Problem
Need to be able to extend the fs-init container in initContainers in order to set required securityContext.
Request
runner-container-hooks/packages/k8s/src/k8s/utils.ts, line 206 at 6ecda1d:

```ts
export function mergePodSpecWithOptions(
```

mergePodSpecWithOptions should merge the initContainers key the same way containers is merged in mergeContainerWithOptions, to enable extension of fs-init through ACTIONS_RUNNER_CONTAINER_HOOK_TEMPLATE.
Reason
We have strict security settings that we have to set on containers; without those settings the fs-init fails to initialize. Currently, if we try to extend the fs-init container through the ACTIONS_RUNNER_CONTAINER_HOOK_TEMPLATE, it replaces the entire base.initContainer array with extension.initContainer, losing the initCommands.
Workaround
I tried to recreate the entire fs-init initContainer in the ACTIONS_RUNNER_CONTAINER_HOOK_TEMPLATE:
```yaml
spec:
  securityContext:
    runAsUser: 1001
    runAsNonRoot: true
    fsGroup: 1001
  initContainers:
    - name: fs-init
      image: ghcr.io/actions/actions-runner:latest
      command: ['sh', '-c', 'mkdir -p /mnt/externals && mkdir -p /mnt/work && mkdir -p /mnt/github && mv /home/runner/externals/* /mnt/externals/']
      volumeMounts:
        - name: externals
          mountPath: '/mnt/externals'
        - name: work
          mountPath: '/mnt/work'
        - name: github
          mountPath: '/mnt/github'
      securityContext:
        runAsGroup: 1001
        runAsUser: 1001
        allowPrivilegeEscalation: false
        seccompProfile:
          type: RuntimeDefault
        capabilities:
          drop:
            - ALL
  containers:
    - name: $job
      securityContext:
        allowPrivilegeEscalation: false
        seccompProfile:
          type: RuntimeDefault
        capabilities:
          drop:
            - ALL
```
But I am having issues with permissions:
Error: EACCES: permission denied, mkdir '/__w/<repo>/<repo>/file.txt'
Which I believe are related to missing this initCommand which is generated from GITHUB_WORKSPACE:
runner-container-hooks/packages/k8s/src/k8s/index.ts, line 113 at 6ecda1d:

```ts
initCommands.push(`mkdir -p /mnt/work/${workingDirPath}`)
```
Without access to the GITHUB_WORKSPACE in the fs-init container there is no way to recreate this command.
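As an added illustration (not code from runner-container-hooks), the following shows the name-keyed merge of initContainers that the Request section asks for, next to the whole-array replacement the Reason section describes, using a constructed base spec whose fs-init command carries the GITHUB_WORKSPACE-derived mkdir from the Workaround section. The helper names replaceInitContainers, mergeContainer, mergeInitContainers and demo, the Container/PodSpec types, the extra-setup container and the sample path example-org/example-repo are all assumptions made for this example.

```typescript
// Added illustration, not the hook's own code: a name-keyed merge for
// initContainers, beside the whole-array replacement the issue describes.

interface SecurityContext {
  runAsUser?: number;
  runAsGroup?: number;
  allowPrivilegeEscalation?: boolean;
  seccompProfile?: { type: string };
  capabilities?: { drop?: string[] };
}
interface VolumeMount { name: string; mountPath: string }
interface Container {
  name: string;
  image?: string;
  command?: string[];
  volumeMounts?: VolumeMount[];
  securityContext?: SecurityContext;
}
interface PodSpec {
  initContainers?: Container[];
  containers?: Container[];
}

// Current behaviour as reported: the template's initContainers array replaces
// the generated one wholesale, so fs-init loses its command and mounts.
function replaceInitContainers(base: PodSpec, extension: PodSpec): PodSpec {
  if (!extension.initContainers) return base;
  return { ...base, initContainers: extension.initContainers };
}

// Hypothetical per-container merge: template fields win, but anything the
// template leaves unset is kept from the generated container, and the two
// securityContext objects are merged field by field.
function mergeContainer(base: Container, ext: Container): Container {
  return {
    ...base,
    ...ext,
    command: ext.command ?? base.command,
    volumeMounts: ext.volumeMounts ?? base.volumeMounts,
    securityContext: { ...(base.securityContext ?? {}), ...(ext.securityContext ?? {}) },
  };
}

// Hypothetical mergeInitContainers: match entries by name (the way the issue
// asks containers to be matched) and append template-only init containers.
function mergeInitContainers(base: PodSpec, extension: PodSpec): PodSpec {
  const extByName = new Map<string, Container>();
  for (const c of extension.initContainers ?? []) extByName.set(c.name, c);
  const merged: Container[] = (base.initContainers ?? []).map((c) => {
    const ext = extByName.get(c.name);
    if (!ext) return c;
    extByName.delete(c.name);
    return mergeContainer(c, ext);
  });
  for (const c of extByName.values()) merged.push(c);
  return { ...base, initContainers: merged };
}

// Constructed sample data. The working-directory path stands in for what the
// hook derives from GITHUB_WORKSPACE; image and container names mirror the issue.
const workingDirPath = 'example-org/example-repo';
const baseSpec: PodSpec = {
  initContainers: [{
    name: 'fs-init',
    image: 'ghcr.io/actions/actions-runner:latest',
    command: ['sh', '-c',
      `mkdir -p /mnt/externals && mkdir -p /mnt/work/${workingDirPath} && mv /home/runner/externals/* /mnt/externals/`],
    volumeMounts: [{ name: 'externals', mountPath: '/mnt/externals' }, { name: 'work', mountPath: '/mnt/work' }],
  }],
};
// A template that only wants to harden fs-init, plus one extra init container of its own.
const templateSpec: PodSpec = {
  initContainers: [
    { name: 'fs-init',
      securityContext: { runAsUser: 1001, runAsGroup: 1001, allowPrivilegeEscalation: false,
        seccompProfile: { type: 'RuntimeDefault' }, capabilities: { drop: ['ALL'] } } },
    { name: 'extra-setup', image: 'registry.invalid/extra-setup:1' },
  ],
};

function demo() {
  const replaced = replaceInitContainers(baseSpec, templateSpec);
  const merged = mergeInitContainers(baseSpec, templateSpec);
  const fsInit = merged.initContainers!.find((c) => c.name === 'fs-init')!;
  return {
    replacedCommand: replaced.initContainers![0].command,    // undefined: the generated mkdir is gone
    mergedCommand: fsInit.command,                            // generated command kept
    mergedRunAsUser: fsInit.securityContext?.runAsUser,      // 1001 from the template
    mergedDrops: fsInit.securityContext?.capabilities?.drop, // ['ALL']
    mergedNames: merged.initContainers!.map((c) => c.name),  // ['fs-init', 'extra-setup']
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

With the replacement path, the merged fs-init has no command at all, which is the situation the EACCES error above arises from once the template author tries to hand-write the command without the workspace path; with the name-keyed merge the generated command and mounts survive and only the securityContext is added.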