-
New Feature
-
Resolution: Unresolved
-
Major
-
latest versions of jenkins and kubernetes plugin
We use the jenkins cloudbees folder plugin to give a jenkins space per software team. They also store their own credentials in their own scoped folder. With the kubernetes plugin we would like to give each software team their own configured cloud, while using their own folder scoped credential to be used with the configured cloud
With the Kubernetes plugin the cloud configuration is stored globally, and thus also the credential. This means that scoped software teams could possibly read/misuse each other credential ID's which is bad from security perspective.
We programmatically tried changing the credential ID (using groovy) to a folder scoped credential, however this was not allowed as the routine assumes the credential is in the global credential store because of default context being set here
https://github.com/jenkinsci/kubernetes-plugin/blob/4296.v20a_7e4d77cf6/src/main/java/org/csanchez/jenkins/plugins/kubernetes/KubernetesFactoryAdapter.java#L126
And eventually being used here
https://github.com/jenkinsci/kubernetes-plugin/blob/4296.v20a_7e4d77cf6/src/main/java/org/csanchez/jenkins/plugins/kubernetes/KubernetesFactoryAdapter.java#L285
So it would be nice to store the cloud configuration without a credential (which is already possible), and then dynamically inject the credentialsId on the spot, which also provides the right folder context (from the job). Such a declarative pipeline would look something like this:
pipeline { agent { kubernetes { cloud 'team-a-cloud' credentialsId 'team-a-credential-id' yamlFile 'KubernetesPod.yaml' } } // ... stages, etc }
The credentialId and context should NOT be stored in the Cloud object as these values are temporary and only applicable for this job.
[JENKINS-73872] Folder credential injection in kubernetes cloud from declarative pipeline
Summary | Original: Dynamic credential injection | New: Dynamic credential injection kubernetes cloud |
Assignee | New: Marco [ markri ] |
Description |
Original:
We use the jenkins cloudbees folder plugin to give a jenkins space per software team. They also store their own credentials in their folder scope. With the kubernetes plugin we would like to give each software team their own configured cloud (locked to their folder)
With the Kubernetes plugin the cloud configuration is stored globally. This is fine, however the used credential ID must therefore also be in the global credential store. This means that scoped software teams could possibly read each other credential ID's which is not fine. We tried changing the credential ID (programmatically) to a folder scoped credential, however this is not allowed as the routine assumes the credential is in the global credential store: [https://github.com/jenkinsci/kubernetes-plugin/blob/master/src/main/java/org/csanchez/jenkins/plugins/kubernetes/KubernetesFactoryAdapter.java#L256] So it would be nice to store the cloud configuration without a credential (which is already possible), and then dynamically inject the credential on the spot using an extra property (in the declarative pipeline), something like this {code:java} pipeline { agent { kubernetes { cloud 'team-a-cloud' credentialId 'team-a-credential-id' yamlFile 'KubernetesPod.yaml' } } // ... stages, etc } {code} So when "credentialId" is specified it would do a dynamic lookup (in global AND folder scoped credential folder), find it and use it instead |
New:
We use the jenkins cloudbees folder plugin to give a jenkins space per software team. They also store their own credentials in their own scoped folder. With the kubernetes plugin we would like to give each software team their own configured cloud, while using their own folder scoped credential to be used with the configured cloud
With the Kubernetes plugin the cloud configuration is stored globally, and thus also the credential. This means that scoped software teams could possibly read/misuse each other credential ID's which is bad from security perspective. We programmatically tried changing the credential ID (using groovy) to a folder scoped credential, however this was not allowed as the routine assumes the credential is in the global credential store because of default context being set here [https://github.com/jenkinsci/kubernetes-plugin/blob/4296.v20a_7e4d77cf6/src/main/java/org/csanchez/jenkins/plugins/kubernetes/KubernetesFactoryAdapter.java#L126] And eventually being used here https://github.com/jenkinsci/kubernetes-plugin/blob/4296.v20a_7e4d77cf6/src/main/java/org/csanchez/jenkins/plugins/kubernetes/KubernetesFactoryAdapter.java#L285 So it would be nice to store the cloud configuration without a credential (which is already possible), and then dynamically inject the credentialsId on the spot, which also provides the right folder context (from the job). Such a declarative pipeline would look something like this: {code:java} pipeline { agent { kubernetes { cloud 'team-a-cloud' credentialsId 'team-a-credential-id' yamlFile 'KubernetesPod.yaml' } } // ... stages, etc } {code} The credentialId and context should NOT be stored in the Cloud object as these values are temporary and only applicable for this job. |
Summary | Original: Dynamic credential injection kubernetes cloud | New: Folder credential injection in kubernetes cloud from declarative pipeline |