Harness Platform Administration Skill

Comprehensive Harness Platform administration for delegates, RBAC, connectors, secrets, templates, OPA policies, and governance.

Platform Hierarchy

Account (Root)
├── Organization
│   ├── Project
│   │   ├── Pipelines, Services, Environments
│   │   ├── Connectors (project-level)
│   │   └── Secrets (project-level)
│   ├── Connectors (org-level)
│   └── Secrets (org-level)
├── Delegates
├── Secrets (account-level)
└── User Management

Harness Delegates

Types: Kubernetes (Helm, YAML), Docker, Shell, ECS

Kubernetes Helm Install:

helm repo add harness-delegate https://app.harness.io/storage/harness-download/delegate-helm-chart/
helm install harness-delegate harness-delegate/harness-delegate-ng \
  --namespace harness-delegate --create-namespace \
  --set accountId="${HARNESS_ACCOUNT_ID}" \
  --set delegateToken="${DELEGATE_TOKEN}" \
  --set delegateName="prod-delegate" \
  --set replicas=2

Delegate Selectors: Route tasks to specific delegates with labels (e.g., production, aws, k8s)

Troubleshooting:

kubectl get pods -n harness-delegate
kubectl logs -n harness-delegate -l app=harness-delegate --tail=100
kubectl exec deployment/harness-delegate -n harness-delegate -- curl -s localhost:8080/api/health

RBAC (Role-Based Access Control)

Built-in Roles:

  • Account Admin (full access)
  • Account Viewer (read-only)
  • Organization Admin (org-level)
  • Project Admin (project-level)
  • Pipeline Executor (execute only)
  • Pipeline Viewer (view only)

Resource Types: PIPELINE, SERVICE, ENVIRONMENT, CONNECTOR, SECRET, INFRASTRUCTURE

Custom Role Example:

role:
  name: Deployment Manager
  permissions:
    - resourceType: PIPELINE
      actions: [core_pipeline_view, core_pipeline_execute]
    - resourceType: SERVICE
      actions: [core_service_view, core_service_access]
    - resourceType: ENVIRONMENT
      actions: [core_environment_view, core_environment_access]

User Groups & Role Binding:

  • Create groups by team/function
  • Bind roles to groups with resource groups
  • Support SAML/SSO integration
  • Service accounts for automation with API keys (90-day default expiry)

Connectors

Cloud Connectors:

  • AWS: ManualConfig (access/secret key) or IRSA (recommended for EKS)
  • GCP: Service account key
  • Azure: App ID, Tenant ID, Client Secret

Kubernetes:

  • Manual: Master URL + Service Account token
  • In-cluster: InheritFromDelegate (simplest)

Container Registries: Docker Hub, ECR, GCR, ACR

Test Connector:

curl -X POST "https://app.harness.io/gateway/ng/api/connectors/testConnection/${CONNECTOR_ID}" \
  -H "x-api-key: ${HARNESS_API_KEY}" \
  -H "Content-Type: application/json" \
  -d '{"accountIdentifier":"...", "orgIdentifier":"...", "projectIdentifier":"..."}'

Secrets Management

Secret Managers: Harness Built-in (Google KMS), HashiCorp Vault, AWS Secrets Manager, GCP Secret Manager, Azure Key Vault

Vault Connector:

connector:
  type: Vault
  spec:
    vaultUrl: https://vault.company.com
    basePath: harness
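    # The referenced token should be scoped by Vault policy to basePath;
    # a Vault root token is not restricted by any policy.
    authToken: <+secrets.getValue("vault_root_token")>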
    renewalIntervalMinutes: 60
    secretEngineVersion: 2

Secret References:

  • Harness: <+secrets.getValue("my_secret")>
  • Vault: <+secrets.getValue("vault://secret/data/myapp#api_key")>
  • AWS SM: <+secrets.getValue("awsSecretsManager://prod/database")>

Templates

Types: Step, Stage, Pipeline, StepGroup (reusable across pipelines)

Step Template Example:

template:
  name: Notify Slack
  type: Step
  spec:
    type: ShellScript
    spec:
      shell: Bash
      script: |
        # Quote the webhook URL so the shell does not split or glob it
        curl -X POST "$SLACK_WEBHOOK" \
          -H 'Content-Type: application/json' \
          -d '{"text":"<+input>"}'

Using Templates in Pipeline:

template:
  templateRef: standard_k8s_deploy
  versionLabel: "1.0.0"
  templateInputs:
    spec:
      service:
        serviceRef: my_service
      environment:
        environmentRef: production

Policy as Code (OPA)

Policy Structure (Rego):

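package pipeline

# "some ... in" needs this import on OPA versions before 1.0
import future.keywords.in

# Deny production deploys without approval
deny[msg] {
    some stage in input.pipeline.stages
    stage.stage.spec.environment.environmentRef == "production"
    not has_approval_step(input.pipeline)
    msg := "Production requires approval step"
}

# Require delegate selectors
deny[msg] {
    some stage in input.pipeline.stages
    stage.stage.spec.environment.environmentRef == "production"
    not stage.stage.spec.infrastructure.spec.delegateSelectors
    msg := "Production must specify delegate selectors"
}

# Assumed helper (the original snippet calls it without defining it):
# true when any stage has a step whose type ends in "Approval".
has_approval_step(pipeline) {
    some stage in pipeline.stages
    some s in stage.stage.spec.execution.steps
    endswith(s.step.type, "Approval")
}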
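
The two deny rules above can be exercised offline against sample pipeline documents. The following is an added example, not code from the original page: a Python mirror of both rules run over constructed inputs. It assumes that any step whose type ends in "Approval" counts as an approval step, and it is stricter than the Rego on one point: Rego's `not` only succeeds for undefined or false values, so an empty `delegateSelectors: []` passes the original rule, while this check rejects it.

```python
# Added example (not from the original page): Python mirror of the two
# Rego deny rules, for checking a parsed pipeline document offline.

def _stages(pipeline):
    """Return the inner stage mapping of each pipeline.stages[] entry."""
    return [s.get("stage") or {} for s in pipeline.get("stages") or []]

def has_approval_step(pipeline):
    """Assumption: a step whose type ends in 'Approval' counts as approval."""
    for stage in _stages(pipeline):
        steps = ((stage.get("spec") or {}).get("execution") or {}).get("steps") or []
        for entry in steps:
            if str((entry.get("step") or {}).get("type", "")).endswith("Approval"):
                return True
    return False

def deny(doc):
    """Return sorted violation messages for input shaped like {'pipeline': ...}."""
    pipeline = doc.get("pipeline") or {}
    msgs = set()
    for stage in _stages(pipeline):
        spec = stage.get("spec") or {}
        if (spec.get("environment") or {}).get("environmentRef") != "production":
            continue
        if not has_approval_step(pipeline):
            msgs.add("Production requires approval step")
        infra = (spec.get("infrastructure") or {}).get("spec") or {}
        # Stricter than the Rego `not` check: an empty list is rejected too.
        if not infra.get("delegateSelectors"):
            msgs.add("Production must specify delegate selectors")
    return sorted(msgs)

def _stage(env, step_types, selectors=None):
    """Build a constructed sample stage; selectors=None omits the field."""
    infra = {} if selectors is None else {"delegateSelectors": selectors}
    return {"stage": {"spec": {
        "environment": {"environmentRef": env},
        "infrastructure": {"spec": infra},
        "execution": {"steps": [{"step": {"type": t}} for t in step_types]}}}}

# Constructed sample inputs, not real pipelines.
BAD = {"pipeline": {"stages": [_stage("production", ["K8sRollingDeploy"], [])]}}
GOOD = {"pipeline": {"stages": [
    _stage("production", ["HarnessApproval", "K8sRollingDeploy"], ["production"])]}}
DEV = {"pipeline": {"stages": [_stage("dev", ["K8sRollingDeploy"])]}}

if __name__ == "__main__":
    for name, doc in (("bad", BAD), ("good", GOOD), ("dev", DEV)):
        print(name, deny(doc))
```

Like the Rego helper call, the approval check is pipeline-wide: an approval step in any stage satisfies it, including one placed after the production stage.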

Policy Set Configuration:

policySet:
  name: Production Governance
  policySetType: Pipeline
  policies:
    - policyRef: require_approval
      severity: error
    - policyRef: require_delegate_selectors
      severity: error
  entitySelector:
    - type: PIPELINE
      filter:
        - key: projectIdentifier
          value: production_project

Evaluation Points: On Save, On Run

Audit Logs

Query Logs:

curl -X POST "https://app.harness.io/gateway/ng/api/audits/list" \
  -H "x-api-key: ${HARNESS_API_KEY}" \
  -H "Content-Type: application/json" \
  -d '{"accountIdentifier":"...", "pageIndex":0, "pageSize":20}'

Event Types: CREATE, UPDATE, DELETE, LOGIN, PIPELINE_START, PIPELINE_END
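
For regular review, the event types above can be triaged automatically once the records are exported. The following is an added example, not code from the original page: it flags changes to secrets and connectors, bursts of deletes by one principal, and pipeline starts with no matching end. The record fields (`timestamp`, `action`, `resourceType`, `identifier`, `principal`) are an assumed, simplified shape, not the documented response schema of the audits API.

```python
# Added example (not from the original page). Record fields are an assumed,
# simplified shape, not the documented response schema of the audits API.
from collections import defaultdict

SENSITIVE_TYPES = {"SECRET", "CONNECTOR"}        # resource types named on this page
CHANGE_ACTIONS = {"CREATE", "UPDATE", "DELETE"}  # event types named on this page

def review(events, burst=3, window_ms=600_000):
    """Return findings as (rule, principal, detail) tuples, in time order."""
    findings = []
    deletes = defaultdict(list)  # principal -> DELETE timestamps inside the window
    open_runs = {}               # pipeline identifier -> principal that started it
    for e in sorted(events, key=lambda ev: ev["timestamp"]):
        action, rtype, who = e["action"], e["resourceType"], e["principal"]
        if action in CHANGE_ACTIONS and rtype in SENSITIVE_TYPES:
            findings.append(("sensitive-change", who, f"{action} {rtype} {e['identifier']}"))
        if action == "DELETE":
            stamps = deletes[who]
            stamps.append(e["timestamp"])
            while stamps[0] < e["timestamp"] - window_ms:  # slide the window
                stamps.pop(0)
            if len(stamps) == burst:
                findings.append(("delete-burst", who, f"{burst} deletes in window"))
        elif action == "PIPELINE_START":
            open_runs[e["identifier"]] = who
        elif action == "PIPELINE_END":
            open_runs.pop(e["identifier"], None)
    # Started but not ended in this batch: still running, aborted, or truncated export.
    findings.extend(("run-without-end", who, ident) for ident, who in open_runs.items())
    return findings

def _ev(ts, action, rtype, ident, who):
    """Build one constructed sample record."""
    return {"timestamp": ts, "action": action, "resourceType": rtype,
            "identifier": ident, "principal": who}

# Constructed sample records, not real audit data.
SAMPLE = [
    _ev(1000, "LOGIN", "USER", "alice", "alice"),
    _ev(2000, "UPDATE", "SECRET", "db_password", "alice"),
    _ev(3000, "DELETE", "PIPELINE", "p1", "svc-ci"),
    _ev(4000, "DELETE", "PIPELINE", "p2", "svc-ci"),
    _ev(5000, "DELETE", "CONNECTOR", "aws_prod", "svc-ci"),
    _ev(6000, "PIPELINE_START", "PIPELINE", "deploy", "bob"),
]

if __name__ == "__main__":
    for finding in review(SAMPLE):
        print(finding)
```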

API Reference

Authentication:

# API Key
curl -H "x-api-key: ${HARNESS_API_KEY}"

# Bearer Token
curl -H "Authorization: Bearer ${TOKEN}"

Common Endpoints:

  • Users: GET /ng/api/user/users
  • User Groups: GET /ng/api/user-groups
  • Roles: GET /ng/api/roles
  • Resource Groups: GET /ng/api/resourcegroup
  • Connectors: GET /ng/api/connectors
  • Secrets: GET /ng/api/v2/secrets
  • Delegate tokens: GET /ng/api/delegate-token-ng
  • Templates: GET /template/api/templates
  • Audit Logs: POST /ng/api/audits/list

Create Project:

curl -X POST "https://app.harness.io/gateway/ng/api/projects" \
  -H "x-api-key: ${HARNESS_API_KEY}" \
  -H "Content-Type: application/json" \
  -d '{"project":{"name":"My Project","identifier":"my_project","orgIdentifier":"default"}}'

Best Practices

Delegate Management:

  1. Deploy 2+ replicas for HA
  2. Resource sizing: 2GB RAM, 0.5 CPU minimum
  3. Use meaningful tags for routing
  4. Enable auto-upgrade
  5. Monitor and export metrics

Security:

  1. Least privilege RBAC
  2. Use external secret managers with rotation
  3. Service accounts for automation
  4. Regular audit log review
  5. OPA for governance enforcement

Organization:

  1. Logical org/project hierarchy
  2. Consistent naming conventions
  3. Reuse templates across projects
  4. Document all resources

First Seen
Feb 27, 2026