Add gitlab-runner user during ubi-fips image building
What does this MR do?
Allow the building of the GitLab Runner UBI FIPS in non root mode
Why was this MR needed?
As it stands, installing GitLab Runner with the Helm Chart fails with the following error:
mkdir: cannot create directory '/home/gitlab-runner': Permission denied
Setting the securityContext and the podSecurityContext as follows appears to correct the permission issue:
securityContext:
  allowPrivilegeEscalation: true
  readOnlyRootFilesystem: false
  runAsNonRoot: true
  privileged: true
  capabilities:
    drop: ["ALL"]
## Configure securitycontext valid for the whole pod
## ref: http://kubernetes.io/docs/user-guide/security-context/
##
podSecurityContext:
  runAsUser: 0
  runAsGroup: 0
This confirms that, during the installation, the pod user does not have write permission on the folder /home/gitlab-runner.
What's the best way to test this MR?
Install GitLab Runner using the Helm Chart project and the values.yaml file below (do not forget to update the Registration Token).
values.yaml
image:
  registry: registry.gitlab.com
  image: gitlab-org/gitlab-runner
  tag: ubi-fips-dockerfile-ubi-fips-default-user@sha256:b3790d1a3553f28e99a6fddc09103f9476cfa604223bb1fedb20f45226677894
imagePullPolicy: Always
gitlabUrl: https://gitlab.com/
runnerRegistrationToken: "TOKEN"
terminationGracePeriodSeconds: 0
concurrent: 1
checkInterval: 30
logLevel: "debug"
sessionServer:
  enabled: false
## For RBAC support:
rbac:
  create: false
  rules:
    - resources: ["configmaps", "pods", "pods/attach", "secrets", "services"]
      verbs: ["get", "list", "watch", "create", "patch", "update", "delete"]
    - apiGroups: [""]
      resources: ["pods/exec"]
      verbs: ["create", "patch", "delete"]
  clusterWideAccess: false
  podSecurityPolicy:
    enabled: false
    resourceNames:
      - gitlab-runner
metrics:
  enabled: false
  portName: metrics
  port: 9252
  serviceMonitor:
    enabled: false
service:
  enabled: false
  type: clusterIP
runners:
  config: |
    [[runners]]
      [runners.kubernetes]
        namespace = "{{.Release.Namespace}}"
        image = "alpine"
  cache: {}
  builds: {}
  services: {}
  helpers: {}
securityContext:
  allowPrivilegeEscalation: false
  readOnlyRootFilesystem: false
  runAsNonRoot: true
  privileged: false
  capabilities:
    drop: ["ALL"]
podSecurityContext:
  runAsUser: 100
  # runAsGroup: 65533
  fsGroup: 65533
  # supplementalGroups: [65533]
  ## Note: values for the ubuntu image:
  # runAsUser: 999
  # fsGroup: 999
resources: {}
affinity: {}
nodeSelector: {}
tolerations: []
hostAliases: []
podAnnotations: {}
podLabels: {}
priorityClassName: ""
secrets: []
configMaps: {}
volumeMounts: []
volumes: []
The values.yaml file mostly uses the default configuration.
The image used was generated by a previous pipeline in this MR.
The Runner Manager pod does not display any error and shows that GitLab Runner is functional.
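As an added check that is not part of this MR or of the chart, the following shell script flags the root/privileged settings from the workaround quoted in the "Why was this MR needed?" section and confirms that the non-root securityContext and podSecurityContext from the values.yaml above pass. It assumes a plain values file with one key per line, as in the samples it constructs; the function name check_security_context is the example's own.

```shell
#!/bin/sh
# Added example (not part of the MR): lint Helm values for settings that grant root or
# privilege as a workaround for the /home/gitlab-runner permission error.
# Assumption: plain YAML with one key per line, as in the constructed samples below.

# Print each root/privileged setting found in the file; return 0 only if none are found.
check_security_context() {
  file="$1"
  findings=0
  for pattern in 'privileged: *true' \
                 'allowPrivilegeEscalation: *true' \
                 'runAsNonRoot: *false' \
                 'runAsUser: *0[[:space:]]*$' \
                 'runAsGroup: *0[[:space:]]*$'; do
    # Skip commented-out lines so notes such as "# runAsGroup: 65533" do not trigger.
    if grep -v '^[[:space:]]*#' "$file" | grep -Eq "$pattern"; then
      echo "$file: found '$pattern'"
      findings=$((findings + 1))
    fi
  done
  [ "$findings" -eq 0 ]
}

# Constructed sample 1: the root/privileged workaround from the MR description.
WEAK_VALUES=$(mktemp)
cat > "$WEAK_VALUES" <<'EOF'
securityContext:
  allowPrivilegeEscalation: true
  readOnlyRootFilesystem: false
  runAsNonRoot: true
  privileged: true
  capabilities:
    drop: ["ALL"]
podSecurityContext:
  runAsUser: 0
  runAsGroup: 0
EOF

# Constructed sample 2: the non-root settings from the MR's values.yaml.
GOOD_VALUES=$(mktemp)
cat > "$GOOD_VALUES" <<'EOF'
securityContext:
  allowPrivilegeEscalation: false
  readOnlyRootFilesystem: false
  runAsNonRoot: true
  privileged: false
  capabilities:
    drop: ["ALL"]
podSecurityContext:
  runAsUser: 100
  # runAsGroup: 65533
  fsGroup: 65533
EOF

if check_security_context "$WEAK_VALUES"; then
  echo "workaround values unexpectedly passed"
else
  echo "workaround values rejected (expected)"
fi
check_security_context "$GOOD_VALUES" && echo "non-root values accepted"
```

Run it before `helm install` (or in CI against the values file) so that a permission error inside the image is fixed in the image build, as this MR does, rather than by handing the Runner Manager pod root and a privileged container.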
What are the relevant issue numbers?
Edited by Romuald Atchadé