Change directories and files permissions for bash shell when FF_DISABLE_UMASK_FOR_KUBERNETES_EXECUTOR is enabled

What does this MR do?

When FF_DISABLE_UMASK_FOR_KUBERNETES_EXECUTOR is enabled, !4842 (merged) was only changing the file ownership to the build image default uid:gid but was not changing the file permissions.

The umask is set to 0000 when running a command on the helper image through the injection of the gitlab-runner-build script. This is necessary to allow the build container to easily write within the shared directories.

When FF_DISABLE_UMASK_FOR_KUBERNETES_EXECUTOR is enabled, the ownership of the files created by the helper image is set to the build uid:gid making the umask 0000 unnecessary.

With this MR, we prevent the injection of the gitlab-runner-build script when FF_DISABLE_UMASK_FOR_KUBERNETES_EXECUTOR is enabled.

Why was this MR needed?

Fix file permissions when FF_DISABLE_UMASK_FOR_KUBERNETES_EXECUTOR is enabled

What's the best way to test this MR?

gitlab-ci

variables:
  FF_USE_ADVANCED_POD_SPEC_CONFIGURATION: "true"
  FF_DISABLE_UMASK_FOR_KUBERNETES_EXECUTOR: "true"
  FF_USE_POWERSHELL_PATH_RESOLVER: "true"
  FF_RETRIEVE_POD_WARNING_EVENTS: "true"
  FF_USE_LEGACY_KUBERNETES_EXECUTION_STRATEGY: "false" # should also be tested with `false` value
  FF_PRINT_POD_EVENTS: "true"

test:
  image: alpine
  script:
    - ls -lR /builds

config.toml

listen_address = ":9252"
concurrent = 3
check_interval = 1
log_level = "debug"
connection_max_age = "15m0s"
shutdown_timeout = 0

[session_server]
  session_timeout = 1800

[[runners]]
  pre_get_sources_script = "git config --system --add safe.directory $CI_PROJECT_DIR"
  post_get_sources_script = "git config --local --add safe.directory $CI_PROJECT_DIR"

  name = "investigation"
  limit = 50
  url = "https://gitlab.com/"
  id = 0
  token = "glrt-REDACTED"
  token_obtained_at = 2024-09-30T14:38:04.623237Z
  executor = "kubernetes"
  [runners.feature_flags]
    FF_USE_ADVANCED_POD_SPEC_CONFIGURATION = true
    FF_USE_POD_ACTIVE_DEADLINE_SECONDS = true
    FF_PRINT_POD_EVENTS = true
    FF_USE_FASTZIP = true
  [runners.kubernetes]
    host = ""
    bearer_token_overwrite_allowed = false
    image = ""
    namespace = ""
    namespace_overwrite_allowed = ""
    namespace_per_job = false
    privileged = true
    node_selector_overwrite_allowed = ".*"
    node_tolerations_overwrite_allowed = ""
    pod_labels_overwrite_allowed = ""
    service_account_overwrite_allowed = ""
    [runners.kubernetes.pod_labels]
    [[runners.kubernetes.volumes.empty_dir]]
      name = "docker-certs"
      mount_path = "/certs/client"
      medium = "Memory"
    [runners.kubernetes.build_container_security_context]
      run_as_user = 1000
      run_as_group = 65533
    [runners.kubernetes.dns_config]

What are the relevant issue numbers?

close #38382 (closed)
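
A stricter variant of the `ls -lR /builds` test job, as an added example that is not part of this MR or of GitLab Runner: it shows the mode a new file gets under umask 0000 versus 0022, then audits a tree for world-writable entries or ownership other than the expected build uid:gid. The function names and the temporary demo directory are constructed for illustration, and `stat -c` assumes GNU or BusyBox stat.

```shell
#!/bin/sh
# Added example, not code from the MR. Function names are hypothetical.

# mode_under_umask MASK DIR
# Create an empty file in DIR under the given umask and print its octal mode.
# Runs in a subshell so the caller's umask is left untouched.
mode_under_umask() {
    ( umask "$1" && : > "$2/f.$1" && stat -c '%a' "$2/f.$1" )
}

# audit_tree DIR UID GID
# Print every entry under DIR that is world-writable (symlinks excluded,
# their mode bits are meaningless) or not owned by UID:GID.
# Returns 0 when the tree is clean, 1 when at least one entry is listed.
audit_tree() {
    bad=$(find "$1" \( \( ! -type l -perm -0002 \) \
                       -o ! -user "$2" -o ! -group "$3" \) -print)
    if [ -z "$bad" ]; then
        return 0
    fi
    printf '%s\n' "$bad"
    return 1
}

# Constructed demo: a scratch directory stands in for /builds.
demo=$(mktemp -d)
demo_uid=$(stat -c '%u' "$demo")
demo_gid=$(stat -c '%g' "$demo")

echo "file created under umask 0000: $(mode_under_umask 0000 "$demo")"
echo "file created under umask 0022: $(mode_under_umask 0022 "$demo")"

# The umask 0000 file is world-writable, so the audit reports it.
if audit_tree "$demo" "$demo_uid" "$demo_gid"; then
    echo "audit: clean"
else
    echo "audit: entries listed above need attention"
fi

rm -rf "$demo"
```

In a job using the config.toml above, the call would be `audit_tree /builds 1000 65533`, taking the ids from `run_as_user` and `run_as_group`.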
