Unable to configure AppArmor profile for build pods when using Kubernetes executor
Suggested Workaround
Use of AppArmor profile annotation + GitLab Runner Annotation Overwrite
More details can be read in this comment
Summary
It is currently impossible to configure an AppArmor profile for build pods using the spec.securityContext.appArmorProfile API available from Kubernetes 1.30. This is useful, for example, when building images with a Podman service, since many Kubernetes distributions block the mount syscall via AppArmor.
It is also impossible to do this manually with a pod spec patch at the moment: the kubernetes executor appears to apply the patch to the Kubernetes Go client's typed structs before calling the Kubernetes API, and the client package is still at version 0.26, which predates this part of the spec, so the field is silently dropped.
Steps to reproduce
- Configure the kubernetes executor with a pod spec patch like this:

kubernetes executor configuration

```toml
[[runners.kubernetes.pod_spec]]
  name = "disable apparmor"
  patch = '''
    securityContext:
      appArmorProfile:
        type: Unconfined
  '''
```
- Try to run a pipeline like this (e.g. to build with paketo buildpacks):

.gitlab-ci.yml

```yaml
build:
  image: my-java-builder
  services:
    - name: quay.io/containers/podman:v4.2.1
      alias: docker
      command: ["podman", "system", "service", "--time=0", "tcp://0.0.0.0:2375"]
  variables:
    DOCKER_HOST: tcp://docker:2375
  script:
    - ./gradlew bootBuildImage
```
Actual behavior
The build fails because Podman cannot call mount under the AppArmor profile; the pod spec patch is not applied to the build pod.
Expected behavior
Patch should apply...
Environment description
I tested this on a self hosted gitlab and runner instance, inside a GKE cluster.
Used GitLab Runner version
newest
Possible fixes
- Update the Go packages to the current Kubernetes version
- Change the pod spec patch behaviour so it does not rely on API structs, making it possible to patch in keys that don't exist in the client version
- Add an `app_armor_profile` config field to the kubernetes executor so that pod spec patching is not needed at all
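The following Go program is an added illustration of the mechanism described in the summary and targeted by the second possible fix; it is not GitLab Runner code and the `PodSpec`/`PodSecurityContext` types are constructed stand-ins for the older client-go structs, not the real ones. It shows that routing the patch through a typed struct that has no `appArmorProfile` field drops the key without error, that merging into a generic map keeps it, and how a strict decode can turn the silent drop into a load-time error a runner operator would actually see.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
)

// Constructed stand-ins for the client-go types. The real v0.26
// PodSecurityContext has many more fields, but none named appArmorProfile,
// which is the point of the demonstration.
type PodSecurityContext struct {
	RunAsUser    *int64 `json:"runAsUser,omitempty"`
	RunAsNonRoot *bool  `json:"runAsNonRoot,omitempty"`
}

type PodSpec struct {
	SecurityContext *PodSecurityContext `json:"securityContext,omitempty"`
	Containers      []map[string]any    `json:"containers,omitempty"`
}

// Constructed base pod spec and the JSON form of the pod_spec patch from the issue.
const basePod = `{"securityContext":{"runAsNonRoot":true},"containers":[{"name":"build","image":"my-java-builder"}]}`
const appArmorPatch = `{"securityContext":{"appArmorProfile":{"type":"Unconfined"}}}`

// ApplyTyped routes the patch through the typed struct, the way a client whose
// structs predate the field would: encoding/json ignores keys it has no field for.
func ApplyTyped(base, patch string) (string, error) {
	var spec PodSpec
	if err := json.Unmarshal([]byte(base), &spec); err != nil {
		return "", err
	}
	if err := json.Unmarshal([]byte(patch), &spec); err != nil {
		return "", err
	}
	out, err := json.Marshal(spec)
	return string(out), err
}

// mergeMaps recursively merges patch into base: nested maps are merged key by
// key, everything else is replaced. Enough to show the untyped approach.
func mergeMaps(base, patch map[string]any) map[string]any {
	for k, pv := range patch {
		if pm, ok := pv.(map[string]any); ok {
			if bm, ok := base[k].(map[string]any); ok {
				base[k] = mergeMaps(bm, pm)
				continue
			}
		}
		base[k] = pv
	}
	return base
}

// ApplyUntyped merges the patch into a generic map, so no key is lost
// regardless of which client version the executor was built against.
func ApplyUntyped(base, patch string) (string, error) {
	var b, p map[string]any
	if err := json.Unmarshal([]byte(base), &b); err != nil {
		return "", err
	}
	if err := json.Unmarshal([]byte(patch), &p); err != nil {
		return "", err
	}
	out, err := json.Marshal(mergeMaps(b, p))
	return string(out), err
}

// HasAppArmorProfile reports whether the serialised spec still carries
// securityContext.appArmorProfile.type, returning the profile type if so.
func HasAppArmorProfile(spec string) (string, bool) {
	var m map[string]any
	if err := json.Unmarshal([]byte(spec), &m); err != nil {
		return "", false
	}
	sc, _ := m["securityContext"].(map[string]any)
	ap, _ := sc["appArmorProfile"].(map[string]any)
	t, ok := ap["type"].(string)
	return t, ok
}

// CheckPatchFields decodes the patch with DisallowUnknownFields so a key the
// typed struct cannot carry fails loudly at config-load time instead of vanishing.
func CheckPatchFields(patch string) error {
	dec := json.NewDecoder(bytes.NewReader([]byte(patch)))
	dec.DisallowUnknownFields()
	var spec PodSpec
	return dec.Decode(&spec)
}

func main() {
	typed, _ := ApplyTyped(basePod, appArmorPatch)
	untyped, _ := ApplyUntyped(basePod, appArmorPatch)
	_, typedOK := HasAppArmorProfile(typed)
	_, untypedOK := HasAppArmorProfile(untyped)
	fmt.Println("typed path keeps appArmorProfile:  ", typedOK)   // false
	fmt.Println("untyped path keeps appArmorProfile:", untypedOK) // true
	fmt.Println("strict decode of patch:", CheckPatchFields(appArmorPatch))
}
```

The strict-decode check is the part worth borrowing: until the client structs know about the field, the only safe behaviour for a security-relevant key like `appArmorProfile` is to refuse the configuration rather than run the pod without the intended profile.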