Harness Platform Administration Skill
Comprehensive Harness Platform administration for delegates, RBAC, connectors, secrets, templates, OPA policies, and governance.
Platform Hierarchy
```text
Account (Root)
├── Organization
│   ├── Project
│   │   ├── Pipelines, Services, Environments
│   │   ├── Connectors (project-level)
│   │   └── Secrets (project-level)
│   ├── Connectors (org-level)
│   └── Secrets (org-level)
├── Delegates
├── Secrets (account-level)
└── User Management
```
Harness Delegates
Types: Kubernetes (Helm, YAML), Docker, Shell, ECS
Kubernetes Helm Install:
```bash
helm repo add harness-delegate https://app.harness.io/storage/harness-download/delegate-helm-chart/
helm install harness-delegate harness-delegate/harness-delegate-ng \
  --namespace harness-delegate --create-namespace \
  --set accountId="${HARNESS_ACCOUNT_ID}" \
  --set delegateToken="${DELEGATE_TOKEN}" \
  --set delegateName="prod-delegate" \
  --set replicas=2
```
Delegate Selectors: Route tasks to specific delegates with labels (e.g., production, aws, k8s)
Troubleshooting:
```bash
kubectl get pods -n harness-delegate
kubectl logs -n harness-delegate -l app=harness-delegate --tail=100
kubectl exec deployment/harness-delegate -n harness-delegate -- curl -s localhost:8080/api/health
```
RBAC (Role-Based Access Control)
Built-in Roles:
- Account Admin (full access)
- Account Viewer (read-only)
- Organization Admin (org-level)
- Project Admin (project-level)
- Pipeline Executor (execute only)
- Pipeline Viewer (view only)
Resource Types: PIPELINE, SERVICE, ENVIRONMENT, CONNECTOR, SECRET, INFRASTRUCTURE
Custom Role Example:
```yaml
role:
  name: Deployment Manager
  permissions:
    - resourceType: PIPELINE
      actions: [core_pipeline_view, core_pipeline_execute]
    - resourceType: SERVICE
      actions: [core_service_view, core_service_access]
    - resourceType: ENVIRONMENT
      actions: [core_environment_view, core_environment_access]
```
User Groups & Role Binding:
- Create groups by team/function
- Bind roles to groups with resource groups
- Support SAML/SSO integration
- Service accounts for automation with API keys (90-day default expiry)
Connectors
Cloud Connectors:
- AWS: ManualConfig (access/secret key) or IRSA (recommended for EKS)
- GCP: Service account key
- Azure: App ID, Tenant ID, Client Secret

Kubernetes:
- Manual: Master URL + Service Account token
- In-cluster: InheritFromDelegate (simplest)
Container Registries: Docker Hub, ECR, GCR, ACR
Test Connector:
```bash
curl -X POST "https://app.harness.io/gateway/ng/api/connectors/testConnection/${CONNECTOR_ID}" \
  -H "x-api-key: ${HARNESS_API_KEY}" \
  -H "Content-Type: application/json" \
  -d '{"accountIdentifier":"...", "orgIdentifier":"...", "projectIdentifier":"..."}'
```
Secrets Management
Secret Managers: Harness Built-in (Google KMS), HashiCorp Vault, AWS Secrets Manager, GCP Secret Manager, Azure Key Vault
Vault Connector:
```yaml
connector:
  type: Vault
  spec:
    vaultUrl: https://vault.company.com
    basePath: harness
    # Prefer a token scoped to basePath over a Vault root token
    authToken: <+secrets.getValue("vault_root_token")>
    renewalIntervalMinutes: 60
    secretEngineVersion: 2
```
Secret References:
- Harness: `<+secrets.getValue("my_secret")>`
- Vault: `<+secrets.getValue("vault://secret/data/myapp#api_key")>`
- AWS SM: `<+secrets.getValue("awsSecretsManager://prod/database")>`
Templates
Types: Step, Stage, Pipeline, StepGroup (reusable across pipelines)
Step Template Example:
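```yaml
template:
  name: Notify Slack
  type: Step
  spec:
    type: ShellScript
    spec:
      shell: Bash
      # <+input> is substituted into the script text before it runs,
      # so restrict who can supply it and what it may contain
      script: |
        curl -X POST "$SLACK_WEBHOOK" \
          -H 'Content-Type: application/json' \
          -d '{"text":"<+input>"}'
```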
Using Templates in Pipeline:
```yaml
template:
  templateRef: standard_k8s_deploy
  versionLabel: "1.0.0"
  templateInputs:
    spec:
      service:
        serviceRef: my_service
      environment:
        environmentRef: production
```
Policy as Code (OPA)
Policy Structure (Rego):
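```rego
package pipeline

import future.keywords.in

# Deny production deploys without approval
deny[msg] {
    some stage in input.pipeline.stages
    stage.stage.spec.environment.environmentRef == "production"
    not has_approval_step(input.pipeline)
    msg := "Production requires approval step"
}

# Require delegate selectors
deny[msg] {
    some stage in input.pipeline.stages
    stage.stage.spec.environment.environmentRef == "production"
    not stage.stage.spec.infrastructure.spec.delegateSelectors
    msg := "Production must specify delegate selectors"
}

# Helper the rules above call but the page does not define.
# Assumption: an approval is modelled as a stage of type "Approval".
has_approval_step(pipeline) {
    some stage in pipeline.stages
    stage.stage.type == "Approval"
}
```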
Policy Set Configuration:
```yaml
policySet:
  name: Production Governance
  policySetType: Pipeline
  policies:
    - policyRef: require_approval
      severity: error
    - policyRef: require_delegate_selectors
      severity: error
  entitySelector:
    - type: PIPELINE
      filter:
        - key: projectIdentifier
          value: production_project
```
Evaluation Points: On Save, On Run
Audit Logs
Query Logs:
```bash
curl -X POST "https://app.harness.io/gateway/ng/api/audits/list" \
  -H "x-api-key: ${HARNESS_API_KEY}" \
  -H "Content-Type: application/json" \
  -d '{"accountIdentifier":"...", "pageIndex":0, "pageSize":20}'
```
Event Types: CREATE, UPDATE, DELETE, LOGIN, PIPELINE_START, PIPELINE_END
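A review pass over entries returned by the audit query above, as an added example (not Harness code or code from the original page). The entry field names (`action`, `timestamp`, `resource`, `authenticationInfo.principal`) and the sample records are assumptions constructed for illustration; the event and resource type names are the ones listed on this page.

```python
from collections import defaultdict

# Assumed entry shape (not from the page): "action", "timestamp" (epoch ms),
# "resource": {"type", "identifier"}, "authenticationInfo": {"principal": {"identifier"}}.
SENSITIVE_TYPES = {"SECRET", "CONNECTOR"}        # resource types listed on the page
CHANGE_ACTIONS = {"CREATE", "UPDATE", "DELETE"}  # event types listed on the page

def review(events, burst_count=3, burst_window_ms=5 * 60 * 1000):
    """Return (sensitive_changes, delete_bursts) for a list of audit entries."""
    sensitive, deletes = [], defaultdict(list)
    for ev in sorted(events, key=lambda e: e.get("timestamp", 0)):
        action = ev.get("action")
        resource = ev.get("resource", {})
        who = ev.get("authenticationInfo", {}).get("principal", {}).get("identifier", "unknown")
        # Rule 1: any change to a secret or connector is worth a human look.
        if action in CHANGE_ACTIONS and resource.get("type") in SENSITIVE_TYPES:
            sensitive.append((who, action, resource.get("type"), resource.get("identifier")))
        if action == "DELETE":
            deletes[who].append(ev.get("timestamp", 0))
    bursts = {}
    for who, stamps in deletes.items():
        # Rule 2: sliding window over sorted timestamps, largest DELETE run per principal.
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > burst_window_ms:
                start += 1
            run = end - start + 1
            if run >= burst_count:
                bursts[who] = max(bursts.get(who, 0), run)
    return sensitive, bursts

def make_event(ts, who, action, rtype, ident):
    return {"timestamp": ts, "action": action,
            "resource": {"type": rtype, "identifier": ident},
            "authenticationInfo": {"principal": {"identifier": who}}}

T0 = 1_700_000_000_000  # constructed sample data, not real audit output
SAMPLE = [
    make_event(T0, "alice", "LOGIN", "USER", "alice"),
    make_event(T0 + 60_000, "alice", "UPDATE", "SECRET", "vault_token"),
    make_event(T0 + 120_000, "ci-bot", "PIPELINE_START", "PIPELINE", "deploy"),
    make_event(T0 + 180_000, "bob", "DELETE", "CONNECTOR", "aws_prod"),
    make_event(T0 + 200_000, "bob", "DELETE", "PIPELINE", "deploy"),
    make_event(T0 + 240_000, "bob", "DELETE", "SECRET", "db_password"),
    make_event(T0 + 3_600_000, "alice", "DELETE", "SERVICE", "old_svc"),
]

if __name__ == "__main__":
    print(review(SAMPLE))
```

The burst threshold and window are parameters; tune them to the normal deletion rate of your automation service accounts before alerting on the result.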
API Reference
Authentication:
```bash
# API Key
curl -H "x-api-key: ${HARNESS_API_KEY}"
# Bearer Token
curl -H "Authorization: Bearer ${TOKEN}"
```
Common Endpoints:
- Users: `GET /ng/api/user/users`
- User Groups: `GET /ng/api/user-groups`
- Roles: `GET /ng/api/roles`
- Resource Groups: `GET /ng/api/resourcegroup`
- Connectors: `GET /ng/api/connectors`
- Secrets: `GET /ng/api/v2/secrets`
- Delegates: `GET /ng/api/delegate-token-ng`
- Templates: `GET /template/api/templates`
- Audit Logs: `POST /ng/api/audits/list`
Create Project:
```bash
curl -X POST "https://app.harness.io/gateway/ng/api/projects" \
  -H "x-api-key: ${HARNESS_API_KEY}" \
  -H "Content-Type: application/json" \
  -d '{"project":{"name":"My Project","identifier":"my_project","orgIdentifier":"default"}}'
```
Best Practices
Delegate Management:
- Deploy 2+ replicas for HA
- Resource sizing: 2GB RAM, 0.5 CPU minimum
- Use meaningful tags for routing
- Enable auto-upgrade
- Monitor and export metrics
Security:
- Least privilege RBAC
- Use external secret managers with rotation
- Service accounts for automation
- Regular audit log review
- OPA for governance enforcement
Organization:
- Logical org/project hierarchy
- Consistent naming conventions
- Reuse templates across projects
- Document all resources