break out osbs_worker and osbs_orchestrator namespace perms

Signed-off-by: Adam Miller <admiller@redhat.com>
2017-08-04 14:55:45 +00:00 · 2017-08-04 14:55:45 +00:00 · c77d72e98c
commit c77d72e98c
parent a3b31cc39d
2 changed files with 27 additions and 15 deletions
--- a/inventory/group_vars/osbs-stg
+++ b/inventory/group_vars/osbs-stg
@ -91,15 +91,27 @@ kubeconfig_path: /etc/origin/master/admin.kubeconfig
 osbs_env:
  HOME: "{{ lookup('env', 'HOME') }}"
  KUBECONFIG: "{{ osbs_kubeconfig_path }}"
-os_readonly_users:
- "system:serviceaccount:{{ osbs_namespace }}:metrics"
-os_readonly_groups:
+
+osbs_orchestrator_readonly_users:
+- "system:serviceaccount:{{ osbs_orchestrator_namespace }}:metrics"
+osbs_orchestrator_readonly_groups:
 - "system:authenticated"
-os_readwrite_groups: []
-os_readwrite_users:
+osbs_orchestrator_readwrite_groups: []
+osbs_orchestrator_readwrite_users:
 - "{{ ansible_hostname }}"
- "system:serviceaccount:{{ osbs_namespace }}:default"
- "system:serviceaccount:{{ osbs_namespace }}:builder"
+- "system:serviceaccount:{{ osbs_orchestrator_namespace }}:default"
+- "system:serviceaccount:{{ osbs_orchestrator_namespace }}:builder"
+
+osbs_worker_readonly_users:
+- "system:serviceaccount:{{ osbs_worker_namespace }}:metrics"
+osbs_worker_readonly_groups:
+- "system:authenticated"
+osbs_worker_readwrite_groups: []
+osbs_worker_readwrite_users:
+- "{{ ansible_hostname }}"
+- "system:serviceaccount:{{ osbs_worker_namespace }}:default"
+- "system:serviceaccount:{{ osbs_worker_namespace }}:builder"
+
 os_admin_users:
 - kevin
 - puiterwijk
--- a/playbooks/groups/osbs-orchestrator-cluster.yml
+++ b/playbooks/groups/osbs-orchestrator-cluster.yml
@ -352,10 +352,10 @@
    osbs_cpu_limitrange: "{{ os_cpu_limitrange }}"
    osbs_admin_groups: "{{ os_admin_groups }}"
    osbs_admin_users: "{{ os_admin_users }}"
-    osbs_readonly_groups: "{{ os_readonly_groups }}"
-    osbs_readonly_users: "{{ os_readonly_users }}"
-    osbs_readwrite_groups: "{{ os_readwrite_groups }}"
-    osbs_readwrite_users: "{{ os_readwrite_users }}"
+    osbs_readonly_groups: "{{ osbs_orchestrator_readonly_groups }}"
+    osbs_readonly_users: "{{ osbs_orchestrator_readonly_groups }}"
+    osbs_readwrite_groups: "{{ osbs_orchestrator_readwrite_groups }}"
+    osbs_readwrite_users: "{{ osbs_orchestrator_readwrite_users }}"
    osbs_orchestrator: true
    osbs_worker_clusters: "{{ worker_clusters }}"
    osbs_koji_secret_name: "{{ koji_secret_name }}"
@ -407,10 +407,10 @@
    osbs_service_accounts: "{{ osbs_worker_service_accounts }}"
    osbs_admin_groups: "{{ os_admin_groups }}"
    osbs_admin_users: "{{ os_admin_users }}"
-    osbs_readonly_groups: "{{ os_readonly_groups }}"
-    osbs_readonly_users: "{{ os_readonly_users }}"
-    osbs_readwrite_groups: "{{ os_readwrite_groups }}"
-    osbs_readwrite_users: "{{ os_readwrite_users }}"
+    osbs_readonly_groups: "{{ osbs_worker_readonly_groups }}"
+    osbs_readonly_users: "{{ osbs_worker_readonly_groups }}"
+    osbs_readwrite_groups: "{{ osbs_worker_readwrite_groups }}"
+    osbs_readwrite_users: "{{ osbs_worker_readwrite_users }}"
    osbs_orchestrator: false
    osbs_worker_clusters: "{{ worker_clusters }}"
    osbs_koji_secret_name: "{{ koji_secret_name }}"