From ceb97e5809504720f744b3538d95dc8a4e8f4f71 Mon Sep 17 00:00:00 2001
From: Erwan Miran
Date: Wed, 29 Aug 2018 11:35:00 +0200
Subject: [PATCH] Fix wrong syntax for jinja sub list extraction and addition of missing role template
---
 .../local_volume_provisioner/tasks/main.yml | 2 +-
 .../local-volume-provisioner-psp-role.yml.j2 | 15 +++++++++++++++
 roles/kubernetes-apps/registry/tasks/main.yml | 2 +-
 3 files changed, 17 insertions(+), 2 deletions(-)
 create mode 100644 roles/kubernetes-apps/external_provisioner/local_volume_provisioner/templates/local-volume-provisioner-psp-role.yml.j2
diff --git a/roles/kubernetes-apps/external_provisioner/local_volume_provisioner/tasks/main.yml b/roles/kubernetes-apps/external_provisioner/local_volume_provisioner/tasks/main.yml
index 448563922..070f4c00c 100644
--- a/roles/kubernetes-apps/external_provisioner/local_volume_provisioner/tasks/main.yml
+++ b/roles/kubernetes-apps/external_provisioner/local_volume_provisioner/tasks/main.yml
@@ -35,7 +35,7 @@
 - name: Local Volume Provisioner | Insert extra templates to Local Volume Provisioner templates list for PodSecurityPolicy
 set_fact:
- local_volume_provisioner_templates: "{{ local_volume_provisioner_templates[:2] + local_volume_provisioner_templates_for_psp_not_system_ns + local_volume_provisioner_templates[3:] }}"
+ local_volume_provisioner_templates: "{{ local_volume_provisioner_templates[:2] + local_volume_provisioner_templates_for_psp_not_system_ns + local_volume_provisioner_templates[2:] }}"
 when:
 - podsecuritypolicy_enabled
 - local_volume_provisioner_namespace != "kube-system"
diff --git a/roles/kubernetes-apps/external_provisioner/local_volume_provisioner/templates/local-volume-provisioner-psp-role.yml.j2 b/roles/kubernetes-apps/external_provisioner/local_volume_provisioner/templates/local-volume-provisioner-psp-role.yml.j2
new file mode 100644
index 000000000..40a530972
--- /dev/null
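Review bot: The insertion point in the new `set_fact` value (`local_volume_provisioner_templates[:2]` followed by `[2:]`) is a bare positional index with no comment, so the task depends on the order of a list that is defined outside this patch; the registry hunk has the same pattern with `registry_templates[:3]` and `[3:]`. The replaced `[3:]` and `[4:]` slices skipped one entry of each list, which shows how easily a wrong index here goes unnoticed when PodSecurityPolicy is enabled. I would add a comment above each expression, for example `# PSP templates are inserted after the first two entries; update the index if the list order changes` (three entries for the registry task). The `when` list of each task may continue past the last visible line of its hunk.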
+++ b/roles/kubernetes-apps/external_provisioner/local_volume_provisioner/templates/local-volume-provisioner-psp-role.yml.j2
@@ -0,0 +1,15 @@
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+ name: psp:local-volume-provisioner
+ namespace: {{ local_volume_provisioner_namespace }}
+rules:
+ - apiGroups:
+ - policy
+ resourceNames:
+ - local-volume-provisioner
+ resources:
+ - podsecuritypolicies
+ verbs:
+ - use
diff --git a/roles/kubernetes-apps/registry/tasks/main.yml b/roles/kubernetes-apps/registry/tasks/main.yml
index 6272ef5fb..fd8cb82e3 100644
--- a/roles/kubernetes-apps/registry/tasks/main.yml
+++ b/roles/kubernetes-apps/registry/tasks/main.yml
@@ -27,7 +27,7 @@
 - name: Registry | Append extra templates to Registry Templates list for PodSecurityPolicy
 set_fact:
- registry_templates: "{{ registry_templates[:3] + registry_templates_for_psp + registry_templates[4:] }}"
+ registry_templates: "{{ registry_templates[:3] + registry_templates_for_psp + registry_templates[3:] }}"
 when:
 - podsecuritypolicy_enabled
 - registry_namespace != "kube-system"
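Review bot: `kind: ClusterRole` is cluster-scoped, so the `namespace: {{ local_volume_provisioner_namespace }}` line under `metadata` has no effect; the file name (`local-volume-provisioner-psp-role.yml.j2`) hints that a namespaced Role may have been intended. The rule grants `use` on the `local-volume-provisioner` PodSecurityPolicy, so how far that grant reaches depends on the binding, which is not part of this patch: a RoleBinding keeps it to one namespace, a ClusterRoleBinding would apply it cluster-wide. I would drop the `namespace` line (or switch to `kind: Role` together with the binding's `roleRef`) and add a header comment such as `# bind with a RoleBinding in the provisioner namespace only`. If the line stays, quote it as `namespace: "{{ local_volume_provisioner_namespace }}"` so an empty value does not render as null.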