
Restrict ability to allow privileged containers to only exist in System Configuration

    • New Feature
    • Resolution: Unresolved
    • Minor
    • kubernetes-plugin
    • None

      We'd like to be able to provide node isolation from the build containers. One major way to ensure this is to restrict the ability to create privileged containers to the Jenkins Configuration.

       

      The privileged containers can then be restricted in the manner the end user needs to prevent further abuse.

          [JENKINS-46003] Restrict ability to allow privileged containers to only exist in System Configuration

          Matthew Ludlum added a comment -

          The driving use case for this is DIND setups - allowing the docker daemon to be reachable to other containers in the pod.

          Using Authz, we can prevent the ability to abuse the DIND daemon, but we need to then restrict the ability of others to bypass this by spinning up their containers in a pod that are privileged.

          Matthew Ludlum added a comment -

          Revisiting this ticket as much has changed but still not much.

          A better idea behind this might be to define how a mutating web controller in the kubernetes space can interact with the plugin or at least its scheduling to help provide this implementation.
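
The admission-time approach raised in the last comment, as an added example (not code from the kubernetes-plugin or from the commenter): it builds a mutating-webhook AdmissionReview response that clears `privileged: true` on any container whose image is not on an administrator-approved list. The approved-image list, the image names and the sample request are constructed assumptions standing in for "defined in System Configuration".

```python
import base64
import json

# Assumption: images an administrator has approved to run privileged (constructed value).
APPROVED_PRIVILEGED_IMAGES = {"registry.example.internal/ci/dind:approved"}


def privileged_patch(pod, approved=APPROVED_PRIVILEGED_IMAGES):
    """Return JSONPatch ops that clear privileged=true on unapproved containers."""
    ops = []
    spec = pod.get("spec") or {}
    for field in ("containers", "initContainers"):
        for i, c in enumerate(spec.get(field) or []):
            sc = c.get("securityContext") or {}
            # Match on image, not container name: a name is chosen by the pod author.
            if sc.get("privileged") is True and c.get("image") not in approved:
                ops.append({"op": "replace",
                            "path": f"/spec/{field}/{i}/securityContext/privileged",
                            "value": False})
    return ops


def review(admission_review):
    """Build the AdmissionReview response for a Pod CREATE request."""
    req = admission_review["request"]
    resp = {"uid": req["uid"], "allowed": True}
    ops = privileged_patch(req["object"])
    if ops:
        resp["patchType"] = "JSONPatch"
        resp["patch"] = base64.b64encode(json.dumps(ops).encode()).decode()
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview", "response": resp}


# Constructed sample: an agent pod with one unapproved and one approved privileged container.
SAMPLE = {"request": {"uid": "constructed-uid-1", "object": {"spec": {"containers": [
    {"name": "jnlp", "image": "registry.example.internal/ci/agent:constructed"},
    {"name": "build", "image": "registry.example.internal/team/build:constructed",
     "securityContext": {"privileged": True}},
    {"name": "dind", "image": "registry.example.internal/ci/dind:approved",
     "securityContext": {"privileged": True}},
]}}}}

if __name__ == "__main__":
    print(json.dumps(privileged_patch(SAMPLE["request"]["object"]), indent=2))
```

Matching on a mutable tag is a simplification of this example; pinning approved images by digest avoids the case where a tag is repointed to a different image.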

            Unassigned
            seakip18 Matthew Ludlum
            Votes: 0
            Watchers: 5