Issue with Role-Based Authorization Strategy in Jenkins on GKE

I recently installed Jenkins using a Helm chart on Google Kubernetes Engine (GKE) and enabled the Role-Based Authorization Strategy. I created multiple global roles and assigned them to the appropriate items. I also configured a Persistent Volume Claim (PVC) to ensure data persistence.

However, after restarting Jenkins, the authorization strategy went back to “Logged-in users can do anything,” and I noticed that all my previously created roles and their assigned items have disappeared.

Could someone please help me understand why this is happening? Any insights or recommendations on how to prevent this issue in the future would be greatly appreciated.

Thank you!

Do you have CasC files in your JENKINS_HOME that are applied after each restart and contain a different security realm?

@mawinter69 Yes, I have that file in the JENKINS_HOME path.

drwxrwsrwx 2 root jenkins 4096 Sep 30 08:46 casc_configs

That’s a directory, check what you have in there and if it contains something for the security realm.

@mawinter69 I can see a security yaml file

pwd
/var/jenkins_home/casc_configs
jenkins@jenkins-0:~/casc_configs$ ls
jcasc-default-config.yaml
jenkins@jenkins-0:~/casc_configs$

But it looks like the authorization strategy is still ‘loggedInUsersCanDoAnything’ even though I selected the role-based strategy in the Jenkins GUI.

jenkins:
  authorizationStrategy:
    loggedInUsersCanDoAnything:
      allowAnonymousRead: false

My use case:

  1. I want to enable role-based authorization through the GUI.
  2. I need this configuration to persist even after a Jenkins restart.

My question:

  • What steps should I follow to ensure that this configuration remains persistent after restarts?

Thank you for your assistance!

These are configuration files that are applied on every start of Jenkins. So if you don’t want things from there you should remove the corresponding part in that file or delete it completely.
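
The point made above, that every file in casc_configs is re-applied at startup, can be checked before a restart. The shell functions below are an added example, not part of the original thread or of Jenkins itself; the function names are hypothetical, and the script assumes block-style, space-indented YAML in the directory shown in the thread.

```shell
#!/bin/sh
# Added example: report which authorization strategy each JCasC file would
# re-apply when Jenkins starts. Function names are hypothetical.

# casc_authz_strategy FILE
# Prints the first key nested under "authorizationStrategy:", prints "none"
# if the key is present with nothing nested, and prints nothing if absent.
casc_authz_strategy() {
  awk '
    function ind(s, t) { t = s; sub(/^ +/, "", t); return length(s) - length(t) }
    found {
      if ($0 ~ /^[ \t]*(#.*)?$/) next          # skip blank and comment lines
      if (ind($0) > indent) {                  # deeper indent: nested strategy key
        line = $0; sub(/^ +/, "", line); sub(/:.*/, "", line)
        print line
      } else {
        print "none"                           # sibling key: nothing is pinned
      }
      done = 1; exit
    }
    /^[ \t]*authorizationStrategy:/ {
      indent = ind($0)
      rest = $0; sub(/^[^:]*:[ \t]*/, "", rest); sub(/#.*/, "", rest)
      sub(/[ \t]+$/, "", rest)
      if (rest != "") { print rest; done = 1; exit }   # value on the same line
      found = 1
    }
    END { if (found && !done) print "none" }
  ' "$1"
}

# casc_audit [DIR]
# Lists each YAML file in DIR that pins a strategy and exits 1 if any does,
# because that file would replace the UI-configured strategy on restart.
casc_audit() (
  dir="${1:-/var/jenkins_home/casc_configs}"   # default: path from the thread
  rc=0
  for f in "$dir"/*.yaml "$dir"/*.yml; do
    [ -f "$f" ] || continue
    s="$(casc_authz_strategy "$f")"
    if [ -n "$s" ] && [ "$s" != "none" ]; then
      printf '%s enforces authorizationStrategy: %s\n' "$f" "$s"
      rc=1
    fi
  done
  exit "$rc"
)
# Usage inside the controller pod: casc_audit /var/jenkins_home/casc_configs
```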

@mawinter69 Thanks for your previous response! I updated the YAML file as suggested, and it worked well.

JCasC:
  authorizationStrategy: |-
    # Nothing is enforced here, Jenkins UI will manage the strategy

Now, I’m trying to expose Jenkins using an internal LoadBalancer with a static IP. However, despite updating my override.yaml file, the service appears to be exposed as ClusterIP instead.

Here’s the relevant snippet from my override.yaml.

controller:
  service:
    type: LoadBalancer # Use LoadBalancer for exposing Jenkins
    annotations:
      cloud.google.com/load-balancer-type: Internal
      cloud.google.com/load-balancer-ipv4: "XX.XX.XX.XX" # Reserved IP
    port: 8080 # or the port you want Jenkins to expose
    targetPort: 8080 # the port Jenkins listens on

I appreciate your assistance!