authorRyan Hallisey <rhallise@redhat.com>2017-07-11 13:36:02 -0400
committerRyan Hallisey <rhallise@redhat.com>2017-07-13 18:17:36 -0400
commit09aadeef84c1277fbbd4b114eb3270261456f5e3 (patch)
tree9c4f0e7b14f59a161bd4abeaebf245265477e8c9
parentac94a653f1f971aa84916224a831457dad86b0f6 (diff)
Add an SA policy to the ansible-service-broker
We are not adding a role to the service account after creation. The ansible-service-broker will require cluster-admin permissions because we do things like: creating service accounts, projects, and pods.
-rw-r--r--roles/ansible_service_broker/tasks/install.yml8
1 files changed, 8 insertions, 0 deletions
diff --git a/roles/ansible_service_broker/tasks/install.yml b/roles/ansible_service_broker/tasks/install.yml
index 65dffc89b..58b3eb859 100644
--- a/roles/ansible_service_broker/tasks/install.yml
+++ b/roles/ansible_service_broker/tasks/install.yml
@@ -42,6 +42,14 @@
namespace: openshift-ansible-service-broker
state: present
+- name: Set SA cluster-role
+ oc_adm_policy_user:
+ state: present
+ namespace: "openshift-ansible-service-broker"
+ resource_kind: cluster-role
+ resource_name: cluster-admin
+ user: "system:serviceaccount:openshift-ansible-service-broker:asb"
+
- name: create ansible-service-broker service
oc_service:
name: asb
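Review bot: `resource_name: cluster-admin` in the new "Set SA cluster-role" task binds the full cluster-admin role to `system:serviceaccount:openshift-ansible-service-broker:asb`, which is wider than the needs the commit message lists (creating service accounts, projects and pods). A compromise of the broker pod or its service-account token would then carry cluster-wide admin rights, including access to secrets in every namespace. Consider binding a dedicated cluster role limited to those resources and verbs, e.g. `resource_name: <asb-scoped-cluster-role>` (placeholder, the role would need to be defined first). If cluster-admin has to stay for now, record that above the task with a comment such as `# asb currently needs cluster-admin; narrow once the broker's required verbs are enumerated`. The `namespace:` value presumably has no effect on a cluster-scoped binding, so it is worth confirming whether it is needed.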