Permission errors when using Kube attach and non-root user
Summary
I am using the gitlab-runner Helm chart to deploy a runner to K8s. The executor is configured to run as a non-root user, and FF_USE_LEGACY_KUBERNETES_EXECUTION_STRATEGY is set to false (use attach instead of exec).
I am using the 13.4.0 runner.
Relevant sections in my values.yaml are:
pod_security_context:
  run_as_non_root: true
  run_as_user: 65000
  run_as_group: 65000
  fs_group: 65000
  supplemental_groups: [412]
serviceAccountName: gitlab-executor
env:
  FF_USE_LEGACY_KUBERNETES_EXECUTION_STRATEGY: false
Under this configuration, I encounter multiple permission errors:
- Permission denied when running chmod -R 777 s.logsDir() in the change-logs-permissions init container
- Permission denied when trying to create s.Build.FullProjectDir()
- Permission denied when trying to create CI_SERVER_TLS_CA_FILE in the temporary directory (s.Build.TmpProjectDir())
Steps to reproduce
Create a Kubernetes gitlab-runner via Helm with the values.yaml configuration listed above. Replace the 65000 ID values with the user and group ID of a non-root user.
Actual behavior
Encounter permission denied errors (see above).
Expected behavior
No permission errors.
Relevant logs and/or screenshots
See above.
Environment description
See above.
Used GitLab Runner version
13.4.0
Possible fixes
I will be creating an MR with a proposed fix.
Related MR: !2236 (merged)
@ggeorgiev_