ansibleplaybookbundle / ansible-playbook-bundle

THIS REPO IS MIGRATING: https://github.com/automationbroker/apb
GNU General Public License v2.0

Question: Is it possible to create objects in openshift namespace? #312

Open ghost opened 6 years ago

ghost commented 6 years ago

Quite a simple question: in my APB I need to create imageStreams and buildConfigs in the OpenShift namespace. I failed to find any docs on how to grant the APB service account admin privileges.

Currently I see this:

fatal: [localhost]: FAILED! => {"changed": false, "error": 403, "msg": "Failed to create object: imagestreams is forbidden: User \"system:serviceaccount:localregistry-test-prov-h8tmm:bundle-7b3a3764-f7e3-4b00-86f4-1b1bb9bcf4e2\" cannot create imagestreams in the namespace \"openshift\": User \"system:serviceaccount:localregistry-test-prov-h8tmm:bundle-7b3a3764-f7e3-4b00-86f4-1b1bb9bcf4e2\" cannot create imagestreams in project \"openshift\""}

Is there any way to grant system:serviceaccount:localregistry-test-prov-h8tmm:bundle-xxx the cluster-admin role?

djzager commented 6 years ago

I think the primary hurdle that you will face is that the APB service account is using a RoleBinding. This means that, even if you were to grant the APB service account cluster-admin privileges (and this would involve modifying the cluster role the broker uses as well as the sandbox role), the APB would still only have these permissions over the "target" namespace.

My understanding is that the work on namespaced brokers in the service-catalog is meant to, in the future, support APBs of this kind. However, I am not aware of support from the broker to use ClusterRoleBindings (which you would need to create objects in a namespace other than the "target" namespace).

As a workaround, your APB could accept credentials as parameters. Then, in your APB you could simply authenticate with the cluster using those credentials and proceed with administrator permissions.
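
The binding-scope point above, as an added example that is not broker or APB code: a small Python model of how Kubernetes/OpenShift RBAC evaluates a RoleBinding versus a ClusterRoleBinding. The real sandbox role is not named in this thread, so cluster-admin stands in for the "grant it cluster-admin" case; rule matching is reduced to verb/resource wildcards, subject membership and the namespace a binding applies to. The identities are the ones from the error message above.

```python
"""Minimal model of Kubernetes/OpenShift RBAC binding scope.

Added example, not broker or APB code.  It shows why a RoleBinding in the
sandbox namespace grants nothing in the "openshift" namespace even when it
binds a ClusterRole as broad as cluster-admin, and that a ClusterRoleBinding
of the same role would.  Evaluation is cut down to what matters here: verb
and resource matching with "*" wildcards, subject membership and the
namespace a binding applies to.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Rule:
    resources: List[str]
    verbs: List[str]


@dataclass
class Role:
    name: str
    rules: List[Rule]


@dataclass
class Binding:
    role: Role
    subjects: List[str]
    # A RoleBinding carries the one namespace it applies to.  A
    # ClusterRoleBinding has namespace None and applies in every namespace.
    namespace: Optional[str] = None


def _rule_allows(rule: Rule, verb: str, resource: str) -> bool:
    return (("*" in rule.verbs or verb in rule.verbs)
            and ("*" in rule.resources or resource in rule.resources))


def can(subject: str, verb: str, resource: str, namespace: str,
        bindings: List[Binding]) -> bool:
    """True if some binding grants `subject` `verb` on `resource` in `namespace`.

    The decisive check is on the binding, not the role: a RoleBinding only
    counts inside its own namespace, whatever role it references.
    """
    for b in bindings:
        if subject not in b.subjects:
            continue
        if b.namespace is not None and b.namespace != namespace:
            continue  # RoleBinding for another namespace: no effect here
        if any(_rule_allows(r, verb, resource) for r in b.role.rules):
            return True
    return False


# Constructed data using the identities from the issue.  The broker's real
# sandbox role is not named in the thread; cluster-admin stands in for the
# "grant it cluster-admin" case described above.
TARGET_NS = "localregistry-test-prov-h8tmm"
APB_SA = ("system:serviceaccount:" + TARGET_NS +
          ":bundle-7b3a3764-f7e3-4b00-86f4-1b1bb9bcf4e2")
CLUSTER_ADMIN = Role(name="cluster-admin", rules=[Rule(["*"], ["*"])])

# What the broker creates for the APB: a RoleBinding in the target namespace.
SANDBOX_ROLEBINDING = Binding(CLUSTER_ADMIN, [APB_SA], namespace=TARGET_NS)
# What reaching other namespaces would need: a ClusterRoleBinding.
CLUSTER_ROLEBINDING = Binding(CLUSTER_ADMIN, [APB_SA], namespace=None)


def check(bindings: List[Binding]) -> Dict[str, bool]:
    """Can the APB service account create imagestreams in each namespace?"""
    return {ns: can(APB_SA, "create", "imagestreams", ns, bindings)
            for ns in (TARGET_NS, "openshift")}


def sandbox_only() -> Dict[str, bool]:
    """The situation in the issue: only the sandbox RoleBinding exists."""
    return check([SANDBOX_ROLEBINDING])


def with_clusterrolebinding() -> Dict[str, bool]:
    """The same role bound cluster-wide."""
    return check([SANDBOX_ROLEBINDING, CLUSTER_ROLEBINDING])


if __name__ == "__main__":
    print("sandbox RoleBinding only:", sandbox_only())
    print("plus ClusterRoleBinding: ", with_clusterrolebinding())
```

With only the sandbox RoleBinding the service account can create imagestreams in its target namespace but not in "openshift"; the ClusterRoleBinding is what changes the second answer, which is why widening the role alone does not help.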

ruromero commented 6 years ago

An example: In the apb.yml file

- name: user_token
  title: User token
  description: User token to perform privileged actions
  required: true
  type: string

Then in your playbooks/roles

# Passing api_key makes openshift_raw authenticate with that token
# instead of the sandbox service account's own credentials.
- name: use token
  openshift_raw:
    api_version: v1
    api_key: "{{ user_token }}"
    state: present
    kind: namespace
    name: testproject

- name: Create image stream
  openshift_raw:
    state: present
    api_key: "{{ user_token }}"
    definition:
      apiVersion: v1
      kind: ImageStream
      metadata:            # name and namespace belong under metadata
        namespace: openshift
        name: "my-image-stream"
      spec:
        tags:
          - name: "latest"

And then you can try out with this from the command line (if you need to):

ansible-playbook -vvv test.yaml -e user_token=`oc whoami -t`

ghost commented 6 years ago

@ruromero thanks. That might be a workaround in my case.

ghost commented 6 years ago

@djzager @ruromero

I never got the following task to work:

- name: Create image stream
  openshift_raw:
    state: present
    force: yes
    api_key: bCCdyBrug7xWdi6Mdzc4UMQMtDoOjEyd7CjmXwITfJ1
    definition:
      apiVersion: v1
      kind: ImageStream
      metadata:
        namespace: "openshift"
        name: "rhel-base-jdk8"
      spec:
        tags:
          - name: "latest"

When providing a token I get:

fatal: [localhost]: FAILED! => {"changed": false, "error": 403, "msg": "Failed to create object: imagestreams is forbidden: User \"system:serviceaccount:localregistry-xxx-prov-ps4g2:bundle-8e964018-8d93-4fb6-8c43-72a6c98d322e\" cannot create imagestreams in the namespace \"openshift\": User \"system:serviceaccount:localregistry-xxx-prov-ps4g2:bundle-8e964018-8d93-4fb6-8c43-72a6c98d322e\" cannot create imagestreams in project \"openshift\""}

Same results when using username and password.
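
The 403 quoted in the last two comments carries the one fact a practitioner needs when a supplied token appears to be ignored: the API server's forbidden message names the identity it actually authenticated. As an added example (not part of the thread and not APB code), the Python below parses an Ansible failure line like the one above and compares the denied user with the identity a token belongs to (what `oc whoami` prints for the owner of the `oc whoami -t` token). The sample line and the token_owner values are constructed; the `bundle-<uuid>` naming pattern is taken from the service account names in this thread.

```python
"""Read the identity out of an Ansible/OpenShift 403 and see which credential
the API server actually evaluated.

Added example, not from the thread or the APB project.  The Kubernetes
forbidden message has the shape
    User "<user>" cannot <verb> <resource> in the namespace "<ns>"
(OpenShift 3.x appends a second copy saying "project"), and <user> is the
identity the request was authenticated as.  If that is still the sandbox
service account, the supplied token never reached the API server.
"""
import json
import re
from typing import Optional

FORBIDDEN_RE = re.compile(
    r'User "(?P<user>[^"]+)" cannot (?P<verb>\w+) (?P<resource>[\w./-]+) '
    r'in (?:the )?(?:namespace|project) "(?P<namespace>[^"]+)"'
)
# Sandbox service accounts in the thread are named bundle-<uuid>; assumed
# to hold generally for the purpose of this check.
SANDBOX_SA_RE = re.compile(r"^system:serviceaccount:(?P<ns>[^:]+):bundle-[0-9a-f-]+$")


def parse_ansible_failure(line: str) -> Optional[dict]:
    """Parse a `fatal: [host]: FAILED! => {...}` line into the denied request.

    Returns user, verb, resource, namespace and the HTTP error, or None when
    the line is not an Ansible failure carrying a forbidden message.
    """
    marker = "FAILED! => "
    if marker not in line:
        return None
    payload = json.loads(line.split(marker, 1)[1])
    m = FORBIDDEN_RE.search(payload.get("msg", ""))
    if not m:
        return None
    return {"error": payload.get("error"), **m.groupdict()}


def credential_actually_used(line: str, token_owner: str) -> str:
    """Classify a 403 by who the API server thinks made the request.

    token_owner is the identity the supplied token maps to, e.g. the output
    of `oc whoami` for the user whose `oc whoami -t` token was passed in.
    """
    denied = parse_ansible_failure(line)
    if denied is None:
        return "not-a-forbidden-error"
    if denied["user"] == token_owner:
        return "token-used-but-lacks-permission"
    if SANDBOX_SA_RE.match(denied["user"]):
        return "sandbox-sa-used-token-ignored"
    return "other-identity"


# Constructed sample, modelled on the failure reported in the thread.
SAMPLE_LINE = (
    'fatal: [localhost]: FAILED! => {"changed": false, "error": 403, "msg": '
    '"Failed to create object: imagestreams is forbidden: User '
    '\\"system:serviceaccount:localregistry-xxx-prov-ps4g2:'
    'bundle-8e964018-8d93-4fb6-8c43-72a6c98d322e\\" '
    'cannot create imagestreams in the namespace \\"openshift\\""}'
)

if __name__ == "__main__":
    print(parse_ansible_failure(SAMPLE_LINE))
    # "admin" is a constructed stand-in for whatever `oc whoami` returns.
    print(credential_actually_used(SAMPLE_LINE, "admin"))
```

Two outcomes matter: "sandbox-sa-used-token-ignored" means the task has to be checked for whether api_key (or username/password) is actually being passed to the module and honoured, while "token-used-but-lacks-permission" means the credential arrived and the problem is purely RBAC on the token owner.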