Open ghost opened 6 years ago
I think the primary hurdle that you will face is that the APB service account is using a RoleBinding. This means that, even if you were to grant the APB service account cluster-admin privileges (and this would involve modifying the cluster role the broker uses as well as the sandbox role), the APB would still only have these permissions over the "target" namespace.

My understanding is that the work on namespaced brokers in the service-catalog is meant to, in the future, support APBs of this kind. However, I am not aware of support from the broker to use ClusterRoleBindings (which you would need to create objects in a namespace other than the "target" namespace).
As a workaround, your APB could accept credentials as parameters. Then, in your APB you could simply authenticate with the cluster using those credentials and proceed with administrator permissions.
An example, in the apb.yml file:

```yaml
- name: user_token
  title: User token
  description: User token to perform privileged actions
  required: true
  type: string
```
Then in your playbooks/roles:

```yaml
- name: use token
  openshift_raw:
    api_version: v1
    api_key: "{{ user_token }}"
    state: present
    kind: Namespace
    name: testproject

- name: Create image stream
  openshift_raw:
    state: present
    api_key: "{{ user_token }}"
    definition:
      apiVersion: v1
      kind: ImageStream
      # name and namespace belong under metadata in a full object definition
      metadata:
        namespace: openshift
        name: "my-image-stream"
      spec:
        tags:
          - name: "latest"
```
And then you can try it out from the command line (if you need to):

```shell
ansible-playbook -vvv test.yaml -e user_token=$(oc whoami -t)
```
@ruromero thanks. That might be a workaround in my case.
@djzager @ruromero I never got the following task to work:
```yaml
- name: Create image stream
  openshift_raw:
    state: present
    force: yes
    api_key: bCCdyBrug7xWdi6Mdzc4UMQMtDoOjEyd7CjmXwITfJ1
    definition:
      apiVersion: v1
      kind: ImageStream
      metadata:
        namespace: "openshift"
        name: "rhel-base-jdk8"
      spec:
        tags:
          - name: "latest"
```
When providing a token I get:

```text
fatal: [localhost]: FAILED! => {"changed": false, "error": 403, "msg": "Failed to create object: imagestreams is forbidden: User \"system:serviceaccount:localregistry-xxx-prov-ps4g2:bundle-8e964018-8d93-4fb6-8c43-72a6c98d322e\" cannot create imagestreams in the namespace \"openshift\": User \"system:serviceaccount:localregistry-xxx-prov-ps4g2:bundle-8e964018-8d93-4fb6-8c43-72a6c98d322e\" cannot create imagestreams in project \"openshift\""}
```

Same result when using a username and password.
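As an added example (not code from this issue, nor from the broker or APB projects), the Python below models the scope rule described in the first reply and the 403 message from the follow-up: a RoleBinding, even one that references cluster-admin, grants its subject rights only inside the binding's own namespace, whereas a ClusterRoleBinding grants them cluster-wide; and when the denied identity in a 403 is the bundle's own service account, the API server authenticated the request as that service account, not as the user whose token was passed. All roles, bindings and the sample message are constructed for the example; the identity string mirrors the one from the original question.

```python
"""Mini RBAC scope checker plus a 403-message reader.

Added example for this thread, not code from the issue or the broker/APB
projects. Roles, bindings, identities and the sample 403 are constructed.
Only ClusterRole references are modelled in ROLES.
"""
import re

# Constructed ClusterRoles, keyed by (kind, name).
ROLES = {
    ("ClusterRole", "cluster-admin"): [
        {"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]},
    ],
}

# Identity in the form the API server reports, mirroring the thread.
BUNDLE_SA = "system:serviceaccount:localregistry-test-prov-h8tmm:bundle-xxx"
BUNDLE_SUBJECT = {"kind": "ServiceAccount",
                  "namespace": "localregistry-test-prov-h8tmm", "name": "bundle-xxx"}

# The sandbox shape described in the thread: a RoleBinding in the target
# namespace that references cluster-admin (constructed).
SANDBOX_BINDINGS = [
    {"kind": "RoleBinding",
     "metadata": {"namespace": "target", "name": "bundle-xxx-sandbox"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [BUNDLE_SUBJECT]},
]

# The binding the thread says the broker does not create: cluster-wide scope.
CLUSTER_WIDE_BINDING = {
    "kind": "ClusterRoleBinding",
    "metadata": {"name": "bundle-xxx-cluster-admin"},
    "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
    "subjects": [BUNDLE_SUBJECT],
}


def subject_name(subject):
    """Render a binding subject the way the API server names users."""
    if subject["kind"] == "ServiceAccount":
        return "system:serviceaccount:{namespace}:{name}".format(**subject)
    return subject["name"]


def rule_allows(rule, verb, resource, api_group):
    def matches(allowed, wanted):
        return "*" in allowed or wanted in allowed
    return (matches(rule["verbs"], verb)
            and matches(rule["resources"], resource)
            and matches(rule["apiGroups"], api_group))


def can_i(bindings, roles, user, verb, resource, namespace, api_group=""):
    """True if some binding grants `user` the verb on the resource in `namespace`.

    A RoleBinding counts only for the namespace it lives in; a
    ClusterRoleBinding counts everywhere. That is the whole point.
    """
    for binding in bindings:
        if user not in {subject_name(s) for s in binding["subjects"]}:
            continue
        if (binding["kind"] == "RoleBinding"
                and binding["metadata"]["namespace"] != namespace):
            continue
        ref = binding["roleRef"]
        rules = roles.get((ref["kind"], ref["name"]), [])
        if any(rule_allows(r, verb, resource, api_group) for r in rules):
            return True
    return False


# Shape of the forbidden message Ansible surfaced in the thread.
FORBIDDEN_RE = re.compile(
    r'User "(?P<user>[^"]+)" cannot (?P<verb>\w+) (?P<resource>[\w./]+) '
    r'in the namespace "(?P<namespace>[^"]+)"')


def parse_forbidden(msg):
    """Extract who was denied which verb on which resource, and where."""
    m = FORBIDDEN_RE.search(msg)
    return m.groupdict() if m else None


def ran_as_service_account(msg):
    """True when the denied identity is a service account: the request was
    authenticated as the pod's own SA, not as the user whose token was passed."""
    info = parse_forbidden(msg)
    return info is not None and info["user"].startswith("system:serviceaccount:")


# Constructed copy of the thread's error, with the identity above.
SAMPLE_403 = ('Failed to create object: imagestreams is forbidden: User "'
              + BUNDLE_SA + '" cannot create imagestreams in the namespace "openshift"')

if __name__ == "__main__":
    args = (ROLES, BUNDLE_SA, "create", "imagestreams")
    print("in target:", can_i(SANDBOX_BINDINGS, *args, "target"))
    print("in openshift:", can_i(SANDBOX_BINDINGS, *args, "openshift"))
    print("with ClusterRoleBinding:",
          can_i(SANDBOX_BINDINGS + [CLUSTER_WIDE_BINDING], *args, "openshift"))
    print(parse_forbidden(SAMPLE_403), ran_as_service_account(SAMPLE_403))
```

The evaluator deliberately ignores aggregation, resourceNames and non-resource URLs; it is just enough RBAC to show that the binding's kind, not the role's power, decides the namespaces an APB can touch, and that a 403 naming the bundle service account means the api_key was not the identity the server saw.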
Quite a simple question: in my APB I need to create ImageStreams and BuildConfigs in the openshift namespace. I failed to find any docs on how to grant the APB service account admin privileges.
Currently I see this:
Is there any way to grant `system:serviceaccount:localregistry-test-prov-h8tmm:bundle-xxx` the cluster-admin role?