
Enable authentication using Kubernetes service account token

      The plugin allows using service accounts only when running in Kubernetes. However, service accounts can be used to access a Kubernetes cluster from outside as well. See [1].

      To connect a Jenkins instance to an existing Kubernetes cluster, it would be very natural for an admin to create a dedicated service account, assign it to a namespace and make use of it to configure the kubernetes plugin.

      Since the functionality is already there, I guess the effort would not be too high. Or is there any reason not to do so?

      [1] http://kubernetes.io/docs/admin/authentication/

          [JENKINS-40717] Enable authentication using Kubernetes service account token

          Chris Denneen added a comment -

          csanchez I agree with nitinpadalia. When you add this type of Kubernetes Service Account in the Jenkins UI there is no Value field, so it shows "Secret text" and you have no control over the value to add the serviceaccount name used or to add a token needed for that serviceaccount name.

          Anyway to validate with 1.12.0 and 1.12.4 with LTS 2.121.3

          Carlos Sanchez added a comment -

          you don't need a serviceaccount name to connect to k8s, just the token

          Chris Denneen added a comment -

          Ok but as you can see from the attached screenshot there is no text field to paste that.


          Chris Denneen added a comment -

          Even trying OpenShift OAuth Token provides no field to paste Token


          Carlos Sanchez added a comment -

          You need to use the "Secret text" type and paste the token there

          Chris Denneen added a comment -

          OK thanks... if the rest of those types are deprecated is there any reason they haven't been removed?


          Carlos Sanchez added a comment -

          the other types read the token from the filesystem when running inside k8s
          it's not the most obvious UX for sure

          Chris Denneen added a comment -

          Yeah, I'm running Jenkins from inside k8s, so wouldn't the Kubernetes Service Account work? Nothing allows you to specify which service account to use.

          I also just attached another screenshot showing a POST error. I'm guessing this is because it's inside k8s? How do you get around this?

          Chris Denneen added a comment - edited

          https://medium.com/containerum/how-to-setup-ci-cd-workflow-for-node-js-apps-with-jenkins-and-kubernetes-360fd0499556

          Found this article, which says to copy the token from the secrets and paste it as the secret text, but when I did that and ran Test Connection it failed... I had to get that token and pipe it to base64 -D to decode it, then pasted that and the connection was successful.

          Also, without using any credentials the connection was successful, and I would believe that is because it's deployed from within k8s using helm stable/jenkins, but the helm chart says to add the serviceaccount from helm status to Jenkins Credentials.

          https://github.com/helm/charts/blob/master/stable/jenkins/README.md (RBAC Section)
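The two token paths discussed in this thread (the in-cluster token that the plugin reads from the filesystem, and the out-of-cluster token copied from the service account's Secret, which has to be base64-decoded before it goes into a "Secret text" credential) as an added, self-contained example. This is not code from the Jenkins issue or from the kubernetes-plugin; the Secret JSON and the token are constructed here (the token is an unsigned placeholder JWT carrying the claims a legacy service account token has, so no cluster is needed), and the helper names are hypothetical.

```python
"""Added example (not from the Jenkins issue or the kubernetes-plugin).

Out of cluster: `kubectl get secret <sa-token-secret> -o json` returns
`data.token` base64-encoded; it must be decoded before being pasted into a
"Secret text" credential. In cluster: the kubelet mounts the token as plain
text, so no decoding is needed. The Secret and token below are constructed.
"""
import base64
import json
from pathlib import Path
from typing import Optional, Tuple

# Path the kubelet uses for the projected/mounted service account token.
IN_CLUSTER_TOKEN_PATH = Path("/var/run/secrets/kubernetes.io/serviceaccount/token")


def _b64url_json(obj: dict) -> str:
    """JWT-style base64url encoding without padding."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_constructed_token(namespace: str, name: str) -> str:
    """Placeholder shaped like a legacy service account JWT (constructed,
    unsigned; a real token is signed by the API server)."""
    header = {"alg": "RS256", "typ": "JWT"}
    claims = {
        "iss": "kubernetes/serviceaccount",
        "kubernetes.io/serviceaccount/namespace": namespace,
        "kubernetes.io/serviceaccount/service-account.name": name,
        "sub": f"system:serviceaccount:{namespace}:{name}",
    }
    return f"{_b64url_json(header)}.{_b64url_json(claims)}.placeholder-signature"


def make_constructed_secret(namespace: str, name: str) -> dict:
    """Mimic the JSON of a service-account-token Secret: data values are base64."""
    token = make_constructed_token(namespace, name)
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "type": "kubernetes.io/service-account-token",
        "metadata": {"name": f"{name}-token-abcde", "namespace": namespace},
        "data": {
            "token": base64.b64encode(token.encode()).decode(),
            "namespace": base64.b64encode(namespace.encode()).decode(),
        },
    }


def token_from_secret(secret: dict) -> str:
    """Out-of-cluster path: decode data.token. This is the `base64 -D` step from
    the thread; pasting the still-encoded value makes Test Connection fail."""
    return base64.b64decode(secret["data"]["token"]).decode()


def token_from_mount(path: Path = IN_CLUSTER_TOKEN_PATH) -> Optional[str]:
    """In-cluster path: read the plain-text token the kubelet mounted, if any."""
    return path.read_text().strip() if path.is_file() else None


def service_account_from_token(token: str) -> Tuple[str, str]:
    """Read namespace and service account name from the token's claims (no
    signature check here). This is why only the token is needed: the account
    name is already inside it."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    return (
        claims["kubernetes.io/serviceaccount/namespace"],
        claims["kubernetes.io/serviceaccount/service-account.name"],
    )


def authorization_header(token: str) -> dict:
    """What a bearer-token credential turns into on the API server request."""
    return {"Authorization": f"Bearer {token}"}


if __name__ == "__main__":
    secret = make_constructed_secret("jenkins", "jenkins-deployer")
    # Prefer the mounted token when running in a pod, else decode the Secret.
    tok = token_from_mount() or token_from_secret(secret)
    print(service_account_from_token(tok))
    print(authorization_header(tok)["Authorization"][:40] + "...")
```

The `service_account_from_token` helper deliberately rejects a value that is not three dot-separated segments, which is exactly what the still-base64-encoded `data.token` looks like; that is the quickest check for the failure mode described in the comment above.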

          Carlos Sanchez added a comment -

          it would be easier if questions were asked on the jenkins-user mailing list

          the POST issue is a known one, filed somewhere
          you don't need any credentials or service account name when running in k8s. The serviceaccount name you want to use is set when you launch the jenkins master in its pod configuration

            Assignee: Unassigned
            Reporter: Holger Partsch (hpartsch)
            Votes: 5
            Watchers: 9