Claude Code Plugins

Community-maintained marketplace

harness-platform

@Lobbi-Docs/claude

Harness Platform administration including delegates, RBAC, connectors, secrets, templates, policy as code (OPA), user management, audit logs, and governance

Install Skill

  1. Download skill
  2. Enable skills in Claude: open claude.ai/settings/capabilities and find the "Skills" section
  3. Upload to Claude: click "Upload skill" and select the downloaded ZIP file

Note: Please verify skill by going through its instructions before using it.

SKILL.md

name: harness-platform
description: Harness Platform administration including delegates, RBAC, connectors, secrets, templates, policy as code (OPA), user management, audit logs, and governance
allowed-tools: Bash, Read, Write, Edit, Glob, Grep, Task, WebFetch, WebSearch
dependencies: harness-mcp, harness-cd, harness-ci
triggers: harness delegate, harness rbac, harness connector, harness secret, harness template, harness policy, harness opa, harness user, harness admin

Harness Platform Administration Skill

Comprehensive Harness Platform administration for delegates, RBAC, connectors, secrets, templates, OPA policies, and governance.

Platform Hierarchy

Account (Root)
├── Organization
│   ├── Project
│   │   ├── Pipelines, Services, Environments
│   │   ├── Connectors (project-level)
│   │   └── Secrets (project-level)
│   ├── Connectors (org-level)
│   └── Secrets (org-level)
├── Delegates
├── Secrets (account-level)
└── User Management

Harness Delegates

Types: Kubernetes (Helm, YAML), Docker, Shell, ECS

Kubernetes Helm Install:

helm repo add harness-delegate https://app.harness.io/storage/harness-download/delegate-helm-chart/
helm install harness-delegate harness-delegate/harness-delegate-ng \
  --namespace harness-delegate --create-namespace \
  --set accountId="${HARNESS_ACCOUNT_ID}" \
  --set delegateToken="${DELEGATE_TOKEN}" \
  --set delegateName="prod-delegate" \
  --set replicas=2

Delegate Selectors: Route tasks to specific delegates with labels (e.g., production, aws, k8s)

Troubleshooting:

kubectl get pods -n harness-delegate
kubectl logs -n harness-delegate -l app=harness-delegate --tail=100
kubectl exec deployment/harness-delegate -n harness-delegate -- curl -s localhost:8080/api/health

RBAC (Role-Based Access Control)

Built-in Roles:

  • Account Admin (full access)
  • Account Viewer (read-only)
  • Organization Admin (org-level)
  • Project Admin (project-level)
  • Pipeline Executor (execute only)
  • Pipeline Viewer (view only)

Resource Types: PIPELINE, SERVICE, ENVIRONMENT, CONNECTOR, SECRET, INFRASTRUCTURE

Custom Role Example:

role:
  name: Deployment Manager
  permissions:
    - resourceType: PIPELINE
      actions: [core_pipeline_view, core_pipeline_execute]
    - resourceType: SERVICE
      actions: [core_service_view, core_service_access]
    - resourceType: ENVIRONMENT
      actions: [core_environment_view, core_environment_access]

User Groups & Role Binding:

  • Create groups by team/function
  • Bind roles to groups with resource groups
  • Support SAML/SSO integration
  • Service accounts for automation with API keys (90-day default expiry)

Connectors

Cloud Connectors:

  • AWS: ManualConfig (access/secret key) or IRSA (recommended for EKS)
  • GCP: Service account key
  • Azure: App ID, Tenant ID, Client Secret

Kubernetes:

  • Manual: Master URL + Service Account token
  • In-cluster: InheritFromDelegate (simplest)

Container Registries: Docker Hub, ECR, GCR, ACR

Test Connector:

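# The body is JSON, so declare it; curl -d otherwise sends form-encoded data
curl -X POST "https://app.harness.io/gateway/ng/api/connectors/testConnection/${CONNECTOR_ID}" \
  -H "x-api-key: ${HARNESS_API_KEY}" \
  -H "Content-Type: application/json" \
  -d '{"accountIdentifier":"...", "orgIdentifier":"...", "projectIdentifier":"..."}'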

Secrets Management

Secret Managers: Harness Built-in (Google KMS), HashiCorp Vault, AWS Secrets Manager, GCP Secret Manager, Azure Key Vault

Vault Connector:

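connector:
  type: Vault
  spec:
    vaultUrl: https://vault.company.com
    basePath: harness
    # The token is read from a Harness secret. Store a renewable token bound to a
    # Vault policy limited to basePath here, not an actual Vault root token.
    authToken: <+secrets.getValue("vault_root_token")>
    renewalIntervalMinutes: 60
    secretEngineVersion: 2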

Secret References:

  • Harness: <+secrets.getValue("my_secret")>
  • Vault: <+secrets.getValue("vault://secret/data/myapp#api_key")>
  • AWS SM: <+secrets.getValue("awsSecretsManager://prod/database")>
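
An added example, not part of the skill or of Harness tooling: a small Python linter that parses the three reference forms listed above and flags credential-looking fields that hold an inline value or a reference whose name suggests a root credential. The field-name pattern, the `root` heuristic and both sample documents (including the AWS field names) are assumptions constructed for illustration.

```python
import re

# Matches the reference form shown above: <+secrets.getValue("...")>
REF = re.compile(r'^<\+secrets\.getValue\("([^"]+)"\)>$')
# Field-name hints for credential-bearing keys (assumption; extend as needed).
SENSITIVE = re.compile(r"(token|secret|password|apikey|privatekey)", re.I)


def parse_ref(value):
    """Return (backend, path, key) for a secret reference, or None."""
    m = REF.match(value.strip()) if isinstance(value, str) else None
    if not m:
        return None
    target = m.group(1)
    if "://" not in target:
        return ("harness", target, None)  # built-in secret manager
    scheme, rest = target.split("://", 1)
    path, _, key = rest.partition("#")
    return (scheme, path, key or None)


def lint(node, path=""):
    """Walk a parsed connector or pipeline document; return a list of findings."""
    findings = []
    if isinstance(node, dict):
        for k, v in node.items():
            here = f"{path}.{k}" if path else k
            if isinstance(v, (dict, list)):
                findings += lint(v, here)
            elif SENSITIVE.search(k) and isinstance(v, str):
                ref = parse_ref(v)
                if ref is None:
                    findings.append((here, "inline literal, not a secret reference"))
                elif "root" in ref[1].lower():
                    findings.append((here, "reference name suggests a root credential"))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            findings += lint(item, f"{path}[{i}]")
    return findings


# Constructed sample documents (not taken from a real account).
VAULT = {"connector": {"type": "Vault", "spec": {
    "vaultUrl": "https://vault.company.com",
    "authToken": '<+secrets.getValue("vault_root_token")>'}}}
AWS = {"connector": {"type": "Aws", "spec": {
    "accessKey": "EXAMPLE_ACCESS_KEY_ID",
    "secretKey": "constructed-plaintext-value"}}}

if __name__ == "__main__":
    for doc in (VAULT, AWS):
        for where, why in lint(doc):
            print(f"{where}: {why}")
```
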

Templates

Types: Step, Stage, Pipeline, StepGroup (reusable across pipelines)

Step Template Example:

template:
  name: Notify Slack
  type: Step
  spec:
    type: ShellScript
    spec:
      shell: Bash
      script: |
        # Quote the webhook URL so the shell does not word-split or glob it
        curl -X POST "$SLACK_WEBHOOK" \
          -H 'Content-Type: application/json' \
          -d '{"text":"<+input>"}'

Using Templates in Pipeline:

template:
  templateRef: standard_k8s_deploy
  versionLabel: "1.0.0"
  templateInputs:
    spec:
      service:
        serviceRef: my_service
      environment:
        environmentRef: production

Policy as Code (OPA)

Policy Structure (Rego):

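package pipeline

# Needed for the `some ... in` form on OPA versions before 1.0
import future.keywords.in

# Deny production deploys without approval
deny[msg] {
    some stage in input.pipeline.stages
    stage.stage.spec.environment.environmentRef == "production"
    not has_approval_step(input.pipeline)
    msg := "Production requires approval step"
}

# Require delegate selectors
deny[msg] {
    some stage in input.pipeline.stages
    stage.stage.spec.environment.environmentRef == "production"
    not stage.stage.spec.infrastructure.spec.delegateSelectors
    msg := "Production must specify delegate selectors"
}

# Helper referenced above. Assumed shape: the pipeline counts as approved when
# it contains at least one stage of type "Approval".
has_approval_step(pipeline) {
    some stage in pipeline.stages
    stage.stage.type == "Approval"
}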

Policy Set Configuration:

policySet:
  name: Production Governance
  policySetType: Pipeline
  policies:
    - policyRef: require_approval
      severity: error
    - policyRef: require_delegate_selectors
      severity: error
  entitySelector:
    - type: PIPELINE
      filter:
        - key: projectIdentifier
          value: production_project

Evaluation Points: On Save, On Run

Audit Logs

Query Logs:

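# The body is JSON, so declare it; curl -d otherwise sends form-encoded data
curl -X POST "https://app.harness.io/gateway/ng/api/audits/list" \
  -H "x-api-key: ${HARNESS_API_KEY}" \
  -H "Content-Type: application/json" \
  -d '{"accountIdentifier":"...", "pageIndex":0, "pageSize":20}'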

Event Types: CREATE, UPDATE, DELETE, LOGIN, PIPELINE_START, PIPELINE_END
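
An added example (not from the skill or the Harness API docs) of the kind of review the event and resource types above support: it flags changes to SECRET and CONNECTOR resources, principals outside a known list, and such changes made outside working hours. The flattened event fields (`timestamp` in epoch milliseconds, `principal`, `action`, `resourceType`, `resource`), the working-hours window and the sample events are assumptions constructed here; the real response layout of `/ng/api/audits/list` is not shown on this page.

```python
from datetime import datetime, timezone

# Resource types from the list on this page that hold or broker credentials.
SENSITIVE_TYPES = {"SECRET", "CONNECTOR"}
CHANGE_ACTIONS = {"CREATE", "UPDATE", "DELETE"}


def review(events, known_principals, work_hours=(6, 20)):
    """Return (rule, principal, detail) findings for a batch of audit events."""
    findings = []
    for ev in events:
        who, action = ev["principal"], ev["action"]
        rtype = ev.get("resourceType")
        when = datetime.fromtimestamp(ev["timestamp"] / 1000, tz=timezone.utc)
        if who not in known_principals:
            findings.append(("unknown-principal", who, action))
        if action in CHANGE_ACTIONS and rtype in SENSITIVE_TYPES:
            findings.append(("sensitive-change", who, f"{action} {rtype}/{ev['resource']}"))
            # Working hours are a half-open UTC window [start, end)
            if not work_hours[0] <= when.hour < work_hours[1]:
                findings.append(("off-hours-change", who, when.strftime("%H:%M UTC")))
    return findings


# Constructed events in an assumed flattened shape (timestamps are epoch ms).
SAMPLE = [
    {"timestamp": 1700015400000, "principal": "svc-temp", "action": "DELETE",
     "resourceType": "SECRET", "resource": "db_password"},
    {"timestamp": 1700042400000, "principal": "alice@example.com", "action": "LOGIN"},
    {"timestamp": 1700042700000, "principal": "alice@example.com", "action": "UPDATE",
     "resourceType": "PIPELINE", "resource": "build_and_deploy"},
    {"timestamp": 1700046000000, "principal": "ci-bot", "action": "UPDATE",
     "resourceType": "CONNECTOR", "resource": "aws_prod"},
]
KNOWN = {"alice@example.com", "ci-bot"}

if __name__ == "__main__":
    for rule, who, detail in review(SAMPLE, KNOWN):
        print(f"{rule:18} {who:20} {detail}")
```
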

API Reference

Authentication:

# API Key
curl -H "x-api-key: ${HARNESS_API_KEY}"

# Bearer Token
curl -H "Authorization: Bearer ${TOKEN}"

Common Endpoints:

  • Users: GET /ng/api/user/users
  • User Groups: GET /ng/api/user-groups
  • Roles: GET /ng/api/roles
  • Resource Groups: GET /ng/api/resourcegroup
  • Connectors: GET /ng/api/connectors
  • Secrets: GET /ng/api/v2/secrets
  • Delegates: GET /ng/api/delegate-token-ng
  • Templates: GET /template/api/templates
  • Audit Logs: POST /ng/api/audits/list

Create Project:

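# The body is JSON, so declare it; curl -d otherwise sends form-encoded data
curl -X POST "https://app.harness.io/gateway/ng/api/projects" \
  -H "x-api-key: ${HARNESS_API_KEY}" \
  -H "Content-Type: application/json" \
  -d '{"project":{"name":"My Project","identifier":"my_project","orgIdentifier":"default"}}'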

Best Practices

Delegate Management:

  1. Deploy 2+ replicas for HA
  2. Resource sizing: 2GB RAM, 0.5 CPU minimum
  3. Use meaningful tags for routing
  4. Enable auto-upgrade
  5. Monitor and export metrics

Security:

  1. Least privilege RBAC
  2. Use external secret managers with rotation
  3. Service accounts for automation
  4. Regular audit log review
  5. OPA for governance enforcement

Organization:

  1. Logical org/project hierarchy
  2. Consistent naming conventions
  3. Reuse templates across projects
  4. Document all resources

Related Documentation