OpenShift CI/CD Concepts: Difference between revisions

From NovaOrdis Knowledge Base
Jump to navigation Jump to search
Line 44: Line 44:


Also see: {{Internal|OpenShift_CI/CD_Operations#Grant_Jenkins_Needed_Privileges_for_the_Projects_that_Require_CI.2FCD_Services|Grant Jenkins Needed Privileges for the Projects that Require CI/CD Services}}
Also see: {{Internal|OpenShift_CI/CD_Operations#Grant_Jenkins_Needed_Privileges_for_the_Projects_that_Require_CI.2FCD_Services|Grant Jenkins Needed Privileges for the Projects that Require CI/CD Services}}
=State Persistence Considerations=

Revision as of 22:13, 21 November 2017

External

Internal

Overview

OpenShift provides a certified Jenkins container for building Continuous Delivery pipelines. When necessary, it scales the pipeline execution by on-demand provisioning of multiple Jenkins containers, allowing Jenkins to run many jobs in parallel.

Resources

This is the memory consumption based on a test installation:

  • jenkins/jenkins-jnlp pod: 720 MB
  • nexus pod: 610 MB
  • gogs pod: 110 MB

Jenkins Pods and Projects

Jenkins infrastructure can run in an arbitrary project, on a per-project basis, but a more common setup is to create a dedicated CI/CD project and configure it to perform CI/CD services for other "client" projects.

Security Considerations

Jenkins components need to access the OpenShift API exposed by the master for various operations: to access container images, to trigger a build, to check the status of a build, etc. so special privileges need to be assigned to the service account under whose credentials Jenkins runs. Jenkins authenticates to the API using the "system:serviceaccount:<project-name>:default service account, where <project-name> is the name of the project the Jenkins pod runs in. The service account must be granted the "admin" role:

oc policy add-role-to-user admin system:serviceaccount:<jenkins-project-name>:default

"default" is a generic account, so in general is a good idea to created a dedicated "jenkins" service account, to be used by the Jenkins processes: "system:serviceaccount:<project-name>:jenkins.

oc policy add-role-to-user admin system:serviceaccount:<jenkins-project-name>:jenkins

Jenkins performs CI/CD services for other projects, so the service account running the Jenkins pods in the Jenkins project must be granted elevated privileges in the projects serviced by it:

oc policy add-role-to-user edit system:serviceaccount:<jenkins-project-name>:jenkins -n <client-project>

To list the roles associated with a service account, use oc get rolebindings or oc describe policyBindings.

Also see:

Grant Jenkins Needed Privileges for the Projects that Require CI/CD Services

State Persistence Considerations