jenkinsci / kubernetes-operator

Kubernetes native Jenkins Operator
https://jenkinsci.github.io/kubernetes-operator

Jenkins Controller and Build Pods in different namespaces #705

Open dee-kryvenko opened 2 years ago

dee-kryvenko commented 2 years ago

Need to be able to have build pods and the Jenkins controller in separate namespaces. This doesn't seem to be currently possible, which poses the risk of user-defined jobs being able to construct a pod that uses the SA from the controller, so it can read secrets, amend the controller pod, etc. There are four separate roles in a typical shared k8s setup: cluster admins, operator admins, controller admins and jobs admins.

devdattakulkarni commented 2 years ago

+1 From multi-tenancy perspective also this is an important requirement - that the Operator is able to support creating Jenkins instances in different namespaces.

thecooldrop commented 2 years ago

Hi @dee-kryvenko, could you provide more details as to why this is not possible? I am unable to come to the same conclusion as you.

dee-kryvenko commented 2 years ago

@thecooldrop because https://github.com/jenkinsci/kubernetes-operator/blob/v0.7.0/pkg/configuration/base/resources/base_configuration_configmap.go#L207 is clearly using jenkins.ObjectMeta.Namespace without any ability for the user to override it.

dashashutosh24 commented 1 year ago

I was able to resolve this by creating a copy of the role and rolebinding from the namespace in which jenkins master resides in the namespace where I want the slave pods to run. In the rolebinding, I granted the master service account in the master namespace access to the role in the slave agent namespace.

brokenpip3 commented 1 year ago

> I was able to resolve this by creating a copy of the role and rolebinding from the namespace in which jenkins master resides in the namespace where I want the slave pods to run. In the rolebinding, I granted the master service account in the master namespace access to the role in the slave agent namespace.

So you are saying that in your tests it's just an RBAC issue, because the Jenkins operator does not have the grants to create pods, CMs, secrets, etc. in the other namespace?

I never tried this; maybe it's something we can fix easily.

dashashutosh24 commented 1 year ago

Yes, it seems it was only a permissions issue. This could be the rolebinding in the slave build agents' namespace:

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: jenkins-operator-jenkins
  namespace: jenkins-slaves
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: jenkins-operator-jenkins
subjects:
- kind: ServiceAccount
  name: jenkins-operator-jenkins
  namespace: jenkins-operator

The role is an exact copy of the role in the master's namespace with the same permissions, and the rolebinding binds it to the service account used by the master in its own namespace.
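Putting the two halves of the workaround from this thread together, here is a complete Role plus RoleBinding for the agent namespace. This is an added example, not the operator's own manifests: the namespace names `jenkins-operator` and `jenkins-slaves` and the service account name `jenkins-operator-jenkins` are taken from the RoleBinding posted above, while the rule list is an assumption on my part. Rather than an exact copy of the controller-namespace role, it grants only what the Jenkins kubernetes plugin needs to run build pods (pods, pods/exec, pods/log, events), so a job that schedules a pod into this namespace still cannot read secrets or configmaps there, which is the risk that opened the issue.

```yaml
# Added example. Least-privilege Role for the namespace that only hosts build pods.
# Assumed: the controller service account is jenkins-operator-jenkins in
# namespace jenkins-operator, and build pods run in jenkins-slaves (names
# taken from the RoleBinding posted in the thread). The verb list is an
# assumption based on what the kubernetes plugin needs for agent pods;
# secrets and configmaps are deliberately NOT granted here.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: jenkins-operator-jenkins
  namespace: jenkins-slaves
rules:
  # Create, watch and tear down agent pods.
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
  # Needed for the JNLP/websocket agent launcher and `container()` steps.
  - apiGroups: [""]
    resources: ["pods/exec"]
    verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
  # Streaming build logs from the agent pod.
  - apiGroups: [""]
    resources: ["pods/log"]
    verbs: ["get", "list", "watch"]
  # The plugin watches pod events to report scheduling failures.
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["watch"]
---
# Bind the Role above to the controller's service account, which lives in a
# different namespace than the Role. RoleBindings may reference subjects from
# any namespace, so no ClusterRole or ClusterRoleBinding is required.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: jenkins-operator-jenkins
  namespace: jenkins-slaves
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: jenkins-operator-jenkins
subjects:
  - kind: ServiceAccount
    name: jenkins-operator-jenkins
    namespace: jenkins-operator
```

After applying the manifests, the boundary can be checked from the controller's identity with `kubectl auth can-i create pods -n jenkins-slaves --as=system:serviceaccount:jenkins-operator:jenkins-operator-jenkins` (expected: yes) and `kubectl auth can-i get secrets -n jenkins-slaves --as=system:serviceaccount:jenkins-operator:jenkins-operator-jenkins` (expected: no). RBAC alone only makes the agent namespace reachable; the kubernetes plugin's cloud or pod template `namespace` setting still has to point at `jenkins-slaves`, which is the value the operator currently hard-codes to the controller's namespace in the configmap linked earlier in the thread.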