Add kubernetes runners allowPrivilegeEscalation security context configuration
What does this MR do?
Add kubernetes runners allowPrivilegeEscalation security context configuration
Why was this MR needed?
Provide the capability to configure the allowPrivilegeEscalation
security context for the runner instances started on a kubernetes cluster that has OPA enabled:
```
ERROR: Job failed (system failure): prepare environment: admission webhook "validation.gatekeeper.sh" denied the request: [denied by psp-allow-privilege-escalation-container] Privilege escalation container is not allowed: build
[denied by psp-allow-privilege-escalation-container] Privilege escalation container is not allowed: helper. Check https://docs.gitlab.com/runner/shells/index.html#shell-profile-loading for more information
```
What's the best way to test this MR?
Try to start a job using k8s runners on a cluster with OPA enabled with `psp-allow-privilege-escalation-container`:

- provide no `allow_privilege_escalation` value and the default will be determined by `defaultAllowPrivilegeEscalation` or True (as currently default in k8s) if nothing is defined (https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privilege-escalation).
- provide `allow_privilege_escalation=true` value and the container start will be allowed
- provide `allow_privilege_escalation=false` value and the container start will be denied
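The three-state behaviour above (key absent, `true`, `false`) is the whole point of the setting, so here is an added, self-contained example that models it; it is not GitLab Runner code and not part of this MR. It uses a JSON fragment as a stand-in for the `[runners.kubernetes]` section of `config.toml` (to avoid a TOML dependency), local structs that mirror only the `allowPrivilegeEscalation` part of `corev1.SecurityContext`/`corev1.Container`, and a `Violations` function that reproduces the rule of the upstream gatekeeper-library `psp-allow-privilege-escalation-container` template, which reports any container that does not explicitly set `allowPrivilegeEscalation: false` (a container with no `securityContext` at all, as in the error quoted above, is reported too). The names `KubernetesConfig`, `BuildContainer`, `Violations` and `Admit` are hypothetical.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// KubernetesConfig is a hypothetical stand-in for the [runners.kubernetes]
// section of config.toml. The pointer is the important part: it lets the
// code tell "key absent" (nil, cluster default applies) apart from an
// explicit true or false.
type KubernetesConfig struct {
	AllowPrivilegeEscalation *bool `json:"allow_privilege_escalation,omitempty"`
}

// SecurityContext mirrors the one field of corev1.SecurityContext we need.
type SecurityContext struct {
	AllowPrivilegeEscalation *bool `json:"allowPrivilegeEscalation,omitempty"`
}

// Container mirrors the subset of corev1.Container we need.
type Container struct {
	Name            string           `json:"name"`
	SecurityContext *SecurityContext `json:"securityContext,omitempty"`
}

// ParseConfig decodes a runner config fragment (JSON used here instead of TOML).
func ParseConfig(raw string) (KubernetesConfig, error) {
	var c KubernetesConfig
	err := json.Unmarshal([]byte(raw), &c)
	return c, err
}

// BuildContainer applies the runner setting to a build or helper container.
// With no value configured the field is left unset, so the cluster's
// defaultAllowPrivilegeEscalation (or the k8s default of true) decides.
func BuildContainer(name string, cfg KubernetesConfig) Container {
	c := Container{Name: name}
	if cfg.AllowPrivilegeEscalation != nil {
		v := *cfg.AllowPrivilegeEscalation
		c.SecurityContext = &SecurityContext{AllowPrivilegeEscalation: &v}
	}
	return c
}

// Violations reproduces the gatekeeper-library rule behind the
// psp-allow-privilege-escalation-container constraint: a container is a
// violation unless it explicitly sets allowPrivilegeEscalation to false.
func Violations(containers []Container) []string {
	var msgs []string
	for _, c := range containers {
		if c.SecurityContext == nil ||
			c.SecurityContext.AllowPrivilegeEscalation == nil ||
			*c.SecurityContext.AllowPrivilegeEscalation {
			msgs = append(msgs, fmt.Sprintf(
				"[denied by psp-allow-privilege-escalation-container] Privilege escalation container is not allowed: %s",
				c.Name))
		}
	}
	return msgs
}

// Admit builds the runner's build and helper containers from the config and
// returns nil when both pass the constraint, otherwise the denial message.
func Admit(cfg KubernetesConfig) error {
	containers := []Container{BuildContainer("build", cfg), BuildContainer("helper", cfg)}
	if v := Violations(containers); len(v) > 0 {
		return fmt.Errorf("admission webhook \"validation.gatekeeper.sh\" denied the request: %v", v)
	}
	return nil
}

func main() {
	// Constructed config fragments covering the three cases from the test plan.
	for _, raw := range []string{
		`{}`,
		`{"allow_privilege_escalation": true}`,
		`{"allow_privilege_escalation": false}`,
	} {
		cfg, err := ParseConfig(raw)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-40s -> %v\n", raw, Admit(cfg))
	}
}
```

The design point is the `*bool`: a plain `bool` would silently turn "not configured" into `false` and the runner could no longer leave the decision to the cluster's `defaultAllowPrivilegeEscalation`.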
What are the relevant issue numbers?
Implements #26998 (closed)
Edited by Horatiu Eugen Vlad