Security context is not propagated to init-permissions init container.
Description
We want to create a GitLab Runner in our company AKS cluster. AKS has OPA Gatekeeper enabled, and a security context with the allowPrivilegeEscalation and privileged flags set to false is required for all containers and init containers running in the cluster. We can set the allowPrivilegeEscalation and privileged flags for containers using the config.toml file as below:
```toml
[[runners]]
  [runners.kubernetes]
    allow_privilege_escalation = false
    privileged = false
```
The flags above are applied to the build and helper containers, but not to the init-permissions init container. We did not find any way to set those security context flags for the init container, and our AKS OPA Gatekeeper returns the error below when we try to run a GitLab job using the Kubernetes runner:
```
ERROR: Job failed (system failure): prepare environment: setting up build pod: admission webhook "validation.gatekeeper.sh" denied the request: [privilegeescalationcontainer] >>>>> VIOLATION: Privilege escalation container is not allowed: {"command": ["sh", "-c", "touch /logs-9925-7277687/output.log && (chmod 777 /logs-9925-7277687/output.log || exit 0)"], "image": "xxx.azurecr.io/gitlab/gitlab-runner-helper-ocs:1.0", "imagePullPolicy": "IfNotPresent", "name": "init-permissions", "resources": {"limits": {"cpu": "60m", "memory": "20Mi"}, "requests": {"cpu": "20m", "memory": "16Mi"}}, "terminationMessagePath": "/dev/termination-log", "terminationMessagePolicy": "File", "volumeMounts": [{"mountPath": "/scripts-9925-7277687", "name": "scripts"}, {"mountPath": "/logs-9925-7277687", "name": "logs"}, {"mountPath": "/builds", "name": "repo"}, {"mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", "name": "kube-api-access-xcdbd", "readOnly": true}]}:. Check https://docs.gitlab.com/runner/shells/index.html#shell-profile-loading for more information
```
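The gap the denial points at is that the policy inspects `initContainers` as well as `containers`, while the runner only sets the security context on the latter. The following added Python lint (not GitLab Runner or Gatekeeper code; the constraint itself is Rego) reproduces that check locally on a constructed pod spec modelled on the job pod above, so a pod can be vetted before it reaches the admission webhook. The pod layout, container names and the `security_context_violations` helper are assumptions for the example.

```python
# Added example: flag every container whose securityContext does not pin
# both privilege flags to false, looking at initContainers as well as
# regular containers, which is what the Gatekeeper constraint above does.
REQUIRED = {"allowPrivilegeEscalation": False, "privileged": False}


def security_context_violations(pod: dict) -> list[str]:
    """Return 'kind/name: field' for each missing or wrong flag."""
    spec = pod.get("spec", {})
    violations = []
    for kind in ("initContainers", "containers"):
        for container in spec.get(kind, []):
            sc = container.get("securityContext") or {}
            for field, wanted in REQUIRED.items():
                # An absent flag counts as a violation: the policy wants it explicit.
                if sc.get(field) is not wanted:
                    violations.append(f"{kind}/{container['name']}: {field}")
    return violations


# Constructed pod spec (assumption) mirroring the reported job pod: the
# config.toml flags reached build and helper but not init-permissions.
SAMPLE_POD = {
    "spec": {
        "initContainers": [
            {"name": "init-permissions",
             "image": "xxx.azurecr.io/gitlab/gitlab-runner-helper-ocs:1.0",
             "command": ["sh", "-c", "touch /logs/output.log"]},
        ],
        "containers": [
            {"name": "build", "image": "alpine",
             "securityContext": {"allowPrivilegeEscalation": False,
                                 "privileged": False}},
            {"name": "helper",
             "image": "xxx.azurecr.io/gitlab/gitlab-runner-helper-ocs:1.0",
             "securityContext": {"allowPrivilegeEscalation": False,
                                 "privileged": False}},
        ],
    }
}

if __name__ == "__main__":
    for violation in security_context_violations(SAMPLE_POD):
        print("VIOLATION:", violation)
```

Running it reports only the two missing flags on `initContainers/init-permissions`, which is exactly the container named in the webhook denial.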
Proposal
Configuring the security context for the init container should be possible using the config.toml file, e.g.:
```toml
[[runners]]
  [runners.kubernetes]
    [runners.kubernetes.init_container_security_context]
      allow_privilege_escalation = false
      privileged = false
```
or the flags allow_privilege_escalation and privileged should be applied to both containers and init containers.