From f50ea8ec5d3422c8ec61aad273d0bfb5a9b5fa75 Mon Sep 17 00:00:00 2001 From: Kenny Woodson Date: Tue, 20 Jun 2017 14:45:44 -0400 Subject: Adding option for serviceAccountConfig.limitSecretReferences --- inventory/byo/hosts.origin.example | 3 +++ inventory/byo/hosts.ose.example | 3 +++ roles/openshift_master/README.md | 25 +++++++++++----------- roles/openshift_master/templates/master.yaml.v1.j2 | 2 +- 4 files changed, 20 insertions(+), 13 deletions(-) diff --git a/inventory/byo/hosts.origin.example b/inventory/byo/hosts.origin.example index 962a01a91..300d45e72 100644 --- a/inventory/byo/hosts.origin.example +++ b/inventory/byo/hosts.origin.example @@ -815,6 +815,9 @@ openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true', # Controls validity for etcd CA, peer, server and client certificates. # #etcd_ca_default_days=1825 +# +# ServiceAccountConfig:LimitSecretRefences rejects pods that reference secrets their service accounts do not reference +# openshift_master_saconfig_limitsecretreferences=false # Upgrade Control # diff --git a/inventory/byo/hosts.ose.example b/inventory/byo/hosts.ose.example index 63f1f00d2..8dce572bb 100644 --- a/inventory/byo/hosts.ose.example +++ b/inventory/byo/hosts.ose.example @@ -811,6 +811,9 @@ openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true', # Controls validity for etcd CA, peer, server and client certificates. # #etcd_ca_default_days=1825 +# +# ServiceAccountConfig:LimitSecretRefences rejects pods that reference secrets their service accounts do not reference +# openshift_master_saconfig_limitsecretreferences=false # Upgrade Control # diff --git a/roles/openshift_master/README.md b/roles/openshift_master/README.md index e5362105c..a80eea6a1 100644 --- a/roles/openshift_master/README.md +++ b/roles/openshift_master/README.md 
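Review bot: The added comment spells the setting `LimitSecretRefences`, so a search for the real key `limitSecretReferences` will not land on it; the hosts.ose.example hunk carries the same misspelling. The comment could also state the default and what enabling it changes, for example `# serviceAccountConfig.limitSecretReferences: when true, pods that reference secrets their service account does not reference are rejected (default: false)`. The example line is written with a space after `#`, unlike the neighbouring `#etcd_ca_default_days=1825`; dropping the space keeps the commented-out examples uniform.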
@@ -15,18 +15,19 @@ Role Variables From this role: -| Name | Default value | | -|-------------------------------------|-----------------------|-------------------------------------------------------------------------------| -| openshift_master_debug_level | openshift_debug_level | Verbosity of the debug logs for master | -| openshift_node_ips | [] | List of the openshift node ip addresses to pre-register when master starts up | -| oreg_url | UNDEF | Default docker registry to use | -| oreg_url_master | UNDEF | Default docker registry to use, specifically on the master | -| openshift_master_api_port | UNDEF | | -| openshift_master_console_port | UNDEF | | -| openshift_master_api_url | UNDEF | | -| openshift_master_console_url | UNDEF | | -| openshift_master_public_api_url | UNDEF | | -| openshift_master_public_console_url | UNDEF | | +| Name | Default value | | +|--------------------------------------------------|-----------------------|-------------------------------------------------------------------------------| +| openshift_master_debug_level | openshift_debug_level | Verbosity of the debug logs for master | +| openshift_node_ips | [] | List of the openshift node ip addresses to pre-register when master starts up | +| oreg_url | UNDEF | Default docker registry to use | +| oreg_url_master | UNDEF | Default docker registry to use, specifically on the master | +| openshift_master_api_port | UNDEF | | +| openshift_master_console_port | UNDEF | | +| openshift_master_api_url | UNDEF | | +| openshift_master_console_url | UNDEF | | +| openshift_master_public_api_url | UNDEF | | +| openshift_master_public_console_url | UNDEF | | +| openshift_master_saconfig_limitsecretrefereces | UNDEF | | From openshift_common: diff --git a/roles/openshift_master/templates/master.yaml.v1.j2 b/roles/openshift_master/templates/master.yaml.v1.j2 index 6c26e5092..af3ebc6d2 100644 --- a/roles/openshift_master/templates/master.yaml.v1.j2 
+++ b/roles/openshift_master/templates/master.yaml.v1.j2 @@ -235,7 +235,7 @@ projectConfig: routingConfig: subdomain: "{{ openshift_master_default_subdomain | default("") }}" serviceAccountConfig: - limitSecretReferences: false + limitSecretReferences: {{ openshift_master_saconfig_limitsecretreferences | default(false) }} managedNames: - default - builder -- cgit v1.2.1
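Review bot: `default(false)` on the new `limitSecretReferences` line means a misspelled inventory variable silently leaves the restriction off, and the README row added in this same commit documents the name as `openshift_master_saconfig_limitsecretrefereces`, which this template does not read. The README row should use `openshift_master_saconfig_limitsecretreferences` and list the default as `false` rather than `UNDEF`, matching what is rendered here. The `serviceAccountConfig` block continues outside the hunk.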