add fsGroupChangePolicy and set implicit defaults for fsGroup

This commit is contained in:
pat-s 2024-10-02 10:48:56 +02:00
parent baa72e044f
commit 85047bdd1b
No known key found for this signature in database
GPG key ID: 3C6318841EF78925


@ -382,6 +382,7 @@ func podSecurityContext(sc *SecurityContext, secCtxConf SecurityContextConfig, s
user *int64 user *int64
group *int64 group *int64
fsGroup *int64 fsGroup *int64
fsGroupChangePolicy *string
seccomp *v1.SeccompProfile seccomp *v1.SeccompProfile
apparmor *v1.AppArmorProfile apparmor *v1.AppArmorProfile
) )
@ -411,6 +412,15 @@ func podSecurityContext(sc *SecurityContext, secCtxConf SecurityContextConfig, s
nonRoot = sc.RunAsNonRoot nonRoot = sc.RunAsNonRoot
} }
// if unset, set fsGroup to 1000 by default to support non-root images
if sc.FSGroup == nil {
fsGroup = 1000
// do the same for fsGroupChangePolicy but only if fsGroup is also set accordingly
if sc.fsGroupChangePolicy == nil {
FsGroupChangePolicy = "OnRootMismatch"
}
}
seccomp = seccompProfile(sc.SeccompProfile) seccomp = seccompProfile(sc.SeccompProfile)
apparmor = apparmorProfile(sc.ApparmorProfile) apparmor = apparmorProfile(sc.ApparmorProfile)
} }
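Review bot: The defaulting branch does not compile as written: `fsGroup = 1000` stores an untyped int into the `*int64` declared in the first hunk, `sc.fsGroupChangePolicy` names an unexported field that the `SecurityContext` type is unlikely to have (the exported fields around it are `FSGroup`, `RunAsNonRoot`), and `FsGroupChangePolicy = "OnRootMismatch"` assigns to an undeclared identifier rather than the `fsGroupChangePolicy` variable. The variable should also be typed `*v1.PodFSGroupChangePolicy` rather than `*string`, since that is the type of the `PodSecurityContext` field (spelled `FSGroupChangePolicy`, not `FsGroupChangePolicy` as in the third hunk), and the constant `v1.FSGroupChangeOnRootMismatch` exists for the value. Separately, nothing in the visible hunk copies a user-supplied policy out of `sc` when `FSGroup` is set explicitly, so a configured policy would be silently dropped unless that assignment lives outside the hunk; `podSecurityContext` begins and ends outside it. The defaulting logic is reasonable from a hardening standpoint — `OnRootMismatch` avoids a recursive chown of the whole volume on every mount — but it only takes effect if the code compiles and the field name matches.

```go
	// if unset, set fsGroup to 1000 by default to support non-root images
	if sc.FSGroup == nil {
		defaultFSGroup := int64(1000)
		fsGroup = &defaultFSGroup
		// only default the change policy alongside the defaulted fsGroup;
		// OnRootMismatch skips the recursive chown when ownership already matches
		if sc.FSGroupChangePolicy == nil {
			policy := v1.FSGroupChangeOnRootMismatch
			fsGroupChangePolicy = &policy
		}
	}
	// … unchanged: seccomp/apparmor profile assignment …
```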
@ -424,6 +434,7 @@ func podSecurityContext(sc *SecurityContext, secCtxConf SecurityContextConfig, s
RunAsUser: user, RunAsUser: user,
RunAsGroup: group, RunAsGroup: group,
FSGroup: fsGroup, FSGroup: fsGroup,
FsGroupChangePolicy: fsGroupChangePolicy,
SeccompProfile: seccomp, SeccompProfile: seccomp,
AppArmorProfile: apparmor, AppArmorProfile: apparmor,
} }