From 09aadeef84c1277fbbd4b114eb3270261456f5e3 Mon Sep 17 00:00:00 2001
From: Ryan Hallisey
Date: Tue, 11 Jul 2017 13:36:02 -0400
Subject: Add an SA policy to the ansible-service-broker

We are not adding a role to the service account after creation. The ansible-service-broker will require cluster-admin permissions because we do things like: creating service accounts, projects, and pods.
---
 roles/ansible_service_broker/tasks/install.yml | 8 ++++++++
 1 file changed, 8 insertions(+)
(limited to 'roles/ansible_service_broker')
diff --git a/roles/ansible_service_broker/tasks/install.yml b/roles/ansible_service_broker/tasks/install.yml
index 65dffc89b..58b3eb859 100644
--- a/roles/ansible_service_broker/tasks/install.yml
+++ b/roles/ansible_service_broker/tasks/install.yml
@@ -42,6 +42,14 @@
 namespace: openshift-ansible-service-broker
 state: present
 
+- name: Set SA cluster-role
+ oc_adm_policy_user:
+ state: present
+ namespace: "openshift-ansible-service-broker"
+ resource_kind: cluster-role
+ resource_name: cluster-admin
+ user: "system:serviceaccount:openshift-ansible-service-broker:asb"
+
 - name: create ansible-service-broker service
 oc_service:
 name: asb
-- cgit v1.2.1
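Review bot: Binding `cluster-admin` to `system:serviceaccount:openshift-ansible-service-broker:asb` in the new `Set SA cluster-role` task gives the broker's token full control of every namespace, including read access to all secrets, while the commit message names only creating service accounts, projects and pods as the need. A compromise of the broker pod would then be a cluster-wide compromise, so a dedicated cluster role limited to those resources and verbs is the safer binding, e.g. `resource_name: <scoped-asb-cluster-role>` (placeholder; the role would have to be defined by an earlier task). If cluster-admin has to stay for now, record the reason and the follow-up next to the task: `# cluster-admin is temporary: the broker creates service accounts, projects and pods; replace with a scoped role`. The binding is only ever added with `state: present` here; whether an uninstall path removes it is not visible in this hunk and is worth checking.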