Introduction
IntroductionPre-installation requirementsInstallVerify Docker imagesUninstall
IntroductionPre-installation requirementsInstallVerify Docker imagesUninstall
IntroductionPre-installation requirementsInstallVerify Docker imagesUninstall
IntroductionPre-installation requirementsInstallVerify Docker imagesUninstall
IntroductionPre-installation requirementsInstallVerify Docker imagesUninstall
IntroductionPre-installation requirementsInstallVerify Docker imagesUninstall
IntroductionSystem requirementsVerify Docker imagesInstall operations centerInstall client controllersVerify build componentsVerify WAR files
IntroductionHA fundamentalsGet ready for HAInstall HA on modern cloud platformsInstall HA on traditional platformsHA considerationsHigh Availability (active/passive) installation for CloudBees CI on traditional platforms
IntroductionWhat is FIPS and FIPS 140 compliance?Install CloudBees CI on modern cloud platforms in FIPS modeCAP plugin support in a FIPS 140-3 environmentConfigure the Apache™ Ant plugin for FIPS complianceConfigure the Pipeline Maven API plugin for FIPS complianceKnown FIPS incompatibilities with CloudBees CI on modern cloud platformsJenkins core: FIPS 140-3 compliant artifacts with caveatsJenkins core: Non-compliant classes and libraries
Introduction
IntroductionCommon Pipeline termsPipeline project typesCloudBees proprietary features for Pipelines
IntroductionPipeline development utilitiesDetermine plugin compatibilityPipeline best practices
IntroductionPipeline prerequisitesCreate your first PipelineSelect an agent for your Pipeline jobCreate a Pipeline from SCMCreate a Pipeline in the UIUnderstand and implement Pipeline as Code
IntroductionConfigure advanced Scripted PipelineConfigure the build stageConfigure the deploy stageConfigure optional step argumentsConfigure the test stageCreate a JenkinsfileCustomize parametersHandle failuresString interpolationUse multiple agentsWork with the environmentReuse configuration files
IntroductionManage artifacts with CloudBees Fast Archiving pluginEnable artifact traceability with fingerprintingTrigger jobs with a simple webhookRestore filesVisualize the PipelineInsert checkpointsSecure PipelinesConfigure Pipelines with user-scoped credentialsEnforce standards with Pipeline PoliciesSpecify a matrix of one or more dimensionsConvert a Freestyle project to a Declarative PipelinePipeline builds and High Availability (active/active)
IntroductionRestart aborted buildsLong-running buildsSkip next buildConsolidated Build View pluginCloudBees Quiet Start pluginCloudBees Template pluginCloudBees Workspace Caching
IntroductionTrigger a job with a notification event using Cross Team CollaborationEnable external notification events with external HTTP endpointsCluster-wide copy artifactsCluster-wide job triggers
IntroductionSet up a Pipeline Template CatalogDefine Pipeline Template CatalogsSet up a Pipeline TemplateParameter types in the template.yaml fileManage Multibranch Pipeline options in the template.yaml fileManage Pipeline Template Catalogs in bulkExample full Maven/Java app Jenkinsfile
IntroductionUse Declarative Pipeline syntaxUse Scripted Pipeline syntax
IntroductionBranch SourceBitbucketGitHubGitBranch Property StrategyExamples
CloudBees Docker Build and Publish pluginCloudBees Docker TraceabilityDocker Pipeline pluginCloudBees Docker Hub/Registry Notification plugin
Introduction
Introduction
IntroductionGet startedNavigate the operations center interfaceProvision managed controllers in multiple Kubernetes clustersProvision agents in a separate Kubernetes cluster from a managed controllerProvision a controller in a different namespaceProvision a controller in a different OpenShift project than the operations centerManage controllersManage controllers in specific Kubernetes namespacesMigrate an existing managed controller to High Availability (HA)Manage agentsManage SSH credentialsShared agentsShared configurationsShared cloud configurationTrigger restrictionsChange NFS storage locationQuiet startMove/Copy/PromoteCluster operationsInbound agentsUse Kaniko with CloudBees CIUse Buildkit with CloudBees CIUsing self-signed certificates in CloudBees CI on KubernetesSidecar injector for self-signed certificates on OpenShiftAuto-scale nodes on EKSEnable auto-scaling nodes on GKECloudBees Amazon Web Services Deploy EngineAWS CLI pluginCloud Foundry CLI PluginIntegrate OpenShift CLICloudBees CI ServiceNow integrationCreate projects based on a GitHub repository structureUse GitHub App authenticationCreate Multibranch Projects and Organization Folders with large repositoriesWikiText pluginController Lifecycle Notifications Plugin
