set via SecurityContextConfig
This commit is contained in:
parent
ea366e9e89
commit
8a1c2a0c84
2 changed files with 12 additions and 6 deletions
|
@ -43,7 +43,8 @@ import (
|
|||
const (
|
||||
EngineName = "kubernetes"
|
||||
// TODO: 5 seconds is against best practice, k3s didn't work otherwise
|
||||
defaultResyncDuration = 5 * time.Second
|
||||
defaultResyncDuration = 5 * time.Second
|
||||
efaultFSGroup int64 = 1000
|
||||
)
|
||||
|
||||
var defaultDeleteOptions = newDefaultDeleteOptions()
|
||||
|
@ -70,6 +71,7 @@ type config struct {
|
|||
}
|
||||
type SecurityContextConfig struct {
|
||||
RunAsNonRoot bool
|
||||
FSGroup *int64
|
||||
}
|
||||
|
||||
func newDefaultDeleteOptions() meta_v1.DeleteOptions {
|
||||
|
@ -98,6 +100,7 @@ func configFromCliContext(ctx context.Context) (*config, error) {
|
|||
ImagePullSecretNames: c.StringSlice("backend-k8s-pod-image-pull-secret-names"),
|
||||
SecurityContext: SecurityContextConfig{
|
||||
RunAsNonRoot: c.Bool("backend-k8s-secctx-nonroot"), // cspell:words secctx nonroot
|
||||
FSGroup: newInt64(defaultFSGroup),
|
||||
},
|
||||
NativeSecretsAllowFromStep: c.Bool("backend-k8s-allow-native-secrets"),
|
||||
}
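Review bot: `FSGroup` in `SecurityContextConfig` is declared `*int64`, which reads as "nil means no agent-wide default", yet `configFromCliContext` always fills it with `newInt64(defaultFSGroup)`, so an operator has no way to switch the gid-1000 default off, unlike `RunAsNonRoot`, which is driven by `backend-k8s-secctx-nonroot`. Because fsGroup changes the group ownership of every volume mounted into every step pod, that is a cluster-wide policy choice and belongs behind a flag in the same family as the nonroot one, leaving the field nil when the flag is unset, rather than a hard-coded constant. The new type and field carry no doc comment; I would add `// SecurityContextConfig holds the agent-wide pod security defaults; FSGroup, when non-nil, is applied to every pod.` above the `type` line. The const is rendered here as `efaultFSGroup int64 = 1000`; presumably the page dropped the leading `d`, since the initializer in `configFromCliContext` refers to `defaultFSGroup`.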
|
||||
|
|
|
@ -390,6 +390,9 @@ func podSecurityContext(sc *SecurityContext, secCtxConf SecurityContextConfig, s
|
|||
if secCtxConf.RunAsNonRoot {
|
||||
nonRoot = newBool(true)
|
||||
}
|
||||
if secCtxConf.FSGroup != nil {
|
||||
fsGroup = secCtxConf.FSGroup
|
||||
}
|
||||
|
||||
if sc != nil {
|
||||
// only allow to set user if its not root or step is privileged
|
||||
|
@ -407,6 +410,11 @@ func podSecurityContext(sc *SecurityContext, secCtxConf SecurityContextConfig, s
|
|||
fsGroup = sc.FSGroup
|
||||
}
|
||||
|
||||
// if unset, set fsGroup to 1000 by default to support non-root images
|
||||
if sc.FSGroup != nil {
|
||||
fsGroup = sc.FSGroup
|
||||
}
|
||||
|
||||
// only allow to set nonRoot if it's not set globally already
|
||||
if nonRoot == nil && sc.RunAsNonRoot != nil {
|
||||
nonRoot = sc.RunAsNonRoot
|
||||
|
@ -416,11 +424,6 @@ func podSecurityContext(sc *SecurityContext, secCtxConf SecurityContextConfig, s
|
|||
apparmor = apparmorProfile(sc.ApparmorProfile)
|
||||
}
|
||||
|
||||
// if unset, set fsGroup to 1000 by default to support non-root images
|
||||
if sc.FSGroup == nil {
|
||||
fsGroup = newInt64(defaultFSGroup)
|
||||
}
|
||||
|
||||
if nonRoot == nil && user == nil && group == nil && fsGroup == nil && seccomp == nil {
|
||||
return nil
|
||||
}
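Review bot: In the `@ -407,6 +410,11 @@` hunk the added `if sc.FSGroup != nil { fsGroup = sc.FSGroup }` copies the step's fsGroup unconditionally, right after the guarded `fsGroup = sc.FSGroup` whose condition sits above the hunk; if that condition follows the pattern of the `// only allow to set user if its not root or step is privileged` check in the first hunk and rejects gid 0 for unprivileged steps, the new block silently bypasses it and lets any step request fsGroup 0. The comment introduced with it, `// if unset, set fsGroup to 1000 by default to support non-root images`, describes the code removed in the last hunk, not the lines below it, since the default now comes from `secCtxConf.FSGroup` in the first hunk. Unless the bypass is intended, drop the four added lines: the guarded assignment already carries an accepted step value through, and the config default is applied before `sc` is consulted. `podSecurityContext` begins before the first hunk and continues past the last; its final `return nil` check, which does not consider `apparmor`, is pre-existing and untouched here.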
|
||||
|
|