JENKINS-68661

Recent security changes in kubernetes-plugin increase security risks.


    • Improvement
    • Resolution: Unresolved
    • Critical
    • kubernetes-plugin
    • None
    • kubernetes-plugin: 3600.v144b_cd192ca_a_

      Hi,

      I have just upgraded our kubernetes-plugin to the latest `3600.v144b_cd192ca_a_` version.
      This version includes a severe breaking change which has not been noted in the plugin upgrade. It looks like JENKINS-56687 has made it so that in order to run ANY job in the kubernetes cluster you need to configure each job via:

      Allow pipeline support for the following restricted Kubernetes Clouds 
      
      [ ] My Kubernetes Cluster

      At first glance this sounds sane and correct, but this actually creates a bigger security issue than what JENKINS-56687 is trying to solve.
       
      In previous versions you were able to configure templates in the GUI and just use `agent { label('xyz') }` which would provision the agent with all of the correct configurations. This also prevented the end user from messing around with the agent's configuration, because you were not able to use custom YAML nor `podTemplate()` to provision the agent yourself.
       
      With the current change, anybody can deploy any agent, which exposes you to much bigger threats – especially when you are running an Open Source project and are building PRs from contributors (not to mention the risk you take if you are running this on baremetal).
       
      I understand abermudez's request, but the implementation is not proper.
      What I would like to suggest is to have additional checkboxes for each cluster in the "Kubernetes Clouds" section under the job configuration:

       

      So, instead of having just `builds`, you would have something like this:

      Where:

      • use template agents - will allow you to use the agents you have configured via the GUI
      • run podTemplate agents - will allow you to use `podTemplate`
      • run raw yaml agents - will allow you to go wild and use whatever yaml you want
      • not sure if it's possible, but maybe also an option which allows Jenkins libraries to dynamically provision an agent (since Jenkins libraries are usually provisioned by the devops in the company and they would know what they're doing)

       

      This approach would allow for much better security and will also honor JENKINS-56687's specs.

            Unassigned Unassigned
            stodorov Steve Todorov
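
An added example, not part of the original report and not code from the kubernetes-plugin: a pre-merge check that classifies how a Jenkinsfile provisions its Kubernetes agent, using the three modes proposed in the issue above, and reports any mode a job's policy does not allow. The mode names, the `provisioning_modes` and `violations` helpers and the regex heuristics are assumptions; the sample Jenkinsfiles are constructed.

```python
import re

# Hypothetical mode names mirroring the checkboxes proposed in the issue.
TEMPLATE, POD_TEMPLATE, RAW_YAML = "template", "podTemplate", "raw-yaml"

# Regex heuristics, not a Groovy parser (assumption). Comments are not
# stripped, so a commented-out podTemplate is still flagged (fails closed).
_PATTERNS = {
    # agent { label('xyz') } / label 'xyz' / node('xyz'): a GUI-defined template
    TEMPLATE: re.compile(r"(?<![.\w])(?:label|node)\s*\(?\s*['\"]"),
    # podTemplate(...) { node(POD_LABEL) { ... } }
    POD_TEMPLATE: re.compile(r"(?<![.\w])podTemplate\s*\("),
    # yaml '''...''', yaml: ..., yamlFile 'pod.yaml'
    RAW_YAML: re.compile(r"(?<![.\w])yaml(?:File)?\s*(?::|\(|['\"])"),
}

def provisioning_modes(jenkinsfile):
    """Return the set of agent provisioning modes a Jenkinsfile uses."""
    return {m for m, pat in _PATTERNS.items() if pat.search(jenkinsfile)}

def violations(jenkinsfile, allowed):
    """Modes used by the Jenkinsfile that the job's policy does not allow."""
    return sorted(provisioning_modes(jenkinsfile) - set(allowed))

# Constructed sample Jenkinsfiles, one per mode.
LABEL_ONLY = """pipeline {
  agent { label('xyz') }
  stages { stage('build') { steps { sh 'make' } } }
}"""
POD_TEMPLATE_JOB = """podTemplate(containers: [containerTemplate(name: 'maven', image: 'maven:3')]) {
  node(POD_LABEL) { container('maven') { sh 'mvn -v' } }
}"""
RAW_YAML_JOB = """pipeline {
  agent { kubernetes { yaml '''
apiVersion: v1
kind: Pod
spec:
  containers:
  - name: build
    image: alpine:3
''' } }
  stages { stage('build') { steps { sh 'true' } } }
}"""

if __name__ == "__main__":
    for name, src in [("label", LABEL_ONLY), ("podTemplate", POD_TEMPLATE_JOB),
                      ("yaml", RAW_YAML_JOB)]:
        print(name, violations(src, allowed={TEMPLATE}))
```

A check like this only reviews the Jenkinsfile text in a pull request; it does not replace enforcement inside the plugin, which is what the issue asks for.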