1. Overview

CloudBees Core is the successor to CloudBees Jenkins Platform and CloudBees Jenkins Enterprise. This article explains how to integrate the Prisma Cloud Jenkins plugin with a CloudBees Core build pipeline running in a Kubernetes cluster.

2. Key concepts

Refer to the article on setting up a Jenkins Pipeline in Kubernetes, as the core concepts are the same. In the case of CloudBees Core on Kubernetes, much of the configuration is already done and the pipeline script is simpler because the JNLP Agent/Slave container is launched automatically. The only tricky bit of configuration is determining the group ID (gid) of the docker group on your Kubernetes hosts, and using it to add some YAML to the default JNLP Agent/Slave pod configuration in CloudBees core. This allows a pod running your pipeline to build and scan images using the mapped Docker socket of the underlying hosts.

3. Integrating Prisma Cloud

After installing the Prisma Cloud Jenkins plugin, configure the default pod template.

Prerequisites:

  • You have set up a Kubernetes cluster using the Docker runtime and can SSH to nodes (see gid note below).

  • You have installed Prisma Cloud Console. You can install Prisma Cloud inside or outside of the cluster, as long as any cluster node can reach Console over the network.

  • You have installed CloudBees Core in your cluster. The CloudBees Core Install Guides are very helpful.

  • You’ve built or identified an image for your Docker build executor that contains the docker binary. See an example Dockerfile below.

  • You have installed the Prisma Cloud Jenkins plugin.

  1. Get the docker group ID (GID) used by the hosts in your Kubernetes cluster.

    1. SSH to a node in the cluster.

    2. Get the docker group GID. Copy it and set it aside for now.

      $ sudo grep docker /etc/group
  2. Log into the CloudBees Core console, and navigate to <CLOUDBEES_CONSOLE>/cjoc/view/All/.

  3. Click on kubernetes shared cloud.

    [Screenshot: cloudbees core cjoc all]
  4. In the left navigation bar, click on Configure.

  5. Scroll down to the Kubernetes pod template section. You’ll notice a pod template named default-java with a single container named jnlp.

    [Screenshot: cloudbees core pod template]
  6. Scroll to the bottom of the section. In Raw yaml for the Pod, enter the following snippet, replacing <GID> with the docker GID for your environment.

    spec:
      securityContext:
        fsGroup: <GID>
  7. Grant all containers in the pod access to the underlying host’s Docker socket (unless you do this manually in the pipeline script).

    1. Scroll up to the Volumes section.

    2. Add a Host Path Volume to the pod template.

    3. In both Host path and Mount path, enter /var/run/docker.sock.

  8. Add a second container to the pod template.

    In addition to the JNLP agent/slave, you’ll also want to spin up a container with the docker binary inside of it. Use the official docker image from DockerHub and name it build, although you could use any image with the docker client command installed in it. The docker client will use the Docker socket mounted from the underlying host.

    1. Scroll up to the Container Template section.

    2. Click Add Container.

    3. In Name, enter build.

    4. In Docker image, enter docker.

    5. In Working directory, enter /home/jenkins.

    6. In Command to run, enter /bin/sh -c.

    7. In Arguments to pass to the command, enter cat.

    8. Enable Allocate pseudo-TTY.

  9. Your CloudBees Core pod template config page should look like the following screenshot.
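The pod spec that steps 1 to 8 build up through the UI, rendered by an added shell example (not from the Prisma Cloud or CloudBees documentation): it reads the docker GID from an /etc/group file as in step 1 and emits the equivalent pod YAML for the fsGroup, the docker.sock volume and the build container. The group-file path and the constructed /etc/group sample are assumptions; in CloudBees Core only the securityContext block goes into Raw yaml for the Pod, the volume and container are added with the UI fields described above.

```shell
#!/bin/sh
# Added example: derive the docker GID (step 1) and render the pod template
# that steps 6-8 configure in the CloudBees Core UI.

# Print the numeric GID of the "docker" group from the given group file
# (step 1); exit non-zero if the host has no such group.
docker_gid() {
  awk -F: '$1 == "docker" { print $3; found=1 } END { exit !found }' "$1"
}

# Render the pod spec. fsGroup adds the host docker GID as a supplementary
# group to every container, so processes can open /var/run/docker.sock
# (root:docker, mode 660) once it is mounted from the host. "cat" keeps the
# build container idle so pipeline steps can exec into it. Any job using this
# template controls the host's Docker daemon, so limit who can use it.
render_pod_template() {
  gid="$1"
  cat <<EOF
spec:
  securityContext:
    fsGroup: ${gid}
  volumes:
  - name: docker-sock
    hostPath:
      path: /var/run/docker.sock
  containers:
  - name: build
    image: docker
    workingDir: /home/jenkins
    command: ["/bin/sh", "-c"]
    args: ["cat"]
    tty: true
    volumeMounts:
    - name: docker-sock
      mountPath: /var/run/docker.sock
EOF
}

# Constructed /etc/group sample so the example runs offline; on a real node
# pass /etc/group to docker_gid instead.
sample_group_file() {
  f=$(mktemp)
  printf 'root:x:0:\ndocker:x:998:jenkins\nusers:x:100:\n' > "$f"
  echo "$f"
}

main() {
  f=$(sample_group_file)
  gid=$(docker_gid "$f") || { echo "no docker group in $f" >&2; return 1; }
  render_pod_template "$gid"
  rm -f "$f"
}
main "$@"
```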