Installing the Operator

How to install Jenkins Operator

This document describes installation procedure for Jenkins Operator. All container images can be found at virtuslab/jenkins-operator Docker Hub repository.


To run Jenkins Operator, you will need:

  • access to a Kubernetes cluster version 1.17+
  • kubectl version 1.17+

Listed below are the two ways to deploy Jenkins Operator.

Deploy Jenkins Operator using YAML’s

First, install Jenkins Custom Resource Definition:

kubectl apply -f 

Then, install the Operator and other required resources:

kubectl apply -f

Watch Jenkins Operator instance being created:

kubectl get pods -w

Now Jenkins Operator should be up and running in the default namespace. For deploying Jenkins, refer to Deploy Jenkins section.

Deploy Jenkins Operator using Helm Chart

Alternatively, you can also use Helm to install the Operator (and optionally, by default, Jenkins). It requires the Helm 3+ for deployment.

Create a namespace for the operator:

$ kubectl create namespace <your-namespace>

To install, you need only to type these commands:

$ helm repo add jenkins
$ helm install <name> jenkins/jenkins-operator -n <your-namespace>

To add custom labels and annotations, you can use values.yaml file or pass them into helm install command, e.g.:

$ helm install <name> jenkins/jenkins-operator -n <your-namespace> --set jenkins.labels.LabelKey=LabelValue,jenkins.annotations.AnnotationKey=AnnotationValue

You can further customize Jenkins using values.yaml:

Jenkins instance configuration

Field Default value Description

operator is section for configuring operator deployment

enabled true Enabled can enable or disable the Jenkins instance. Set to false if you have configured CR already and/or you want to deploy an operator only.
apiVersion Version of the CR manifest. The recommended and default value is More info
name jenkins Name of resource. The pod name will be jenkins-<name> (name will be set as suffix).
namespace default Namespace the resources will be deployed to. It's not recommended to use default namespace. Create new namespace for jenkins (e.g. kubectl create -n jenkins)
labels {} Labels are injected into metadata labels field.
annotations {} Annotations are injected into metadata annotations field.
image jenkins/jenkins:lts Image is the name (and tag) of the Jenkins instance. It's recommended to use LTS (tag: "lts") version.
env [] Env contains jenkins container environment variables.
imagePullPolicy Always Defines policy for pulling images
priorityClassName "" PriorityClassName indicates the importance of a Pod relative to other Pods. More info
disableCSRFProtection false disableCSRFProtection can enable or disable operator built-in CSRF protection. Set it to true if you are using OpenShift Jenkins Plugin. More info
imagePullSecrets [] Used if you want to pull images from private repository More info
notifications [] Notifications is feature that notify user about Jenkins reconcilation status More info
- name: kubernetes
  version: "1.25.2"
- name: workflow-job
  version: "2.39"
- name: workflow-aggregator
  version: "2.6"
- name: git
  version: "4.2.2"
- name: job-dsl
  version: "1.77"
- name: configuration-as-code
  version: "1.38"
- name: kubernetes-credentials
  version: "0.13"
Plugins installed and required by the operator shouldn't contain plugins defined by user You can change their versions here More info
plugins [] Plugins required by the user. You can define plugins here. More info Example:
 - name: simple-theme-plugin
   version: 0.5.1
seedJobs [] Placeholder for jenkins seed jobs For seed job creation tutorial, check:
Prepare seed jobs
Configure seed jobs
- id: jenkins-operator
  targets: "cicd/jobs/*.jenkins"
  description: "Jenkins Operator repository"
  repositoryBranch: master
  cpu: 1500m
  memory: 3Gi
  cpu: 1
  memory: 500M
Resource limit/request for Jenkins More info
- name: backup
    claimName: jenkins-backup
Volumes used by Jenkins By default, we are only using PVC volume for storing backups.
volumeMounts [] volumeMounts are mounts for Jenkins pod.
securityContext runAsUser: 1000 fsGroup: 1000 SecurityContext for pod.
service not implemented Http Jenkins service. See for details.
slaveService not implemented Slave Jenkins service. See for details.
  failureThreshold: 12
    path: /login
    port: http
    scheme: HTTP
  initialDelaySeconds: 80
  periodSeconds: 10
  successThreshold: 1
  timeoutSeconds: 5
livenessProbe for Pod
  failureThreshold: 3
    path: /login
    port: http
    scheme: HTTP
  initialDelaySeconds: 30
  periodSeconds: 10
  successThreshold: 1
  timeoutSeconds: 1
readinessProbe for Pod


Backup is section for configuring operator's backup feature By default backup feature is enabled and pre-configured This section simplifies the configuration described here: Configuring backup and restore For customization tips see Custom backup and restore


Section where we can configure Jenkins instance. See Customizing Jenkins for details

Configuring operator deployment

Field Default value Description

operator is section for configuring operator deployment

1 Number of Replicas.
image virtuslab/jenkins-operator:v0.4.0 Name (and tag) of the Jenkins Operator image.
imagePullPolicy IfNotPresent Defines policy for pulling images.
imagePullSecrets [] Used if you want to pull images from private repository.
nameOverride "" nameOverride overrides the app name.
fullnameOverride "" fullnameOverride overrides the deployment name
resources {}
nodeSelector {}
tolerations {}
affinity {}


(Appears on: JenkinsConfiguration)

Backup defines configuration of Jenkins backup.

