Introduction
Architecture for modern cloud platforms
Architecture for traditional platforms
Train your team
Onboarding for modern cloud platforms
Onboarding for traditional platforms
Modern cloud platforms
IntroductionValidating Kubernetes requirements
Traditional platforms
AKS installation
IntroductionPre-installation requirementsInstallingUninstalling
AWS ECR installation
Amazon EKS installation
IntroductionSystem requirementsInstallingUninstalling
GKE installation
IntroductionPre-installation requirementsInstallingUninstalling
Kubernetes installation
IntroductionPre-installation requirementsInstallingUninstalling
OpenShift installation
IntroductionPre-installation requirementsInstallingUninstalling
TKGI installation
IntroductionPre-installation requirementsInstallingUninstalling
Traditional platforms installation
IntroductionSystem requirementsInstalling Operations CenterInstalling Client MastersInstalling build agentsVerifying build componentsHigh Availability
Troubleshooting installation
IntroductionHigh Availability installation troubleshooting
Modern cloud platforms upgrade
Traditional platforms upgrade
Modern cloud platforms
IntroductionUsing WebSockets to connect masters to operations centerConnecting inbound agentsLaunching inbound agentsSetting up HTTPS for GKE
Traditional platforms
IntroductionConnecting a Client Master to operations centerInstalling build agents
Modern cloud platforms
IntroductionGetting startedNavigating the operations centerUsing CloudBees CI TeamsDeploying on multiple Kubernetes clustersManaging MastersManaged Masters in specific Kubernetes namespacesAdding External Client MastersManaging agentsShared agentsShared configurationShared cloud configurationTrigger restrictionsChanging NFS storage locationQuiet startCross Team CollaborationExternal HTTP EndpointsMove/Copy/PromoteCluster-wide copy artifactsCluster operationsCluster-wide job triggersJava web start agentsUsing KanikoSidecar injector for self-signed certificates on KubernetesSidecar injector for self-signed certificates on OpenShiftUsing auto-scaling nodes on EKSUsing auto-scaling nodes on GKEAmazon Web Services CLI PluginCloud Foundry CLI PluginIntegrate OpenShift CLIServiceNow integrationCreating projects based on GitHub repository structureUsing GitHub App authenticationUsing wiki markup languages in descriptionsBest practices when building container images
Traditional platforms
IntroductionGetting startedNavigating the Operations CenterAdding External Client MastersManaging Client MastersManaging agentsShared agentsShared configurationShared cloud configurationTrigger restrictionsQuiet startCross Team CollaborationExternal HTTP EndpointsMove/Copy/PromoteCluster-wide copy artifactsCluster operationsCluster-wide job triggersJava web start agentsServiceNow integrationCreating projects based on GitHub repository structureUsing GitHub App authenticationUsing wiki markup languages in descriptions
Modern cloud platforms
IntroductionTrust modelCentrally managing security for mastersCyberark Credential Provider PluginEnabling advanced use cases: cross master triggers and bulk operationsRestricting access and delegating administration with Role-Based Access ControlCreating secure folders with Role-Based Access Control Auto ConfigurerRestricting jobs to run as a specific user using Role-Based Access Control and Authorize Project pluginSetting up operations center access controlsSetting up access controls on connected mastersFolders PlusInjecting secrets into buildsManaging build agents with Nodes Plus pluginExtended security settingsEnhanced credentials maskingUnderstanding Beekeeper security warningsPreventing unauthorized interaction between buildsSecurity recommendationsUsing single sign-on (SSO)operations center specific permissionsAuthentication mappingExample configurationsDelegating administrationData collection for the CloudBees Analytics PluginExternal secrets managementList of URLs that need accessReplacing an expired certificateServing resources from Jenkins
Traditional platforms
IntroductionConfiguring network requirementsCentrally managing security for mastersCyberark Credential Provider PluginEnabling advanced use cases: cross-master triggers and bulk operationsRestricting access and delegating administration with Role-Based Access ControlCreating secure folders with Role-Based Access Control Auto ConfigurerRestricting jobs to run as a specific user using Role-Based Access Control and Authorize Project pluginFolders PlusInjecting secrets into buildsManaging build agents with Nodes Plus pluginUnderstanding Beekeeper security warningsPreventing unauthorized interaction between buildsSecurity recommendationsExtended security settingsUsing single sign-on (SSO)Operations Center specific permissionsAuthentication mappingExample configurationsDelegating administrationData collection for the CloudBees Analytics PluginExternal secrets managementList of URLs that need accessServing resources from Jenkins
Generating a support bundle
Backup and restore
Jenkins CLI tool
Plugins
Pipelines
Creating metric-based alerts
Elasticsearch Reporter
Enable GC logging of Masters
Modern cloud platforms
IntroductionExample implementation with Datadog
CasC for controllers
IntroductionGetting startedCreating a bundleAdding a bundle to operations centerUpdating a bundleConfiguring bundle availabilitySetting up a managed controllerSetting up a client controllerCreating foldersConfiguring RBACDetermining plugin compatibilityCasC HTTP API endpointsCasC CLI commandsAdvanced topicsTroubleshooting
SCM Integration
IntroductionEnabling actionable build notifications in GitHub and BitbucketConfiguring CloudBees SCM Reporting notifications
Slack Integration
IntroductionSetting up actionable build notifications in SlackConfiguring CloudBees Slack Integration usersConfiguring CloudBees Slack Integration notifications
Microsoft Teams Integration
IntroductionSetting up actionable build notifications in Microsoft TeamsConfiguring CloudBees Microsoft Teams Integration usersConfiguring CloudBees Microsoft Teams Integration notifications
Azure Kubernetes Service (AKS)
AWS
EKS
GKE
Kubernetes
TKGI
CloudBees Jenkins JVM troubleshooting
Performance decision tree for troubleshooting
Troubleshooting memory leaks
Troubleshooting file and thread leaks
Kubernetes on AWS EKS
Azure Kubernetes Service (AKS)
Kubernetes on GKE
Kubernetes on AWS
Kubernetes on-premise and OpenShift
Kubernetes on VMware Tanzu Kubernetes Grid Integrated Edition
Traditional platforms
Support policies
Feature comparison

