From c77d72e98cf7a8837e4809de8e87f3654e00bda2 Mon Sep 17 00:00:00 2001
From: Adam Miller
Date: Fri, 4 Aug 2017 14:55:45 +0000
Subject: [PATCH] break out osbs_worker and osbs_orchestrator namespace perms

Signed-off-by: Adam Miller
---
 inventory/group_vars/osbs-stg | 26 ++++++++++++++-----
 .../groups/osbs-orchestrator-cluster.yml | 16 ++++++------
 2 files changed, 27 insertions(+), 15 deletions(-)

diff --git a/inventory/group_vars/osbs-stg b/inventory/group_vars/osbs-stg
index 6dda9f0f4f..c1946af84f 100644
--- a/inventory/group_vars/osbs-stg
+++ b/inventory/group_vars/osbs-stg
@@ -91,15 +91,27 @@ kubeconfig_path: /etc/origin/master/admin.kubeconfig
 osbs_env:
 HOME: "{{ lookup('env', 'HOME') }}"
 KUBECONFIG: "{{ osbs_kubeconfig_path }}"
-os_readonly_users:
-- "system:serviceaccount:{{ osbs_namespace }}:metrics"
-os_readonly_groups:
+
+osbs_orchestrator_readonly_users:
+- "system:serviceaccount:{{ osbs_orchestrator_namespace }}:metrics"
+osbs_orchestrator_readonly_groups:
 - "system:authenticated"
-os_readwrite_groups: []
-os_readwrite_users:
+osbs_orchestrator_readwrite_groups: []
+osbs_orchestrator_readwrite_users:
 - "{{ ansible_hostname }}"
-- "system:serviceaccount:{{ osbs_namespace }}:default"
-- "system:serviceaccount:{{ osbs_namespace }}:builder"
+- "system:serviceaccount:{{ osbs_orchestrator_namespace }}:default"
+- "system:serviceaccount:{{ osbs_orchestrator_namespace }}:builder"
+
+osbs_worker_readonly_users:
+- "system:serviceaccount:{{ osbs_worker_namespace }}:metrics"
+osbs_worker_readonly_groups:
+- "system:authenticated"
+osbs_worker_readwrite_groups: []
+osbs_worker_readwrite_users:
+- "{{ ansible_hostname }}"
+- "system:serviceaccount:{{ osbs_worker_namespace }}:default"
+- "system:serviceaccount:{{ osbs_worker_namespace }}:builder"
+
 os_admin_users:
 - kevin
 - puiterwijk
diff --git a/playbooks/groups/osbs-orchestrator-cluster.yml b/playbooks/groups/osbs-orchestrator-cluster.yml
index d9ec2d6519..a3399ff9d7 100644
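Review bot: The `os_readonly_*` and `os_readwrite_*` keys are removed from this inventory file, but only the osbs-stg group_vars is touched, so any other inventory file or playbook that still defines or consumes the old names (a production counterpart, if one exists) is not visible in this patch and should be checked before the playbook switches to the `osbs_orchestrator_*` and `osbs_worker_*` names. The same hunk references `osbs_orchestrator_namespace` and `osbs_worker_namespace` without defining them here; presumably they live elsewhere in group_vars, which is worth confirming since an undefined namespace would render an incomplete service-account subject. A short comment above each stanza, such as `# per-namespace RBAC subject lists consumed by playbooks/groups/osbs-orchestrator-cluster.yml`, would make the pairing with the playbook explicit for the next reader.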
--- a/playbooks/groups/osbs-orchestrator-cluster.yml
+++ b/playbooks/groups/osbs-orchestrator-cluster.yml
@@ -352,10 +352,10 @@
 osbs_cpu_limitrange: "{{ os_cpu_limitrange }}"
 osbs_admin_groups: "{{ os_admin_groups }}"
 osbs_admin_users: "{{ os_admin_users }}"
- osbs_readonly_groups: "{{ os_readonly_groups }}"
- osbs_readonly_users: "{{ os_readonly_users }}"
- osbs_readwrite_groups: "{{ os_readwrite_groups }}"
- osbs_readwrite_users: "{{ os_readwrite_users }}"
+ osbs_readonly_groups: "{{ osbs_orchestrator_readonly_groups }}"
+ osbs_readonly_users: "{{ osbs_orchestrator_readonly_groups }}"
+ osbs_readwrite_groups: "{{ osbs_orchestrator_readwrite_groups }}"
+ osbs_readwrite_users: "{{ osbs_orchestrator_readwrite_users }}"
 osbs_orchestrator: true
 osbs_worker_clusters: "{{ worker_clusters }}"
 osbs_koji_secret_name: "{{ koji_secret_name }}"
@@ -407,10 +407,10 @@
 osbs_service_accounts: "{{ osbs_worker_service_accounts }}"
 osbs_admin_groups: "{{ os_admin_groups }}"
 osbs_admin_users: "{{ os_admin_users }}"
- osbs_readonly_groups: "{{ os_readonly_groups }}"
- osbs_readonly_users: "{{ os_readonly_users }}"
- osbs_readwrite_groups: "{{ os_readwrite_groups }}"
- osbs_readwrite_users: "{{ os_readwrite_users }}"
+ osbs_readonly_groups: "{{ osbs_worker_readonly_groups }}"
+ osbs_readonly_users: "{{ osbs_worker_readonly_groups }}"
+ osbs_readwrite_groups: "{{ osbs_worker_readwrite_groups }}"
+ osbs_readwrite_users: "{{ osbs_worker_readwrite_users }}"
 osbs_orchestrator: false
 osbs_worker_clusters: "{{ worker_clusters }}"
 osbs_koji_secret_name: "{{ koji_secret_name }}"
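Review bot: `osbs_readonly_users` is bound to `osbs_orchestrator_readonly_groups` instead of `osbs_orchestrator_readonly_users` in the first hunk, and the worker hunk at `@@ -407` repeats the slip with `osbs_worker_readonly_groups`. As written, the metrics service account listed in the inventory's `*_readonly_users` variables is never passed to the role, while the group name `system:authenticated` is handed in as a user entry, so the readonly bindings the role creates will not match what the inventory describes. The fixes are `osbs_readonly_users: "{{ osbs_orchestrator_readonly_users }}"` in the first hunk and `osbs_readonly_users: "{{ osbs_worker_readonly_users }}"` in the second. Both role invocations begin outside their hunks, and the original indentation of these lines was lost in the collapsed patch, so re-check it when applying.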