
Permission errors when using Kube attach and non-root user

Summary

I am using the gitlab-runner Helm chart to deploy a runner to K8s. The executor is configured to run as a non-root user, and FF_USE_LEGACY_KUBERNETES_EXECUTION_STRATEGY is set to false (use attach instead of exec).

I am using the 13.4.0 runner.

Relevant sections in my values.yaml are:

  pod_security_context:
    run_as_non_root: true
    run_as_user: 65000
    run_as_group: 65000
    fs_group: 65000
    supplemental_groups: [412]
  serviceAccountName: gitlab-executor
  env:
    FF_USE_LEGACY_KUBERNETES_EXECUTION_STRATEGY: false

Under this configuration, I encounter multiple permission errors:

  1. Permission denied when running chmod -R 777 s.logsDir() in the change-logs-permissions init container
  2. Permission denied when trying to create s.Build.FullProjectDir()
  3. Permission denied when trying to create CI_SERVER_TLS_CA_FILE in the temporary directory (s.Build.TmpProjectDir())

Steps to reproduce

Create a Kubernetes gitlab-runner via Helm with the values.yaml configuration listed above. Replace the 65000 ID values with the user and group ID of a non-root user.

Actual behavior

Encounter permission denied errors (see above).

Expected behavior

No permission errors.

Relevant logs and/or screenshots

See above.

Environment description

See above.

Used GitLab Runner version

13.4.0

Possible fixes

I will be creating an MR with a proposed fix.

Related MR: !2236 (merged)

@ggeorgiev_
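
An added illustration, not part of the original issue or the runner's code: the POSIX rules that decide whether `chmod` and file creation succeed, evaluated for the identity in the reported values.yaml (UID/GID 65000, supplemental group 412). The directory owners and modes are constructed assumptions, since the issue does not state them.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Identity:
    uid: int
    gid: int
    groups: frozenset  # supplemental groups plus fs_group


@dataclass(frozen=True)
class Dir:
    owner: int
    group: int
    mode: int  # permission bits, e.g. 0o755


def can_chmod(who: Identity, d: Dir) -> bool:
    # chmod(2) is allowed only for the owner or a privileged process
    # (modelled here as uid 0); group membership and mode bits do not matter.
    return who.uid == 0 or who.uid == d.owner


def can_create_in(who: Identity, d: Dir) -> bool:
    # Creating an entry needs write (2) and search (1) on the parent directory.
    # Exactly one permission class applies: owner, else group, else other.
    if who.uid == 0:
        return True
    if who.uid == d.owner:
        bits = (d.mode >> 6) & 7
    elif d.group == who.gid or d.group in who.groups:
        bits = (d.mode >> 3) & 7
    else:
        bits = d.mode & 7
    return bits & 0b011 == 0b011


# Identity taken from the pod_security_context in the report.
EXECUTOR = Identity(uid=65000, gid=65000, groups=frozenset({65000, 412}))

# Constructed directory states (assumptions, not taken from the runner).
ROOT_OWNED = Dir(owner=0, group=0, mode=0o755)
FSGROUP_OWNED = Dir(owner=0, group=65000, mode=0o775)
USER_OWNED = Dir(owner=65000, group=65000, mode=0o755)


def report(d: Dir) -> dict:
    return {"chmod": can_chmod(EXECUTOR, d), "create": can_create_in(EXECUTOR, d)}
```

A group-writable directory lets the non-root user create files, but `chmod` on it still fails unless that user owns it.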