name}}"
     failed_when: false
     with_sequence: start=0 count="{{resources | default([]) | length}}"
     when: ((recreate|default(false)) or (results | changed)) and (results.results[item|int].rc == 0)
 
-  - name: "{{ template }}: Create resources defined"
-    shell: "oc process -f '{{ template_path }}/{{template}}' {{ template_args | default('') }} | oc create -n {{project}} -f - {{ create_args | default('') }}"
+  - name: "{{ template }}: Populate resources to {{project}}"
+    shell: "oc process -n {{project}} -f '{{ template_path }}/{{template}}' {{ template_args | default('') }} | oc create -n {{project}} -f - {{ create_args | default('') }}"
     when: (recreate|default(false)) or (results | changed)
     run_once: true
-- cgit v1.2.3
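Review bot: The rewritten `shell:` line interpolates `{{project}}` bare in both halves of the pipeline while the template path next to it is single-quoted; because this is `shell` rather than `command`, a namespace value containing shell metacharacters would be interpreted by the shell instead of passed as an argument. Quote it the same way as the path, `oc process -n '{{project}}' -f '{{ template_path }}/{{template}}' ... | oc create -n '{{project}}' -f - ...`, or pass it through `| quote`. The other changed task name keeps the typo `Detroy`, which the commit touched but did not fix. The enclosing task list starts before this hunk.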