Field Default value Description
enabled true Enabled is enable/disable switch for backup feature.
image virtuslab/jenkins-operator-backup-pvc:v0.0.8 Image used by backup feature.
containerName backup Backup container name.
interval 30 Defines how often make backup in seconds.
makeBackupBeforePodDeletion true When enabled will make backup before pod deletion.
backupCommand /home/user/bin/ Backup container command.
restoreCommand /home/user/bin/ Backup restore command.

Persistent Volume Claim Kubernetes resource

enabled true Enable/disable switch for PVC
enabled true Enable/disable switch for PVC
size 5Gi Size of PVC
className "" StorageClassName for PVC More info
- name: BACKUP_DIR
  value: /backup
  value: /jenkins-home
  value: "3"
Contains container environment variables. PVC backup provider handles these variables:
BACKUP_DIR - path for storing backup files (default: "/backup")
JENKINS_HOME - path to jenkins home (default: "/jenkins-home")
BACKUP_COUNT - define how much recent backups will be kept
- name: jenkins-home
  mountPath: /jenkins-home
- mountPath: /backup
  name: backup
Holds the mount points for volumes.


(Appears on: Jenkins instance configuration)

Field Default value Description
configurationAsCode {} ConfigurationAsCode defines configuration of Jenkins customization via Configuration as Code Jenkins plugin. Example:
- configMapName: jenkins-casc
  content: {}
groovyScripts {} GroovyScripts defines configuration of Jenkins customization via groovy scripts. Example:
- configMapName: jenkins-gs
  content: {}
secretRefName “” secretRefName of existing secret (previously created).
secretData {} If secretRefName is empty, secretData creates new secret and fills with data provided in secretData.

Note on Operator’s nightly built images

If you wish to use the newest, not yet released version of the Operator, you can use one of nightly built snapshot images, however the maintainers of this project cannot guarantee their stability.

You can find nightly built images by heading to virtuslab/jenkins-operator Docker Hub repository and looking for images with tag in the form of {git-hash}, {git-hash} being the hash of master branch commit that you want to use snapshot of.

Note on restricted Jenkins controller pod volumeMounts

Current design of the Operator puts an emphasis on creating a full GitOps flow of work for Jenkins users. One of the key points of this design is maintaining an immutable state of Jenkins.

One of the prerequisites of this is an ephemeral Jenkins home directory. To achieve that, Operator mounts emptyDir Volume (jenkins-home) as Jenkins home directory. It is not possible to overwrite volumeMount and specify any other Volume for Jenkins home directory, as attempting to do so will result in Operator error.

jenkins-home is not the only Jenkins controller pod volumeMount that is non-configurable and managed by Operator, below is the full list of those volumeMounts:

  • jenkins-home
  • scripts
  • init-configuration
  • operator-credentials

Validating Webhook

Validating webhook can be used in order to increase the Operator’s capabilities to monitor security issues. It will look for security vulnerabilities in the base and requested plugins. It can be easily installed via Helm charts by setting webhook.enabled in values.yaml.

Note: The webhook takes some time to get up and running. It’s recommended to first deploy the Operator and later Jenkins Custom Resource by using toggles in values.yaml. For the installation with yaml manifests (without using Helm chart), first, install cert-manager:

kubectl apply -f 

It takes some time to get cert-manager up and running. Then, install the webhook and other required resources:

kubectl apply -f

Now, download the manifests for the operator and other resources from here and provide these additional fields in the Operator manifest:

apiVersion: apps/v1
kind: Deployment
  name: jenkins-operator
    control-plane: controller-manager
      control-plane: controller-manager
  replicas: 1
        control-plane: controller-manager
      serviceAccountName: jenkins-operator
        runAsUser: 65532
      - command:
        - /manager
        - --leader-elect
        - --validate-security-warnings
        image: virtuslab/jenkins-operator:v0.7.0
        name: jenkins-operator
        imagePullPolicy: IfNotPresent
          allowPrivilegeEscalation: false
            path: /healthz
            port: 8081
          initialDelaySeconds: 15
          periodSeconds: 20
            path: /readyz
            port: 8081
          initialDelaySeconds: 5
          periodSeconds: 10
            cpu: 200m
            memory: 100Mi
            cpu: 100m
            memory: 20Mi
          - name: WATCH_NAMESPACE
                fieldPath: metadata.namespace
          - mountPath: /tmp/k8s-webhook-server/serving-certs
            name: webhook-certs
            readOnly: true       
      - name: webhook-certs
          defaultMode: 420
          secretName: jenkins-webhook-certificate
      terminationGracePeriodSeconds: 10

To enable security validation in the Jenkins Custom Resource, set


Last modified December 8, 2021