Say I have a Jenkins installation with multi-branch pipelines which execute on nodes which are implemented as ECS Tasks in AWS. The nodes have specific IAM roles which allow them to do certain things like access a certain secret. The coded pipelines choose the node dynamically by label. So far so good.
In this setup, Jenkins is connected through LDAP to OpenLDAP and there are groups set up. Permissions are handled through the “role based strategy”.
For the blessed branch of the pipelines there are code reviews but in theory any user can create a branch and use the coded pipeline to retrieve the secrets which the node is allowed to read.
In this situation I thought the correct way to enforce security is to prevent certain groups from running jobs on certain nodes.
How can I restrict the usage of a certain node for a certain group of users by label?
What I tried so far
Since I believe the role based strategy can assign group permissions based on the node name, and the ECS nodes get their names based on <cluster name>-<random string>, I tried to
- create a cluster with a specific name for the nodes I want to be able to restrict
- create two groups, e.g. standard and privileged
- globally deny “build” permission for standard group
- allow “build” permission for standard group on nodes named like
<non-privileged cluster name>-.*|master|Jenkins
The problem with this is that it didn’t work for master (some non-privileged pipelines need to perform tasks on the master). I got error messages like
'XXXXXXXX' lacks permission to run on 'Jenkins'
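As an added illustration (not code from the question or from the role based strategy plugin), the following Python script models the node-name-pattern check described above: each group gets a regex over node names, and a job may run on a node only if the node's name matches the group's pattern. The group names, cluster names and node names are constructed placeholders. It assumes, as a labelled assumption, that the pattern has to match the whole node name; a partial-match variant is included for comparison, since the two readings give different results for names that merely contain "Jenkins".

```python
import re

# Constructed group -> node-name pattern mapping (placeholder names, not real ones).
# The "standard" pattern mirrors the shape used in the question:
#   <non-privileged cluster name>-.*|master|Jenkins
GROUP_NODE_PATTERNS = {
    "standard": r"standard-cluster-.*|master|Jenkins",
    "privileged": r".*",
}

# Constructed node names to audit, including a controller name that differs
# from the ones listed in the pattern and a cluster name that shares the
# non-privileged prefix.
CONSTRUCTED_NODES = [
    "standard-cluster-a1b2c3",
    "privileged-cluster-d4e5f6",
    "standard-cluster-privileged-x9",
    "master",
    "Jenkins",
    "Built-In Node",
    "my-Jenkins-box",
]


def can_build_on(group, node_name, patterns=GROUP_NODE_PATTERNS, full_match=True):
    """Return True if `group` has a node pattern covering `node_name`.

    Assumption (labelled): full_match=True models a whole-name match, which is
    the stricter reading; full_match=False models a substring search.
    Groups without any pattern are denied by default.
    """
    pattern = patterns.get(group)
    if pattern is None:
        return False
    compiled = re.compile(pattern)
    if full_match:
        return compiled.fullmatch(node_name) is not None
    return compiled.search(node_name) is not None


def audit(nodes, group, patterns=GROUP_NODE_PATTERNS, full_match=True):
    """Map each node name to whether `group` may build on it."""
    return {n: can_build_on(group, n, patterns, full_match) for n in nodes}


def prefix_overlaps(pattern_prefix, nodes):
    """Node names that a '<prefix>-.*' style pattern would cover.

    Useful to spot a privileged cluster whose name happens to start with the
    non-privileged cluster's name: the prefix regex would admit it too.
    """
    compiled = re.compile(re.escape(pattern_prefix) + r"-.*")
    return [n for n in nodes if compiled.fullmatch(n)]


if __name__ == "__main__":
    for node, allowed in audit(CONSTRUCTED_NODES, "standard").items():
        print(f"standard on {node!r}: {'allowed' if allowed else 'denied'}")
    print("prefix overlaps:", prefix_overlaps("standard-cluster", CONSTRUCTED_NODES))
```

Two things the run makes visible: a `<prefix>-.*` pattern also admits any cluster whose name begins with that prefix, so cluster names used as a security boundary should not be prefixes of one another; and a node whose recorded name is not literally one of the alternatives (here the constructed "Built-In Node") is denied even though the pattern lists "master" and "Jenkins", so the exact name Jenkins reports for the controller is worth checking against the pattern.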