[JIRA] (JENKINS-56049) Limit pods' access to cluster resources


erikah@netcompany.com (JIRA)

Feb 8, 2019, 5:15:02 AM
to jenkinsc...@googlegroups.com
Erik Aaron Hansen created an issue
 
Jenkins / Improvement JENKINS-56049
Limit pods' access to cluster resources
Issue Type: Improvement
Assignee: Carlos Sanchez
Components: kubernetes-plugin
Created: 2019-02-08 10:14
Labels: security kubernetes-plugin namespace
Priority: Critical
Reporter: Erik Aaron Hansen

The kubernetes-plugin for Jenkins requires that the Jenkins master can access the api-server for, among other things, creating pods. This means that if Jenkins slaves use the same service account as the Jenkins master, users can grant themselves cluster permissions they are not authorised to have. We already have the ability to make job pods spawn in another namespace (through cloud - kubernetes namespace), which would solve this. Unfortunately, nothing prevents a user from creating a job where they override this value. We want an option to be able to disallow use of the podTemplate field allowing them to configure what namespace to run pods in. 

 
This message was sent by Atlassian Jira (v7.11.2#711002-sha1:fdc329d)

jglick@cloudbees.com (JIRA)

Jul 16, 2019, 3:43:42 PM
to jenkinsc...@googlegroups.com
Jesse Glick assigned an issue to Unassigned
Change By: Jesse Glick
Assignee: Carlos Sanchez