Recently I configured gitlab-runner to run on an OpenShift cluster. One quirk of this setup is that containers run as random uids, with the side-effect that the build container is unable to clone the project or fetch dependencies.

To overcome this issue, we needed to run the build container with a supplemental group that had write access to the $CI_BUILDS_DIR path.

Security Context Constraint

The cluster administrators set up a SecurityContextConstraints object which allowed the build service account to use supplemental group 80001.

kind: SecurityContextConstraints
apiVersion: v1
metadata:
  name: ...
supplementalGroups:
  type: MustRunAs
  ...

Dockerfile

In the build container image, /code needed to be writable by a user in group 80001. The following line was added to the image's Dockerfile.

RUN chgrp 80001 /code

Gitlab Runner Registration

The --kubernetes-pod-security-context-supplemental-groups flag was added to the gitlab-runner register command (/entrypoint in the gitlab/gitlab-runner image).

/entrypoint register \
  --non-interactive \
  --kubernetes-pod-security-context-supplemental-groups=80001 \

.gitlab-ci.yaml

Add the following variables to the project's .gitlab-ci.yaml file.

variables:
  KUBERNETES_SERVICE_ACCOUNT_OVERWRITE: dev-gitlab-runner-build

Conclusion

With all these pieces assembled, the following configuration is included in the pod spec.

spec:
  securityContext:
    supplementalGroups:
    - 80001

The random user is now able to write to the build directory, in this case /code.
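As an added example (not code from the original post), the following POSIX sh function is the sanity check I would run as the first line of a job script before the clone: it confirms the supplemental group actually reached the process credentials and that the build directory is writable by the random uid. The directory path, the gid 80001 and the probe file name are assumptions taken from the setup above.

```shell
#!/bin/sh
# Added example: verify the supplemental-group setup from inside the build pod.
# Usage inside a job: check_build_dir "$CI_BUILDS_DIR" 80001
# Returns 0 when the setup is sound, 1 (with a reason on stderr) otherwise.
check_build_dir() {
  dir=$1
  gid=$2

  # 1. The gid must appear in the process' supplemental groups. If it does
  #    not, the SCC or the runner's supplemental-groups flag did not apply.
  case " $(id -G) " in
    *" $gid "*) ;;
    *) echo "check: gid $gid missing from supplemental groups ($(id -G))" >&2
       return 1 ;;
  esac

  # 2. The build directory has to exist before we can probe it.
  [ -d "$dir" ] || { echo "check: $dir is not a directory" >&2; return 1; }

  # 3. Prove writability the way git would: create and remove a file.
  #    A failure here with the gid present is the classic symptom of a
  #    chgrp without a matching group write bit on the directory.
  probe="$dir/.write-probe.$$"
  if ( umask 077; : > "$probe" ) 2>/dev/null; then
    rm -f "$probe"
    return 0
  fi
  echo "check: uid $(id -u) cannot write to $dir ($(ls -ld "$dir"))" >&2
  return 1
}
```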