Set the config toml according to the runAsNonRoot property
What does this MR do?
When installing GitLab Runner with the Helm chart as root, gitlab-runner starts using the config at the path /.gitlab-runner/config.toml, while all the changes are made in /home/gitlab-runner/.gitlab-runner/config.toml.
With this MR, .Values.securityContext.runAsNonRoot is taken into account when setting the config.toml path/directory, for example with:
```yaml
securityContext:
  allowPrivilegeEscalation: true
  readOnlyRootFilesystem: false
  runAsNonRoot: false
  privileged: true
```
Why was this MR needed?
Use the config set when installing as root
What's the best way to test this MR?
values.yaml (making use of the gitlab-runner secret for the runner token):
```yaml
image:
  registry: registry.gitlab.com
  image: gitlab-org/gitlab-runner
  tag: alpine-v16.0.2
useTini: false
imagePullPolicy: Always
gitlabUrl: https://gitlab.com
terminationGracePeriodSeconds: 3600
concurrent: 10
checkInterval: 30
logLevel: debug
sessionServer:
  enabled: false
rbac:
  create: true
  rules: []
  clusterWideAccess: false
  podSecurityPolicy:
    enabled: false
    resourceNames:
      - gitlab-runner
metrics:
  enabled: false
  portName: metrics
  port: 9252
  serviceMonitor:
    enabled: false
service:
  enabled: false
  type: NodePort
runners:
  config: |
    [[runners]]
      [runners.kubernetes]
        namespace = "{{.Release.Namespace}}"
        image = "ubuntu:16.04"
  secret: gitlab-runner-secret
securityContext:
  allowPrivilegeEscalation: true
  readOnlyRootFilesystem: false
  runAsNonRoot: false
  privileged: true
  # capabilities:
  #   drop: ["ALL"]
podSecurityContext:
  runAsUser: 100
  runAsGroup: 100
resources: {}
affinity: {}
nodeSelector: {}
tolerations: []
hostAliases: []
podAnnotations: {}
podLabels: {}
priorityClassName: ""
secrets: []
configMaps: {}
volumeMounts:
  - name: root-gitlab-runner
    mountPath: /.gitlab-runner
volumes:
  - name: root-gitlab-runner
    emptyDir:
      medium: "Memory"
```
Main branch of GitLab Runner Helm Chart Project
- Install GitLab Runner using the main branch of the GitLab Runner Helm Chart project:

```shell
helm install gitlab-runner . -f PATH_TO_YOUR_VALUE_YAML
```
- SSH to the GitLab Runner Manager pod and display the config.toml content:

```text
Registration attempt 1 of 30
Runtime platform arch=amd64 os=linux pid=13 revision=85586bd1 version=16.0.2
WARNING: Running in user-mode.
WARNING: The user-mode requires you to manually start builds processing:
WARNING: $ gitlab-runner run
WARNING: Use sudo for system-mode:
WARNING: $ sudo gitlab-runner...
Created missing unique system ID system_id=r_xxxx
Merging configuration from template file "/configmaps/config.template.toml"
Verifying runner... is valid runner=xxx
Runner registered successfully. Feel free to start it, but if it's running already the config should be automatically reloaded!
Configuration (with the authentication token) was saved in "/.gitlab-runner/config.toml"
Runtime platform arch=amd64 os=linux pid=6 revision=85586bd1 version=16.0.2
Starting multi-runner from /.gitlab-runner/config.toml... builds=0
WARNING: Running in user-mode.
WARNING: Use sudo for system-mode:
WARNING: $ sudo gitlab-runner...
```
config.toml:

```toml
concurrent = 1
check_interval = 0
shutdown_timeout = 0

[session_server]
  session_timeout = 1800

[[runners]]
  name = "REDACTED"
  url = "https://gitlab.com"
  id = 24996246
  token = "REDACTED"
  token_obtained_at = 2023-07-06T20:50:56Z
  token_expires_at = 0001-01-01T00:00:00Z
  executor = "kubernetes"
  [runners.cache]
    MaxUploadedArchiveSize = 0
  [runners.kubernetes]
    host = ""
    bearer_token_overwrite_allowed = false
    image = "ubuntu:16.04"
    namespace = "default"
    namespace_overwrite_allowed = ""
    node_selector_overwrite_allowed = ""
    pod_labels_overwrite_allowed = ""
    service_account_overwrite_allowed = ""
    pod_annotations_overwrite_allowed = ""
    [runners.kubernetes.pod_security_context]
    [runners.kubernetes.init_permissions_container_security_context]
    [runners.kubernetes.build_container_security_context]
    [runners.kubernetes.helper_container_security_context]
    [runners.kubernetes.service_container_security_context]
    [runners.kubernetes.volumes]
    [runners.kubernetes.dns_config]
```
- The config.toml doesn't reflect the values.yaml config (e.g. log_level is not set to debug).
MR branch
- Install GitLab Runner using the MR branch of the GitLab Runner Helm Chart project:

```shell
helm install gitlab-runner . -f PATH_TO_YOUR_VALUE_YAML
```
- SSH to the GitLab Runner Manager pod and display the config.toml content:

```text
Registration attempt 1 of 30
Runtime platform arch=amd64 os=linux pid=13 revision=85586bd1 version=16.0.2
WARNING: Running in user-mode.
WARNING: The user-mode requires you to manually start builds processing:
WARNING: $ gitlab-runner run
WARNING: Use sudo for system-mode:
WARNING: $ sudo gitlab-runner...
Created missing unique system ID system_id=r_xxxx
Merging configuration from template file "/configmaps/config.template.toml"
Verifying runner... is valid runner=xxx
Runner registered successfully. Feel free to start it, but if it's running already the config should be automatically reloaded!
Configuration (with the authentication token) was saved in "/.gitlab-runner/config.toml"
Runtime platform arch=amd64 os=linux pid=6 revision=85586bd1 version=16.0.2
Starting multi-runner from /.gitlab-runner/config.toml... builds=0
WARNING: Running in user-mode.
WARNING: Use sudo for system-mode:
WARNING: $ sudo gitlab-runner...
```
config.toml:

```toml
concurrent = 10
check_interval = 30
log_level = "debug"
shutdown_timeout = 0

[session_server]
  session_timeout = 1800

[[runners]]
  name = "REDACTED"
  url = "https://gitlab.com"
  id = 24996246
  token = "REDACTED"
  token_obtained_at = 2023-07-06T20:45:49Z
  token_expires_at = 0001-01-01T00:00:00Z
  executor = "kubernetes"
  [runners.cache]
    MaxUploadedArchiveSize = 0
  [runners.kubernetes]
    host = ""
    bearer_token_overwrite_allowed = false
    image = "ubuntu:16.04"
    namespace = "default"
    namespace_overwrite_allowed = ""
    node_selector_overwrite_allowed = ""
    pod_labels_overwrite_allowed = ""
    service_account_overwrite_allowed = ""
    pod_annotations_overwrite_allowed = ""
    [runners.kubernetes.pod_security_context]
    [runners.kubernetes.init_permissions_container_security_context]
    [runners.kubernetes.build_container_security_context]
    [runners.kubernetes.helper_container_security_context]
    [runners.kubernetes.service_container_security_context]
    [runners.kubernetes.volumes]
    [runners.kubernetes.dns_config]
```
- The config.toml reflects the values.yaml config (e.g. log_level is set to debug).
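As an added check that is not part of this MR or of the chart: a small POSIX shell script that derives the config.toml directory from securityContext.runAsNonRoot in values.yaml and flags drift between the rendered values and the config.toml the manager actually loads, so a silently ignored values.yaml (as on the main branch above) is caught instead of discovered later. It assumes HOME is "/" in the root case, as the log output shows, and uses constructed samples that mirror the two dumps above.

```shell
#!/bin/sh
# Added example, not part of the MR or the chart. Assumes HOME is "/" for the root
# case (as the log output shows) and that values.yaml has a top-level
# "securityContext:" block with a "runAsNonRoot:" key.

# Print the directory the runner manager reads config.toml from.
config_dir_for() {
  nonroot=$(sed -n '/^securityContext:/,/^[^ ]/{s/^ *runAsNonRoot: *//p;}' "$1")
  if [ "$nonroot" = "true" ]; then
    echo /home/gitlab-runner/.gitlab-runner
  else
    echo /.gitlab-runner
  fi
}

# Print the value of a top-level config.toml key (quotes stripped), or nothing.
toml_value() {
  sed -n "s/^$2 = //p" "$1" | tr -d '"' | head -n 1
}

# Return 1 when the effective config.toml ($1) does not carry the rendered values:
# $2 concurrent, $3 check_interval, $4 log_level.
check_effective_config() {
  for pair in "concurrent=$2" "check_interval=$3" "log_level=$4"; do
    key=${pair%%=*}; want=${pair#*=}
    got=$(toml_value "$1" "$key")
    if [ "$got" != "$want" ]; then
      echo "drift: $key is '${got:-unset}', values.yaml asked for '$want'" >&2
      return 1
    fi
  done
  return 0
}

# Constructed samples mirroring the values.yaml and the two config.toml dumps above.
work=$(mktemp -d)
printf 'securityContext:\n  runAsNonRoot: false\n  privileged: true\npodSecurityContext:\n  runAsUser: 100\n' > "$work/values.yaml"
printf 'concurrent = 1\ncheck_interval = 0\nshutdown_timeout = 0\n\n[[runners]]\n  name = "x"\n' > "$work/main.toml"
printf 'concurrent = 10\ncheck_interval = 30\nlog_level = "debug"\nshutdown_timeout = 0\n\n[[runners]]\n  name = "x"\n' > "$work/mr.toml"

echo "manager reads $(config_dir_for "$work/values.yaml")/config.toml"
check_effective_config "$work/main.toml" 10 30 debug || echo "main branch: drift detected"
check_effective_config "$work/mr.toml" 10 30 debug && echo "MR branch: config matches values.yaml"
```

Against a live manager pod, capture the effective file with `kubectl exec <pod> -- cat "$(config_dir_for values.yaml)/config.toml" > effective.toml` and pass effective.toml to check_effective_config with the concurrent, checkInterval and logLevel values from values.yaml.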
What are the relevant issue numbers?
Edited by Romuald Atchadé