Openshift clusterrole for gitlab-runner-sa

I’m doing a pilot project with OpenShift 4.11.18 and GitLab Runner CI/CD. So far I have these two solutions:

ClusterRole 1:

  - apiGroups: ["*"]
    resources: ["*"]
    verbs: ["*"]

# no anyuid needed
ClusterRole 2:

  - apiGroups: [""]
    resources: ["secrets","configmaps","configmaps/status","pods","pods/attach","pods/exec","pods/log","services","services/finalizers","services/proxy","services/status","namespaces","replicasets","pods/portforward","events","persistentvolumeclaims","resourcequotas","serviceaccounts","endpoints"]
    verbs: ["get","list","watch","create","update","patch","delete"]
  - apiGroups: ["apps"]
    resources: ["deployments","daemonsets","replicasets","statefulsets","deployments/finalizers"]
    verbs: ["get","list","watch","create","update","patch","delete"]
  - apiGroups: ["apps.gitlab.com"]
    resources: ["runners","runners/status","runners/finalizers"]
    verbs: ["get","list","watch","create","update","patch","delete"]
  - apiGroups: ["authentication.k8s.io"]
    resources: ["tokenreviews"]
    verbs: ["create"]
  # subjectaccessreviews live in authorization.k8s.io, not authentication.k8s.io
  - apiGroups: ["authorization.k8s.io"]
    resources: ["subjectaccessreviews"]
    verbs: ["create"]
  - apiGroups: ["rbac.authorization.k8s.io"]
    resources: ["roles","rolebindings"]
    verbs: ["get","list","watch","create","update","patch","delete"]
  - apiGroups: ["coordination.k8s.io"]
    resources: ["leases"]
    verbs: ["get","list","watch","create","update","patch","delete"]
  - apiGroups: ["apps.openshift.io"]
    resources: ["deploymentconfigs"]
    verbs: ["get","list","watch","create","update","patch","delete"]
  - apiGroups: ["autoscaling"]
    resources: ["horizontalpodautoscalers"]
    verbs: ["get","list","watch","create","update","patch","delete"]
  - apiGroups: ["batch"]
    resources: ["cronjobs","jobs"]
    verbs: ["get","list","watch"]
  - apiGroups: ["monitoring.coreos.com"]
    resources: ["prometheuses","servicemonitors"]
    verbs: ["get","list","watch","create","update","patch","delete"]
  - apiGroups: ["networking.k8s.io"]
    resources: ["ingresses"]
    verbs: ["get","list","watch","create","update","patch","delete"]
  - apiGroups: ["route.openshift.io"]
    resources: ["routes","routes/custom-host"]
    verbs: ["get","list","watch","create","update","patch","delete"]
  - apiGroups: ["template.openshift.io"]
    resources: ["templateconfigs","templateinstances","templates"]
    verbs: ["create"]
  - apiGroups: ["config.openshift.io"]
    resources: ["clusterversions"]
    verbs: ["get","list","watch","create","update","patch","delete"]
  - apiGroups: ["oauth.openshift.io"]
    resources: ["oauthclients"]
    verbs: ["get","list","watch","create","update","patch","delete"]

Plus you need anyuid for the gitlab-runner-sa serviceaccount.

The documentation mentions that using anyuid is discouraged.

If I run ClusterRole 2 without anyuid, I get this error:

ERROR: Job failed (system failure): prepare environment: setting up build pod: pods "runner-dcvn45x9-project-42589105-concurrent-0" is forbidden: unable to validate against any security context constraint: [provider "anyuid": Forbidden: not usable by user or serviceaccount, spec.initContainers[0].securityContext.privileged: Invalid value: true: Privileged containers are not allowed, spec.containers[0].securityContext.privileged: Invalid value: true: Privileged containers are not allowed, spec.containers[1].securityContext.privileged: Invalid value: true: Privileged containers are not allowed, provider "restricted": Forbidden: not usable by user or serviceaccount, provider "nonroot-v2": Forbidden: not usable by user or serviceaccount, provider "nonroot": Forbidden: not usable by user or serviceaccount, provider "hostmount-anyuid": Forbidden: not usable by user or serviceaccount, provider "machine-api-termination-handler": Forbidden: not usable by user or serviceaccount, provider "hostnetwork-v2": Forbidden: not usable by user or serviceaccount, provider "hostnetwork": Forbidden: not usable by user or serviceaccount, provider "hostaccess": Forbidden: not usable by user or serviceaccount, provider "hostpath-provisioner": Forbidden: not usable by user or serviceaccount, provider "privileged": Forbidden: not usable by user or serviceaccount]. Check https://docs.gitlab.com/runner/shells/index.html#shell-profile-loading for more information

Do you have another solution for this, or which one is the safest solution for OpenShift with GitLab Runner?

Thanks,
Ric

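The question above asks which of the two ClusterRoles is safer. The following is an added example, not code from the post or from GitLab Runner: a small audit that re-types both rule sets from the post as Python dicts (so no YAML library is needed) and flags the grants a reviewer would object to. The RISKY table is this example's own judgement, not an OpenShift or Kubernetes policy. Two facts it relies on: in OpenShift, SCC access can be granted through RBAC with the `use` verb on `securitycontextconstraints` in the `security.openshift.io` group, so a `*/*/*` rule silently includes `use` on the `privileged` SCC (which is why ClusterRole 1 needs no anyuid); and a ClusterRole's grants are cluster-wide only when it is bound with a ClusterRoleBinding, which the post does not say.

```python
"""Audit ClusterRole rules for over-broad grants.

Added example for this thread, not code from the post or from GitLab Runner.
CLUSTERROLE_1 / CLUSTERROLE_2 are the post's two rule sets re-typed as dicts;
RISKY is this example's own list of grants worth flagging.
"""

CRUD = ["get", "list", "watch", "create", "update", "patch", "delete"]


def rule(groups, resources, verbs):
    return {"apiGroups": groups, "resources": resources, "verbs": verbs}


CLUSTERROLE_1 = [rule(["*"], ["*"], ["*"])]

# ClusterRole 2 from the post. The post spells "rolesbindings", which is not a
# real resource name and would grant nothing; the intended "rolebindings" is used.
CLUSTERROLE_2 = [
    rule([""], ["secrets", "configmaps", "pods", "pods/attach", "pods/exec",
               "pods/log", "pods/portforward", "services", "namespaces", "events",
               "persistentvolumeclaims", "resourcequotas", "serviceaccounts",
               "endpoints"], CRUD),
    rule(["apps"], ["deployments", "daemonsets", "replicasets", "statefulsets"], CRUD),
    rule(["apps.gitlab.com"], ["runners", "runners/status", "runners/finalizers"], CRUD),
    rule(["authentication.k8s.io"], ["tokenreviews", "subjectaccessreviews"], ["create"]),
    rule(["rbac.authorization.k8s.io"], ["roles", "rolebindings"], CRUD),
    rule(["coordination.k8s.io"], ["leases"], CRUD),
    rule(["apps.openshift.io"], ["deploymentconfigs"], CRUD),
    rule(["autoscaling"], ["horizontalpodautoscalers"], CRUD),
    rule(["batch"], ["cronjobs", "jobs"], ["get", "list", "watch"]),
    rule(["monitoring.coreos.com"], ["prometheuses", "servicemonitors"], CRUD),
    rule(["networking.k8s.io"], ["ingresses"], CRUD),
    rule(["route.openshift.io"], ["routes", "routes/custom-host"], CRUD),
    rule(["template.openshift.io"], ["templateconfigs", "templateinstances", "templates"], ["create"]),
    rule(["config.openshift.io"], ["clusterversions"], CRUD),
    rule(["oauth.openshift.io"], ["oauthclients"], CRUD),
]

# (apiGroup, resource, verbs worth flagging, why). "" is the core group.
RISKY = [
    ("", "secrets", ["get", "list", "watch"],
     "reads every Secret the binding covers (cluster-wide under a ClusterRoleBinding)"),
    ("", "pods/exec", ["create"], "runs commands inside any pod the binding covers"),
    ("", "pods/attach", ["create"], "attaches to running containers"),
    ("", "serviceaccounts", ["create", "update", "patch"], "creates or edits ServiceAccounts"),
    ("rbac.authorization.k8s.io", "roles", ["create", "update", "patch", "delete"],
     "writes Roles (can re-grant what it already holds to other subjects; the API "
     "server blocks granting more than the caller has unless it also holds escalate/bind)"),
    ("rbac.authorization.k8s.io", "rolebindings", ["create", "update", "patch", "delete"],
     "writes RoleBindings (same caveat as roles)"),
    ("oauth.openshift.io", "oauthclients", ["create", "update", "patch", "delete"],
     "registers OAuth clients with the cluster OAuth server"),
    ("config.openshift.io", "clusterversions", ["update", "patch", "delete"],
     "changes the cluster's desired version"),
    ("security.openshift.io", "securitycontextconstraints", ["use"],
     "lets its pods be admitted under any SCC, privileged included"),
]


def _allows(r, group, resource, verb):
    """True when one RBAC rule grants verb on group/resource ('*' matches everything)."""
    return (("*" in r["apiGroups"] or group in r["apiGroups"])
            and ("*" in r["resources"] or resource in r["resources"])
            and ("*" in r["verbs"] or verb in r["verbs"]))


def is_cluster_admin_equivalent(rules):
    """A rule wildcarding groups, resources and verbs is cluster-admin in all but name."""
    return any(_allows(r, "*", "*", "*") for r in rules)


def audit(rules):
    """Return (group, resource, granted verbs, why) for every RISKY grant present."""
    findings = []
    for group, resource, verbs, why in RISKY:
        granted = [v for v in verbs if any(_allows(r, group, resource, v) for r in rules)]
        if granted:
            findings.append((group or "core", resource, granted, why))
    return findings


if __name__ == "__main__":
    for name, rules in (("ClusterRole 1", CLUSTERROLE_1), ("ClusterRole 2", CLUSTERROLE_2)):
        print(f"{name}: cluster-admin equivalent = {is_cluster_admin_equivalent(rules)}")
        for group, resource, granted, why in audit(rules):
            print(f"  {group}/{resource} [{', '.join(granted)}]: {why}")
```

Run as-is, ClusterRole 1 is reported as cluster-admin equivalent and trips every entry in the table; ClusterRole 2 trips eight of the nine (everything except SCC `use`), which is why it needs anyuid granted separately to run at all. Neither is least privilege for a runner that only needs to create build pods in its own namespace: the bulk of ClusterRole 2 (rbac, oauthclients, clusterversions, cluster-wide secrets) is unrelated to that job.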

Getting lucky: I can deploy rootless podman with a regular user. I have to change the uid/gid of the project to match the podman uid/gid, and I need to mount .local and .cache. podman info is running, but the first run only got an error. Also the second pass of the build has an error. Later…

I can run it without privileged.

The only problem is the last pipeline, which asks for a clusterrole, so helm might be removed and just use oc.

I’m close to running unprivileged podman.

I have to use buildconfig instead, so no more dind-rootless or podman-rootless.

And it’s unprivileged and non-root.