Add user namespaces support for kubernetes executor

What does this MR do?

This commit allows the k8s runner executor to specify whether the build pod containers run using the host's users or in separate user namespaces.

Why was this MR needed?

Since k8s v1.25 (beta in v1.30 - enabled by default in v1.33 - GA in v1.36), it's possible to use user namespaces in K8s Pods.

Pipeline jobs quite often need to run as root, especially when you have to customize them (install new packages, etc.). With a k8s runner this can be a security risk, since in the case of a container breakout, the job will gain root privileges on the k8s node.

Using user namespaces makes it possible to isolate the user running inside the container from the one on the host and reduces the damage a compromised container can do to the host or to other pods on the same node.

What's the best way to test this MR?

Run the TestKubernetesHostUsers integration test on a k8s v1.33+ cluster with support for user namespaces:

  1. Create the test namespace: kubectl create namespace k8s-runner-integration-tests
  2. Run the integration test: go test -count=1 -tags=integration,kubernetes -run TestKubernetesHostUsers -v gitlab.com/gitlab-org/gitlab-runner/executors/kubernetes

Alternatively you can deploy the new runner in a k8s v1.33+ cluster and test it manually:

  1. Define host_users as true in the runner TOML config.
  2. Deploy or update the new runner on a v1.33+ k8s cluster (or a v1.25+ k8s with UserNamespacesSupport feature gate enabled).
  3. Run pipelines on the previous runner.
  4. Use kubectl get pods -n <runner-namespace> <runner-build-pod-name> -o jsonpath-as-json='{.spec.hostUsers}' when the pipeline is running (you must have access to the runner cluster)
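The isolation described above can also be confirmed from inside a running job by reading the container's own /proc/self/uid_map. The following Go program is an added example, not part of this MR or of GitLab Runner's code; the function names and the sample map values are constructed for illustration, and it assumes the pod's parent user namespace is the node's initial one.

```go
package main

import (
	"fmt"
	"os"
	"strconv"
	"strings"
)

// Constructed samples of /proc/self/uid_map (inside ID, parent ID, length).
const (
	sampleHostUsers = "         0          0 4294967295\n" // pod shares the host's users
	sampleUserNS    = "         0 1879048192      65536\n" // hypothetical user-namespaced pod
)

// hostUID translates a UID seen inside the container to the parent namespace.
// ok is false when no range in the map covers the UID (it is unmapped).
func hostUID(uidMap string, uid uint64) (host uint64, ok bool, err error) {
	f := strings.Fields(uidMap)
	if len(f)%3 != 0 {
		return 0, false, fmt.Errorf("malformed uid_map: %d fields", len(f))
	}
	for i := 0; i < len(f); i += 3 {
		var v [3]uint64 // inside start, parent start, range length
		for j := range v {
			if v[j], err = strconv.ParseUint(f[i+j], 10, 64); err != nil {
				return 0, false, err
			}
		}
		if uid >= v[0] && uid-v[0] < v[2] {
			return v[1] + (uid - v[0]), true, nil
		}
	}
	return 0, false, nil
}

// rootIsHostRoot reports whether UID 0 in the container is UID 0 in the parent.
func rootIsHostRoot(uidMap string) (bool, error) {
	h, ok, err := hostUID(uidMap, 0)
	return ok && h == 0, err
}

func main() {
	data, err := os.ReadFile("/proc/self/uid_map") // Linux only
	if err != nil {
		data = []byte(sampleUserNS) // fall back to the constructed sample
	}
	shared, err := rootIsHostRoot(string(data))
	fmt.Println("container root is host root:", shared, "err:", err)
}
```

Run inside a build container, a result of `true` means a process that escapes the container as root would be root on the node; `false` means container root maps to an unprivileged host UID.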

What are the relevant issue numbers?

Edited by Stéphane Talbot
