Harness Platform Administration Skill
Comprehensive Harness Platform administration for delegates, RBAC, connectors, secrets, templates, OPA policies, and governance.
Platform Hierarchy
Account (Root)
├── Organization
│   ├── Project
│   │   ├── Pipelines, Services, Environments
│   │   ├── Connectors (project-level)
│   │   └── Secrets (project-level)
│   ├── Connectors (org-level)
│   └── Secrets (org-level)
├── Delegates
├── Secrets (account-level)
└── User Management
Harness Delegates
Types: Kubernetes (Helm, YAML), Docker, Shell, ECS
Kubernetes Helm Install:
helm repo add harness-delegate https://app.harness.io/storage/harness-download/delegate-helm-chart/
helm install harness-delegate harness-delegate/harness-delegate-ng \
  --namespace harness-delegate --create-namespace \
  --set accountId="${HARNESS_ACCOUNT_ID}" \
  --set delegateToken="${DELEGATE_TOKEN}" \
  --set delegateName="prod-delegate" \
  --set replicas=2
Delegate Selectors: Route tasks to specific delegates with labels (e.g., production, aws, k8s)
Troubleshooting:
kubectl get pods -n harness-delegate
kubectl logs -n harness-delegate -l app=harness-delegate --tail=100
kubectl exec deployment/harness-delegate -n harness-delegate -- curl -s localhost:8080/api/health
RBAC (Role-Based Access Control)
Built-in Roles:
- Account Admin (full access)
- Account Viewer (read-only)
- Organization Admin (org-level)
- Project Admin (project-level)
- Pipeline Executor (execute only)
- Pipeline Viewer (view only)
Resource Types: PIPELINE, SERVICE, ENVIRONMENT, CONNECTOR, SECRET, INFRASTRUCTURE
Custom Role Example:
role:
  name: Deployment Manager
  permissions:
    - resourceType: PIPELINE
      actions: [core_pipeline_view, core_pipeline_execute]
    - resourceType: SERVICE
      actions: [core_service_view, core_service_access]
    - resourceType: ENVIRONMENT
      actions: [core_environment_view, core_environment_access]
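As an added example (not Harness code), a small linter for custom-role definitions shaped like the one above. It checks that each permission targets one of the resource types listed earlier, that every action is namespaced under its resource (`core_<resource>_<verb>`), and it flags write-capable actions on credential-bearing resources so the role gets a least-privilege review before it is bound to a group. The read-only verb list, the "high-value" resource classification and both sample roles are this example's own assumptions.

```python
# Added example: linter for Harness custom-role dicts (the YAML above loaded as a dict).
# RESOURCE_TYPES comes from the page; the verb allowlist and the high-value
# classification are assumptions made for this example, not Harness definitions.

RESOURCE_TYPES = {"PIPELINE", "SERVICE", "ENVIRONMENT", "CONNECTOR", "SECRET", "INFRASTRUCTURE"}
READ_ONLY_VERBS = {"view", "access", "execute"}      # assumed: verbs that do not change state
HIGH_VALUE_RESOURCES = {"SECRET", "CONNECTOR"}       # assumed: resources that carry credentials


def lint_role(role: dict) -> list[str]:
    """Return a list of findings for a role dict; an empty list means nothing to review."""
    findings = []
    for perm in role.get("permissions", []):
        rtype = perm.get("resourceType", "")
        if rtype not in RESOURCE_TYPES:
            findings.append(f"unknown resourceType {rtype!r}")
            continue
        prefix = f"core_{rtype.lower()}_"
        for action in perm.get("actions", []):
            # Every Harness action is namespaced by its resource; a mismatch is a copy-paste error.
            if not action.startswith(prefix):
                findings.append(f"action {action!r} does not belong to {rtype} (expected prefix {prefix!r})")
                continue
            verb = action[len(prefix):]
            if verb not in READ_ONLY_VERBS and rtype in HIGH_VALUE_RESOURCES:
                findings.append(f"write-capable action {action!r} on {rtype}: review before binding")
    return findings


# Constructed sample roles (the first mirrors the page's example).
DEPLOYMENT_MANAGER = {
    "name": "Deployment Manager",
    "permissions": [
        {"resourceType": "PIPELINE", "actions": ["core_pipeline_view", "core_pipeline_execute"]},
        {"resourceType": "SERVICE", "actions": ["core_service_view", "core_service_access"]},
        {"resourceType": "ENVIRONMENT", "actions": ["core_environment_view", "core_environment_access"]},
    ],
}

OVERBROAD = {
    "name": "Ops Helper",
    "permissions": [
        {"resourceType": "SECRET", "actions": ["core_secret_view", "core_secret_edit"]},
        {"resourceType": "PIPELINE", "actions": ["core_service_view"]},   # wrong namespace
        {"resourceType": "PIPELINES", "actions": ["core_pipeline_view"]}, # typo in resource type
    ],
}

if __name__ == "__main__":
    for role in (DEPLOYMENT_MANAGER, OVERBROAD):
        print(role["name"], lint_role(role) or ["no findings"])
```

Run it on a role exported from the API (the `roles` endpoint listed later on this page) after loading the JSON into a dict; a clean result for the page's own role and three findings for the constructed over-broad one is the expected outcome.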
User Groups & Role Binding:
- Create groups by team/function
- Bind roles to groups with resource groups
- Support SAML/SSO integration
- Service accounts for automation with API keys (90-day default expiry)
Connectors
Cloud Connectors:
- AWS: ManualConfig (access/secret key) or IRSA (recommended for EKS)
- GCP: Service account key
- Azure: App ID, Tenant ID, Client Secret
Kubernetes:
- Manual: Master URL + Service Account token
- In-cluster: InheritFromDelegate (simplest)
Container Registries: Docker Hub, ECR, GCR, ACR
Test Connector:
curl -X POST "https://app.harness.io/gateway/ng/api/connectors/testConnection/${CONNECTOR_ID}" \
  -H "x-api-key: ${HARNESS_API_KEY}" \
  -H "Content-Type: application/json" \
  -d '{"accountIdentifier":"...", "orgIdentifier":"...", "projectIdentifier":"..."}'
Secrets Management
Secret Managers: Harness Built-in (Google KMS), HashiCorp Vault, AWS Secrets Manager, GCP Secret Manager, Azure Key Vault
Vault Connector:
connector:
  type: Vault
  spec:
    vaultUrl: https://vault.company.com
    basePath: harness
    authToken: <+secrets.getValue("vault_root_token")>
    renewalIntervalMinutes: 60
    secretEngineVersion: 2
Secret References:
- Harness: <+secrets.getValue("my_secret")>
- Vault: <+secrets.getValue("vault://secret/data/myapp#api_key")>
- AWS SM: <+secrets.getValue("awsSecretsManager://prod/database")>
Templates
Types: Step, Stage, Pipeline, StepGroup (reusable across pipelines)
Step Template Example:
template:
  name: Notify Slack
  type: Step
  spec:
    type: ShellScript
    spec:
      shell: Bash
      script: |
        curl -X POST "$SLACK_WEBHOOK" \
          -H 'Content-Type: application/json' \
          -d '{"text":"<+input>"}'
Using Templates in Pipeline:
template:
  templateRef: standard_k8s_deploy
  versionLabel: "1.0.0"
  templateInputs:
    spec:
      service:
        serviceRef: my_service
      environment:
        environmentRef: production
Policy as Code (OPA)
Policy Structure (Rego):
package pipeline

import future.keywords.in

# Deny production deploys without approval
deny[msg] {
    some stage in input.pipeline.stages
    stage.stage.spec.environment.environmentRef == "production"
    not has_approval_step(input.pipeline)
    msg := "Production requires approval step"
}

# Require delegate selectors
deny[msg] {
    some stage in input.pipeline.stages
    stage.stage.spec.environment.environmentRef == "production"
    not stage.stage.spec.infrastructure.spec.delegateSelectors
    msg := "Production must specify delegate selectors"
}

# Helper not defined on the original page; assumed here to mean
# "the pipeline contains a stage of type Approval".
has_approval_step(pipeline) {
    some stage in pipeline.stages
    stage.stage.type == "Approval"
}
Policy Set Configuration:
policySet:
  name: Production Governance
  policySetType: Pipeline
  policies:
    - policyRef: require_approval
      severity: error
    - policyRef: require_delegate_selectors
      severity: error
  entitySelector:
    - type: PIPELINE
      filter:
        - key: projectIdentifier
          value: production_project
Evaluation Points: On Save, On Run
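As an added example (not Harness or OPA code), a Python mirror of the two Rego deny rules above. Its purpose is to make the input shape the policy reads (`input.pipeline.stages[].stage.spec.environment` and `.infrastructure.spec.delegateSelectors`) concrete, and to exercise the rules on constructed pipelines before the policy set is attached and evaluated on save or on run. `has_approval_step` is not defined on the original page; as in the Rego above it is assumed to mean "some stage has type `Approval`". One caveat the mirror makes visible: the Rego `not ...delegateSelectors` only checks that the key exists, so an empty selector list passes the policy as written.

```python
# Added example: Python equivalent of the Rego `deny` rules, for local testing of
# pipeline inputs. Pipeline shape and the has_approval_step semantics are assumptions.
from typing import Optional


def _stages(pipeline: dict) -> list[dict]:
    """The `stage` objects inside pipeline.stages[] (the shape the Rego indexes)."""
    return [s.get("stage", {}) for s in pipeline.get("stages", [])]


def _env_ref(stage: dict) -> Optional[str]:
    return stage.get("spec", {}).get("environment", {}).get("environmentRef")


def has_approval_step(pipeline: dict) -> bool:
    # Assumed meaning of the page's undefined helper: an Approval stage exists anywhere.
    return any(s.get("type") == "Approval" for s in _stages(pipeline))


def deny(pipeline: dict) -> list[str]:
    """Messages the policy would emit; deduplicated like OPA's `deny` partial set."""
    msgs: list[str] = []
    for stage in _stages(pipeline):
        if _env_ref(stage) != "production":
            continue
        if not has_approval_step(pipeline):
            msgs.append("Production requires approval step")
        selectors = (stage.get("spec", {}).get("infrastructure", {})
                     .get("spec", {}).get("delegateSelectors"))
        # Mirrors Rego `not x`: only an undefined (missing) key denies; [] is defined and passes.
        if selectors is None:
            msgs.append("Production must specify delegate selectors")
    return list(dict.fromkeys(msgs))


# Constructed sample pipelines in the shape the policy reads.
def prod_stage(selectors: Optional[list]) -> dict:
    spec = {"environment": {"environmentRef": "production"}}
    if selectors is not None:
        spec["infrastructure"] = {"spec": {"delegateSelectors": selectors}}
    return {"stage": {"name": "deploy", "type": "Deployment", "spec": spec}}


APPROVAL_STAGE = {"stage": {"name": "gate", "type": "Approval", "spec": {}}}

NON_COMPLIANT = {"stages": [prod_stage(None)]}
COMPLIANT = {"stages": [APPROVAL_STAGE, prod_stage(["production", "k8s"])]}
DEV_ONLY = {"stages": [{"stage": {"type": "Deployment",
                                   "spec": {"environment": {"environmentRef": "dev"}}}}]}
EMPTY_SELECTORS = {"stages": [APPROVAL_STAGE, prod_stage([])]}

if __name__ == "__main__":
    for name, p in [("non-compliant", NON_COMPLIANT), ("compliant", COMPLIANT),
                    ("dev-only", DEV_ONLY), ("empty-selectors", EMPTY_SELECTORS)]:
        print(name, deny(p) or ["allow"])
```

If an empty selector list should also be rejected, tighten the Rego to `count(stage.stage.spec.infrastructure.spec.delegateSelectors) > 0` inside the deny body rather than relying on `not`.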
Audit Logs
Query Logs:
curl -X POST "https://app.harness.io/gateway/ng/api/audits/list" \
  -H "x-api-key: ${HARNESS_API_KEY}" \
  -H "Content-Type: application/json" \
  -d '{"accountIdentifier":"...", "pageIndex":0, "pageSize":20}'
Event Types: CREATE, UPDATE, DELETE, LOGIN, PIPELINE_START, PIPELINE_END
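As an added example (not Harness code), the audit query above turned into a paginating reader with a triage pass over the entries, the kind of routine review the best-practices section calls for. The URL, header and request body follow the page; the response field names (`data.content`, `data.totalPages`, and per-entry `action`, `resource.type`, `principal.identifier`, `timestamp`), the resource-type names treated as sensitive, and the sample pages are this example's assumptions, constructed so the code runs offline against an in-memory transport.

```python
# Added example: paginate the audit-list API and flag the entries worth reading first.
# Request shape is from the page; response shape, sensitive-resource names and
# sample data are assumptions constructed for this example.
import json
import os
from typing import Callable, Iterator, Optional

AUDIT_URL = "https://app.harness.io/gateway/ng/api/audits/list"
SENSITIVE_RESOURCES = {"SECRET", "CONNECTOR", "ROLE", "USER_GROUP", "SERVICE_ACCOUNT"}  # assumed names
SENSITIVE_ACTIONS = {"DELETE", "UPDATE"}   # from the page's event types


def build_audit_request(account_id: str, page_index: int = 0, page_size: int = 20,
                        api_key: Optional[str] = None):
    """(url, headers, body) for one page; the key comes from the argument or HARNESS_API_KEY."""
    key = api_key or os.environ.get("HARNESS_API_KEY")
    if not key:
        raise RuntimeError("HARNESS_API_KEY is not set")
    headers = {"x-api-key": key, "Content-Type": "application/json"}
    body = json.dumps({"accountIdentifier": account_id, "pageIndex": page_index, "pageSize": page_size})
    return AUDIT_URL, headers, body


def iter_audit_entries(send: Callable[[str, dict, str], dict], account_id: str,
                       page_size: int = 20, api_key: Optional[str] = None,
                       max_pages: int = 1000) -> Iterator[dict]:
    """Walk pageIndex 0..totalPages-1; `send` performs the POST and returns parsed JSON."""
    page = 0
    while page < max_pages:                      # hard stop so a bad totalPages cannot loop forever
        url, headers, body = build_audit_request(account_id, page, page_size, api_key)
        data = send(url, headers, body).get("data", {})
        yield from data.get("content", [])
        page += 1
        if page >= data.get("totalPages", 1):
            break


def flag_sensitive(entries: list[dict]) -> list[str]:
    """One line per DELETE/UPDATE on a credential- or access-related resource."""
    flagged = []
    for e in entries:
        action = e.get("action")
        resource = e.get("resource", {})
        if action in SENSITIVE_ACTIONS and resource.get("type") in SENSITIVE_RESOURCES:
            who = e.get("principal", {}).get("identifier", "?")
            flagged.append(f"{e.get('timestamp')} {action} {resource.get('type')} "
                           f"{resource.get('identifier')} by {who}")
    return flagged


# Constructed sample response pages (two pages, three entries).
SAMPLE_PAGES = [
    {"data": {"content": [
        {"timestamp": "2024-05-01T10:00:00Z", "action": "CREATE",
         "resource": {"type": "PIPELINE", "identifier": "deploy"}, "principal": {"identifier": "alice"}},
        {"timestamp": "2024-05-01T10:05:00Z", "action": "DELETE",
         "resource": {"type": "SECRET", "identifier": "db_password"}, "principal": {"identifier": "svc-ci"}},
    ], "totalPages": 2}},
    {"data": {"content": [
        {"timestamp": "2024-05-01T10:09:00Z", "action": "LOGIN",
         "resource": {"type": "USER", "identifier": "bob"}, "principal": {"identifier": "bob"}},
    ], "totalPages": 2}},
]


def sample_send(url: str, headers: dict, body: str) -> dict:
    """Constructed stand-in for the HTTP POST: serves canned pages by pageIndex."""
    return SAMPLE_PAGES[json.loads(body)["pageIndex"]]


if __name__ == "__main__":
    entries = list(iter_audit_entries(sample_send, "acct_placeholder", page_size=2, api_key="example-key"))
    print(len(entries), "entries;", *flag_sensitive(entries), sep="\n")
```

To run it against the real API, replace `sample_send` with a function that POSTs `body` to `url` with `headers` (for example via `urllib.request`) and returns the parsed JSON; the pagination and triage logic stays the same.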
API Reference
Authentication:
API Key
curl -H "x-api-key: ${HARNESS_API_KEY}"
Bearer Token
curl -H "Authorization: Bearer ${TOKEN}"
Common Endpoints:
- Users: GET /ng/api/user/users
- User Groups: GET /ng/api/user-groups
- Roles: GET /ng/api/roles
- Resource Groups: GET /ng/api/resourcegroup
- Connectors: GET /ng/api/connectors
- Secrets: GET /ng/api/v2/secrets
- Delegates: GET /ng/api/delegate-token-ng
- Templates: GET /template/api/templates
- Audit Logs: POST /ng/api/audits/list
Create Project:
curl -X POST "https://app.harness.io/gateway/ng/api/projects" \
  -H "x-api-key: ${HARNESS_API_KEY}" \
  -H "Content-Type: application/json" \
  -d '{"project":{"name":"My Project","identifier":"my_project","orgIdentifier":"default"}}'
Best Practices
Delegate Management:
- Deploy 2+ replicas for HA
- Resource sizing: 2GB RAM, 0.5 CPU minimum
- Use meaningful tags for routing
- Enable auto-upgrade
- Monitor and export metrics
Security:
- Least privilege RBAC
- Use external secret managers with rotation
- Service accounts for automation
- Regular audit log review
- OPA for governance enforcement
Organization:
- Logical org/project hierarchy
- Consistent naming conventions
- Reuse templates across projects
- Document all resources
Related Documentation
- Harness Docs
- Delegate Guide
- RBAC Guide
- Connectors
- Secrets
- Templates
- Governance