Dynamically create PVC volumes with storage classes for kubernetes

Status update (2024-04-15)

Implementation of this feature is blocked because the current solution introduces security and other risks to the integrity of a CI job. The two issues are:

  • Sanitization of the input: We don't want users to be able to inject additional YAML/JSON to set fields that administrators were not intending.

  • Variables cannot be relied on: For example, if one job creates a volume named from CI_JOB_ID, another job could simply override that variable with a previous job ID and would get that job's volume, etc.

New target milestone set to 17.1

Summary

In !2862 (merged) we added support for the user to mount PVC volumes to persist the builds_dir. However, when the PVC's access mode is ReadWriteOnce, this limits the runner to running all jobs on one node, as can be seen here.

The goal of this issue is to dynamically create PVC volumes with storage classes, following the same methodology as the Docker executor, where we create a volume for each $CI_CONCURRENT_ID.
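As an added example (not GitLab Runner's own code and not part of this issue), the following Go snippet sketches the two safeguards the status update asks for: the per-slot claim name is derived from the slot index the runner itself assigned (the runner-side counterpart of $CI_CONCURRENT_ID) rather than from a job-controlled variable such as CI_JOB_ID, and every externally supplied value (storage class, namespace, size) is validated before it is placed in the manifest, so no extra YAML fields can be injected. The function and type names (PVCNameForSlot, ValidateK8sName, BuildPVCSpec, RenderPVCManifest, PVCSpec) are assumptions for illustration; the DNS-1123 label rule it checks is the one Kubernetes applies to object names.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// dns1123Label is the Kubernetes RFC 1123 label rule: lowercase alphanumerics
// and '-', starting and ending with an alphanumeric, at most 63 characters.
// PVC names also accept the looser subdomain form (dots allowed); the label
// rule is used here because it is the stricter of the two.
var dns1123Label = regexp.MustCompile(`^[a-z0-9]([-a-z0-9]*[a-z0-9])?$`)

// sizeQuantity is a deliberately narrow pattern for a storage request such as "10Gi".
var sizeQuantity = regexp.MustCompile(`^[0-9]+(Ki|Mi|Gi|Ti)?$`)

const maxLabelLen = 63

// ValidateK8sName rejects anything that is not a plain DNS-1123 label. That
// also rules out newlines, colons and quotes, which is what would turn a
// single name field into additional YAML/JSON keys.
func ValidateK8sName(field, name string) error {
	if name == "" {
		return fmt.Errorf("%s: must not be empty", field)
	}
	if len(name) > maxLabelLen {
		return fmt.Errorf("%s: longer than %d characters", field, maxLabelLen)
	}
	if !dns1123Label.MatchString(name) {
		return fmt.Errorf("%s: %q is not a valid DNS-1123 label", field, name)
	}
	return nil
}

// PVCNameForSlot derives the claim name from the concurrency slot index the
// runner assigned to the job. The index is an int chosen by the runner, not a
// job variable, so a job cannot point itself at another job's claim by
// overriding a variable the way it could with CI_JOB_ID.
func PVCNameForSlot(prefix string, slot int) (string, error) {
	if slot < 0 {
		return "", errors.New("slot index must not be negative")
	}
	name := fmt.Sprintf("%s-%d", prefix, slot)
	if err := ValidateK8sName("pvc name", name); err != nil {
		return "", err
	}
	return name, nil
}

// PVCSpec holds only validated fields; these are the only values that reach the manifest.
type PVCSpec struct {
	Name         string
	Namespace    string
	StorageClass string
	AccessMode   string
	Size         string
}

// BuildPVCSpec validates every externally supplied value before it is used.
func BuildPVCSpec(prefix string, slot int, namespace, storageClass, size string) (PVCSpec, error) {
	name, err := PVCNameForSlot(prefix, slot)
	if err != nil {
		return PVCSpec{}, err
	}
	for field, v := range map[string]string{"namespace": namespace, "storageClassName": storageClass} {
		if err := ValidateK8sName(field, v); err != nil {
			return PVCSpec{}, err
		}
	}
	if !sizeQuantity.MatchString(size) {
		return PVCSpec{}, fmt.Errorf("size: %q is not a plain quantity", size)
	}
	return PVCSpec{Name: name, Namespace: namespace, StorageClass: storageClass, AccessMode: "ReadWriteOnce", Size: size}, nil
}

// RenderPVCManifest writes the claim from validated fields only, so the output
// can never contain keys the administrator did not put there.
func RenderPVCManifest(s PVCSpec) string {
	var b strings.Builder
	fmt.Fprintf(&b, "apiVersion: v1\nkind: PersistentVolumeClaim\n")
	fmt.Fprintf(&b, "metadata:\n  name: %s\n  namespace: %s\n", s.Name, s.Namespace)
	fmt.Fprintf(&b, "spec:\n  storageClassName: %s\n  accessModes:\n  - %s\n", s.StorageClass, s.AccessMode)
	fmt.Fprintf(&b, "  resources:\n    requests:\n      storage: %s\n", s.Size)
	return b.String()
}

func main() {
	// Constructed sample input: slot 2 of a runner with builds_dir on a "standard" storage class.
	spec, err := BuildPVCSpec("builds", 2, "default", "standard", "10Gi")
	if err != nil {
		panic(err)
	}
	fmt.Print(RenderPVCManifest(spec))

	// A storage class value carrying an extra YAML line is refused outright.
	_, err = BuildPVCSpec("builds", 2, "default", "standard\nextra: field", "10Gi")
	fmt.Println("injected field rejected:", err != nil)
}
```

Rendering from a typed struct of already validated fields, rather than substituting raw variables into a YAML template, is what makes the first concern (input sanitization) a non-issue; taking the slot index from the runner rather than from the job's variables addresses the second.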

Steps to reproduce

Actual behavior

With PVC volumes, all jobs must run on the same node.

Expected behavior

Create a PVC volume for each $CI_CONCURRENT_ID.

Relevant logs and/or screenshots

Environment description

config.toml contents
[[runners]]
  name = "kubernetes"
  url = "https://gitlab.com/"
  token = "TOKEN_HERE"
  executor = "kubernetes"
  builds_dir = "/root_builds"
  [runners.kubernetes]
    image = "alpine:3.11"
    namespace = "default"
    [[runners.kubernetes.volumes.pvc]]
      name = "pvc-1"
      mount_path = "/root_builds"

Used GitLab Runner version

Running with gitlab-runner 13.11.0

Possible fixes

Edited by Darren Eastman