IntroductionGet startedNavigate the operations center interfaceManage client controllersMigrate from High Availability (active/passive) to High Availability (active/active) on CloudBees CI on traditional platformsManaging agentsManage SSH credentialsShared agentsShared configurationsShared cloud configurationTrigger restrictionsQuiet startMove/Copy/PromoteCluster operationsInbound agentsCloudBees CI ServiceNow integrationCreate projects based on a GitHub repository structureUse GitHub App authenticationCreate Multibranch Projects and Organization Folders with large repositoriesWikiText plugin
Introduction
Trust model
Pod Security Admission
Centrally manage security for controllers
CyberArk Credential Provider Plugin
CloudBees HashiCorp Vault Plugin
Enable advanced use cases: Cross-controller triggers and bulk operations
Restrict access and delegate administration with Role-Based Access Control
Example RBAC configurations
Create secure folders with Role-Based Access Control Auto Configurer
Restrict job triggers
Set up operations center-level access controls
Set up access controls on connected controllers
Test the SSH connection to an agent
Configure restricted credentials with the CloudBees Restricted Credentials plugin
Folders plugin
Folders Plus plugin
Inject secrets into builds
Manage build agents with the Nodes Plus plugin
Extended security settings
Enhanced credentials masking
Understand Beekeeper security warnings
Prevent unauthorized interaction between builds
Security recommendations
Use single sign-on (SSO) in the operations center
CloudBees CI integration with Microsoft Entra ID
Operations center specific permissions
Authentication mapping
Delegate administration
Data collection for the CloudBees Analytics Plugin
Modern DevOps external secrets management
Replace an expired certificate
List of URLs that need access
Block access to URL patterns using the CloudBees Request Filter Plugin
Serve resources from Jenkins
Verify Helm charts with a signature
Introduction
Introduction$JENKINS_HOME directoryBest practices for backup and restoreBack up $JENKINS_HOME manuallyBackup a Role-Based Access Control configurationRestore backup files manuallyRestore credentialsConfigure backups using the CloudBees Backup pluginSchedule backups in the CloudBees Backup pluginRestore backups created with the CloudBees Backup pluginBackup and restore on KubernetesBackup and restore on AWSBackup and restore Kubernetes cluster resources using VeleroRun backups using cluster operations
IntroductionConfigure multiple client controllers with the Jenkins CLI toolConfigure an alias for the Jenkins CLI toolConfigure Jenkins CLI tool with non-TrustStore TLS certificates
CloudBees Inactive Items Plugin
Jenkins Health Advisor by CloudBees
CloudBees Pull Request Builder for GitHub plugin
Count and monitor user licenses with the CloudBees User Activity Monitoring plugin
CloudBees CI Catalog Plugin - Catalog tool
Introduction
CasC fundamentals
CasC requirements
CasC permissions
IntroductionGetting startedCreating a bundleConfiguring the operations center on modern platformsConfiguring the operations center on traditional platformsRetrieving bundles using SCMUpdating a bundleBundle update timing for the operations centerViewing the operations center update logCreating itemsConfiguring RBACDetermining plugin compatibilityTroubleshooting
IntroductionGetting startedCreating a bundleAdding controller bundles to the operations centerUpdating a bundleBundle update timing for controllersViewing the controller update logConfiguring bundle availabilitySetting up a client controllerSetting up a managed controllerSet up a managed controller using the CasC Bundle ServiceCreating itemsConfiguring RBACDetermining plugin compatibilityAdvanced topicsTroubleshooting
Plugin management with CasC
Create an alternate plugin download site
CasC CLI commands
CasC HTTP API
Support policies

