Kubernetes Executor: Job pod should be deployed via a deployment object
Description
Currently, when a job is received by a Kubernetes runner, the runner creates a pod directly via the Kubernetes Pod object. Instead, the runner should deploy pods via a Deployment. This is generally a good practice that is encouraged in a Kubernetes environment. Because pods are created with the Pod object and not with a Deployment, we lose the ability to use service-account-linked PSPs (pod security policies) as well as the ability for Kubernetes to recover the pod on a failure.
An example of the PSP problem: The runner has a service account and a specific, higher-privilege PSP associated with it. The runner creates a Pod object and associates a specific service account with it. This job pod service account has a lower-privilege PSP associated with it. Because the job pod was not created with a Deployment object, it inherits the PSP of the runner, which overrides the intended PSP.
Currently, the gitlab-runner requires running as root and having a read/write file system. This means that every job pod it creates will inherit those privileges.
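To make the PSP example above concrete, here is an added Python model (not GitLab Runner code) of how PSP admission selects a policy: every policy that either the requesting identity or the pod's own service account may `use` is eligible, so a pod the runner creates directly is also judged against the runner's PSP, while a pod created through a Deployment (by the ReplicaSet controller) is judged only against the job service account's PSP. The policy names, RBAC bindings and pod spec are constructed assumptions.

```python
"""Simplified model of PodSecurityPolicy admission (constructed example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class PSP:
    name: str
    allow_privileged: bool
    allow_run_as_root: bool


# Constructed PSPs: a permissive one bound to the runner, a restricted one for jobs.
POLICIES = {
    "runner-privileged": PSP("runner-privileged", True, True),
    "job-restricted": PSP("job-restricted", False, False),
}

# Constructed RBAC: which identity is granted the `use` verb on which PSP.
USE_BINDINGS = {
    "gitlab-runner": {"runner-privileged"},
    "job-sa": {"job-restricted"},
    "replicaset-controller": set(),  # controllers normally hold no PSP grants
}


def policy_allows(psp: PSP, pod: dict) -> bool:
    """Check the two pod fields this model understands against one PSP."""
    if pod["privileged"] and not psp.allow_privileged:
        return False
    if pod["run_as_user"] == 0 and not psp.allow_run_as_root:
        return False
    return True


def admit(pod: dict, requester: str, pod_sa: str):
    """Return the name of the PSP that admits the pod, or None if rejected.
    Eligible policies = those usable by the requester OR by the pod's SA."""
    eligible = USE_BINDINGS.get(requester, set()) | USE_BINDINGS.get(pod_sa, set())
    for name in sorted(eligible):  # PSP admission prefers the first allowing policy
        if policy_allows(POLICIES[name], pod):
            return name
    return None


JOB_POD = {"privileged": False, "run_as_user": 0}  # a job pod that runs as root


def direct_pod_create():
    """Runner creates the Pod object itself, so the runner SA is the requester."""
    return admit(JOB_POD, requester="gitlab-runner", pod_sa="job-sa")


def deployment_create():
    """Deployment path: the ReplicaSet controller creates the Pod, not the runner."""
    return admit(JOB_POD, requester="replicaset-controller", pod_sa="job-sa")
```

The direct path admits the root job pod under the runner's policy; the Deployment path rejects it because only `job-restricted` is eligible.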
Proposal
Change the job pod to be deployed via a Deployment rather than created directly with the Pod object.
Links to related issues and merge requests / references
https://kubernetes.io/docs/concepts/workloads/pods/pod-overview/
https://kubernetes.io/docs/concepts/workloads/controllers/deployment/
https://kubernetes.io/docs/concepts/policy/pod-security-policy/