From a87be8843ad5fe9ab8aa4078e7d420534a8f3f7a Mon Sep 17 00:00:00 2001
From: Patrick Uiterwijk <puiterwijk@redhat.com>
Date: Tue, 22 Aug 2017 21:12:36 +0000
Subject: [PATCH] Set up Openshift roles

Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
---
 playbooks/groups/os-cluster.yml | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/playbooks/groups/os-cluster.yml b/playbooks/groups/os-cluster.yml
index fd0f2b04e1..a167f7bc4d 100644
--- a/playbooks/groups/os-cluster.yml
+++ b/playbooks/groups/os-cluster.yml
@@ -159,3 +159,14 @@
   tasks:
     - name: enable nrpe for monitoring (noc01)
       iptables: action=insert chain=INPUT destination_port=5666 protocol=tcp source=10.5.126.41 state=present jump=ACCEPT
+    - name: Disallow users from provisioning
+      command: oadm policy remove-cluster-role-from-group self-provisioner system:authenticated system:authenticated:oauth
+      changed_when: false
+    - name: Allow some users cluster admin
+      command: oadm policy add-cluster-role-to-user cluster-admin {{item}}
+      with_items:
+      - puiterwijk
+      - kevin
+      - codeblock
+      - smooge
+      changed_when: false