New Feature
Resolution: Unresolved
Minor
None
We'd like to be able to provide node isolation from the build containers. One major way to ensure this is to restrict the ability to create privileged containers to the Jenkins Configuration.
The privileged containers can then be restricted in the manner the end user needs to prevent further abuse.
- is related to JENKINS-45680 Allow non-admins to manage kubernetes pod slaves (Open)
[JENKINS-46003] Restrict ability to allow privileged containers to only exist in System Configuration
Link | New: This issue is related to JENKINS-45680 [ JENKINS-45680 ] |
Assignee | Original: Carlos Sanchez [ csanchez ] | New: Matthew Ludlum [ seakip18 ] |
Assignee | Original: Matthew Ludlum [ seakip18 ] | New: Carlos Sanchez [ csanchez ] |
Assignee | Original: Carlos Sanchez [ csanchez ] |
The driving use case for this is DIND setups - allowing the docker daemon to be reachable to other containers in the pod.
Using Authz, we can prevent the ability to abuse the DIND daemon, but we need to then restrict the ability of others to bypass this by spinning up their containers in a pod that are privileged.
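
The restriction requested in this issue, sketched as an added example (not code from the Jenkins kubernetes plugin): a pod template may contain privileged containers only when it was defined in system configuration. The `origin` values, function names and sample pod specs are assumptions constructed for illustration; the pod spec fields follow the Kubernetes pod schema.

```python
# Added illustration; not the plugin's implementation.
# Assumption: every pod template is tagged with where it was defined.
SYSTEM = "system"      # hypothetical origin: defined by an admin in system configuration
PIPELINE = "pipeline"  # hypothetical origin: supplied by a job or pipeline author

# Every pod spec field that can carry containers, so the check cannot be
# sidestepped by moving the privileged container into an init container.
CONTAINER_FIELDS = ("containers", "initContainers", "ephemeralContainers")


def privileged_containers(pod_spec):
    """Return the names of all containers that request privileged mode."""
    found = []
    for field in CONTAINER_FIELDS:
        for container in pod_spec.get(field) or []:
            security_context = container.get("securityContext") or {}
            if security_context.get("privileged") is True:
                found.append(container.get("name", "<unnamed>"))
    return found


def check_template(origin, pod_spec):
    """Return (allowed, privileged_names).

    Privileged containers are accepted only from system-defined templates;
    any other origin is rejected as soon as one container is privileged.
    """
    names = privileged_containers(pod_spec)
    allowed = not names or origin == SYSTEM
    return allowed, names


# Constructed sample: admin-defined DIND template with a privileged daemon.
DIND_TEMPLATE = {"containers": [
    {"name": "dind", "image": "docker:dind", "securityContext": {"privileged": True}},
    {"name": "build", "image": "maven:3"},
]}

# Constructed sample: job-supplied template requesting privilege in an init container.
JOB_TEMPLATE = {
    "initContainers": [{"name": "setup", "securityContext": {"privileged": True}}],
    "containers": [{"name": "build", "image": "maven:3"}],
}

if __name__ == "__main__":
    print(check_template(SYSTEM, DIND_TEMPLATE))
    print(check_template(PIPELINE, JOB_TEMPLATE))
```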