On Friday, 25 January 2019 19:26:41 UTC+1, Jesse Glick wrote: > > >>> we have to run some jobs on master to configure it(apply groovy > scripts, restore/backup and seed jobs creation). > > > >> This seems inadvisable and is generally insecure. Better for these > tasks to be externalized. > > > > encapsulati[ng] configuration tasks into jobs give view what is wrong > with configuration provided by user. > > > Perhaps these tasks could be made into K8s batch jobs instead? > > >> Maybe there is a solution where we can restrict which jobs can be run > on master? > > > It is possible with some plugins and core extension points, but not > > currently well supported. See discussion in JENKINS-24513. If you can > > avoid it and run operator subtasks in separate pods, it would be > > better. >
I've came up with new solution: - don't use jobs to apply configuration/make backup - set master executors to zero - apply configuration groovy scripts via "/scriptText" endpoint - use https://javadoc.jenkins.io/hudson/model/AdministrativeMonitor.html to inform about configuration process and it's errors - add static agent as Kubernetes pod to run seed jobs Sorry for a late response. -- You received this message because you are subscribed to the Google Groups "Jenkins Developers" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-dev/9d54b27f-39b2-4b1d-a38c-c7c7941e208f%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
