In the CloudBees CI on modern cloud platforms trust model, managed controller administrators are trusted, but build agents are not trusted.
This information applies to CloudBees CI on modern cloud platforms 2.222.1.1 and later. |
Managed controllers can only manage build agents in another namespace so that they can’t affect the runtime of other controllers, but they can interfere with builds started by other controllers. Build agents can be scheduled only with service accounts that are defined in the other namespace.
For more information about configuring the necessary role and role binding for serviceaccount/jenkins
, refer to Provisioning agents in a separate Kubernetes cluster from a managed controller.
If you install the Helm chart with the value Agents.SeparateNamespace.Enabled=true
, you can have:
-
One namespace with operations center and managed controllers
-
One namespace with all build agents
CloudBees recommends the following additional security considerations:
-
Configure Pod Security Admission, which limits pod privileges to enforce security in your cluster.
-
Deny team members from having administrative rights to their managed controllers. This enables managed controllers to be used as a security boundary between teams.
-
Enable Network Policies. It controls network access between pods and namespaces to limit interactions to legal interactions.
-
Run any build agents that require Kubernetes privileges in a separate namespace.
-
Run any build agents that require container privileges in a separate node pool.