Securing Brigade

The execution of Brigade scripts involves dynamically creating (and destroying) a number of Kubernetes objects, including pods, secrets, and persistent volume claims. For that reason, it is prudent to configure security.

How RBAC Is Configured

The Helm chart for Brigade includes an RBAC configuration that is designed to run in an isolated namespace.

The RBAC defines a Service Account for every Deployment (API, Controller, Gateway), as well as a Service Account for the Brigade worker.

Each deployment also has a Role, which describes the permissions that the particular service needs.

The resulting Role Bindings, then, are a simple one-to-one match between the Service Account and the Role.

Workers are an exception. The Service Account for a worker is hard-coded to brigade-worker, and all workers are bound to a Role that allows operations on pods, secrets, and persistent volume claims.

Project Security

Brigade is opinionated about configuring projects and storing data like credentials. Because sensitive information is stored in a project’s secret, care should be taken in preventing unauthorized access to that secret.

Note that if Helm is used to create a project, the project’s secrets will be cached within Helm’s release object. Read the Helm docs to learn how to secure Helm.

Script Security

Brigade scripts can create pods, secrets, and persistent volume claims. Brigade does not evaluate the security of the containers that a pod runs. Consequently, it is best to avoid using untrusted containers in Brigade scripts. Likewise, it is not recommended to inject secrets into a container without first auditing the container.

Gateway Security

In Brigade, a gateway is any service that translates some external prompt (webhook, 3rd party API, cron trigger, etc.) into a Brigade event.

Gateways are the most likely service to have an external network connection. We suggest the following features of a gateway:

API Server Security

Brigade includes an API server which allows external tools to discover state about Brigade projects, builds, and jobs.

This service should only be exposed to the outside network when necessary. And when exposed, it should use transport layer security (aka SSL) whenever possible.