Configuring RBAC with CasC

4 minute readScalabilityAutomation

You can configure global role-based access control (RBAC) by adding the rbac.yaml file to the configuration bundle. Additionally, the authorizationStrategy attribute must be added to the jenkins.yaml file.

Prerequisites

The following software and plugins must be installed to use RBAC with CasC:

Required setup

You can define groups and roles at the controller-level using the Configuration as Code (CasC) for Controllers rbac.yaml file.

  • Controller authorization strategy: To apply RBAC settings (rbac.yaml) to a controller using CasC, the controller’s authorization strategy must not be inherited from operations center. For more information, see Configuring the controller authorization strategy.

  • User management: Users need to be created in your CloudBees CI system either by an identity provider (like LDAP) or manually. The examples below assume the users exist.

  • Item management: To apply RBAC groups and/or roles to items, the CasC configuration bundle must include an items.yaml file with the defined items. For more information, refer to Creating items with CasC for controllers.

Configuring the controller authorization strategy

To apply RBAC settings (rbac.yaml) to an individual controller using Configuration as Code (CasC) for Controllers, the controller’s authorization strategy must not be inherited from the operations center.

If groups and roles are defined in the operations center or if RBAC is only used with the items.yaml file, you do not need to opt out of inheriting the operations center’s authorization strategy.

To configure the controller authorization strategy:

  1. Ensure you are signed in to the operations center as a user with the Administer permission.

  2. From the operations center dashboard, in the left pane, select Manage Jenkins.

  3. Select Configure Global Security.

  4. Scroll down to Client controller security and select Allow client controllers to opt-out.

  5. Select Save.

    For more information on how to customize the authorization strategy for an individual controller, refer to Configuring SSO in operations center.

  6. From the operations center dashboard, select the down arrow to the right of your controller’s name, and then select Configure.

    Controller dropdown menu
    Figure 1. Controller dropdown menu

  7. Scroll down to Security Setting Enforcement and select either Enforce Authentication only or Opt out of all security enforcement.

    For more information on how to customize the authorization strategy for an individual controller, refer to Configuring options for individual controllers.