Folders Plus plugin

8 minute readSecurityAudit and compliance

The Folders Plus plugin provides additional capabilities not available in open source Folders, including the ability to:

  • Restrict the use of agents to specific folders

  • Move jobs (or subfolders) from one folder to another (or to or from the root of Jenkins)

  • Get additional health reports for jobs within a folder

  • Set custom icons on a folder

  • Define environment variables that will be passed to the builds of all jobs within a folder

  • Display selected jobs from subfolders in a higher-level view

  • Restrict which kinds of items may be created in a folder

Controlled agents

Folders Plus controlled agents can restrict the jobs that may execute on an agent.

By default, jobs may be assigned to any labeled agent. This can be a problem when specific agents contain secrets or are intentionally task-specific.

Consider the case of a Jenkins instance shared by an operations group and multiple developer groups. The operations group has specific credentials and tools that deploy the company website into production. The operations group has configured a dedicated agent with those credentials and tools. The agent is configured to only accept jobs assigned to that specific agent. However, without Folders Plus, a developer could configure a job to run on the operations agent and copy the credentials or the tools.

Folders Plus controlled agents allow the operations group to limit their task-specific agent to jobs from specific folders.

Configure controlled agents

The first step is to configure the agent to only accept jobs from within approved folders. Agents configured to only accept jobs from within approved folders will refuse to build jobs outside those folders.

Open the configure screen of the agent and select the Only accept builds from approved folders option.

At this point, the person with permissions to configure the folder needs to create a request for a controlled agent. They need to open the folder in Jenkins and select the Controlled Agents action.

This will display the list of controlled agents assigned to the folder. We want to add a new controlled agent so select the Create request action. Confirm the request creation and the Request Key should be generated and displayed. The request key needs to be given to the person with permissions to configure the controlled agent.

At this point, the person with permissions to configure the agent needs to approve the request. They need to select the Approved Folders action from the agent and select the Controlled Agents action.

The Approved Folders screen allows for multiple tokens to be issued, a token can be used to sign multiple requests, and it is left to the administrator of the agent to decide whether they want to create a new token or use an existing token.

Creating a new token for each agent has the advantage that each approved folder can be revoked individually. Conversely, re-using an existing token allows for bulk revocation of folders.

If there are no existing tokens for approving controlled agent requests, you will need to create a new token by selecting the Create token action and confirming the creation otherwise the authorize button on any existing token can be used to authorize a request using that token. Either route should display the Authorize Request screen.

Enter the Request Key and press the Authorize button. The Request Secret should be generated and displayed. The request key needs to be given to the person with permissions to configure the folder.

At this point the person with permissions to configure the folder needs to return to the request screen and enter the Request Secret provided by the person responsible for configuring the agent and select Authorize.

Once the controlled agent request has been completed, the controlled agent should appear in the list of agents and the folder should appear on the agent.

If the person viewing the agent does not have permissions to view the folder, they will not see the folder name when viewing the agent’s status screen or list of approved folders. In this case an additional indicator will be provided detailing the number of "hidden" folders in addition to those that the user is permitted to see.

Troubleshooting

Issues with third-party plugins

To enforce that only jobs belonging to approved folders can be built on a controlled agent it is necessary to identify the job that owns any build submitted to the build queue of Jenkins. Once the job has been identified, the folder hierarchy can be traversed to see if any parent folder is on the list of approved folders.

Once of the extension points that Jenkins provides is the ability to define custom build types that can be submitted to the build queue. When a plugin author is developing such a plugin, they should ensure that the owning build type hierarchy eventually resolves to the build job to which the task belongs whenever a custom build type is associated with a build job.

In the event that a third-party plugin author has not correctly ensured that their custom build type is correctly associated with its originating job, the controlled agents functionality will be unable to identify the originating job. It consequently will refuse to let the job build on the controlled agent.

If it is critical to enable the third-party plugin to build on the agent, and the administrator accepts the risk of allowing other custom build types to run on the controlled agent, there is an advanced option that can be enabled on a per-agent basis.

Issues with builds being blocked forever

There are multiple reasons why Jenkins can block a build from executing. The controlled agent functionality adds an additional reason; however, it should be noted that when Jenkins evaluates a job for building, once it has identified a reason why the job cannot be started, it does not evaluate any of the other reasons. Therefore, when Jenkins reports the reason as to why the build is blocked, it will only report the first reason it encountered. In such cases, the user may not realize that the reason for the build being blocked is that it is not within an approved folder.

Jenkins does not re-evaluate whether builds are still blocked until an event causes a probability of jobs being executed. Such events include, but are not limited to

  • A job being added to the build queue

  • A job being removed from the build queue

  • A job completing execution

  • A node coming on-line

  • A node going off-line

If a job is submitted to the build queue and is blocked because it is not in an approved folder, it will not be re-considered for execution until one of the re-evaluation triggers occurs. Therefore, even if the folder containing the job is added to the list of approved folders, existing blocked builds will not become unblocked until a queue re-evaluation trigger is fired.

