Security validator for Jenkins Kubernetes Operator

Goal: Improve security aspects of installing Jenkins plugins in Kubernetes environment.

Status: Completed

Team

Details

Project Details

The Jenkins Operator is a Kubernetes Native Operator which manages operations for Jenkins on Kubernetes. It enables community to run Jenkins in cloud-native environments like Kubernetes, OpenShift and others. Also, supports most of the public cloud providers (AWS, Azure, GCP) in terms of additional capabilities like backups, observability and cloud security.

If you are interested in exploring Kubernetes and software-defined operators ecosystem more in-depth, as well as enhance your Go coding skill - this is definitely an interesting opportunity to consider.

Problem Statement

Some of the plugins have security warnings which are not properly presented to the end users. This may result in introducing security risk in existing CI/CD infrastructure.

As part of reconciliation process of Jenkins, when plugins are already downloaded but not yet installed add a validation step that will check if chosen plugins contain security issues, using Kubernetes Admission Controller. It can be implemented by taking an advantage of built-in security check mechanism in Jenkins Update Centre - the operator should fetch the data directly from Jenkins Download Center (over REST API) about security warnings for corresponding list of plugins to be installed.

Additionally, in case a security warning is detected, user should be able to choose if Jenkins Operator should continue with installation process.

Office hours

TODO

Links