jenkins: RBAC for K8s Credentials Provider

The [Kubernetes Credentials Provider][0] plugin for Jenkins allows Jenkins to expose Kubernetes Secret resources as Jenkins Credentials. Jobs can use them like normal Jenkins credentials, e.g. using `withCredentials`, `sshagent`, etc. The only drawback is that every credential exposed this way is available to every job, at least until [PR #40][1] is merged. Fortunately, jobs managed by this Jenkins instance are all trusted; no anonymous pull requests are possible, so the risk is mitigated. [0]: https://jenkinsci.github.io/kubernetes-credentials-provider-plugin/ [1]: https://github.com/jenkinsci/kubernetes-credentials-provider-plugin/pull/40
2023-11-10 15:27:38 -06:00
parent 29150f54bb
commit 12d3c32855
1 changed files with 30 additions and 0 deletions
--- a/jenkins/jenkins.yaml
+++ b/jenkins/jenkins.yaml
@@ -43,6 +43,22 @@ spec:
    requests:
      storage: 20Gi

+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: jenkins
+  namespace: jenkins
+rules:
+- apiGroups:
+  - ''
+  resources:
+  - secrets
+  verbs:
+  - get
+  - list
+  - watch
+
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
@@ -59,6 +75,20 @@ rules:
  verbs:
  - '*'

+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: jenkins
+  namespace: jenkins
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: jenkins
+subjects:
+- kind: ServiceAccount
+  name: jenkins
+
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding