
Ability to turn on/off running umask 0000 command for Kubernetes executor

Description

The helper image executes umask 0000, which results in 777 permissions for directories and 666 for files. This makes every directory and file in the build container writable by anyone, which is not best practice.

Proposal

This proposal is to add a new feature flag, similar to FF_DISABLE_UMASK_FOR_DOCKER_EXECUTOR, that gives the ability to not run umask 0000. Instead, when the flag is on, the build container changes the ownership of the working directory to the UID and GID of the user defined by the USER directive in the build image.

Additional context

The code in https://gitlab.com/gitlab-org/gitlab-runner/-/blob/511bf632bf402d92c9621625b2186cbc3b68752d/executors/docker/docker_command.go#L212-244 essentially:

  • Inspects what user/group is used with the image
  • Runs chown on the project dir with that image

Links to related issues and merge requests / references

#1736 (closed)

Edited by Darren Eastman