Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-65405

Jenkins ec2 plugin should allow restricting jobs that can use nodes

    XMLWordPrintable

    Details

    • Similar Issues:

      Description

      When creating jobs they can specify the node they want to use using labels, or if they don't specify labels, the default node is taken.

      For security reasons, when running jobs from pull requests we would want to limit which jobs can run on which nodes.

      Some nodes have powerful permissions on AWS, like access to production resources.

      If any job can use that node, it exposes a security vulnerability.

      We run jobs from pull requests, if someone uses incorrect label, they can have access to production environment.

      This is even worse for open source projects, where everyone can submit a pull request, if the Jenkinsfile (with the pipeline and the node definition) can request using a node with high permissions, it exposes a security issue.

      My suggestion is to add a configuration for the nodes using a regular expression for the job names that can use that node.

      This will allow the admin to create the jobs and restrict the access to the nodes with high access permissions.

      So like the job can choose on which nodes it wants to run, the node can limit which jobs it allows to run

        Attachments

          Activity

            People

            Assignee:
            thoulen FABRIZIO MANFREDI
            Reporter:
            slavik57 Slava Shpitalny
            Votes:
            1 Vote for this issue
            Watchers:
            1 Start watching this issue

              Dates

              Created:
              Updated: