I haven't thought this through in detail; however, it might be possible to use GoCD's 'environment' concept to achieve this if different teams have different config repositories they have permissions on.

You can restrict which environments a given config repository has permissions to link pipelines to in its permission configuration. I think (but need to double check) that you can also change elastic agent profiles so the elastic agents only register for particular environments using environment variables for the container (rather than any/all/no environment by default). That'd require different elastic agent profiles for different teams (or environment groupings), which it sounds like you have already.

If this approach works, team A would have to link their jobs to an environment in their YAML config. They *could* refer to team B's profile in their job YAML, but when the instance starts up it wouldn't register for the correct environment their pipeline is assigned to and the job wouldn't get assigned. So it wouldn't prevent 'wasted elastic agent starts' due to misconfig but should prevent agent B from running team A's pipelines.

Can you perhaps experiment with environments and the agent auto-registration environment vars and see if that approach works for you?

-Chad

On Sat, 10 Sep 2022, 00:06 X-Cloud Lab, <[email protected]> wrote:

> Hello,
>
> I'm using GoCD EKS v22.1.0. I'm using it to run IaC on AWS.
>
> I created an EKS cluster and created a profile for each squad team.
> I'm also using the gocd-yaml-config plugin to write pipelines as code from
> GitLab.
> So, the developers can write their own pipelines and use the elastic
> agent based on their profile.
>
> For example, the app-a-build-agents profile is for the app-a squad team.
>
> My question is how to prevent other squad teams from using the
> app-a-build-agents profile.
> The other squad can configure their pipeline to use the app-a-build-agents
> profile to configure AWS resources on the Squad A AWS account.
> This could be a mistake or intentional.
>
> Does GoCD have a mechanism to prevent this behavior?
>
> Regards,
> Worapoj
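
Added example, not part of the thread and not GoCD code: a merge-request check that reports pipelines in a team's config repository which are not linked to that team's environment, or whose jobs name another team's elastic profile. The `POLICY` mapping, the environment and pipeline names, and the `audit` function are assumptions; the input is the parsed form of a gocd-yaml-config-plugin file, in which `stages` is a list of single-key mappings and jobs carry `elastic_profile_id`.

```python
# Constructed policy: one environment and one set of elastic profiles per team.
POLICY = {
    "app-a": {"environment": "app-a-env", "profiles": {"app-a-build-agents"}},
    "app-b": {"environment": "app-b-env", "profiles": {"app-b-build-agents"}},
}

# Constructed sample: what yaml.safe_load would return for team B's .gocd.yaml.
SAMPLE_TEAM_B = {
    "format_version": 10,
    "environments": {"app-b-env": {"pipelines": ["b-deploy"]}},
    "pipelines": {
        "b-deploy": {"group": "app-b", "stages": [
            {"plan": {"jobs": {"tf-plan": {"elastic_profile_id": "app-b-build-agents"}}}},
            {"apply": {"jobs": {"tf-apply": {"elastic_profile_id": "app-a-build-agents"}}}},
        ]},
        "b-adhoc": {"group": "app-b", "stages": [
            {"run": {"jobs": {"sh": {"elastic_profile_id": "app-b-build-agents"}}}},
        ]},
    },
}

def audit(team, config, policy=POLICY):
    """Return (pipeline, stage/job or None, reason) tuples for one team's config."""
    allowed = policy[team]
    findings = []
    # Collect the environments that list each pipeline.
    env_of = {}
    for env, body in (config.get("environments") or {}).items():
        for name in (body or {}).get("pipelines") or []:
            env_of.setdefault(name, set()).add(env)
    for name, pipeline in (config.get("pipelines") or {}).items():
        envs = env_of.get(name, set())
        # A pipeline must sit in exactly the team's environment, no other.
        if envs != {allowed["environment"]}:
            findings.append((name, None, f"environments {sorted(envs)}, "
                             f"expected only {allowed['environment']}"))
        for stage in pipeline.get("stages") or []:
            for stage_name, stage_body in stage.items():
                jobs = (stage_body or {}).get("jobs") or {}
                for job, job_body in jobs.items():
                    profile = (job_body or {}).get("elastic_profile_id")
                    if profile is not None and profile not in allowed["profiles"]:
                        findings.append((name, f"{stage_name}/{job}",
                                         f"elastic profile {profile!r} not allowed"))
    return findings

if __name__ == "__main__":
    for finding in audit("app-b", SAMPLE_TEAM_B):
        print(finding)
```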
