public_git
/
kubernetes-operator
mirror of https://github.com/jenkinsci/kubernetes-operator.git
1
0
Fork 0
Code Issues Releases Wiki Activity

#52 Add notice about rbac

This commit is contained in:
Jakub Al-Khalili 2019-07-15 15:34:23 +02:00
parent 0fed26b733
commit 431484882f
1 changed files with 47 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

47
docs/security.md
View File

@ -34,6 +34,53 @@ Kubernetes API permissions are limited by the following roles:
- [jenkins-operator role](../deploy/role.yaml) - [jenkins-operator role](../deploy/role.yaml)
- [Jenkins Master role](../pkg/controller/jenkins/configuration/base/resources/rbac.go) - [Jenkins Master role](../pkg/controller/jenkins/configuration/base/resources/rbac.go)
Since **jenkins-operator** must be able to grant permission for its' deployed Jenkins masters to spawn pods (the `Jenkins Master role` above),
the operator itself requires permission to create RBAC resources (the `jenkins-operator role` above).
Deployed this way, any subject which may create a Pod (including a Jenkins job) may
assume the `jenkins-operator` role by using its' ServiceAccount, create RBAC rules, and thus escape its granted permissions.
Any namespace to which the `jenkins-operator` is deployed must be considered to implicitly grant all
possible permissions to any subject which can create a Pod in that namespace.
To mitigate this issue **jenkins-operator** should be deployed in one namespace and the Jenkins CR should be created in separate namespace.
To achieve it change watch namespace in https://github.com/jenkinsci/kubernetes-operator/blob/master/deploy/operator.yaml#L25
## Setup Jenkins Operator and Jenkins in separated namespaces
You need to create two namespaces, for example we'll call them **jenkins** for Jenkins and **jenkins-operator** for Jenkins Operator.
```bash
$ kubectl create ns jenkins-operator
$ kubectl create ns jenkins
```
Next, apply the RBAC manifests
```bash
$ kubectl -n jenkins apply -f deploy/role.yaml
$ kubectl -n jenkins -n jenkins-operator apply -f deploy/service_account.yaml
$ kubectl -n jenkins -n jenkins apply -f deploy/role_binding.yaml
```
Then, you must create operator pod by:
```bash
$ kubectl -n jenkins -n jenkins-operator apply -f deploy/operator.yaml
```
To combine pods, you must modify RoleBindings. You can use this example YAML to bind:
```yaml
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: jenkins-operator
namespace: jenkins
subjects:
- kind: ServiceAccount
name: jenkins-operator
namespace: jenkins-operator
roleRef:
kind: Role
name: jenkins-operator
apiGroup: rbac.authorization.k8s.io
```
## Report a Security Vulnerability ## Report a Security Vulnerability
If you find a vulnerability or any misconfiguration in Jenkins, please report it in the [issues](https://github.com/jenkinsci/kubernetes-operator/issues). If you find a vulnerability or any misconfiguration in Jenkins, please report it in the [issues](https://github.com/jenkinsci/kubernetes-operator/issues).