I’m doing a pilot project with OpenShift 4.11.18 and GitLab Runner CI/CD. So far I have these two solutions:
ClusterRole 1:

```yaml
- apiGroups: ["*"]
  resources: ["*"]
  verbs: ["*"]
# no anyuid needed
```
ClusterRole 2:

```yaml
- apiGroups: [""]
  resources: ["secrets","configmaps","configmaps/status","pods","pods/attach","pods/exec","pods/log","services","services/finalizers","services/proxy","services/status","namespaces","replicasets","pods/portforward","events","persistentvolumeclaims","resourcequotas","serviceaccounts","endpoints"]
  verbs: ["get","list","watch","create","update","patch","delete"]
- apiGroups: ["apps"]
  resources: ["deployments","daemonsets","replicasets","statefulsets","deployments/finalizers"]
  verbs: ["get","list","watch","create","update","patch","delete"]
- apiGroups: ["apps.gitlab.com"]
  resources: ["runners","runners/status","runners/finalizers"]
  verbs: ["get","list","watch","create","update","patch","delete"]
- apiGroups: ["authentication.k8s.io"]
  resources: ["tokenreviews","subjectaccessreviews"]
  verbs: ["create"]
- apiGroups: ["rbac.authorization.k8s.io"]
  resources: ["roles","rolebindings"]
  verbs: ["get","list","watch","create","update","patch","delete"]
- apiGroups: ["coordination.k8s.io"]
  resources: ["leases"]
  verbs: ["get","list","watch","create","update","patch","delete"]
- apiGroups: ["apps.openshift.io"]
  resources: ["deploymentconfigs"]
  verbs: ["get","list","watch","create","update","patch","delete"]
- apiGroups: ["autoscaling"]
  resources: ["horizontalpodautoscalers"]
  verbs: ["get","list","watch","create","update","patch","delete"]
- apiGroups: ["batch"]
  resources: ["cronjobs","jobs"]
  verbs: ["get","list","watch"]
- apiGroups: ["monitoring.coreos.com"]
  resources: ["prometheuses","servicemonitors"]
  verbs: ["get","list","watch","create","update","patch","delete"]
- apiGroups: ["networking.k8s.io"]
  resources: ["ingresses"]
  verbs: ["get","list","watch","create","update","patch","delete"]
- apiGroups: ["route.openshift.io"]
  resources: ["routes","routes/custom-host"]
  verbs: ["get","list","watch","create","update","patch","delete"]
- apiGroups: ["template.openshift.io"]
  resources: ["templateconfigs","templateinstances","templates"]
  verbs: ["create"]
- apiGroups: ["config.openshift.io"]
  resources: ["clusterversions"]
  verbs: ["get","list","watch","create","update","patch","delete"]
- apiGroups: ["oauth.openshift.io"]
  resources: ["oauthclients"]
  verbs: ["get","list","watch","create","update","patch","delete"]
```
Plus you need anyuid for the gitlab-runner-sa service account.
It is mentioned in the documentation that using anyuid is discouraged.
If I run ClusterRole 2 without anyuid, I get this error:

```text
ERROR: Job failed (system failure): prepare environment: setting up build pod: pods "runner-dcvn45x9-project-42589105-concurrent-0" is forbidden: unable to validate against any security context constraint: [provider "anyuid": Forbidden: not usable by user or serviceaccount, spec.initContainers[0].securityContext.privileged: Invalid value: true: Privileged containers are not allowed, spec.containers[0].securityContext.privileged: Invalid value: true: Privileged containers are not allowed, spec.containers[1].securityContext.privileged: Invalid value: true: Privileged containers are not allowed, provider "restricted": Forbidden: not usable by user or serviceaccount, provider "nonroot-v2": Forbidden: not usable by user or serviceaccount, provider "nonroot": Forbidden: not usable by user or serviceaccount, provider "hostmount-anyuid": Forbidden: not usable by user or serviceaccount, provider "machine-api-termination-handler": Forbidden: not usable by user or serviceaccount, provider "hostnetwork-v2": Forbidden: not usable by user or serviceaccount, provider "hostnetwork": Forbidden: not usable by user or serviceaccount, provider "hostaccess": Forbidden: not usable by user or serviceaccount, provider "hostpath-provisioner": Forbidden: not usable by user or serviceaccount, provider "privileged": Forbidden: not usable by user or serviceaccount]. Check https://docs.gitlab.com/runner/shells/index.html#shell-profile-loading for more information
```
Do you have another solution for this, or which one is the safest solution for OpenShift with GitLab Runner?
Thanks,
Ric
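As an added example (not from the post above, GitLab or Red Hat), a small audit that parses rules written in the `- apiGroups: [...]` / `resources: [...]` / `verbs: [...]` form the post uses and flags the grants a least-privilege review would question: a wildcard rule like ClusterRole 1, and, in ClusterRole 2, read access to secrets, write access to roles and rolebindings, and create on pods/exec. The set of sensitive resources is this example's own choice; the sample rules are constructed from the post.

```python
import json, re

WRITE = {"create", "update", "patch", "delete", "*"}
SENSITIVE = {  # grants a least-privilege review should question (this example's own list)
    "secrets": {"get", "list", "watch", "*"} | WRITE,  # reads expose SA tokens/credentials
    "roles": WRITE, "rolebindings": WRITE, "serviceaccounts": WRITE, "oauthclients": WRITE,
    "pods/exec": {"create", "*"}, "pods/attach": {"create", "*"},  # shell into running pods
}
LINE = re.compile(r"^\s*-?\s*(apiGroups|resources|verbs):\s*(\[.*\])\s*$")

def parse_rules(text):
    """Parse `- apiGroups: [...]`-style rule lines into rule dicts; other lines are skipped."""
    rules = []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        key, value = m.group(1), json.loads(m.group(2))
        if key == "apiGroups":  # each rule begins with apiGroups
            rules.append({})
        if rules:
            rules[-1][key] = value
    return rules

def audit(rules):
    """Return (kind, resource, verbs) findings for wildcard rules and sensitive grants."""
    findings = []
    for r in rules:
        resources, verbs = r.get("resources", []), set(r.get("verbs", []))
        if "*" in r.get("apiGroups", []) or "*" in resources or "*" in verbs:
            findings.append(("wildcard", ",".join(resources), sorted(verbs)))
            continue  # a wildcard rule already grants everything checked below
        for res in resources:
            risky = SENSITIVE.get(res, set()) & verbs
            if risky:
                findings.append(("sensitive", res, sorted(risky)))
    return findings

# Constructed sample: the post's wildcard role plus two rules from its ClusterRole 2.
SAMPLE = """- apiGroups: ["*"]
  resources: ["*"]
  verbs: ["*"]
- apiGroups: [""]
  resources: ["secrets","configmaps","pods/exec"]
  verbs: ["get","list","watch","create","update","patch","delete"]
- apiGroups: ["rbac.authorization.k8s.io"]
  resources: ["roles","rolebindings"]
  verbs: ["get","list","watch","create","update","patch","delete"]
"""
print(*audit(parse_rules(SAMPLE)), sep="\n")
```

Running it against the full ClusterRole 2 from the post (pasted in place of SAMPLE) lists every rule that grants more than the runner's build pods need, which is the comparison the question is really asking for.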