diff options
| author | Suren A. Chilingaryan <csa@suren.me> | 2018-03-01 21:15:50 +0100 |
|---|---|---|
| committer | Suren A. Chilingaryan <csa@suren.me> | 2018-03-01 21:15:50 +0100 |
| commit | 69adb23c59e991ddcabf5cfce415fd8b638dbc1a (patch) | |
| tree | 8693e708f751923f6f7f9dd48004303bebb4e126 /roles/ands_openshift/tasks/security_resources.yml | |
| parent | 1f3e2a9f59e83dc3f0fcbecf096a7e7b40d36ed7 (diff) | |
| download | ands-69adb23c59e991ddcabf5cfce415fd8b638dbc1a.tar.gz ands-69adb23c59e991ddcabf5cfce415fd8b638dbc1a.tar.bz2 ands-69adb23c59e991ddcabf5cfce415fd8b638dbc1a.tar.xz ands-69adb23c59e991ddcabf5cfce415fd8b638dbc1a.zip | |
Improve handling of filesystem permissions and other fixes
Diffstat (limited to 'roles/ands_openshift/tasks/security_resources.yml')
| -rw-r--r-- | roles/ands_openshift/tasks/security_resources.yml | 28 |
1 files changed, 13 insertions, 15 deletions
diff --git a/roles/ands_openshift/tasks/security_resources.yml b/roles/ands_openshift/tasks/security_resources.yml index 5b80f1e..fd72240 100644 --- a/roles/ands_openshift/tasks/security_resources.yml +++ b/roles/ands_openshift/tasks/security_resources.yml @@ -1,7 +1,4 @@ --- -- name: Ensure OpenShift patch directory exists - file: path="{{ ands_openshift_patch_path }}" state="directory" mode=0644 owner=root group=root - # No spaces in patch, otherwise escaping mess... - name: Patch group range in project configuration include_role: name="openshift_resource" tasks_from="patch.yml" @@ -9,7 +6,6 @@ project: "{{ item.key }}" resource: "ns/{{ item.key }}" patch: '{"metadata":{"annotations":{"openshift.io/sa.scc.supplemental-groups":"{{ item.value }}"}}}' - patch_path: "{{ ands_openshift_patch_path }}" with_dict: "{{ ands_openshift_gid_ranges | default({}) }}" - name: Patch uid range in project configuration @@ -18,29 +14,31 @@ project: "{{ item.key }}" resource: "ns/{{ item.key }}" patch: '{"metadata":{"annotations":{"openshift.io/sa.scc.uid-range":"{{ item.value }}"}}}' - patch_path: "{{ ands_openshift_patch_path }}" with_dict: "{{ ands_openshift_uid_ranges | default({}) }}" - name: Restrict supplementalGroups include_role: name="openshift_resource" tasks_from="patch.yml" vars: - project: "{{ item.key }}" + project: "default" resource: "scc/restricted" - modes: "{{ ands_openshift_gid_mode | default({}) }}" - mode: "{{ modes[item.key] | default(modes['ands_default'] | default(false)) }}" + mode: "{{ ands_openshift_groups_mode | default(false) }}" patch: '{"supplementalGroups":{"type":"{{mode}}"}}' - patch_path: "{{ ands_openshift_patch_path }}" when: mode != false - with_dict: "{{ ands_openshift_projects | default({}) }}" + +- name: Restrict fsGroup + include_role: name="openshift_resource" tasks_from="patch.yml" + vars: + project: "default" + resource: "scc/restricted" + mode: "{{ ands_openshift_gid_mode | default(false) }}" + patch: '{"fsGroup":{"type":"{{mode}}"}}' + when: mode != false - name: Configure runAsUser include_role: name="openshift_resource" tasks_from="patch.yml" vars: - project: "{{ item.key }}" + project: "default" resource: "scc/restricted" - modes: "{{ ands_openshift_uid_mode | default({}) }}" - mode: "{{ modes[item.key] | default(modes['ands_default'] | default(false)) }}" + mode: "{{ ands_openshift_uid_mode | default(false) }}" patch: '{"runAsUser":{"type":"{{mode}}"}}' - patch_path: "{{ ands_openshift_patch_path }}" when: mode != false - with_dict: "{{ ands_openshift_projects | default({}) }}" |