Other features

There are other smaller features available in Folders Plus.

Move

You can use the Move action to move a job, or entire subfolder, from one location to another. The configuration, build records, and so on will be physically relocated on disk.

Beware that many kinds of configuration in Jenkins refer to jobs by their relative or full path. If you move a job to a different folder, you may also need to update the configuration referring to that job.

Health reports

The base Folders plugin has a simple way of displaying a health report next to a folder in the dashboard: it simply indicates the worst status (such as failing) of any job in the folder. Folders Plus offers some alternate metrics:

  • the average health of jobs within the folder

  • whether some jobs are disabled

  • counts of jobs with different statuses, such as stable or unstable

Icons

Normally folders all have a fixed "folder" icon. Folders Plus allows you to customize this with other kinds of icons:

  • a blue, yellow, or red ball corresponding to the most broken job in the folder

  • a variety of icons packaged with Jenkins, such as that for a "package"

  • any icon you like, if you provide a URL

Environment variables

You may configure an Environment variables property on a folder giving a list of variable names and values. These will be accessible as environment variables during builds. This is a good way to define common configuration to be used by a lot of jobs, such as SCM repository locations.

Newer versions of Jenkins also allow these variables to be used during SCM polling or other contexts outside of builds.

Note: Folder environment variables will not override global environment variables (set at Manage Jenkins  Configure System  Environment variables), but Folder environment variables will override any parent Folder environment variables.

List view column

The Pull information from nested job list view column may be selected when configuring a view on a folder or at top level in Jenkins. This column allows you to display some aspect of a job (available as another kind of list view column) for every subfolder being displayed.

For example, you might have a dozen folders corresponding to different products, each containing several jobs with predictable names: build, release, and so on. You can create a view at the Jenkins root which contains all these folders as entries. Then add this kind of list view column, specifying the job name build and the standard Status list view column. Now your custom view will display all the product folders, and for each will show a blue, yellow, or red ball corresponding to the current status of the build job in that folder.

Restrict children

The Folders Plus plugin allows you to specify the types of jobs that a particular folder allows. To choose the specific job types that the folder can allow, enable Restrict the kind of children in this folder. For example, let’s make Pipeline the job type available and then add a new one.

  1. Navigate to your Jenkins dashboard.

  2. Select New Item to create a new folder called FolderSample.

    1. Select Folder as the item type.

    2. Select OK. The Configure screen displays.

    3. Select Restrict the kind of children in this folder.

    4. Select the Pipeline option.

    5. Select Save and return to the main dashboard.

      Restrict the kind of children in this folder - pipeline option
      Figure 1. Restrict the kind of children in this folder - Pipeline option

  3. Select New Item to create a new folder template called TeamFolder.

    1. Select Folder Template as the item type.

    2. Select OK. The Configure screen displays.

      1. Enter the following in the Description field: Create a Folder with restricted job types list.

      2. Configure remaining fields to your specific needs.

      3. Select Save and return to the main dashboard.

  4. Select FolderSample configure from list.

    1. Select Restrict the kind of children in this folder.

    2. Select the TeamFolder option.

    3. Select Save and return to the main dashboard.

      Restrict the kind of children in this folder - Team Folder option
      Figure 2. Restrict the kind of children in this folder - TeamFolder option

  5. Select TeamFolder configure from list.

    1. Scroll down to the Transformer section.

      1. Under Load Prototype, enter FolderSample in the Job field.

      2. Select Load.

      3. Select Save and return to the main dashboard.

  6. Select FolderSample from the list.

    1. Select Create a job, the New Item screen displays.

    2. Enter TeamARootFolder as the item name.

    3. Select the Team Folder option for the item type.

    4. Select OK.

      TeamARootFolder
      Figure 3. New Item - TeamARootFolder

      An error message may appear requesting the Transformer script be approved. Navigate back to the previous Configure page and select the Approve script button in the Transformer section.

      Script approval message

    5. Return to FolderSample page.

    6. Repeat Create a job steps.

    7. Select Save on the new folder page displayed.

  7. Continue creating folders or subfolders as the "TeamFolder" type, this ensures all folders underneath are restricted to the Pipeline and TeamFolder items only.

    FolderSample with folders
    Figure 4. FolderSample with folders
    Groups can also be assigned access to these folders.

For more information, refer to Folders plugin, Folders Template, or Restrict access and delegate administration with Role-Based Access Control.

Folders plugin
Inject secrets into builds