public_git
/
kubernetes-operator
mirror of https://github.com/jenkinsci/kubernetes-operator.git
1
0
Fork 0
Code Issues Releases Wiki Activity

Merge pull request #55 from jakalkhalili/v0.2.0 

#52 Add notice about rbac
This commit is contained in:
Tomasz Sęk 2019-07-15 16:51:26 +02:00 committed by GitHub
parent ba3da3502a c9f39e9de4
commit 0eae2988b8
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 54 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

53
docs/security.md
View File

@ -34,6 +34,59 @@ Kubernetes API permissions are limited by the following roles:
- [jenkins-operator role](../deploy/role.yaml) - [jenkins-operator role](../deploy/role.yaml)
- [Jenkins Master role](../pkg/controller/jenkins/configuration/base/resources/rbac.go) - [Jenkins Master role](../pkg/controller/jenkins/configuration/base/resources/rbac.go)
Since **jenkins-operator** must be able to grant permission for its' deployed Jenkins masters to spawn pods (the `Jenkins Master role` above),
the operator itself requires permission to create RBAC resources (the `jenkins-operator role` above).
Deployed this way, any subject which may create a Pod (including a Jenkins job) may
assume the `jenkins-operator` role by using its' ServiceAccount, create RBAC rules, and thus escape its granted permissions.
Any namespace to which the `jenkins-operator` is deployed must be considered to implicitly grant all
possible permissions to any subject which can create a Pod in that namespace.
To mitigate this issue **jenkins-operator** should be deployed in one namespace and the Jenkins CR should be created in separate namespace.
To achieve it change watch namespace in https://github.com/jenkinsci/kubernetes-operator/blob/master/deploy/operator.yaml#L25
## Setup Jenkins Operator and Jenkins in separated namespaces
You need to create two namespaces, for example we'll call them **jenkins** for Jenkins and **jenkins-operator** for Jenkins Operator.
```bash
$ kubectl create ns jenkins-operator
$ kubectl create ns jenkins
```
Next, apply the RBAC manifests for **jenkins-operator** namespace
```bash
$ kubectl -n jenkins-operator apply -f deploy/service_account.yaml
$ kubectl -n jenkins-operator apply -f deploy/role_binding.yaml
```
Create file role_binding_jenkins.yaml in `deploy` folder:
```yaml
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: jenkins-operator
namespace: jenkins
subjects:
- kind: ServiceAccount
name: jenkins-operator
namespace: jenkins-operator
roleRef:
kind: Role
name: jenkins-operator
apiGroup: rbac.authorization.k8s.io
```
Then, apply RBAC rules for **jenkins** namespace
```bash
$ kubectl -n jenkins apply -f deploy/role.yaml
$ kubectl -n jenkins apply -f role_binding_jenkins.yaml
```
Finally, you must create operator pod by:
```bash
$ kubectl -n jenkins -n jenkins-operator apply -f deploy/operator.yaml
```
## Report a Security Vulnerability ## Report a Security Vulnerability
If you find a vulnerability or any misconfiguration in Jenkins, please report it in the [issues](https://github.com/jenkinsci/kubernetes-operator/issues). If you find a vulnerability or any misconfiguration in Jenkins, please report it in the [issues](https://github.com/jenkinsci/kubernetes-operator/issues).

2
pkg/controller/jenkins/client/jenkins.go
View File

@ -98,7 +98,7 @@ func BuildJenkinsAPIUrl(namespace, serviceName string, portNumber int32, local,
} }
// Connect through Kubernetes service, operator has to be run inside cluster // Connect through Kubernetes service, operator has to be run inside cluster
return fmt.Sprintf("http://%s:%d", serviceName, portNumber), nil return fmt.Sprintf("http://%s.%s:%d", serviceName, namespace, portNumber), nil
} }
// New creates Jenkins API client // New creates Jenkins API client