From 431484882fda7529b7c0cfdebc014c52e1f666ea Mon Sep 17 00:00:00 2001 From: Jakub Al-Khalili Date: Mon, 15 Jul 2019 15:34:23 +0200 Subject: [PATCH] #52 Add notice about rbac --- docs/security.md | 47 +++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 47 insertions(+) diff --git a/docs/security.md b/docs/security.md index f5a28889..7c663003 100644 --- a/docs/security.md +++ b/docs/security.md @@ -34,6 +34,53 @@ Kubernetes API permissions are limited by the following roles: - [jenkins-operator role](../deploy/role.yaml) - [Jenkins Master role](../pkg/controller/jenkins/configuration/base/resources/rbac.go) +Since **jenkins-operator** must be able to grant permission for its' deployed Jenkins masters to spawn pods (the `Jenkins Master role` above), +the operator itself requires permission to create RBAC resources (the `jenkins-operator role` above). +Deployed this way, any subject which may create a Pod (including a Jenkins job) may +assume the `jenkins-operator` role by using its' ServiceAccount, create RBAC rules, and thus escape its granted permissions. +Any namespace to which the `jenkins-operator` is deployed must be considered to implicitly grant all +possible permissions to any subject which can create a Pod in that namespace. + +To mitigate this issue **jenkins-operator** should be deployed in one namespace and the Jenkins CR should be created in separate namespace. +To achieve it change watch namespace in https://github.com/jenkinsci/kubernetes-operator/blob/master/deploy/operator.yaml#L25 + +## Setup Jenkins Operator and Jenkins in separated namespaces + +You need to create two namespaces, for example we'll call them **jenkins** for Jenkins and **jenkins-operator** for Jenkins Operator. +```bash +$ kubectl create ns jenkins-operator +$ kubectl create ns jenkins +``` + +Next, apply the RBAC manifests +```bash +$ kubectl -n jenkins apply -f deploy/role.yaml +$ kubectl -n jenkins -n jenkins-operator apply -f deploy/service_account.yaml +$ kubectl -n jenkins -n jenkins apply -f deploy/role_binding.yaml +``` + +Then, you must create operator pod by: +```bash +$ kubectl -n jenkins -n jenkins-operator apply -f deploy/operator.yaml +``` + +To combine pods, you must modify RoleBindings. You can use this example YAML to bind: +```yaml +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: jenkins-operator + namespace: jenkins +subjects: +- kind: ServiceAccount + name: jenkins-operator + namespace: jenkins-operator +roleRef: + kind: Role + name: jenkins-operator + apiGroup: rbac.authorization.k8s.io + ``` + ## Report a Security Vulnerability If you find a vulnerability or any misconfiguration in Jenkins, please report it in the [issues](https://github.com/jenkinsci/kubernetes-operator/issues).