
Add gitlab-runner user during ubi-fips image building

Romuald Atchadé requested to merge dockerfile-ubi-fips-default-user into main

What does this MR do?

Allow building the GitLab Runner UBI FIPS image in non-root mode.

Why was this MR needed?

As it stands, installing GitLab Runner with Helm Chart fails with the following error:

mkdir: cannot create directory '/home/gitlab-runner': Permission denied

Setting the securityContext and the podSecurityContext as follows appears to correct the permission issue:

securityContext:
  allowPrivilegeEscalation: true
  readOnlyRootFilesystem: false
  runAsNonRoot: true
  privileged: true
  capabilities:
    drop: ["ALL"]

## Configure securitycontext valid for the whole pod
## ref: http://kubernetes.io/docs/user-guide/security-context/
##
podSecurityContext:
  runAsUser: 0
  runAsGroup: 0

This confirms that during the installation the pod user doesn't have write permission for the folder /home/gitlab-runner.
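The permission failure above comes down to whether the pod's runAsUser (or fsGroup) matches the ownership and mode of the directory the runner writes to. The script below is an added preflight check, not code from this MR or the gitlab-runner project; the uid 100 and the stat lines are constructed assumptions.

```shell
#!/bin/sh
# Added preflight check (not from the MR): can the pod's runAsUser/fsGroup
# write to the runner home directory? Inputs mirror podSecurityContext and
# the output of `stat -c '%u %g %a %n' DIR` run inside the image.

# can_write RUN_AS_USER FS_GROUP OWNER_UID OWNER_GID MODE
# Returns 0 when a process with uid RUN_AS_USER and supplementary group
# FS_GROUP may write to a directory owned by OWNER_UID:OWNER_GID with the
# given octal MODE (e.g. 755 or 0755). Follows the kernel's DAC order:
# root bypasses, then owner bits, then group bits, then other bits.
can_write() {
  run_as=$1; fs_group=$2; owner=$3; group=$4
  mode=$(( 0$5 ))                       # leading 0 forces octal parsing
  [ "$run_as" -eq 0 ] && return 0       # runAsUser: 0 is why the workaround passes
  if [ "$run_as" -eq "$owner" ]; then
    [ $(( mode & 128 )) -ne 0 ]; return   # owner write bit (0200)
  fi
  if [ "$fs_group" -eq "$group" ]; then
    [ $(( mode & 16 )) -ne 0 ]; return    # group write bit (0020)
  fi
  [ $(( mode & 2 )) -ne 0 ]               # other write bit (0002)
}

# verify_home RUN_AS_USER FS_GROUP "STAT_LINE"
# STAT_LINE: `stat -c '%u %g %a %n' DIR` captured inside the image.
# Prints a one-line verdict; returns 0 when the directory is writable.
verify_home() {
  ru=$1; fg=$2
  set -- $3                              # owner gid mode path
  if can_write "$ru" "$fg" "$1" "$2" "$3"; then
    echo "ok: uid $ru can write to $4 ($1:$2 $3)"
    return 0
  fi
  echo "fail: uid $ru cannot write to $4 ($1:$2 $3); expect 'Permission denied'"
  return 1
}

# Constructed stat lines. Before the MR the image only has a root-owned /home,
# so runAsUser 100 cannot create /home/gitlab-runner (the mkdir error in the
# description). After the MR the home directory exists and is owned by the
# runner user (uid 100 is assumed here, not taken from the MR).
verify_home 100 65533 "0 0 755 /home" || :
verify_home 0 0 "0 0 755 /home" || :
verify_home 100 65533 "100 65533 755 /home/gitlab-runner" || :
```

Run it against real values by replacing the constructed stat lines with `stat -c '%u %g %a %n' /home/gitlab-runner` captured from a shell inside the image.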

What's the best way to test this MR?

Install GitLab Runner using the Helm Chart project and the values.yaml file below (do not forget to update the Registration Token)

values.yaml
image:
  registry: registry.gitlab.com
  image: gitlab-org/gitlab-runner
  tag: ubi-fips-dockerfile-ubi-fips-default-user@sha256:b3790d1a3553f28e99a6fddc09103f9476cfa604223bb1fedb20f45226677894

imagePullPolicy: Always

gitlabUrl: https://gitlab.com/

runnerRegistrationToken: "TOKEN"

terminationGracePeriodSeconds: 0

concurrent: 1

checkInterval: 30

logLevel: "debug"

sessionServer:
  enabled: false

## For RBAC support:
rbac:
  create: false
  rules:
  - resources: ["configmaps", "pods", "pods/attach", "secrets", "services"]
    verbs: ["get", "list", "watch", "create", "patch", "update", "delete"]
  - apiGroups: [""]
    resources: ["pods/exec"]
    verbs: ["create", "patch", "delete"]

  clusterWideAccess: false

  podSecurityPolicy:
    enabled: false
    resourceNames:
    - gitlab-runner

metrics:
  enabled: false
  portName: metrics
  port: 9252
  serviceMonitor:
    enabled: false

service:
  enabled: false
  type: clusterIP

runners:
  config: |
    [[runners]]
      [runners.kubernetes]
        namespace = "{{.Release.Namespace}}"
        image = "alpine"

  cache: {}
  
  builds: {}
  
  services: {}
  
  helpers: {}
  
securityContext:
  allowPrivilegeEscalation: false
  readOnlyRootFilesystem: false
  runAsNonRoot: true
  privileged: false
  capabilities:
    drop: ["ALL"]

podSecurityContext:
  runAsUser: 100
  # runAsGroup: 65533
  fsGroup: 65533
  # supplementalGroups: [65533]

  ## Note: values for the ubuntu image:
  # runAsUser: 999
  # fsGroup: 999

resources: {}

affinity: {}

nodeSelector: {}

tolerations: []

hostAliases: []

podAnnotations: {}

podLabels: {}

priorityClassName: ""

secrets: []

configMaps: {}

volumeMounts: []

volumes: []

The values.yaml file mostly uses the default configuration.

The image used has been generated by a previous pipeline in this MR.

The Runner Manager pod doesn't display any error and shows that GitLab Runner is functional.

Screenshots

Screenshot_2022-11-30_at_2.13.22_PM

Screenshot_2022-11-30_at_2.13.38_PM

What are the relevant issue numbers?

Closes gitlab-org/charts/gitlab-runner#410 (closed)

Edited by Romuald Atchadé
