Background

Jenkins custom resources on a Kubernetes cluster are deployed using declarative YAML configuration files; hence some of the plugins declared in these files may contain security warnings. So there is no way for the user to know other than manually checking for each on the site. This project aims to add an extra step of validation before creating/updating a new Jenkins Custom Resource.

Deliverables

This project aims to add a validating admission webhook to the Jenkins Operator for Kubernetes to detect potential security vulnerabilities in the plugins before the object is created.

Dependencies

Webhooks communicate to the API server over HTTPS and use TLS. Thus, Jetstack/cert-manager is used to provision TLS certificates and establish connection between Kubernetes API and webhook.

Implementaion

Operator-SDK takes care of creating a new webhook and appending it to the manager and creating handlers. Tls certificates are managed using cert-manager.

  • Validation Logic:

    • Proposed Implementations: Iterate through the list of plugins to be installed and fetch warnings for each plugin from the plugin center API and check if the version of that plugin has any of those warnings.

    • Caveats: Webhooks add latency to an API request, hence they should evaluate as quickly as possible thus having max allowed timeout of 30s. In the earlier approach I was fetching the security warnings from the plugin site API in the validator interface itself, and since network operations are slow, it was causing a timeout in the case of validating a larger number of plugins or when the Internet connection was not good.

    • Updated Implementaion: Instead of fetching information for each plugin, the information about all the plugins is downloaded and cached at the start of the operator and updated periodically, thus eliminating network calls and finishing validation in less than a second.

Evaluation Phase 1:

  • Scaffoled a new validation webhook

  • Added manifests for ValidatingWebhookConfiguration, certificates and volumes, and updated Makefile

  • Implemented the validator interface

  • Updated helm charts

Evaluation Phase 2:

  • Reimplemented the validator interface.

  • Added unit tests for internal functions

  • Added e2e tests along with helm tests

  • Updated helm charts

User Guide

The webhook feature is completely optional for the user. It can be easily deployed using Helm Chart by setting webhook.enabled in values.yaml and in the Operator command line flag.

 webhook.enabled=true

To enable security validation in the jenkins custom resource set

jenkins.ValidateSecurityWarnings=true
  • Note: The webhook takes some time to get up and running, also when helm renders the template, the validating webhook configuration is applied last, hence if the user wants to deploy the Jenkins Custom Resource with validation turned on, he needs to wait for some time. After the webhook is up and running the user can deploy the Jenkins Custom Resource using helm or kubectl

Future work

  • Implementing a post-install hook in the helm charts that checks whether the webhook is up and running.

  • Adding validation for required core version of plugin and core version of Jenkins.

  • Migrating other validation logic from controller to the webhook.

  • Adding validation for the dependencies of the plugins.

About the Authors
Pulkit Sharma

A Student at the Indian Institute of Technology(BHU) Varanasi, Pulkit is currently working on a GSoC Project under Jenkins where he aims to add a security validator to the Jenkins Kubernetes Operator.