SAST and Other Security Features Not Working Even With Privileged Mode True on Kubernetes Executor
Summary
The Kubernetes executor is configured with privileged = true, and yet SAST and other security features fail with read-only file system errors.
Steps to reproduce
- Set up GitLab running on a fresh GKE cluster
- Use the Kubernetes executor with privileged mode true
- In a git repo with a Dockerfile at root, push a .gitlab-ci.yml file with the Auto DevOps templates for Build and SAST included
- Run the pipeline
.gitlab-ci.yml
stages:
- build
- test
include:
- template: Jobs/Build.gitlab-ci.yml # https://gitlab.com/gitlab-org/gitlab-foss/blob/master/lib/gitlab/ci/templates/Jobs/Build.gitlab-ci.yml
- template: Security/SAST.gitlab-ci.yml # https://gitlab.com/gitlab-org/gitlab-foss/blob/master/lib/gitlab/ci/templates/Security/SAST.gitlab-ci.yml
Actual behavior
The SAST job fails with "mkdir /builds: read-only file system" errors.
Expected behavior
I expect the SAST job to succeed and upload the artifact.
Relevant logs and/or screenshots
job log
$ export SAST_VERSION=${SP_VERSION:-$(echo "$CI_SERVER_VERSION" | sed 's/^\([0-9]*\)\.\([0-9]*\).*/\1-\2-stable/')}
$ if ! docker info &>/dev/null; then # collapsed multi-line command
$ printenv | grep -E '^(DOCKER_|CI|GITLAB_|FF_|HOME|PWD|OLDPWD|PATH|SHLVL|HOSTNAME)' | cut -d'=' -f1 | \ # collapsed multi-line command
$ docker run \ # collapsed multi-line command
docker: Error response from daemon: error while creating mount source path '/builds/sbvr/sast-test': mkdir /builds: read-only file system.
Environment description
Using GitLab Runner 12.4.1 with the Kubernetes executor, Kubernetes version 1.14.8
config.toml contents
[[runners]]
  name = "A Runner"
  url = "https://gitlab.com/"
  token = "token"
  executor = "kubernetes"
  [runners.kubernetes]
    namespace = "gitlab-runner"
    privileged = true
    [[runners.kubernetes.volumes.host_path]]
      name = "docker-socket"
      mount_path = "/var/run/docker.sock"
Used GitLab Runner version
Version: 12.4.1
Git revision: 05161b14
Git branch: 12-4-stable
GO version: go1.10.8
Built: 2019-10-28T12:49:57+0000
OS/Arch: linux/amd64