open shift service account - unix1998/technical_notes GitHub Wiki
When using Jenkins to deploy to an OpenShift cluster, we generally need to give Jenkins credentials that allow it to perform the necessary actions within the cluster. The role and permissions required depend on the tasks Jenkins will be performing; the built-in roles and service accounts below are the usual candidates.
- Cluster Administrator: Granting Jenkins the `cluster-admin` role gives it the highest level of access and lets it perform any action anywhere in the cluster. This is not recommended: a compromised Jenkins job, plugin or stored credential would then compromise the whole cluster.
- Deployer: Every OpenShift project is created with a `deployer` service account that holds the `system:deployer` role. It can manage the resources involved in rolling out a deployment within that project, but not all resources.
- Builder: The `builder` service account holds the `system:image-builder` role, which is used for building images and running build configurations (pushing the result to the project's image streams). If Jenkins runs OpenShift builds, this role may be required.
- Default: The `default` service account, used by pods that do not request another one, has only basic permissions within a project and is too limited for deployment purposes.
- Pipeline: OpenShift has no built-in role named `pipeline`; this note uses the term for the combination of `system:deployer` and `system:image-builder` bound to one service account (see the commands below). Together they cover creating and managing builds, deployments and related resources within a single project.
- Least Privilege Principle: Always grant the least privilege Jenkins needs to perform its tasks. A namespaced binding limits the blast radius if the token stored in Jenkins is ever leaked.
- Project-Specific Roles: Assign Jenkins the `deployer` or `pipeline` role (or the built-in `edit` role) within the specific project or namespace it will be working in, using a RoleBinding rather than a ClusterRoleBinding. This limits the scope of Jenkins' access and is generally sufficient for deployment tasks.
- Create a Service Account: In OpenShift, create a service account specifically for Jenkins rather than reusing `default`, `builder` or `deployer`, so that its permissions and token can be managed and revoked independently:
  oc create serviceaccount jenkins-deployer -n <project>
- Assign Role to the Service Account: Bind the appropriate role to the service account in that project only (`add-role-to-user` with `-n` creates a RoleBinding in that namespace, not a cluster-wide binding). For the `edit` role:
  oc adm policy add-role-to-user edit system:serviceaccount:<project>:jenkins-deployer -n <project>
  The same binding can be written with the service-account shorthand:
  oc adm policy add-role-to-user edit -z jenkins-deployer -n <project>
  For the `pipeline` combination (deployer plus image-builder):
  oc adm policy add-role-to-user system:deployer system:serviceaccount:<project>:jenkins-deployer -n <project>
  oc adm policy add-role-to-user system:image-builder system:serviceaccount:<project>:jenkins-deployer -n <project>
- Configure Jenkins Credentials: Add the service account token to the Jenkins credential store.
  - Retrieve the token:
    oc sa get-token jenkins-deployer -n <project>
    On OpenShift 4.11 and later, token Secrets are no longer generated automatically for service accounts, so this command has nothing to read unless such a Secret exists, and it is deprecated in favour of `oc create token`. Either request a time-bound token,
    oc create token jenkins-deployer -n <project> --duration=24h
    or, for a long-lived token, create a Secret of type `kubernetes.io/service-account-token` annotated with `kubernetes.io/service-account.name: jenkins-deployer` and read `.data.token` from it. The token carries every permission bound to the service account, so keep it only in the Jenkins credential store and rotate it if it is ever exposed.
  - Add the token to Jenkins:
    - Go to the Jenkins Dashboard
    - Manage Jenkins → Manage Credentials → (select a domain) → Add Credentials
    - Choose "Secret text", paste the token, and give the credential an ID that your pipelines will reference
- Use Credentials in Jenkins Pipeline: Reference that credential ID in your Jenkins pipeline scripts to authenticate to the OpenShift API (for example with `oc login --token`) and interact with the cluster; never hard-code the token in a Jenkinsfile.
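The whole procedure above (dedicated service account, namespaced role binding, token, and a permission check) as one script. This is an added example and not code from the original wiki page: the project name, the `jenkins-deployer` service account name and the `edit` role are placeholders passed as arguments, and the verification step assumes `oc` is logged in as a user permitted to impersonate service accounts (for example `cluster-admin`). It goes beyond the page in two ways: it creates the token as a Secret of type `kubernetes.io/service-account-token`, which is what a long-lived Jenkins token needs on OpenShift 4.11 and later, and it uses `oc auth can-i` to confirm both that the account can deploy and that it cannot grant itself more rights or reach other projects.

```shell
#!/usr/bin/env bash
# Added example (not from the original wiki page): create a dedicated Jenkins
# service account in ONE project, bind a role via a namespaced RoleBinding,
# create a token Secret (needed on OpenShift 4.11+, where token secrets are
# no longer auto-generated) and verify with "oc auth can-i" that the account
# can deploy but cannot escalate or leave the project. Project, SA name and
# role are placeholder arguments; verification assumes "oc" is logged in as a
# user allowed to impersonate service accounts (e.g. cluster-admin).
set -eu

# RBAC subject name OpenShift uses for a service account.
sa_subject() {
  printf 'system:serviceaccount:%s:%s' "$1" "$2"
}
# ServiceAccount + RoleBinding + token Secret as one manifest. Binding a
# ClusterRole through a RoleBinding confines the grant to the project.
render_manifests() {
  project="$1"; sa="$2"; role="$3"
  cat <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ${sa}
  namespace: ${project}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ${sa}-${role}
  namespace: ${project}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ${role}
subjects:
- kind: ServiceAccount
  name: ${sa}
  namespace: ${project}
---
apiVersion: v1
kind: Secret
metadata:
  name: ${sa}-token
  namespace: ${project}
  annotations:
    kubernetes.io/service-account.name: ${sa}
type: kubernetes.io/service-account-token
EOF
}
# Ask the API server one question on the SA's behalf and compare with the
# expected verdict; anything other than yes/no (e.g. the caller may not
# impersonate) is reported as an error rather than silently read as "no".
expect_can_i() {
  expected="$1"; project="$2"; sa="$3"; shift 3
  out="$(oc auth can-i "$@" --as="$(sa_subject "$project" "$sa")" -n "$project" 2>/dev/null)" || true
  case "$out" in
    yes*) actual=yes ;;
    no*)  actual=no ;;
    *)    printf 'error: oc auth can-i %s returned: "%s"\n' "$*" "$out" >&2; return 1 ;;
  esac
  printf '%-3s (expected %s) can-i %s\n' "$actual" "$expected" "$*"
  [ "$actual" = "$expected" ]
}
# What a deploy pipeline needs, and what a leaked token must NOT be able to do.
verify_access() {
  project="$1"; sa="$2"; failed=0
  expect_can_i yes "$project" "$sa" create deployments        || failed=1
  expect_can_i yes "$project" "$sa" patch deployments         || failed=1
  expect_can_i yes "$project" "$sa" get pods                  || failed=1
  expect_can_i no  "$project" "$sa" create rolebindings       || failed=1  # no self-escalation
  expect_can_i no  "$project" "$sa" get nodes                 || failed=1  # no cluster-scoped access
  expect_can_i no  "$project" "$sa" get pods --all-namespaces || failed=1  # confined to the project
  return "$failed"
}
# The token controller fills the Secret asynchronously, so poll briefly.
# Short-lived alternative: oc create token "$sa" -n "$project" --duration=24h
read_token() {
  project="$1"; sa="$2"; token=""
  for _ in 1 2 3 4 5; do
    token="$(oc get secret "${sa}-token" -n "$project" -o jsonpath='{.data.token}' 2>/dev/null || true)"
    [ -n "$token" ] && break
    sleep 1
  done
  [ -n "$token" ] || { echo "error: token secret not populated" >&2; return 1; }
  printf '%s' "$token" | base64 -d
}
main() {
  project="$1"; sa="${2:-jenkins-deployer}"; role="${3:-edit}"
  render_manifests "$project" "$sa" "$role" | oc apply -f -
  verify_access "$project" "$sa"   # set -e: stop here, without printing a token, on any mismatch
  echo "Token for the Jenkins 'Secret text' credential (do not paste it into a Jenkinsfile):"
  read_token "$project" "$sa"; echo
}
if [ "$#" -gt 0 ]; then
  main "$@"
else
  echo "usage: $0 <project> [service-account=jenkins-deployer] [role=edit]" >&2
fi
```

Run it as `bash setup-jenkins-sa.sh <project>` (the file name is my choice). In the Jenkinsfile, consume the stored credential through the credentials binding step rather than pasting the token, for example `withCredentials([string(credentialsId: 'openshift-token', variable: 'OC_TOKEN')])` around `oc login --token="$OC_TOKEN" --server=<api-url>`; the credential ID `openshift-token` is an assumption. If any `can-i` check fails, the bound role is either too weak for the pipeline or too broad for the token you are about to hand to Jenkins, and the script stops before printing it.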
By following these steps, Jenkins will have the necessary permissions to deploy applications to the OpenShift cluster without over-privileging.