Jenkins RBAC and ServiceAccount Configuration
The Jenkins Helm Chart provides configurations to manage Kubernetes RBAC resources and [[ServiceAccount]]s for both the controller and agents^[400-devops__06-Kubernetes__devops-helm__helm-jenkins__VALUES_SUMMARY.md].
RBAC Configuration
Role-Based Access Control (RBAC) determines the permissions the Jenkins instance has within the Kubernetes cluster.
- Creation: The `rbac.create` parameter determines whether RBAC resources (such as Roles and RoleBindings) are created^[400-devops__06-Kubernetes__devops-helm__helm-jenkins__VALUES_SUMMARY.md]. It is enabled by default.
- Secret Access: The `rbac.readSecrets` parameter controls whether the Jenkins ServiceAccount is granted permissions to read Kubernetes secrets^[400-devops__06-Kubernetes__devops-helm__helm-jenkins__VALUES_SUMMARY.md]. This is disabled by default.
- Config Reload: If the Jenkins Configuration as Code (JCasC) auto-reload sidecar is enabled, RBAC must be enabled so the sidecar container has the necessary permissions to read the ConfigMap containing the configuration^[400-devops__06-Kubernetes__devops-helm__helm-jenkins__VALUES_SUMMARY.md].
ServiceAccount - Controller
The controller requires a ServiceAccount to interact with the Kubernetes API, primarily for provisioning agent pods^[400-devops__06-Kubernetes__devops-helm__helm-jenkins__VALUES_SUMMARY.md].
| Parameter | Description | Default |
|---|---|---|
| `serviceAccount.create` | Specifies whether a ServiceAccount should be created^[400-devops__06-Kubernetes__devops-helm__helm-jenkins__VALUES_SUMMARY.md]. | `true` |
| `serviceAccount.name` | The name of the ServiceAccount to use. If not set and create is true, the name is autogenerated^[400-devops__06-Kubernetes__devops-helm__helm-jenkins__VALUES_SUMMARY.md]. | Autogenerated |
| `serviceAccount.annotations` | Annotations to add to the ServiceAccount^[400-devops__06-Kubernetes__devops-helm__helm-jenkins__VALUES_SUMMARY.md]. | `{}` |
| `serviceAccount.imagePullSecretName` | The name of an image pull secret to attach to the ServiceAccount^[400-devops__06-Kubernetes__devops-helm__helm-jenkins__VALUES_SUMMARY.md]. | Not set |
ServiceAccount - Agent
Agent pods can run with a distinct ServiceAccount to separate their permissions from the controller^[400-devops__06-Kubernetes__devops-helm__helm-jenkins__VALUES_SUMMARY.md].
| Parameter | Description | Default |
|---|---|---|
| `serviceAccountAgent.create` | Specifies whether an agent-specific ServiceAccount should be created^[400-devops__06-Kubernetes__devops-helm__helm-jenkins__VALUES_SUMMARY.md]. | `false` |
| `serviceAccountAgent.name` | The name of the agent ServiceAccount^[400-devops__06-Kubernetes__devops-helm__helm-jenkins__VALUES_SUMMARY.md]. | Autogenerated |
| `serviceAccountAgent.annotations` | Annotations to add to the agent ServiceAccount^[400-devops__06-Kubernetes__devops-helm__helm-jenkins__VALUES_SUMMARY.md]. | `{}` |
| `serviceAccountAgent.imagePullSecretName` | Image pull secret for the agent ServiceAccount^[400-devops__06-Kubernetes__devops-helm__helm-jenkins__VALUES_SUMMARY.md]. | Not set |
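
The RBAC and ServiceAccount settings above can be checked before a release is installed or upgraded. The following is an added example, not code from the chart or its documentation: the function names `lookup` and `audit` and the sample values are constructed here, and the `controller.sidecars.configAutoReload.enabled` key with its default is an assumption taken from the upstream chart rather than from this page.

```python
import json

# Defaults as listed on this page. The configAutoReload key and its default
# are an assumption taken from the upstream chart, not from this page.
DEFAULTS = {
    "rbac.create": True,
    "rbac.readSecrets": False,
    "serviceAccountAgent.create": False,
    "controller.sidecars.configAutoReload.enabled": True,
}

def lookup(values, dotted):
    """Walk a dotted path through user values; fall back to the chart default."""
    node = values
    for key in dotted.split("."):
        if not isinstance(node, dict) or key not in node:
            return DEFAULTS.get(dotted)
        node = node[key]
    return node

def audit(values):
    """Return (kind, message) findings for one set of user-supplied values."""
    findings = []
    if lookup(values, "rbac.readSecrets"):
        findings.append(("risk", "rbac.readSecrets is true: the Jenkins "
                         "ServiceAccount is granted read access to Secrets"))
    reload_on = lookup(values, "controller.sidecars.configAutoReload.enabled")
    if reload_on and not lookup(values, "rbac.create"):
        findings.append(("broken", "JCasC auto-reload sidecar is enabled but "
                         "rbac.create is false: it cannot read its ConfigMap"))
    if not (lookup(values, "serviceAccountAgent.create")
            or lookup(values, "serviceAccountAgent.name")):
        findings.append(("risk", "no agent ServiceAccount is created or named: "
                         "agents get no dedicated identity"))
    return findings

# Constructed samples, shaped like `helm get values <release> -o json` output.
SAMPLE_RISKY = '{"rbac": {"create": false, "readSecrets": true}}'
SAMPLE_HARDENED = ('{"rbac": {"readSecrets": false}, '
                   '"serviceAccountAgent": {"create": true, "name": "jenkins-agent"}}')

if __name__ == "__main__":
    for label, raw in (("risky", SAMPLE_RISKY), ("hardened", SAMPLE_HARDENED)):
        print(label)
        for kind, msg in audit(json.loads(raw)) or [("ok", "no findings")]:
            print(f"  [{kind}] {msg}")
```

Run against empty values, the check reports only the missing agent ServiceAccount, because `serviceAccountAgent.create` defaults to `false`.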
Related Concepts
- [[ServiceAccount]]
- [[Jenkins Agent]]
Sources
^[400-devops__06-Kubernetes__devops-helm__helm-jenkins__VALUES_SUMMARY.md]