

Add deployment of keystone_auth_default_policy
When `keystone-auth-enabled` is true in the k8s cluster template, magnum requires
the keystone_auth_default_policy file to be present.
For now we expect deployers to create the corresponding Keystone roles
manually, since this feature is not enabled by default or widely used.

Change-Id: I77bfd3026e3168d7504ef3dc5214cfe706c525dd
Dmitriy Rabotyagov committed Sep 14, 2020
1 parent 6d880c3 commit 200dcd8
Showing 3 changed files with 82 additions and 0 deletions.
1 change: 1 addition & 0 deletions defaults/main.yml
Expand Up @@ -66,6 +66,7 @@ magnum_service_adminurl: "{{ magnum_service_adminuri_proto }}://{{ internal_lb_v
magnum_config_overrides: {}
magnum_policy_overrides: {}
magnum_api_paste_ini_overrides: {}
magnum_keystone_auth_default_policy: []

magnum_pip_install_args: "{{ pip_install_options | default('') }}"

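Review bot: The new `magnum_keystone_auth_default_policy` default is undocumented, and nothing tells a deployer what shape the override takes or that the Keystone roles referenced by the shipped policy must exist before the value is useful. A comment above the line would carry that, e.g. `# Overrides applied to keystone_auth_default_policy.json, the k8s-keystone-auth webhook policy magnum ships to clusters created with keystone-auth-enabled=true.` followed by `# The default policy references Keystone roles k8s_admin, k8s_developer and k8s_viewer; deployers must create them manually.` The role names and the keystone-auth-enabled coupling are taken from the commit description and the template, so confirm the wording against the consumer.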
5 changes: 5 additions & 0 deletions tasks/magnum_post_install.yml
Expand Up @@ -35,6 +35,11 @@
destination: "{{ magnum_etc_directory }}/api-paste.ini"
config_overrides: "{{ magnum_api_paste_ini_overrides }}"
config_type: "ini"
- source: "keystone_auth_default_policy.json.j2"
destination: "{{ magnum_etc_directory }}/keystone_auth_default_policy.json"
config_overrides: "{{ magnum_keystone_auth_default_policy }}"
config_type: "json"

notify:
- Restart magnum services
- Restart uwsgi services
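Review bot: The new loop item passes `magnum_keystone_auth_default_policy` as `config_overrides` with `config_type: "json"`, but the sibling default is a list (`[]`) and the template's top-level JSON value is an array; I am not certain config_template's json handling merges a list override onto a top-level array rather than expecting a mapping, so this should be exercised with a non-empty override before relying on it. The task that owns this list (its name, `src`/`dest` handling and any `mode`) starts outside the hunk, so I cannot see what permissions the rendered policy file gets; given it ends up in the cluster's authorization path, a restrictive mode is worth checking there. The rendered file also still contains the literal `$PROJECT_ID` placeholder, which config_template will not expand — presumably magnum substitutes it at cluster creation, but that is inferred, not visible here.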
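--- /dev/null
+++ b/templates/keystone_auth_default_policy.json.j2
@@ -0,0 +1,76 @@
+[
+{
+"users":{
+"roles":[
+"k8s_admin"
+],
+"projects":[
+"$PROJECT_ID"
+]
+},
+"resource_permissions":{
+"*/*":[
+"*"
+]
+},
+"nonresource_permissions":{
+"/healthz":[
+"get",
+"post"
+]
+}
+},
+{
+"users":{
+"roles":[
+"k8s_developer"
+],
+"projects":[
+"$PROJECT_ID"
+]
+},
+"resource_permissions":{
+"!kube-system/['apiServices', 'bindings', 'componentstatuses', 'configmaps', 'cronjobs', 'customResourceDefinitions', 'deployments', 'endpoints', 'events', 'horizontalPodAutoscalers', 'ingresses', 'initializerConfigurations', 'jobs', 'limitRanges', 'localSubjectAccessReviews', 'namespaces', 'networkPolicies', 'persistentVolumeClaims', 'persistentVolumes', 'podDisruptionBudgets', 'podPresets', 'podTemplates', 'pods', 'replicaSets', 'replicationControllers', 'resourceQuotas', 'secrets', 'selfSubjectAccessReviews', 'serviceAccounts', 'services', 'statefulSets', 'storageClasses', 'subjectAccessReviews', 'tokenReviews']":[
+"*"
+],
+"*/['clusterrolebindings', 'clusterroles', 'rolebindings', 'roles', 'controllerrevisions', 'nodes', 'podSecurityPolicies']":[
+"get",
+"list",
+"watch"
+],
+"*/['certificateSigningRequests']":[
+"create",
+"delete",
+"get",
+"list",
+"watch",
+"update"
+]
+}
+},
+{
+"users":{
+"roles":[
+"k8s_viewer"
+],
+"projects":[
+"$PROJECT_ID"
+]
+},
+"resource_permissions":{
+"!kube-system/['tokenReviews']":[
+"*"
+],
+"!kube-system/['apiServices', 'bindings', 'componentstatuses', 'configmaps', 'cronjobs', 'customResourceDefinitions', 'deployments', 'endpoints', 'events', 'horizontalPodAutoscalers', 'ingresses', 'initializerConfigurations', 'jobs', 'limitRanges', 'localSubjectAccessReviews', 'namespaces', 'networkPolicies', 'persistentVolumeClaims', 'persistentVolumes', 'podDisruptionBudgets', 'podPresets', 'podTemplates', 'pods', 'replicaSets', 'replicationControllers', 'resourceQuotas', 'secrets', 'selfSubjectAccessReviews', 'serviceAccounts', 'services', 'statefulSets', 'storageClasses', 'subjectAccessReviews']":[
+"get",
+"list",
+"watch"
+],
+"*/['clusterrolebindings', 'clusterroles', 'rolebindings', 'roles', 'controllerrevisions', 'nodes', 'podSecurityPolicies']":[
+"get",
+"list",
+"watch"
+]
+}
+}
+]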
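Review bot: The `k8s_viewer` rule grants `get`, `list` and `watch` on `secrets` (and `serviceAccounts`) in every namespace except kube-system, which makes "viewer" a misnomer: a principal that can read Secrets can read service-account tokens and any application credentials stored there, and therefore act as those identities. Unless that is deliberate, drop `'secrets'` from the viewer's `!kube-system/[...]` list (and consider the same for `'serviceAccounts'`), and document the choice above the rule. The `k8s_viewer` block also grants `*` on `tokenReviews`, which is more than read-only and looks inconsistent with the rule's intent. Separately, `k8s_developer` gets `update` on `certificateSigningRequests` cluster-wide; if the webhook matches subresources under the parent resource name, that may allow approving CSRs, so confirm how k8s-keystone-auth treats the `approval` subresource before shipping this as a default. Whether `$PROJECT_ID` is substituted by magnum at cluster creation is not visible from this file and is worth stating in a comment in the deployer-facing documentation rather than leaving it implicit.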
