Resource separation with Namespaces

This page describes how to enhance the security of running Carthago Operator for Jenkins and Jenkins on Kubernetes by deploying the Operator and the Jenkins instances in their own namespaces, so that the Operator's permissions are granted through namespaced Roles rather than cluster-wide.
In the paid version, one Operator instance can watch multiple namespaces and Jenkins instances. It’s recommended to use a separate namespace for each Jenkins instance.

Prerequisites

In this example, we will be deploying Carthago Operator for Jenkins to the carthago-op-jenkins namespace, while the Jenkins instance will be run in the jenkins namespace.

To create these namespaces run:

$ kubectl create ns carthago-op-jenkins
$ kubectl create ns jenkins

CRDs (Custom Resource Definitions) should already be deployed to the cluster. You should have access to operator.yaml containing the Deployment of the Carthago Operator for Jenkins, or be able to modify the existing Deployment (the one deployed to the carthago-op-jenkins namespace).

Operator namespace

If you don’t have an existing ServiceAccount for the Carthago Operator for Jenkins, create one:

service_account.yaml

apiVersion: v1
kind: ServiceAccount
metadata:
  name: carthago-operator
$ kubectl -n carthago-op-jenkins apply -f service_account.yaml

Add a Role for the Operator in the carthago-op-jenkins namespace, see Roles for the YAML.

Add a RoleBinding for the Operator’s ServiceAccount:

role_binding.yaml

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: operator-rolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: operator-role
subjects:
- kind: ServiceAccount
  name: carthago-operator
$ kubectl -n carthago-op-jenkins apply -f role_binding.yaml

Jenkins namespace

Add a Role for the Operator in the jenkins namespace, see Roles for the YAML. It’s the same Role as in the carthago-op-jenkins namespace; only the namespace differs.

Add a RoleBinding for the Operator’s ServiceAccount:

role_binding_jenkins.yaml

kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: operator-rolebinding
  namespace: jenkins
subjects:
- kind: ServiceAccount
  name: carthago-operator
  namespace: carthago-op-jenkins
roleRef:
  kind: Role
  name: operator-role
  apiGroup: rbac.authorization.k8s.io
$ kubectl -n jenkins apply -f role_binding_jenkins.yaml
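Once the Roles and RoleBindings are applied, it is worth confirming that the ServiceAccount really is scoped the way this page intends: allowed in the watched namespace, denied everywhere else. The script below is an added example, not part of the Carthago documentation; it uses `kubectl auth can-i --as=system:serviceaccount:...` and assumes that the Role grants at least `list` on `pods` (change RESOURCE if your Role is narrower). KUBECTL can be overridden so the checks can be exercised against a stand-in.

```shell
#!/bin/sh
# Added example (not Carthago's own code): verify that the operator
# ServiceAccount has permissions only in the namespaces it is meant to watch.
# Assumptions: Role grants "list pods" (RESOURCE); names below match this page.
KUBECTL="${KUBECTL:-kubectl}"
OPERATOR_NS="${OPERATOR_NS:-carthago-op-jenkins}"
OPERATOR_SA="${OPERATOR_SA:-carthago-operator}"
RESOURCE="${RESOURCE:-pods}"
# Namespaces where the operator must NOT have access (adjust for your cluster).
CONTROL_NS="${CONTROL_NS:-kube-system default}"

# can_do NAMESPACE VERB RESOURCE -> prints "yes" or "no" as kubectl reports it.
# kubectl exits non-zero on "no", so the answer is captured regardless.
can_do() {
    "$KUBECTL" auth can-i "$2" "$3" -n "$1" \
        --as="system:serviceaccount:${OPERATOR_NS}:${OPERATOR_SA}" 2>/dev/null || true
}

# expect_access NAMESPACE VERB RESOURCE EXPECTED(yes|no) -> 0 if the answer matches.
expect_access() {
    answer="$(can_do "$1" "$2" "$3")"
    if [ "$answer" = "$4" ]; then
        echo "ok   $1: $2 $3 -> $answer"
        return 0
    fi
    echo "FAIL $1: $2 $3 -> '${answer:-<no answer>}', expected $4" >&2
    return 1
}

# check_scoping WATCHED_NS... -> 0 only if access is granted in every watched
# namespace and denied in every control namespace.
check_scoping() {
    rc=0
    for ns in "$@"; do
        expect_access "$ns" list "$RESOURCE" yes || rc=1
    done
    for ns in $CONTROL_NS; do
        expect_access "$ns" list "$RESOURCE" no || rc=1
    done
    return $rc
}

# Usage: ./check_scoping.sh jenkins            (or several watched namespaces)
if [ $# -gt 0 ]; then
    check_scoping "$@"
fi
```

A clean run prints one `ok` line per namespace; any `FAIL` line for a control namespace means the binding (or a ClusterRoleBinding elsewhere) grants more than this page's per-namespace design intends.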

Update the Operator deployment

Edit the WATCH_NAMESPACE environment variable in the Operator deployment (and make sure serviceAccountName refers to the ServiceAccount created above):

    spec:
      containers:
        - command:
            - /manager
          (...)
          env:
            - name: WATCH_NAMESPACE
              value: jenkins
      serviceAccountName: carthago-operator

In the paid version, to configure the Operator to watch for changes in multiple namespaces, list all of them in the WATCH_NAMESPACE environment variable, separated by commas.

For example:

    spec:
      containers:
        - command:
            - /manager
          (...)
          env:
            - name: WATCH_NAMESPACE
              value: jenkins-one,jenkins-two,jenkins-three
      serviceAccountName: carthago-operator

Don’t forget to apply your changes:

$ kubectl -n carthago-op-jenkins apply -f operator.yaml
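Every namespace named in WATCH_NAMESPACE also needs its own Role and RoleBinding, and the two lists drift apart easily when they are maintained by hand. The script below is an added example, not part of the Carthago documentation: it validates the namespace names, renders one RoleBinding per watched namespace in the same shape as role_binding_jenkins.yaml above, and prints the matching comma-separated WATCH_NAMESPACE value. It assumes the Role is already created as operator-role in each namespace and that the ServiceAccount is carthago-operator in carthago-op-jenkins.

```shell
#!/bin/sh
# Added example (not Carthago's own code): generate the per-namespace
# RoleBindings and the WATCH_NAMESPACE value from one list of namespaces.
# Assumptions: Role "operator-role" exists in each namespace; SA names as on this page.
OPERATOR_NS="${OPERATOR_NS:-carthago-op-jenkins}"
OPERATOR_SA="${OPERATOR_SA:-carthago-operator}"
ROLE_NAME="${ROLE_NAME:-operator-role}"

# valid_namespace NAME -> 0 if NAME is a DNS-1123 label (what Kubernetes requires).
valid_namespace() {
    case "$1" in
        ""|-*|*-|*[!a-z0-9-]*) return 1 ;;
    esac
    [ "${#1}" -le 63 ]
}

# watch_namespace_value NS... -> comma-separated list, no spaces, duplicates dropped.
watch_namespace_value() {
    out=""
    for ns in "$@"; do
        case ",$out," in
            *",$ns,"*) ;;                      # already present
            *) out="${out:+$out,}$ns" ;;
        esac
    done
    printf '%s\n' "$out"
}

# rolebinding_manifest NS -> RoleBinding granting the operator SA the
# namespace-local Role in NS (same shape as role_binding_jenkins.yaml).
rolebinding_manifest() {
    cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: operator-rolebinding
  namespace: $1
subjects:
- kind: ServiceAccount
  name: $OPERATOR_SA
  namespace: $OPERATOR_NS
roleRef:
  kind: Role
  name: $ROLE_NAME
  apiGroup: rbac.authorization.k8s.io
EOF
}

# render_all NS... -> validates every name, then prints all RoleBindings as one
# multi-document YAML stream. Returns 1 (prints nothing) on an invalid name.
render_all() {
    for ns in "$@"; do
        valid_namespace "$ns" || { echo "invalid namespace name: '$ns'" >&2; return 1; }
    done
    # Reuse the de-duplicated list so each namespace is rendered once.
    set -- $(watch_namespace_value "$@" | tr ',' ' ')
    first=1
    for ns in "$@"; do
        [ "$first" -eq 1 ] || printf -- '---\n'
        first=0
        rolebinding_manifest "$ns"
    done
}

# Usage: ./render.sh jenkins-one jenkins-two | kubectl apply -f -
# The WATCH_NAMESPACE value goes to stderr so it does not pollute the YAML stream.
if [ $# -gt 0 ]; then
    render_all "$@" && echo "WATCH_NAMESPACE=$(watch_namespace_value "$@")" >&2
fi
```

Applying the rendered stream and setting WATCH_NAMESPACE from the same invocation keeps the RBAC grants and the watch list in step; a namespace present in one but not the other shows up either as a "forbidden" error in the Operator logs or as a grant the Operator never uses.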

Now the Carthago Operator for Jenkins runs in its own namespace (carthago-op-jenkins) and watches for CRs (Custom Resources) in a different namespace or namespaces, with its permissions limited to the namespaces where a RoleBinding was created.