OpenShift support
What does this MR do?
Give write access to group id 0 to enable OpenShift support. When running on OpenShift, user id is random and group id is 0. When running on .com, the default user remains root, to ensure backward compatibility. See gitlab-org/gitlab#290240 (comment 509916812)
Also, add test jobs for the offline-FREEZE branch of one of the Secure test projects to make sure that it's still possible to have a before_script with instructions executed as root. See gitlab-org/gitlab#290240 (comment 509928251)
How is it tested?
Tested using !181 (closed).
See successful scanning job where the generated report is checked after the scan:
- http://gitlab.apps.secure-stage-openshift-test.k8s-ft.win/root/php-composer/-/pipelines/170
- http://gitlab.apps.secure-stage-openshift-test.k8s-ft.win/root/ruby-bundler/-/pipelines/171
- http://gitlab.apps.secure-stage-openshift-test.k8s-ft.win/root/js-npm/-/pipelines/172
- http://gitlab.apps.secure-stage-openshift-test.k8s-ft.win/root/js-yarn/-/pipelines/173
- http://gitlab.apps.secure-stage-openshift-test.k8s-ft.win/root/go-modules/-/pipelines/174
- http://gitlab.apps.secure-stage-openshift-test.k8s-ft.win/root/csharp-nuget-dotnetcore/-/pipelines/175
Failing job when setting ADDITIONAL_CA_CERT_BUNDLE to a fake certificate, but this proves that the analyzer can update /etc/gitconfig:
Value of ADDITIONAL_CA_CERT_BUNDLE was:
-----BEGIN CERTIFICATE-----
certificate-contents-go-here
-----END CERTIFICATE-----
What are the relevant issue numbers?
gitlab-org/gitlab#290240 (closed)
Does this MR meet the acceptance criteria?
- Changelog entry added
- Documentation created/updated for GitLab EE, if necessary
- Documentation created/updated for this project, if necessary
- Documentation reviewed by technical writer or follow-up review issue created
- Tests added for this feature/bug
- Job definition updated, if necessary
- Conforms to the code review guidelines
- Conforms to the Go guidelines
- Security reports checked/validated by reviewer
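
An added example, not part of this merge request or the analyzer's code: a shell check that the paths an analyzer has to update (such as /etc/gitconfig, mentioned above) remain writable when the container runs with a random user id and group id 0, together with the common chgrp / chmod g=u way of granting that access. The function names, the TARGET_GID variable and the g=u approach are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: audit and grant group write access for arbitrary-UID runs.
# TARGET_GID defaults to 0, the group named in the description above; it is
# overridable (an assumption of this example) so the functions can be
# exercised without root.
TARGET_GID="${TARGET_GID:-0}"

# Succeeds when $1 belongs to TARGET_GID and that group has the write bit.
# -prune keeps find on the path itself instead of descending into it.
group_can_write() {
    [ -n "$(find "$1" -prune -group "$TARGET_GID" -perm -020 -print 2>/dev/null)" ]
}

# Prints every path that a random UID in TARGET_GID could not modify and
# returns non-zero if at least one path is reported.
audit_paths() {
    rc=0
    for p in "$@"; do
        if ! group_can_write "$p"; then
            echo "not writable by gid $TARGET_GID: $p"
            rc=1
        fi
    done
    return "$rc"
}

# Hands the paths to TARGET_GID and copies the owner's permission bits to
# the group (g=u), so the group gains nothing the owner did not already have.
grant_group_write() {
    chgrp -R "$TARGET_GID" "$@" && chmod -R g=u "$@"
}
```

Run at image build time, grant_group_write is applied as root to only the files the analyzer must modify; audit_paths can then run in a test job to catch a path that lost its group write bit.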