From 65f21ee450cb3abcb2a2862d60578d3c6c068282 Mon Sep 17 00:00:00 2001
From: Patrick Uiterwijk
Date: Sun, 8 Oct 2017 21:45:19 +0200
Subject: [PATCH] Allow specifying appowners for projects
Signed-off-by: Patrick Uiterwijk
---
 roles/openshift/project/tasks/main.yml | 12 +
 .../openshift/project/templates/appowners.yml | 13 +
 .../project/templates/role-appowners.yml | 222 ++++++++++++++++++
 3 files changed, 247 insertions(+)
 create mode 100644 roles/openshift/project/templates/appowners.yml
 create mode 100644 roles/openshift/project/templates/role-appowners.yml
diff --git a/roles/openshift/project/tasks/main.yml b/roles/openshift/project/tasks/main.yml
index 311ff6cff5..db7dc8d197 100644
--- a/roles/openshift/project/tasks/main.yml
+++ b/roles/openshift/project/tasks/main.yml
@@ -28,3 +28,15 @@
 name: openshift/object
 vars:
 template_fullpath: "{{roles_path}}/openshift/project/templates/imagepuller.yml"
+
+- name: role-appowners.yml
+ include_role:
+ name: openshift/object
+ vars:
+ template_fullpath: "{{roles_path}}/openshift/project/templates/roles-appowners.yml"
+
+- name: appowners.yml
+ include_role:
+ name: openshift/object
+ vars:
+ template_fullpath: "{{roles_path}}/openshift/project/templates/appowners.yml"
diff --git a/roles/openshift/project/templates/appowners.yml b/roles/openshift/project/templates/appowners.yml
new file mode 100644
index 0000000000..7b75889ccf
--- /dev/null
+++ b/roles/openshift/project/templates/appowners.yml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: RoleBinding
+metadata:
+ namespace: "{{app}}"
+ name: appowners
+roleRef:
+ kind: Role
+ name: appowner
+subjects:
+{% for owner in appowner %}
+- kind: User
+ name: "{{owner}}"
+{% endfor %}
diff --git a/roles/openshift/project/templates/role-appowners.yml b/roles/openshift/project/templates/role-appowners.yml
new file mode 100644
index 0000000000..bff777a20a
--- /dev/null
+++ b/roles/openshift/project/templates/role-appowners.yml
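Review bot: The first added task in tasks/main.yml sets `template_fullpath` to `templates/roles-appowners.yml`, but the file this patch creates is `templates/role-appowners.yml`, so the include presumably fails on a missing template and the Role is never created for the binding that follows. The line should read `template_fullpath: "{{roles_path}}/openshift/project/templates/role-appowners.yml"`. Both new tasks also run unconditionally, so a project that defines no `appowner` would still reach the template loop; adding `when: appowner is defined` to each include would keep the feature opt-in.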
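Review bot: In appowners.yml, `roleRef` names `appowner` with no `namespace`, while the Role added in role-appowners.yml is meant to be project-local. As far as I know, the OpenShift v1 authorization API resolves a role reference without a namespace as a cluster role, so this binding may point at nothing, or at a cluster-wide role of the same name if one is ever created. Adding `namespace: "{{app}}"` under `roleRef` pins it to the local role. The `{% for owner in appowner %}` loop also needs a comment or a type check saying `appowner` must be a list: a plain string is iterated character by character and would bind single-letter user names, and an empty list leaves `subjects:` null.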
@@ -0,0 +1,222 @@
+apiVersion: v1
+kind: Role
+metadata:
+ annotations:
+ openshift.io/description: An application owner. Can view everything but ConfigMaps.
+ name: appowner
+rules:
+- apiGroups:
+ - ""
+ attributeRestrictions: null
+ resources:
+ - endpoints
+ - persistentvolumeclaims
+ - pods
+ - replicationcontrollers
+ - serviceaccounts
+ - services
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - ""
+ attributeRestrictions: null
+ resources:
+ - bindings
+ - events
+ - limitranges
+ - namespaces
+ - namespaces/status
+ - pods/log
+ - pods/status
+ - replicationcontrollers/status
+ - resourcequotas
+ - resourcequotas/status
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - autoscaling
+ attributeRestrictions: null
+ resources:
+ - horizontalpodautoscalers
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - batch
+ attributeRestrictions: null
+ resources:
+ - cronjobs
+ - jobs
+ - scheduledjobs
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - extensions
+ attributeRestrictions: null
+ resources:
+ - deployments
+ - deployments/scale
+ - horizontalpodautoscalers
+ - jobs
+ - replicasets
+ - replicasets/scale
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - extensions
+ attributeRestrictions: null
+ resources:
+ - daemonsets
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - apps
+ attributeRestrictions: null
+ resources:
+ - statefulsets
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - ""
+ attributeRestrictions: null
+ resources:
+ - buildconfigs
+ - buildconfigs/webhooks
+ - builds
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - ""
+ attributeRestrictions: null
+ resources:
+ - builds/log
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - build.openshift.io
+ attributeRestrictions: null
+ resources:
+ - jenkins
+ verbs:
+ - view
+- apiGroups:
+ - ""
+ attributeRestrictions: null
+ resources:
+ - deploymentconfigs
+ - deploymentconfigs/scale
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - ""
+ attributeRestrictions:
null
+ resources:
+ - deploymentconfigs/log
+ - deploymentconfigs/status
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - ""
+ attributeRestrictions: null
+ resources:
+ - imagestreamimages
+ - imagestreammappings
+ - imagestreams
+ - imagestreamtags
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - ""
+ attributeRestrictions: null
+ resources:
+ - imagestreams/status
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - ""
+ attributeRestrictions: null
+ resources:
+ - projects
+ verbs:
+ - get
+- apiGroups:
+ - ""
+ attributeRestrictions: null
+ resources:
+ - appliedclusterresourcequotas
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - ""
+ attributeRestrictions: null
+ resources:
+ - routes
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - ""
+ attributeRestrictions: null
+ resources:
+ - routes/status
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - ""
+ attributeRestrictions: null
+ resources:
+ - processedtemplates
+ - templateconfigs
+ - templates
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - ""
+ attributeRestrictions: null
+ resources:
+ - buildlogs
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - ""
+ attributeRestrictions: null
+ resources:
+ - resourcequotausages
+ verbs:
+ - get
+ - list
+ - watch
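Review bot: The description in role-appowners.yml says the role can "view everything but ConfigMaps", but the file never records why ConfigMaps are withheld, nor that Secrets are withheld too (neither appears in any `resources:` list). If the aim is to keep configuration values away from app owners, `get` on `pods`, `replicationcontrollers`, `deploymentconfigs` and `buildconfigs` still exposes anything set inline as environment variables in those specs. A header comment such as `# Read-only role for app owners; configmaps and secrets are intentionally omitted, so keep sensitive values out of inline env` would document the boundary. `metadata` also has no `namespace`, unlike the RoleBinding in appowners.yml, so where the Role lands depends on how the openshift/object role applies it; adding `namespace: "{{app}}"` would make the two agree.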