The kubernetes-plugin for Jenkins requires that the Jenkins master can access the api-server for, among other things, creating pods. This means that if Jenkins slaves use the same service account as the Jenkins master, users can grant themselves cluster permissions they are not authorised to have. We already have the ability to make job pods spawn in another namespace (through cloud - kubernetes namespace), which would solve this. Unfortunately, nothing prevents a user from creating a job where they override this value. We want an option to be able to disallow use of the podTemplate field allowing them to configure what namespace to run pods in. 

          [JENKINS-56049] Limit pods' access to cluster resources

          Erik Aaron Hansen created issue -
          Jesse Glick made changes -
          Assignee Original: Carlos Sanchez [ csanchez ]

          Vincent Latombe added a comment - edited

          > This means that if Jenkins slaves use the same service account as the Jenkins master, users can grant themselves cluster permissions they are not authorised to have.

          Don't run your Jenkins master as cluster-admin. Run the Jenkins instance with the bare minimum permissions to do its job.

          Vincent Latombe made changes -
          Resolution New: Not A Defect [ 7 ]
          Status Original: Open [ 1 ] New: Closed [ 6 ]
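
One way to apply the least-privilege advice in the comment above, as an added example that is not from the issue or the plugin's own documentation: the master's service account gets a namespaced Role limited to pod management in a separate agent namespace, and agent pods run under a different account with no token mounted. The namespace names, account names and the exact verb list are assumptions.

```yaml
# Added example. Namespaces "jenkins" / "jenkins-agents" and service accounts
# "jenkins" / "jenkins-agent" are assumed names, not taken from the issue.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: jenkins              # identity of the Jenkins master only
  namespace: jenkins
---
# Agent pods use their own account: no RoleBinding, no mounted token, so a
# build step cannot call the api-server with the master's identity.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: jenkins-agent
  namespace: jenkins-agents
automountServiceAccountToken: false
---
# Namespaced Role, not a ClusterRole: a job that overrides the pod namespace
# is rejected by the api-server because the master has no rights elsewhere.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: jenkins-pod-manager
  namespace: jenkins-agents
rules:
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["create", "delete", "get", "list", "watch"]
  - apiGroups: [""]
    resources: ["pods/exec"]
    verbs: ["create", "get"]
  - apiGroups: [""]
    resources: ["pods/log"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: jenkins-pod-manager
  namespace: jenkins-agents
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: jenkins-pod-manager
subjects:
  - kind: ServiceAccount
    name: jenkins
    namespace: jenkins
```

The effective permissions can be checked with `kubectl auth can-i --list --as=system:serviceaccount:jenkins:jenkins -n jenkins-agents`. Anyone who can create pods in a namespace can run them under any service account in that namespace, so the agent namespace should hold no account with more rights than builds are meant to have.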

            Assignee: Unassigned
            Reporter: Erik Aaron Hansen (erihanse)