
Set the config toml according to the runAsNonRoot property

Romuald Atchadé requested to merge set-config-path into main

What does this MR do?

When installing GitLab Runner using the Helm Chart as root, gitlab-runner starts using the config at the path /.gitlab-runner/config.toml, while all the changes are made in /home/gitlab-runner/.gitlab-runner/config.toml.

With this MR, .Values.securityContext.runAsNonRoot is taken into account when setting the config.toml path/directory:

securityContext:
  allowPrivilegeEscalation: true
  readOnlyRootFilesystem: false
  runAsNonRoot: false
  privileged: true

Why was this MR needed?

Use the config set when installing as root

What's the best way to test this MR?

values.yaml (making use of the gitlab-runner secret for the runner token):
image:
  registry: registry.gitlab.com
  image: gitlab-org/gitlab-runner
  tag: alpine-v16.0.2
useTini: false
imagePullPolicy: Always
gitlabUrl: https://gitlab.com
terminationGracePeriodSeconds: 3600
concurrent: 10
checkInterval: 30
logLevel: debug
sessionServer:
  enabled: false
rbac:
  create: true
  rules: []
  clusterWideAccess: false
  podSecurityPolicy:
    enabled: false
    resourceNames:
    - gitlab-runner
metrics:
  enabled: false
  portName: metrics
  port: 9252
  serviceMonitor:
    enabled: false
service:
  enabled: false
  type: NodePort
runners:
  config: |
    [[runners]]
      [runners.kubernetes]
        namespace = "{{.Release.Namespace}}"
        image = "ubuntu:16.04"
  secret: gitlab-runner-secret
securityContext:
  allowPrivilegeEscalation: true
  readOnlyRootFilesystem: false
  runAsNonRoot: false
  privileged: true
  # capabilities:
  #   drop: ["ALL"]
podSecurityContext:
  runAsUser: 100
  runAsGroup: 100
resources: {}
affinity: {}
nodeSelector: {}
tolerations: []
hostAliases: []
podAnnotations: {}
podLabels: {}
priorityClassName: ""
secrets: []
configMaps: {}
volumeMounts:
- name: root-gitlab-runner
  mountPath: /.gitlab-runner
volumes:
- name: root-gitlab-runner
  emptyDir:
    medium: "Memory"

Main branch of GitLab Runner Helm Chart Project

  1. Install GitLab Runner using the main branch of GitLab Runner Helm Chart project
helm install gitlab-runner . -f PATH_TO_YOUR_VALUE_YAML
  2. SSH to the GitLab Runner Manager pod and display the config.toml content
Registration attempt 1 of 30
Runtime platform                                    arch=amd64 os=linux pid=13 revision=85586bd1 version=16.0.2
WARNING: Running in user-mode.
WARNING: The user-mode requires you to manually start builds processing:
WARNING: $ gitlab-runner run
WARNING: Use sudo for system-mode:
WARNING: $ sudo gitlab-runner...

Created missing unique system ID                    system_id=r_xxxx
Merging configuration from template file "/configmaps/config.template.toml"
Verifying runner... is valid                        runner=xxx
Runner registered successfully. Feel free to start it, but if it's running already the config should be automatically reloaded!

Configuration (with the authentication token) was saved in "/.gitlab-runner/config.toml"
Runtime platform                                    arch=amd64 os=linux pid=6 revision=85586bd1 version=16.0.2
Starting multi-runner from /.gitlab-runner/config.toml...  builds=0
WARNING: Running in user-mode.
WARNING: Use sudo for system-mode:
WARNING: $ sudo gitlab-runner...
config.toml
concurrent = 1
check_interval = 0
shutdown_timeout = 0

[session_server]
  session_timeout = 1800

[[runners]]
  name = "REDACTED"
  url = "https://gitlab.com"
  id = 24996246
  token = "REDACTED"
  token_obtained_at = 2023-07-06T20:50:56Z
  token_expires_at = 0001-01-01T00:00:00Z
  executor = "kubernetes"
  [runners.cache]
    MaxUploadedArchiveSize = 0
  [runners.kubernetes]
    host = ""
    bearer_token_overwrite_allowed = false
    image = "ubuntu:16.04"
    namespace = "default"
    namespace_overwrite_allowed = ""
    node_selector_overwrite_allowed = ""
    pod_labels_overwrite_allowed = ""
    service_account_overwrite_allowed = ""
    pod_annotations_overwrite_allowed = ""
    [runners.kubernetes.pod_security_context]
    [runners.kubernetes.init_permissions_container_security_context]
    [runners.kubernetes.build_container_security_context]
    [runners.kubernetes.helper_container_security_context]
    [runners.kubernetes.service_container_security_context]
    [runners.kubernetes.volumes]
    [runners.kubernetes.dns_config]
  3. The config.toml doesn't reflect the values.yaml config (e.g. log_level not set to debug)

MR branch

  1. Install GitLab Runner using the MR branch of GitLab Runner Helm Chart project
helm install gitlab-runner . -f PATH_TO_YOUR_VALUE_YAML
  2. SSH to the GitLab Runner Manager pod and display the config.toml content
Registration attempt 1 of 30
Runtime platform                                    arch=amd64 os=linux pid=13 revision=85586bd1 version=16.0.2
WARNING: Running in user-mode.
WARNING: The user-mode requires you to manually start builds processing:
WARNING: $ gitlab-runner run
WARNING: Use sudo for system-mode:
WARNING: $ sudo gitlab-runner...

Created missing unique system ID                    system_id=r_xxxx
Merging configuration from template file "/configmaps/config.template.toml"
Verifying runner... is valid                        runner=xxx
Runner registered successfully. Feel free to start it, but if it's running already the config should be automatically reloaded!

Configuration (with the authentication token) was saved in "/.gitlab-runner/config.toml"
Runtime platform                                    arch=amd64 os=linux pid=6 revision=85586bd1 version=16.0.2
Starting multi-runner from /.gitlab-runner/config.toml...  builds=0
WARNING: Running in user-mode.
WARNING: Use sudo for system-mode:
WARNING: $ sudo gitlab-runner...
config.toml
concurrent = 10
check_interval = 30
log_level = "debug"
shutdown_timeout = 0

[session_server]
  session_timeout = 1800

[[runners]]
  name = "REDACTED"
  url = "https://gitlab.com"
  id = 24996246
  token = "REDACTED"
  token_obtained_at = 2023-07-06T20:45:49Z
  token_expires_at = 0001-01-01T00:00:00Z
  executor = "kubernetes"
  [runners.cache]
    MaxUploadedArchiveSize = 0
  [runners.kubernetes]
    host = ""
    bearer_token_overwrite_allowed = false
    image = "ubuntu:16.04"
    namespace = "default"
    namespace_overwrite_allowed = ""
    node_selector_overwrite_allowed = ""
    pod_labels_overwrite_allowed = ""
    service_account_overwrite_allowed = ""
    pod_annotations_overwrite_allowed = ""
    [runners.kubernetes.pod_security_context]
    [runners.kubernetes.init_permissions_container_security_context]
    [runners.kubernetes.build_container_security_context]
    [runners.kubernetes.helper_container_security_context]
    [runners.kubernetes.service_container_security_context]
    [runners.kubernetes.volumes]
    [runners.kubernetes.dns_config]
  3. The config.toml reflects the values.yaml config (e.g. log_level set to debug)

What are the relevant issue numbers?

Edited by Romuald Atchadé
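The manual check in the test procedure above (which config.toml the manager pod actually loaded versus the one the chart should have written for the configured runAsNonRoot value) can be scripted. This is an added example, not code from the MR or the gitlab-runner chart; it assumes the two paths described in the MR description (/.gitlab-runner for root, /home/gitlab-runner/.gitlab-runner for the non-root user) and parses the "Starting multi-runner from ..." log line quoted above.

```shell
#!/bin/sh
# Added example (not part of the MR or the gitlab-runner Helm chart): verify that
# the config.toml the runner manager loaded matches the path the chart should use
# for securityContext.runAsNonRoot. Assumption: the runner's home is / when running
# as root and /home/gitlab-runner when running as the non-root user, as in the MR.

# Path the manager is expected to read, given runAsNonRoot ("true" or "false").
expected_config_path() {
  case "$1" in
    true)  echo "/home/gitlab-runner/.gitlab-runner/config.toml" ;;
    false) echo "/.gitlab-runner/config.toml" ;;
    *)     echo "unknown runAsNonRoot value: $1" >&2; return 2 ;;
  esac
}

# Extract the path from the "Starting multi-runner from <path>..." line of the
# manager pod log read on stdin. Prints nothing if the line is absent.
loaded_config_path() {
  sed -n 's/^Starting multi-runner from \(.*\)\.\.\..*$/\1/p' | head -n 1
}

# Compare expected and loaded path for a log read on stdin.
# Prints a one-line verdict; returns 0 on match, 1 on mismatch, 2 on bad input.
check_config_path() {
  want=$(expected_config_path "$1") || return 2
  got=$(loaded_config_path)
  if [ -z "$got" ]; then
    echo "no 'Starting multi-runner' line found in log"
    return 2
  fi
  if [ "$got" = "$want" ]; then
    echo "ok: runner loaded $got"
    return 0
  fi
  echo "mismatch: runner loaded $got, expected $want"
  return 1
}

# Constructed sample log, modelled on the output quoted in the MR description.
SAMPLE_LOG='Runtime platform                                    arch=amd64 os=linux pid=6 revision=85586bd1 version=16.0.2
Starting multi-runner from /.gitlab-runner/config.toml...  builds=0
WARNING: Running in user-mode.'

# Against a live deployment this would be: kubectl logs "$POD" | check_config_path false
printf '%s\n' "$SAMPLE_LOG" | check_config_path false
```

Run it with the runAsNonRoot value from your values.yaml; a "mismatch" verdict reproduces the bug this MR fixes, where the chart wrote one file and the manager read another.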
