mirror of
https://github.com/woodpecker-ci/woodpecker.git
synced 2024-10-23 02:23:53 +00:00
add fsGroupChangePolicy
and set implicit defaults for fsGroup
parent
baa72e044f
commit
85047bdd1b
1 changed files with 23 additions and 12 deletions
|
@ -382,6 +382,7 @@ func podSecurityContext(sc *SecurityContext, secCtxConf SecurityContextConfig, s
|
|||
user *int64
|
||||
group *int64
|
||||
fsGroup *int64
|
||||
fsGroupChangePolicy *string
|
||||
seccomp *v1.SeccompProfile
|
||||
apparmor *v1.AppArmorProfile
|
||||
)
|
||||
|
@ -411,6 +412,15 @@ func podSecurityContext(sc *SecurityContext, secCtxConf SecurityContextConfig, s
|
|||
nonRoot = sc.RunAsNonRoot
|
||||
}
|
||||
|
||||
// if unset, set fsGroup to 1000 by default to support non-root images
|
||||
if sc.FSGroup == nil {
|
||||
fsGroup = 1000
|
||||
// do the same for fsGroupChangePolicy but only if fsGroup is also set accordingly
|
||||
if sc.fsGroupChangePolicy == nil {
|
||||
FsGroupChangePolicy = "OnRootMismatch"
|
||||
}
|
||||
}
|
||||
|
||||
seccomp = seccompProfile(sc.SeccompProfile)
|
||||
apparmor = apparmorProfile(sc.ApparmorProfile)
|
||||
}
|
||||
|
@ -424,6 +434,7 @@ func podSecurityContext(sc *SecurityContext, secCtxConf SecurityContextConfig, s
|
|||
RunAsUser: user,
|
||||
RunAsGroup: group,
|
||||
FSGroup: fsGroup,
|
||||
FsGroupChangePolicy: fsGroupChangePolicy,
|
||||
SeccompProfile: seccomp,
|
||||
AppArmorProfile: apparmor,
|
||||
}
|
||||
|
|
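Review bot: The defaulting block in the second hunk does not type-check against the declarations in the first hunk: `fsGroup = 1000` assigns an untyped constant to a `*int64`, and `FsGroupChangePolicy = "OnRootMismatch"` writes to an identifier that is never declared (the local is `fsGroupChangePolicy`, a `*string`). Take the address of a local instead, e.g. `gid := int64(1000); fsGroup = &gid` and `p := v1.FSGroupChangeOnRootMismatch; fsGroupChangePolicy = &p`, declare the local as `*v1.PodFSGroupChangePolicy`, and spell the struct field in the third hunk `FSGroupChangePolicy:` as the Kubernetes API does. The lower-case `sc.fsGroupChangePolicy` also looks inconsistent with the exported `sc.FSGroup`, and no visible line copies a user-supplied `sc.FSGroup` or policy into the locals, so explicit settings may be dropped; the function body extends outside these hunks, so this needs confirming against the full file. The default appears to sit inside the branch that handles a non-nil `sc`, so pods without a security context would presumably get no fsGroup, while every other pod silently has its volumes' group ownership set to gid 1000; I would state that in the comment, e.g. `// default fsGroup 1000: volumes become group-owned by gid 1000; set FSGroup explicitly to override`.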