In the CloudBees CI on modern cloud platforms trust model, managed controller administrators are trusted, but build agents are not trusted.
Note: This information applies to CloudBees CI on modern cloud platforms 18.104.22.168 and later.
managed controllers can only manage build agents in another namespace so that they can’t affect the runtime of other controllers, but they can interfere with builds started by other controllers. Build agents can be scheduled only with service accounts that are defined in the other namespace.
If you install the Helm chart with the value
Agents.SeparateNamespace.Enabled=true, you can have:
One namespace with operations center and managed controllers
One namespace with all build agents
CloudBees recommends the following additional security considerations:
Enable Pod Security Policies on the cluster. It limits container privileges to avoid compromising the host they are running on.
Deny team members from having administrative rights to their managed controllers. This enables managed controllers to be used as a security boundary between teams.
Enable Network Policies. It controls network access between pods and namespaces to limit interactions to legal interactions.
Run any build agents that require Kubernetes privileges in a separate namespace.
Run any build agents that require container privileges in a separate node pool.