Overview

Jenkins is an open source automation server which enables developers to reliably build, test, and deploy their software. As a Banyan Administrator, you can securely expose and protect your team’s Jenkins automation server.

Prerequisites

Setup

Step 1. Create a Policy

2.1 Log in to the Banyan Command Center and navigate to Secure Access > Policies > Create New Policy.

1.2 Create a new Policy using the template Basic Authorization Policy for Users.

1.3 Enter a Policy Name (such as, hosted-service) and a Description.

1.4 Configure the Policy Attributes for minimal controls:

  • Specify this policy is intended for Web - for accessing HTTP services via web browser
  • Only allow access from the following role: ANY
  • Only allow users and devices with the following Trust Levels: No Trust Level - ignore TrustScore (or a Trust Level according to your organization’s security requirements)

Step 2. Register Jenkins as a Hosted Service

2.1 Navigate to Manage Services > Hosted Services and then click + Register Service.

2.2 Select the template Standard Website.

2.3 Enter the Service Name (such as, Jenkins) and Description (such as Access to hosted Jenkins service).

2.4 Click Select an Icon, then search for and select the Jenkins icon.

2.5 Select the cluster where the applicable Access Tier is located.

2.6 Configure the Service Attributes:

  • Enter the Service Domain Name of the Access Tier behind which the Jenkins service is deployed (such as, jenkins.(Access Tier site domain name)) and leave the port as 443.
  • Set the enforcement model to Site-based (Access Tier) and then select the applicable Site (Access Tier).
  • Enter the Backend Domain Name and Port.
  • Enable TLS if Access Tier will be communicating to the backend web service using TLS.

2.7 Attach the policy we had previously created in Step 1.4, and then set enforcement mode to Enforcing.

2.8 Click Register Service.

Additionally, if you need Jenkins to communicate with a third-party service (such as GitHub or GitLab), you can create a custom service to configure source IP exceptions.

Step 3. Navigate to Jenkins and log in to your IdP

3.1 Now, you can navigate to Jenkins and authenticate via your IdP.

You will be taken to your Identity Provider to login while, behind the scenes, Banyan is evaluating device posture and enforcing your security policies.

Notes

Add Source IP Exception

If your organization hosts software development and version control in a repo platform (such as GitLab or GitHub) and needs to trigger automated builds in Jenkins via webhooks, create a custom service to configure source IP exceptions.

In this scenario, the git repo indicates to Jenkins there has been a commit update. With source IP exceptions configured, Banyan Access Tiers will skip authentication of the request and begin the automated build proceeds without any end-user authentication or interaction.

When configuring the custom service’s Service Attributes, set the enabled flag to true. Then, set the source_cidrs to the exact IP or CIDR range of the repo service.



Last modified: Sep 23, 2021