Exporting RBAC configurations

You can export role-based access control (RBAC) configurations from an existing controller. For more information, refer to Exporting a CasC configuration.

The exported file should be used as a starting point, as it may require modifications and adjustments to make it production-ready.

Example CasC configuration bundle with RBAC

For this example, we will create four groups:

  1. Administer: Full permissions on the controller.

  2. Manager: Can manage the controller with the Overall.MANAGE permission.

  3. Developer: Can create pipelines/jobs and use them.

  4. Browser: Read only users.

bundle.yaml

apiVersion: "1"
id: "0-casc-with-rbac"
description: "Bundle demo with rbac"
version: "1"
plugins:
  - "plugins.yaml"
jcasc:
  - "jenkins.yaml"
catalog:
  - "plugin-catalog.yaml"
rbac:
  - "rbac.yaml"

plugins.yaml

plugins:
- {id: configuration-as-code}
- {id: cloudbees-casc-api}
- {id: manage-permission}
- {id: nectar-rbac}

plugin-catalog.yaml

type: "plugin-catalog"
version: "1"
name: "cloudbees-assurance-program-extensions"
displayName: "Extensions to the CloudBees Assurance Program (CAP)"
configurations:
- description: "Extensions to the CAP"
  includePlugins:
    manage-permission: (1)
      version: 1.0.1 (2)
1Add the manage-permission plugin to enable the Overall/Manage permission. This plugin is not required to configure RBAC with CasC.
2Replace 1.0.1 with most recent version.

jenkins.yaml

jenkins:
  systemMessage: "Configured automatically by Configuration as Code - with RBAC \n\n"
  authorizationStrategy: "cloudBeesRoleBasedAccessControl" (1)
1Mandatory to use CloudBees RBAC configured with CasC.

rbac.yaml

removeStrategy:
  rbac: "SYNC" (1)
groups:
- name: Administrators
  members:
    users:
    - admin-user
  roles:
  - name: administer-role
    grantedAt: current (2)
    propagates: 'false'
- name: Managers
  members:
    users:
    - manager-user
  roles: (3)
  - name: manager-role
    grantedAt: current
- name: Developers
  members:
    users:
    - dev-user
    internal_groups: (4)
    - managers
    external_groups:
    - ldap-developers
  roles: (5)
  - name: developer-role
    grantedAt: child
- name: Browsers
  members:
    users:
    - read-user
    internal_groups:
    - Administrators
    - Managers
    - Developers
  roles: (6) (7)
  - name: browser-role
roles:
- name: administer-role
  filterable: 'false'
  permissions:
  - hudson.model.Hudson.Administer
- name: manager-role
  filterable: 'false'
  permissions:
  - hudson.model.Hudson.Manage
  - hudson.model.Hudson.Read
- name: developer-role
  filterable: 'true'
  permissions: (8)
  - hudson.model.Hudson.Read
  - hudson.model.View.Delete
  - hudson.model.Item.Promote
  - hudson.model.View.Configure
  - hudson.model.Item.Configure
  - hudson.model.Item.Cancel
  - hudson.model.Item.Read
  - hudson.model.Item.Build
  - hudson.model.Item.Discover
  - hudson.model.Hudson.Read
  - hudson.model.Item.Create
  - hudson.model.View.Read
  - hudson.model.View.Create
  - hudson.model.Item.Delete
- name: browser-role
  filterable: 'true'
  permissions:
  - hudson.model.Hudson.Read
- name: authenticated (9)
  filterable: false
  permissions:
  - hudson.model.Hudson.Read
- name: anonymous (10)
  filterable: 'false'
1For security reasons, SYNC is here to remove groups/roles from CloudBees Continuous Integration when they are removed from this file.
2Other options that could be used here include: "child" or "grandchild".
3If propagates is not included, the default value is "true".
4Team managers are also members of the developer group.
5If propagates is not included, the default value is "true".
6If grantedAt is not included, the default value is "current".
7If propagates is not included, the default value is "true".
8The list of permissions (Permission.id) to grant this role.
9Overriding RBAC embedded role to lower the permissions.
10Overriding RBAC embedded role to lower the permissions. If there isn’t list of permissions included, the role has no permissions.
Creating folders
Determining plugin compatibility