Diffstat (limited to 'roles/openshift_logging/tasks/install_fluentd.yaml')
-rw-r--r-- | roles/openshift_logging/tasks/install_fluentd.yaml | 49 |
1 files changed, 27 insertions, 22 deletions
diff --git a/roles/openshift_logging/tasks/install_fluentd.yaml b/roles/openshift_logging/tasks/install_fluentd.yaml
index 6f93081d7..4c510c6e7 100644
--- a/roles/openshift_logging/tasks/install_fluentd.yaml
+++ b/roles/openshift_logging/tasks/install_fluentd.yaml
@@ -1,22 +1,8 @@
 ---
-- command: >
- echo "{{ (openshift_logging_use_ops) | ternary(openshift_logging_es_ops_host, openshift_logging_es_host) }}"
- register: fluentd_ops_host
+- set_fact: fluentd_ops_host={{ (openshift_logging_use_ops) | ternary(openshift_logging_es_ops_host, openshift_logging_es_host) }}
 check_mode: no
-- command: >
- echo "{{ (openshift_logging_use_ops) | ternary(openshift_logging_es_ops_port, openshift_logging_es_port) }}"
- register: fluentd_ops_port
- check_mode: no
-
-- command: >
- echo "{{openshift_logging_fluentd_nodeselector.keys()[0]}}"
- register: openshift_logging_fluentd_nodeselector_key
- check_mode: no
-
-- command: >
- echo "{{openshift_logging_fluentd_nodeselector.values()[0]}}"
- register: openshift_logging_fluentd_nodeselector_value
+- set_fact: fluentd_ops_port={{ (openshift_logging_use_ops) | ternary(openshift_logging_es_ops_port, openshift_logging_es_port) }}
 check_mode: no
 - name: Generating Fluentd daemonset
@@ -26,24 +12,43 @@
 daemonset_component: fluentd
 daemonset_container_name: fluentd-elasticsearch
 daemonset_serviceAccount: aggregated-logging-fluentd
- ops_host: "{{ fluentd_ops_host.stdout }}"
- ops_port: "{{ fluentd_ops_port.stdout }}"
- fluentd_nodeselector_key: "{{openshift_logging_fluentd_nodeselector_key.stdout}}"
- fluentd_nodeselector_value: "{{openshift_logging_fluentd_nodeselector_value.stdout}}"
+ ops_host: "{{ fluentd_ops_host }}"
+ ops_port: "{{ fluentd_ops_port }}"
+ fluentd_nodeselector_key: "{{openshift_logging_fluentd_nodeselector.keys()[0]}}"
+ fluentd_nodeselector_value: "{{openshift_logging_fluentd_nodeselector.values()[0]}}"
+ check_mode: no
+ changed_when: no
+
+- name: "Check fluentd privileged permissions"
+ command: >
+ {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig
+ get scc/privileged -o jsonpath='{.users}'
+ register: fluentd_privileged
 check_mode: no
+ changed_when: no
 
-- name: "Set permissions for fluentd"
+- name: "Set privileged permissions for fluentd"
 command: >
 {{ openshift.common.admin_binary}} --config={{ mktemp.stdout }}/admin.kubeconfig policy add-scc-to-user privileged system:serviceaccount:{{openshift_logging_namespace}}:aggregated-logging-fluentd
 register: fluentd_output
 failed_when: "fluentd_output.rc == 1 and 'exists' not in fluentd_output.stderr"
 check_mode: no
+ when: fluentd_privileged.stdout.find("system:serviceaccount:{{openshift_logging_namespace}}:aggregated-logging-fluentd") == -1
+
+- name: "Check fluentd cluster-reader permissions"
+ command: >
+ {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig
+ get clusterrolebinding/cluster-readers -o jsonpath='{.userNames}'
+ register: fluentd_cluster_reader
+ check_mode: no
+ changed_when: no
 
-- name: "Set additional permissions for fluentd"
+- name: "Set cluster-reader permissions for fluentd"
 command: >
 {{ openshift.common.admin_binary}} --config={{ mktemp.stdout }}/admin.kubeconfig policy
add-cluster-role-to-user cluster-reader system:serviceaccount:{{openshift_logging_namespace}}:aggregated-logging-fluentd
 register: fluentd2_output
 failed_when: "fluentd2_output.rc == 1 and 'exists' not in fluentd2_output.stderr"
 check_mode: no
+ when: fluentd_cluster_reader.stdout.find("system:serviceaccount:{{openshift_logging_namespace}}:aggregated-logging-fluentd") == -1 |
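Review bot: The two new `set_fact` tasks pass their argument as the free-form string `fluentd_ops_host={{ ... }}`, which depends on Ansible's key=value splitter keeping the spaces and the comma inside the Jinja expression together, and it differs from how the rest of this file passes module arguments (quoted YAML values under the module key). The native mapping form is unambiguous and lint-clean: `set_fact:` followed by `  fluentd_ops_host: "{{ openshift_logging_use_ops | ternary(openshift_logging_es_ops_host, openshift_logging_es_host) }}"`, and likewise for `fluentd_ops_port`. The removed `echo` tasks also produced the `openshift_logging_fluentd_nodeselector_key`/`_value` results, which the next hunk replaces with inline expressions; worth confirming no other task in the role still reads the `.stdout` of those registered names.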
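Review bot: The new `when:` guards on the two grant tasks embed `{{openshift_logging_namespace}}` inside a string literal of what is already a Jinja expression; Ansible still evaluates it, but nested delimiters in a conditional draw the "conditional statements should not include jinja2 templating delimiters" warning and read as if two templating passes are intended. Build the principal name by concatenation instead: `when: fluentd_privileged.stdout.find("system:serviceaccount:" ~ openshift_logging_namespace ~ ":aggregated-logging-fluentd") == -1`, and the same for `fluentd_cluster_reader`. The `.find(...) == -1` test is a plain substring check against the jsonpath output, so any listed principal that merely contains this name (a longer suffix, for example) would make the privileged-SCC or cluster-reader grant look already applied and be skipped; presumably `-o jsonpath='{.users[*]}'` (space-separated, no brackets) compared as whole tokens would be stricter, though the exact output shape is not visible here. Note also that the daemonset task these context lines belong to starts above the hunk, and that the grant tasks keep `check_mode: no`, so a `--check` run still performs the privilege escalation; that predates this commit, but the new read-only lookups would allow a report-only path instead.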