This content applies only to CloudBees CI on modern cloud platforms.
In the CloudBees CI on modern cloud platforms trust model, build agents are not trusted.
This information applies to CloudBees CI on modern cloud platforms 2.222.1.1 and later.
Managed controllers can only manage build agents in a separate namespace, so a managed controller cannot affect the runtime of other controllers; build agents in that shared namespace can, however, interfere with builds started by other controllers. Build agents can be scheduled only with service accounts that are defined in the agent namespace.
For more information about configuring the necessary role and role binding for serviceaccount/jenkins, refer to Provisioning agents in a separate Kubernetes cluster from a managed controller.
If you install the Helm chart with the value Agents.SeparateNamespace.Enabled=true, you can have:
- One namespace with operations center and managed controllers
- One namespace with all build agents
CloudBees strongly recommends that you configure Pod Security Admission (PSA), which limits pod privileges to enforce security in the cluster. For most practical use cases, the baseline profile is sufficient.
CloudBees recommends the following additional security considerations:
- Deny team members administrative rights to their managed controllers. This allows managed controllers to be used as a security boundary between teams.
- Enable Network Policies. They control network access between pods and namespaces so that only legitimate interactions are allowed.
- Run any build agents that require Kubernetes privileges in a separate namespace.
- Run any build agents that require container privileges in a separate node pool.
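The following manifest is an added example, not part of the CloudBees documentation or Helm chart, showing how the PSA baseline profile and a Network Policy can be applied to the build agent namespace described above. It assumes the namespace names cloudbees-core (operations center and managed controllers) and cloudbees-agents (build agents); both are placeholders.

```yaml
# Added example, not from the CloudBees documentation. Assumed namespace names:
# "cloudbees-core" (operations center and managed controllers) and
# "cloudbees-agents" (build agents); adjust to your Helm release values.
apiVersion: v1
kind: Namespace
metadata:
  name: cloudbees-agents
  labels:
    # Pod Security Admission: reject agent pods that exceed the baseline profile
    # (hostPath, hostNetwork, privileged containers, unsafe sysctls, ...)
    pod-security.kubernetes.io/enforce: baseline
    pod-security.kubernetes.io/enforce-version: latest
    # Surface (but do not block) anything that would fail "restricted"
    pod-security.kubernetes.io/warn: restricted
    pod-security.kubernetes.io/audit: restricted
---
# Agent pods may receive connections only from the controller namespace, and
# may open connections only to DNS and to the controller namespace (agents
# initiate the agent-to-controller connection). Add egress rules for your
# SCM and artifact hosts; without them builds cannot fetch sources.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: agents-isolation
  namespace: cloudbees-agents
spec:
  podSelector: {}            # applies to every pod in the agents namespace
  policyTypes:
    - Ingress
    - Egress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: cloudbees-core
  egress:
    - to:
        - namespaceSelector: {}   # cluster DNS, wherever it runs
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: cloudbees-core
```

Both resources take effect only on a cluster with the PodSecurity admission controller enabled and a CNI plugin that enforces NetworkPolicy; apply them with kubectl apply -f before scheduling agents into the namespace.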