Restrict Jenkins jobs by subnet and project folder

OK I’m fairly new to Jenkins and we are migrating 4 different Jenkins servers into 1 using Docker. We run 3 different network environments dev, test, and production. I have created folders for each env, We have set the Authorization to Project-Based and assigned AD user groups to them. Now I need to restrict the subnet that the jobs in each folder can talk to. Does anyone know of an easy way to do this?

Your best bet would be to go to Manage Jenkins > Manage Nodes in Jenkins and give each node a label for the environment / subnet it’s in. Then in the agent section of your job you would add that label. You can have multiple labels by using && in your job. It would look something like this:

node('el7 && nodejs') {
    // some block
}
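As an added example (not from the answer above or from the Jenkins project) of combining that label scheme with the per-environment folders from the question: a scripted pipeline that derives the environment from the folder it lives in and only requests agents carrying that label. It assumes top-level folders named dev, test and prod, and agent labels with the same names; both are assumptions.

```groovy
// Added example, not from the original thread. Assumes top-level folders
// named dev, test and prod, and agents labelled with the same names.
def allowedEnvs = ['dev', 'test', 'prod']

// JOB_NAME for a job inside a folder looks like "prod/my-app/deploy",
// so the first path element is the environment folder.
def envFolder = env.JOB_NAME.tokenize('/')[0]
if (!(envFolder in allowedEnvs)) {
    error "Job ${env.JOB_NAME} is not under an environment folder; refusing to run"
}

// Combine the environment label with a capability label using &&,
// as in the answer above. Only agents in that network can be scheduled.
node("${envFolder} && linux") {
    echo "Running ${env.JOB_NAME} on ${env.NODE_NAME} (labels: ${env.NODE_LABELS})"

    // Belt and braces: confirm the agent actually carries the environment
    // label before running anything that touches that network.
    if (!env.NODE_LABELS.tokenize(' ').contains(envFolder)) {
        error "Agent ${env.NODE_NAME} is not labelled for ${envFolder}"
    }

    // build and deploy steps for this environment go here
    sh 'hostname; ip addr show | grep "inet "'
}
```

Because the label is computed from the folder rather than typed into each job, a job copied from the dev folder into the prod folder automatically switches to prod agents instead of silently keeping a dev label.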

One of the possibilities is to deploy a regular webserver in front of it and use its IP address per URL restriction facilities (similar to Jenkins : Apache frontend for security)

Jenkins uses Jetty as the web server, and Jetty has the necessary tools to do that, but I don’t know how to convince the built-in Jetty to restrict access by IP and URL. Of course Jenkins can be run inside of Jetty, but this is probably not the simplest setup possible.

Do you mean by this that you have agents connected from the different networks and you want to make sure that jobs that correspond to the network are only able to use agents from that network?
If yes, you could enable node-based security and grant build permission for the nodes to only those groups. Then use the Authorize Project plugin to make sure the job is always run as a user from that AD group; ideally this is a technical user and not a regular user belonging to a person.
This would prevent jobs from the dev network from running on agents in the production network. But in case of a misconfiguration in a job/pipeline it can lead to hanging builds if you try to use an agent you don’t have permission to build on.

I am so new to Jenkins that I was not even aware of how the agents work. I am still doing more reading and all of the suggestions I am reviewing. I did find some documentation on setting up the agents and we are in the process of building new servers to push the agent to. I am reviewing the suggestion from both Elliott and yourself.
