Supplemental Groups with Gitlab Runner on OpenShift
kubernetes openshift gitlab
Recently I configured gitlab-runner to operate on an OpenShift cluster. One quirk of this setup is that the containers run as random uids, with the side-effect that the build container is unable to clone the project or fetch dependencies.
To overcome this issue, we needed to run the build container with a supplemental group which had write access to the
Security Context Constraint
The cluster administrators set up a securityContextConstraint which allowed the build service account to use supplemental group
```yaml
kind: SecurityContextConstraints
apiVersion: v1
metadata:
  name: "dev-gitlab-runner-build"
supplementalGroups:
  type: MustRunAs
  uid: 80001
users:
  - dev-gitlab-runner-build
```
In the build container image, `/code` needed to be writable by a user carrying group 80001. This line was added to the image Dockerfile (the directory must also have the group write bit set; `chgrp` alone only changes ownership):

```dockerfile
# Hand the build directory to the supplemental group and make it group-writable,
# so any random uid that carries gid 80001 can write there.
RUN chgrp -R 80001 /code && chmod -R g+rwx /code
```
Gitlab Runner Registration
The `--kubernetes-pod-security-context-supplemental-groups` flag was added to the `gitlab-runner register` command (`/entrypoint` in the

```sh
/entrypoint register \
  --kubernetes-pod-security-context-supplemental-groups=80001 \
  --non-interactive
```
Add the following variables to project
```yaml
variables:
  ...
  KUBERNETES_SERVICE_ACCOUNT_OVERWRITE: dev-gitlab-runner-build
```
With all these pieces assembled, the following configuration is included in the pod spec.
```yaml
spec:
  ...
  securityContext:
    ...
    supplementalGroups:
      - 80001
```
The random user is now able to write to the build directory - in this case
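To make the two halves of this setup concrete (the supplemental group in the pod spec, and the group ownership plus group write bit on the build directory), here is an added example that is not part of the original post or of gitlab-runner. It models the pod `securityContext` shown above as a constructed dict, derives the group ids a process in that pod would carry, and runs the classic Unix discretionary access check against a directory owned by gid 80001. The uid `1000680000` is a made-up stand-in for an OpenShift-assigned random uid, and the container image name is a placeholder.

```python
"""Simulate why a random-uid build container can (or cannot) write to /code.

Added example, not code from the original post. The pod spec below is
constructed to resemble what gitlab-runner renders; the uid and image
name are placeholders.
"""
import copy
import stat

BUILD_GID = 80001

# Constructed pod spec shaped like the one gitlab-runner produces after
# registering with --kubernetes-pod-security-context-supplemental-groups=80001.
POD = {
    "spec": {
        "serviceAccountName": "dev-gitlab-runner-build",
        "securityContext": {
            "runAsUser": 1000680000,          # made-up OpenShift random uid
            "supplementalGroups": [BUILD_GID],
        },
        "containers": [{"name": "build", "image": "example/build:latest"}],
    }
}


def effective_gids(pod):
    """Group ids a process in the pod carries.

    Kubernetes adds supplementalGroups to the process credentials, and also
    fsGroup and runAsGroup when they are set, so all three are collected.
    """
    sc = pod["spec"].get("securityContext", {})
    gids = set(sc.get("supplementalGroups", []))
    for key in ("runAsGroup", "fsGroup"):
        if key in sc:
            gids.add(sc[key])
    return gids


def can_write(uid, gids, owner_uid, owner_gid, mode):
    """Unix DAC write check: owner bits, then group bits, then other bits.

    Root bypasses the check; ACLs and capabilities are ignored on purpose
    so the example isolates the ownership/mode interaction.
    """
    if uid == 0:
        return True
    if uid == owner_uid:
        return bool(mode & stat.S_IWUSR)
    if owner_gid in gids:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)


def build_container_can_write(pod, dir_gid, dir_mode, dir_uid=0):
    """Would the build container's process be able to write to a directory
    owned by dir_uid:dir_gid with the given mode bits?"""
    sc = pod["spec"]["securityContext"]
    return can_write(sc["runAsUser"], effective_gids(pod), dir_uid, dir_gid, dir_mode)


def without_supplemental_groups(pod):
    """Copy of the pod spec with the supplemental group removed, i.e. what a
    runner registered without the flag would produce."""
    stripped = copy.deepcopy(pod)
    stripped["spec"]["securityContext"].pop("supplementalGroups", None)
    return stripped


if __name__ == "__main__":
    # /code after "chgrp 80001 /code && chmod g+rwx /code" (mode 0775, root-owned)
    print("group-owned, g+w :", build_container_can_write(POD, BUILD_GID, 0o775))
    # /code after chgrp only, mode still 0755: ownership changed but no group write bit
    print("group-owned, no g+w:", build_container_can_write(POD, BUILD_GID, 0o755))
    # same directory, but the pod spec lacks the supplemental group
    print("no supplementalGroups:",
          build_container_can_write(without_supplemental_groups(POD), BUILD_GID, 0o775))
```

The three cases printed at the bottom correspond to the working setup on this page, a Dockerfile that only ran `chgrp`, and a runner registered without the supplemental-groups flag; only the first succeeds.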