Andrew Dunai

Reputation: 3129

Preventing unsanctioned deploys in Jenkinsfile (Multibranch Pipeline)

We're running Jenkins with the multibranch pipeline plugin attached to a GitHub organization's repository, with a Jenkinsfile in some of its branches. Jenkins has access to multiple other agents & nodes where it deploys code after it's successfully built.

The problem: I want to prevent other devs from running builds with a modified Jenkinsfile in their branches and pull requests.

How can I make sure that the used Jenkinsfile is authentic and not modified? Is there any solution to this that I'm missing? I want this to be secure enough to prevent anyone with push access from intentionally breaking things, e.g. git pre-push hooks are not a solution.

Upvotes: 8

Views: 2419

Answers (2)

I'm facing the same problem right now. This Jenkins plugin could probably help us: Remote Jenkinsfile Provider Plugin

I've got the below sentence from their docs:

With this plugin you can define/set Jenkins files from another repository while still able to use MultiBranch Pipeline Project features. This way you will be able to centralize all Jenkins files in another repository where you can review or restrict changes and use MultiBranch Pipeline for multi branched repositories.

So, you might have another repo where you store the Jenkinsfile and give access only to the right people to change it.

I'll probably give it a try in the next weeks.

Upvotes: 1

Gergely Toth

Reputation: 6976

You can use Custom Script mode under the Build Configuration section in the configuration of the multibranch project. This way the Jenkinsfile in the different branches will not be used; instead, either what you define in the job configuration is used, by selecting Pipeline script in the Definition section and preventing the developers from modifying the Jenkins job configuration, or you can specify any file to be the Jenkinsfile in basically any repository by selecting Pipeline script from SCM.

For example, none of our repositories have a Jenkinsfile; there is only one Jenkinsfile for all of our projects, which only I update and which lives in a separate repository.

Upvotes: 3
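As an added example that is not part of either answer, the shell audit below lists the refs whose Jenkinsfile differs from the copy on a trusted ref, which is useful for finding branches that carry their own pipeline before or after moving to a centrally controlled Jenkinsfile. The function names, the `main` trusted ref and the demo repository are constructed for illustration, and the script assumes it runs outside the branch pipelines (a check inside a branch's own Jenkinsfile could be edited away).

```shell
#!/bin/sh
# Added example: list refs whose Jenkinsfile differs from the reviewed copy.
# Run it from somewhere developers cannot edit, not from the branch's own pipeline.

# audit_jenkinsfile REPO TRUSTED_REF [PATH] [REF_PREFIX]
# Prints "MODIFIED <ref>" per differing ref; returns 1 if any differ, 2 on setup error.
audit_jenkinsfile() {
    repo=$1; trusted=$2; path=${3:-Jenkinsfile}; prefix=${4:-refs/heads}
    # Blob id of the reviewed pipeline definition on the trusted ref.
    want=$(git -C "$repo" rev-parse -q --verify "$trusted:$path" 2>/dev/null) || {
        echo "no $path on $trusted" >&2; return 2; }
    status=0
    for ref in $(git -C "$repo" for-each-ref --format='%(refname)' "$prefix"); do
        # Refs without the file have nothing to compare and are skipped.
        got=$(git -C "$repo" rev-parse -q --verify "$ref:$path" 2>/dev/null) || continue
        if [ "$got" != "$want" ]; then
            echo "MODIFIED $ref"
            status=1
        fi
    done
    return $status
}

# Constructed demo repository: trusted "main", one untouched and one edited branch.
make_demo_repo() {
    d=$(mktemp -d)
    g() { git -C "$d" -c user.name=demo -c user.email=demo@example.invalid \
              -c commit.gpgsign=false "$@"; }
    g init -q
    g symbolic-ref HEAD refs/heads/main
    printf 'pipeline { /* reviewed */ }\n' > "$d/Jenkinsfile"
    g add Jenkinsfile && g commit -q -m 'reviewed pipeline'
    g branch feature-clean
    g checkout -q -b feature-modified
    printf 'pipeline { /* edited deploy stage */ }\n' > "$d/Jenkinsfile"
    g commit -q -am 'change pipeline'
    echo "$d"
}

# Demo run against the constructed repository.
demo_repo=$(make_demo_repo)
audit_jenkinsfile "$demo_repo" main || true
rm -rf "$demo_repo"
```
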
