From ea58cf067805e2d948f7c14f03424c1620c26ff4 Mon Sep 17 00:00:00 2001
From: Cedric Girard
Date: Fri, 11 Jan 2019 15:17:42 +0100
Subject: [PATCH] default config to enforce quotas on new users
---
 devolab-user-config/default-template.yaml | 91 +++++++++++++++++++
 .../tshirt-quotas.yaml | 0
 2 files changed, 91 insertions(+)
 create mode 100644 devolab-user-config/default-template.yaml
 rename tshirt-quotas.yaml => devolab-user-config/tshirt-quotas.yaml (100%)
diff --git a/devolab-user-config/default-template.yaml b/devolab-user-config/default-template.yaml
new file mode 100644
index 0000000..9272890
--- /dev/null
+++ b/devolab-user-config/default-template.yaml
@@ -0,0 +1,91 @@
+apiVersion: template.openshift.io/v1
+kind: Template
+metadata:
+ creationTimestamp: null
+ name: project-request
+objects:
+- apiVersion: project.openshift.io/v1
+ kind: Project
+ metadata:
+ annotations:
+ openshift.io/description: ${PROJECT_DESCRIPTION}
+ openshift.io/display-name: ${PROJECT_DISPLAYNAME}
+ openshift.io/requester: ${PROJECT_REQUESTING_USER}
+ labels:
+ size: small
+ creationTimestamp: null
+ name: ${PROJECT_NAME}
+ spec: {}
+ status: {}
+- apiVersion: rbac.authorization.k8s.io/v1
+ kind: RoleBinding
+ metadata:
+ annotations:
+ openshift.io/description: Allows all pods in this namespace to pull images from
+ this namespace. It is auto-managed by a controller; remove subjects to disable.
+ creationTimestamp: null
+ name: system:image-pullers
+ namespace: ${PROJECT_NAME}
+ roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: system:image-puller
+ subjects:
+ - apiGroup: rbac.authorization.k8s.io
+ kind: Group
+ name: system:serviceaccounts:${PROJECT_NAME}
+- apiVersion: rbac.authorization.k8s.io/v1
+ kind: RoleBinding
+ metadata:
+ annotations:
+ openshift.io/description: Allows builds in this namespace to push images to
+ this namespace. It is auto-managed by a controller; remove subjects to disable.
+ creationTimestamp: null
+ name: system:image-builders
+ namespace: ${PROJECT_NAME}
+ roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: system:image-builder
+ subjects:
+ - kind: ServiceAccount
+ name: builder
+ namespace: ${PROJECT_NAME}
+- apiVersion: rbac.authorization.k8s.io/v1
+ kind: RoleBinding
+ metadata:
+ annotations:
+ openshift.io/description: Allows deploymentconfigs in this namespace to rollout
+ pods in this namespace. It is auto-managed by a controller; remove subjects
+ to disable.
+ creationTimestamp: null
+ name: system:deployers
+ namespace: ${PROJECT_NAME}
+ roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: system:deployer
+ subjects:
+ - kind: ServiceAccount
+ name: deployer
+ namespace: ${PROJECT_NAME}
+- apiVersion: rbac.authorization.k8s.io/v1
+ kind: RoleBinding
+ metadata:
+ creationTimestamp: null
+ name: admin
+ namespace: ${PROJECT_NAME}
+ roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: admin
+ subjects:
+ - apiGroup: rbac.authorization.k8s.io
+ kind: User
+ name: ${PROJECT_ADMIN_USER}
+parameters:
+- name: PROJECT_NAME
+- name: PROJECT_DISPLAYNAME
+- name: PROJECT_DESCRIPTION
+- name: PROJECT_ADMIN_USER
+- name: PROJECT_REQUESTING_USER
diff --git a/tshirt-quotas.yaml b/devolab-user-config/tshirt-quotas.yaml
similarity index 100%
rename from tshirt-quotas.yaml
rename to devolab-user-config/tshirt-quotas.yaml
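Review bot: The template contains no ResourceQuota or LimitRange object, so the quota enforcement named in the subject rests entirely on the `labels: size: small` entry on the Project object, and nothing in the file documents that. Presumably a quota in `tshirt-quotas.yaml` selects that label; that file is a 100% rename, so its selector is not visible here and should be checked against this value. I would add a comment above the label, such as `# size label is matched by the quota selector in tshirt-quotas.yaml; keep both in sync`. Namespaces created outside the project-request path (for example directly by a cluster administrator) never pass through this template, so they get no label and would fall outside a label-selected quota. It is also worth confirming that the `admin` RoleBinding given to `${PROJECT_ADMIN_USER}` does not let the project owner change or remove the label.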