How to make sure a Jenkins slave in GKE communicates safely with its master?

12/9/2019

I'm planning to use the Jenkins Kubernetes plugin in a setup where an existing Jenkins setup with master and slaves on VMs is split into the master remaining in the current setup and slaves being provisioned dynamically by Google Kubernetes Engine (GKE).

My aim is to reduce costs for the time where slaves can be auto-scaled down to a minimum and provide constant build speed by provisioning a large number of agents at the same time. I'm choosing this approach because it requires a minimum effort.

AFAIK I need to forward ports 8080 and 50000 for JNLP. This is a potential security risk, since JNLP isn't protected by any form of encryption, and credentials for Jenkins and third-party systems could be intercepted, as well as arbitrary commands being run on the master.

There's the option to enable Slave to master access control, but as far as I understand it's not a protection against interception of credentials.

Is it possible to create an IP or other tunnel inside GKE? The IPs of the master nodes are not predictable and it seems like a lot of overhead to maintain the correct tunnel destination to potentially terminated and recreated node pools.

I'm aware that it's probably not rocket science to move the Jenkins master to Kubernetes as well and let it do its magic with dynamic provisioning of agents in the contained and wonderful world of k8s. However, I need to move it there, and I don't want to invest time just to have a nice-to-look-at solution if an easier approach does the job as well.

-- Karl Richter
Tags: google-kubernetes-engine, jenkins, jnlp, kubernetes

2 Answers

12/10/2019

You can use the Google Cloud VPN service to have a secure connection from your VMs to the resources in GKE. Here you can find the official documentation, and here an example of practical use provided by a third party.

-- Serhii Rohoza
Source: StackOverflow

12/21/2019

JNLP version 4 (by default on port 50000) is encrypted and allows secure transfer of resources in and out of Google Cloud services. The protocol version can be enforced in Jenkins.

-- Karl Richter
Source: StackOverflow
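One way to enforce the encrypted JNLP4 protocol that the answer above mentions, as an added example that is not part of the original answers: a Jenkins init script (dropped into `init.groovy.d`, file name hypothetical) that disables every other agent protocol and pins the inbound agent port to 50000. It assumes a Jenkins core recent enough to ship `JNLP4-connect` and the `AgentProtocol` extension point.

```groovy
// init.groovy.d/enforce-jnlp4.groovy (hypothetical file name; runs on controller start-up)
import jenkins.AgentProtocol
import jenkins.model.Jenkins

def jenkins = Jenkins.get()

// Only JNLP4-connect (TLS-encrypted remoting) and Ping (keep-alive, carries no commands)
// are acceptable; the older JNLP/JNLP2/JNLP3 and CLI2 protocols are left disabled.
Set<String> allowed = ["JNLP4-connect", "Ping"] as Set

// Report what this instance knows about before changing anything, so the
// controller log shows which legacy protocols were active.
AgentProtocol.all().each { p ->
    println "agent protocol ${p.name}: deprecated=${p.deprecated}, " +
            "enabled=${jenkins.agentProtocols.contains(p.name)}"
}

// Enable only protocols that are both allowed here and actually registered,
// so a missing plugin never leaves the set empty by accident.
Set<String> available = AgentProtocol.all().collect { it.name } as Set
Set<String> toEnable = allowed.intersect(available)
if (!toEnable.contains("JNLP4-connect")) {
    throw new IllegalStateException("JNLP4-connect is not available on this controller; refusing to continue")
}

jenkins.setAgentProtocols(toEnable)
jenkins.setSlaveAgentPort(50000)   // fixed port so a firewall rule can be pinned to it
jenkins.save()
println "enabled agent protocols: ${jenkins.agentProtocols}"
```

The TLS protection applies to the 50000 channel only; the agent still fetches its connection details from the web port first, so that port should itself be served over HTTPS.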