Comments (8)
bparees
commented on August 18, 2024
you can also use "sh 'oc whoami -t'", this isn't something the plugin can protect you from.
from jenkins-client-plugin.
elconas
commented on August 18, 2024
Well the token is not stored in the .kube/config by the plugin, but explicitly provided by --roken=xxx or is it ?
Assuming the Jenkins OS user has no valid token (which it should), then I am pretty save
from jenkins-client-plugin.
bparees
commented on August 18, 2024
The jenkins container has an openshift service account associated with it. That is the token you are seeing when you run oc whoami -t (unless you have setup other credentials).
The assumption is anyone who has permission to create/edit jobs on your jenkins server, already has meaningful permissions within your cluster. (after all, even if they can't get the token, you've allowed them to run oc operations with the token, that's the entire role of the openshift client plugin).
from jenkins-client-plugin.
elconas
commented on August 18, 2024
Another candidate is
openshift.raw("oc config view")
At least the known tokens should scrabled. Right now it is printed in plain text
from jenkins-client-plugin.
bparees
commented on August 18, 2024
again, no different from sh 'oc config view'.
from jenkins-client-plugin.
elconas
commented on August 18, 2024
Ok. So if this is intended "by design" it should be properly documented (e.g. global credentials at the cluster level, meaning everyone peforming git commits in any repo built ona Jenkins Server can steal jenkins credentials). It is avious, but more on a "second thought" :)
from jenkins-client-plugin.
bparees
commented on August 18, 2024
meaning everyone peforming git commits in any repo built ona Jenkins Server can steal jenkins credentials
it does not mean that. that is only the case if those users have permission to view your jenkins job logs and your jenkins job for some reason runs commands that print out the token.
Neither of those are prerequisites to having a CI system that builds/tests git commits by random users.
from jenkins-client-plugin.
bparees
commented on August 18, 2024
(and nothing about this is unique to the jenkins client plugin or even jenkins on openshift. If you have a jenkins job that runs "cat /root/.ssh/id_rsa" you're in the same boat. don't do that, if you do do it, restrict who can see the job log, and don't let untrusted users create/edit jenkins jobs).
from jenkins-client-plugin.
Related Issues (20)
- Question: What extra steps should i follow if my OCP4 cluster is using a proxy ? HOT 4
- exportable did not work on newer openshift clusters HOT 4
- Stream stdout to console for passthrough operations HOT 5
- Plugin incompatible with new-style clouds configuration. HOT 5
- Error after Warning HOT 7
- Can't get api token from com.openshift.jenkins.plugnis.OpenShiftTokenCredentials in pipeline HOT 5
- List of DSL methods required HOT 3
- Error to parse POM's HOT 4
- 'restart' subcommand is missing for rollout()
- Support current version of oc tool HOT 4
- Plugin installation broke credentials used by other plugins HOT 12
- Argument was classified as an image, image~source, or loaded template reference but should be git repo HOT 7
- Leftover oc processes after wait() calls HOT 7
- Plugin doesn't detect capabilities (--ignore-not-found) from recent OC versions HOT 8
- No credentials shown in cluster configuration dropdown HOT 6
- Job fails if there are spaces in the project name, using raw command HOT 9
- Error flags cannot be placed before plugin name on external Jenkins declarative pipeline HOT 2
- Unable to retrieve object names using kubernetes-plugin sidecar container HOT 5
- java.nio.file.NoSuchFileException after upgrade to 1.0.37 HOT 5
- Certificate options not escaped HOT 5
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from jenkins-client-plugin.