Allow appowners to create pods in MirrorManager

Ref: https://discussion.fedoraproject.org/t/openshift-permissions-for-appowners/133816

Signed-off-by: Aurélien Bompard <aurelien@bompard.org>

playbooks/openshift-apps/mirrormanager.yml

@@ -52,6 +52,7 @@
         - abompard
         - nphilipp
         - adrian
+      allow_pod_creation: true
       tags:
         - apply-appowners
 

roles/openshift/project/defaults/main.yml

@@ -1,6 +1,7 @@
 ---
 allow_fas_db: false
 allow_iad2: true
+allow_pod_creation: false
 
 egress_policy_template: "{{roles_path}}/openshift/project/templates/egresspolicy.yml"
 

roles/openshift/project/templates/role-appowners.yml

@@ -17,9 +17,6 @@ rules:
   resources:
   - endpoints
   - persistentvolumeclaims
-  - pods
-  - pods/attach
-  - pods/exec
   - replicationcontrollers
   - serviceaccounts
   - services
@@ -32,6 +29,23 @@ rules:
   - delete
   - update
 {% endif %}
+# Permissions for pods
+- apiGroups:
+  - "*"
+  attributeRestrictions: null
+  resources:
+  - pods
+  - pods/attach
+  - pods/exec
+  verbs:
+  - get
+  - list
+  - watch
+{% if env == "staging" or allow_pod_creation %}
+  - create
+  - delete
+  - update
+{% endif %}
 - apiGroups:
   - "*"
   attributeRestrictions: null