Trust model for CloudBees CI on modern cloud platforms

In the CloudBees CI on modern cloud platforms trust model, managed controller administrators are trusted, but build agents are not trusted.

This information applies to CloudBees CI on modern cloud platforms and later.

Managed controllers can manage build agents only in a separate namespace, so they cannot affect the runtime of other controllers. They can, however, interfere with builds started by other controllers. Build agents can be scheduled only with service accounts that are defined in that separate namespace.

For more information about configuring the necessary role and role binding for serviceaccount/jenkins, refer to Provisioning agents in a separate Kubernetes cluster from a managed controller.

If you install the Helm chart with the value Agents.SeparateNamespace.Enabled=true, you can have:

  • One namespace with operations center and managed controllers

  • One namespace with all build agents

CloudBees recommends the following additional security considerations:

  • Enable Pod Security Policies on the cluster. They limit container privileges so that a container cannot compromise the host it is running on.

  • Do not give team members administrative rights to their managed controllers. This enables managed controllers to be used as a security boundary between teams.

  • Enable Network Policies. They control network access between pods and namespaces, limiting traffic to permitted interactions.

  • Run any build agents that require Kubernetes privileges in a separate namespace.

  • Run any build agents that require container privileges in a separate node pool.
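
The following manifests are an added illustration, not CloudBees' own configuration, of the two-namespace layout and the Network Policy recommendation above: a Role and RoleBinding that let serviceaccount/jenkins manage pods only in the agents namespace, plus a default-deny ingress policy for agent pods. The namespace names ci-controllers and ci-agents, the object names, and the verb list are assumptions; the policy also assumes that agents open the connection to their controller and that the cluster's network plugin enforces NetworkPolicy.

```yaml
# Added example. Namespace and object names are hypothetical placeholders.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: jenkins-agents          # hypothetical name
  namespace: ci-agents          # hypothetical: the namespace with all build agents
rules:
  # Assumed permission set for launching agent pods; trim to what pipelines need.
  - apiGroups: [""]
    resources: ["pods", "pods/exec"]
    verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
  - apiGroups: [""]
    resources: ["pods/log"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: jenkins-agents
  namespace: ci-agents          # the binding lives where the agents run
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: jenkins-agents
subjects:
  - kind: ServiceAccount
    name: jenkins               # serviceaccount/jenkins, as named on this page
    namespace: ci-controllers   # hypothetical: operations center and controllers
---
# Default-deny ingress: no pod may open a connection to an agent pod.
# Assumes agents dial out to their controller, so egress is left unrestricted.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-ingress-to-agents  # hypothetical name
  namespace: ci-agents
spec:
  podSelector: {}               # empty selector matches every pod in the namespace
  policyTypes: ["Ingress"]
```

Because the grant is a namespaced Role bound only in ci-agents, it gives the service account no rights over pods in ci-controllers. Every controller that uses this service account can still act on any agent pod in ci-agents, which is the cross-controller build interference the trust model describes.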