add fsGroupChangePolicy
and set implicit defaults for fsGroup
This commit is contained in:
parent
baa72e044f
commit
85047bdd1b
1 changed files with 23 additions and 12 deletions
@ -378,12 +378,13 @@ func toleration(backendToleration Toleration) v1.Toleration {
func podSecurityContext(sc *SecurityContext, secCtxConf SecurityContextConfig, stepPrivileged bool) *v1.PodSecurityContext {
func podSecurityContext(sc *SecurityContext, secCtxConf SecurityContextConfig, stepPrivileged bool) *v1.PodSecurityContext {
var (
var (
nonRoot *bool
nonRoot *bool
user *int64
user *int64
group *int64
group *int64
fsGroup *int64
fsGroup *int64
seccomp *v1.SeccompProfile
fsGroupChangePolicy *string
apparmor *v1.AppArmorProfile
seccomp *v1.SeccompProfile
apparmor *v1.AppArmorProfile
)
)
if secCtxConf.RunAsNonRoot {
if secCtxConf.RunAsNonRoot {
@ -411,6 +412,15 @@ func podSecurityContext(sc *SecurityContext, secCtxConf SecurityContextConfig, s
nonRoot = sc.RunAsNonRoot
nonRoot = sc.RunAsNonRoot
}
}
// if unset, set fsGroup to 1000 by default to support non-root images
if sc.FSGroup == nil {
fsGroup = 1000
// do the same for fsGroupChangePolicy but only if fsGroup is also set accordingly
if sc.fsGroupChangePolicy == nil {
FsGroupChangePolicy = "OnRootMismatch"
}
}
seccomp = seccompProfile(sc.SeccompProfile)
seccomp = seccompProfile(sc.SeccompProfile)
apparmor = apparmorProfile(sc.ApparmorProfile)
apparmor = apparmorProfile(sc.ApparmorProfile)
}
}
@ -420,12 +430,13 @@ func podSecurityContext(sc *SecurityContext, secCtxConf SecurityContextConfig, s
}
}
securityContext := &v1.PodSecurityContext{
securityContext := &v1.PodSecurityContext{
RunAsNonRoot: nonRoot,
RunAsNonRoot: nonRoot,
RunAsUser: user,
RunAsUser: user,
RunAsGroup: group,
RunAsGroup: group,
FSGroup: fsGroup,
FSGroup: fsGroup,
SeccompProfile: seccomp,
FsGroupChangePolicy: fsGroupChangePolicy,
AppArmorProfile: apparmor,
SeccompProfile: seccomp,
AppArmorProfile: apparmor,
}
}
log.Trace().Msgf("pod security context that will be used: %v", securityContext)
log.Trace().Msgf("pod security context that will be used: %v", securityContext)
return securityContext
return securityContext
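Review bot: The new defaulting block in the second hunk does not compile as written: `fsGroup` and `fsGroupChangePolicy` are declared as pointers (`*int64`, `*string`) in the first hunk, yet `fsGroup = 1000` and `FsGroupChangePolicy = "OnRootMismatch"` assign bare literals, and the latter targets a capitalised name that is never declared. The field filled in the third hunk on `v1.PodSecurityContext` is `FSGroupChangePolicy` of type `*v1.PodFSGroupChangePolicy`, not `FsGroupChangePolicy`, so the local should carry that type and the default should be spelled `v1.FSGroupChangeOnRootMismatch`. `sc.fsGroupChangePolicy` presumably mirrors `sc.FSGroup` and would need to be exported if it is decoded from pipeline config — confirm against the SecurityContext type — and nothing in the diff copies a user-supplied policy into the local, so the new field is only ever populated on the default path. Because this silently applies fsGroup 1000 to every pod whose pipeline did not set one, which changes ownership of mounted volume contents, that behaviour and the new option belong in the Kubernetes backend documentation. The enclosing function starts in the first hunk and the part of its body between the hunks is not shown.
```go
var (
	// … unchanged: nonRoot, user, group, fsGroup …
	fsGroupChangePolicy *v1.PodFSGroupChangePolicy
	// … unchanged: seccomp, apparmor …
)

// … unchanged: RunAsNonRoot / user / group handling …

// if unset, set fsGroup to 1000 by default to support non-root images
if sc.FSGroup == nil {
	defaultFSGroup := int64(1000)
	fsGroup = &defaultFSGroup
	// do the same for fsGroupChangePolicy but only if fsGroup is also set accordingly
	if sc.FSGroupChangePolicy == nil { // assumes the field is exported like sc.FSGroup — confirm on SecurityContext
		policy := v1.FSGroupChangeOnRootMismatch
		fsGroupChangePolicy = &policy
	}
}

// … unchanged: seccomp / apparmor …

securityContext := &v1.PodSecurityContext{
	// … unchanged: RunAsNonRoot, RunAsUser, RunAsGroup, FSGroup …
	FSGroupChangePolicy: fsGroupChangePolicy,
	// … unchanged: SeccompProfile, AppArmorProfile …
}
```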