New Feature
Resolution: Unresolved
Minor
When creating jobs, users can specify the node they want to use with labels; if they don't specify labels, the default node is taken.
For security reasons, when running jobs from pull requests we would want to limit which jobs can run on which nodes.
Some nodes have powerful permissions on AWS, like access to production resources.
If any job can use that node, it exposes a security vulnerability.
We run jobs from pull requests; if someone uses an incorrect label, they can have access to the production environment.
This is even worse for open source projects, where everyone can submit a pull request: if the Jenkinsfile (with the pipeline and the node definition) can request using a node with high permissions, it exposes a security issue.
My suggestion is to add a configuration for the nodes using a regular expression for the job names that can use that node.
This will allow the admin to create the jobs and restrict the access to the nodes with high access permissions.
So just as the job can choose which nodes it wants to run on, the node can limit which jobs it allows to run.
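A model of the node-side check suggested above, as an added example (not part of the original issue, not Jenkins code and not an existing Jenkins setting). The `allowed_jobs` field, the node names and the job names are hypothetical, and requiring the pattern to match the whole job name, and treating an unlabeled job as eligible for any node that accepts it, are assumptions about how such a setting would be applied.

```python
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Node:
    name: str
    labels: frozenset
    # Hypothetical per-node setting: regex of job names allowed to run here.
    # None means the node is unrestricted.
    allowed_jobs: Optional[str] = None


def node_accepts(node: Node, job_name: str) -> bool:
    """Node-side check: the whole job name must match the node's pattern."""
    if node.allowed_jobs is None:
        return True
    # fullmatch, not search: an unanchored match would admit any job whose
    # name merely contains an allowed name.
    return re.fullmatch(node.allowed_jobs, job_name) is not None


def eligible_nodes(job_name: str, label: Optional[str], nodes) -> list:
    """Names of nodes that carry the requested label and accept the job.

    With label=None (job did not request a label) every node is a candidate,
    but a restricted node still rejects jobs outside its pattern.
    """
    return [
        n.name
        for n in nodes
        if (label is None or label in n.labels) and node_accepts(n, job_name)
    ]


# Constructed sample data: one ordinary builder and one node with production
# AWS permissions that only admits the main and release-N branch jobs.
NODES = [
    Node("builder-1", frozenset({"linux"})),
    Node("prod-deployer", frozenset({"linux", "aws-prod"}),
         r"myorg/myapp/(main|release-\d+)"),
]

if __name__ == "__main__":
    for job, label in [("myorg/myapp/main", "aws-prod"),
                       ("myorg/myapp/PR-42", "aws-prod"),
                       ("myorg/myapp/PR-42", None)]:
        print(job, label, "->", eligible_nodes(job, label, NODES))
```

The pull-request job gets no node when its Jenkinsfile asks for the `aws-prod` label, because the decision is made from the node's configuration rather than from anything the pull request controls.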