Resource separation with Namespaces
This page describes how to enhance the security of running Carthago Operator for Jenkins and Jenkins on Kubernetes by deploying Operator and Jenkins instances in their own namespaces.
In the paid version, one operator instance is capable of watching multiple namespaces and Jenkins instances. It’s recommended to have separate namespaces for each of the Jenkins instances.
In this example, we will be deploying Carthago Operator for Jenkins to the carthago-op-jenkins namespace, while the Jenkins instance will be run in the jenkins namespace.
To create these namespaces run:
$ kubectl create ns carthago-op-jenkins
$ kubectl create ns jenkins
CRDs (Custom Resource Definitions) should already be deployed to the cluster. You should have access to the operator.yaml that contains the deployment of the Carthago Operator for Jenkins, or be able to modify the existing deployment (the one deployed to the carthago-op-jenkins namespace).
If you don’t have an existing ServiceAccount for the Carthago Operator for Jenkins, create one:
service_account.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: carthago-operator
$ kubectl -n carthago-op-jenkins apply -f service_account.yaml
Add a Role for the Operator in the carthago-op-jenkins namespace, see Roles for YAML.
Add a RoleBinding for the Operator’s ServiceAccount:
role_binding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: operator-rolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: operator-role
subjects:
- kind: ServiceAccount
  name: carthago-operator
  # ServiceAccount subjects must carry the namespace of the account,
  # otherwise the API server rejects the RoleBinding
  namespace: carthago-op-jenkins
$ kubectl -n carthago-op-jenkins apply -f role_binding.yaml
Add a Role for the Operator in the jenkins namespace, see Roles for YAML. It’s the same role as in carthago-op-jenkins namespace.
Add a RoleBinding for the Operator’s ServiceAccount:
role_binding_jenkins.yaml
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: operator-rolebinding
  namespace: jenkins
subjects:
- kind: ServiceAccount
  name: carthago-operator
  namespace: carthago-op-jenkins
roleRef:
  kind: Role
  name: operator-role
  apiGroup: rbac.authorization.k8s.io
$ kubectl -n jenkins apply -f role_binding_jenkins.yaml
Edit the WATCH_NAMESPACE environment variable in the Operator deployment (also make sure serviceAccountName is set correctly):
spec:
  containers:
  - command:
    - /manager
    (...)
    env:
    - name: WATCH_NAMESPACE
      value: jenkins
  serviceAccountName: carthago-operator
In the paid version, in order to configure the Operator to watch for changes in multiple namespaces, all of them, separated by commas, should be put in the WATCH_NAMESPACE environment variable.
For example:
spec:
  containers:
  - command:
    - /manager
    (...)
    env:
    - name: WATCH_NAMESPACE
      value: jenkins-one,jenkins-two,jenkins-three
  serviceAccountName: carthago-operator
Don’t forget to apply your changes:
$ kubectl -n carthago-op-jenkins apply -f operator.yaml
Now the Carthago Operator for Jenkins will run in its own namespace (carthago-op-jenkins) and watch for CRs (Custom Resources) in a different namespace or namespaces, holding only the namespaced operator-role in each of them rather than a cluster-wide grant.
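As an added example (not part of the Carthago documentation or the Operator's own code), the following POSIX shell script renders one RoleBinding per namespace listed in a WATCH_NAMESPACE value, so every watched namespace gets a namespaced binding to operator-role and nothing cluster-wide; it assumes the names used above (ServiceAccount carthago-operator in carthago-op-jenkins, Role operator-role present in each watched namespace).

```sh
#!/bin/sh
# Render one RoleBinding per watched namespace from a comma-separated
# WATCH_NAMESPACE value. Names follow the page; override via environment.
OPERATOR_NS="${OPERATOR_NS:-carthago-op-jenkins}"   # where the Operator runs
OPERATOR_SA="${OPERATOR_SA:-carthago-operator}"     # its ServiceAccount

# Split "a, b,,c" into one namespace per line, dropping blanks and spaces.
split_watch_namespaces() {
  printf '%s\n' "$1" | tr ',' '\n' | tr -d ' ' | grep -v '^$'
}

# Emit the RoleBinding that lets the Operator's ServiceAccount use the
# namespaced Role operator-role inside the given namespace only.
render_rolebinding() {
  ns="$1"
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: operator-rolebinding
  namespace: ${ns}
subjects:
- kind: ServiceAccount
  name: ${OPERATOR_SA}
  namespace: ${OPERATOR_NS}
roleRef:
  kind: Role
  name: operator-role
  apiGroup: rbac.authorization.k8s.io
EOF
}

# Write one manifest per watched namespace into a directory and print the
# paths, so the bindings can be reviewed before `kubectl apply -f`.
render_all() {
  outdir="$1"; watch="$2"
  mkdir -p "$outdir"
  for ns in $(split_watch_namespaces "$watch"); do
    render_rolebinding "$ns" > "$outdir/role_binding_${ns}.yaml"
    printf '%s\n' "$outdir/role_binding_${ns}.yaml"
  done
}

# After applying (needs a cluster, not run here), list what the Operator's
# account may do in a watched namespace and confirm an unwatched one is empty:
#   kubectl auth can-i --list -n jenkins-one \
#     --as=system:serviceaccount:carthago-op-jenkins:carthago-operator
```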