Run Gitlab Runner Kubernetes as non root with Kaniko

bsf · April 22, 2024, 8:03am

I set up the gitlab-runner kubernetes executor to run with a non root user “gitlab-runner”

Problem to solve

i get it working for all images except for Kaniko image , i build a custom kaniko image from the official kaniko image and i put the new user owner of the folder “/kaniko” .
But when i run my pipeline i see that all the folder and subfolder of “/” is owner by root inclusing my “/kaniko”
Wht i get override the folders of my image ? any idea

Configuration

image:
  registry: registry.gitlab.com
  image: gitlab-org/gitlab-runner
rbac:
  create: true
  rules:
  - apiGroups: ["*"]
    resources: ["*"]
    verbs: ["*"]
  clusterWideAccess: true
serviceAccountName: gitlab-runner
  podSecurityPolicy:
    enabled: false
    resourceNames:
      - gitlab-runner
runners:
  config: |
    [[runners]]
      builds_dir = "/tmp/builds"
      environment = ["HOME=/tmp"]
      [runners.kubernetes]
        namespace = "{{ item.namespace }}"
        image = "private-registry.internal.custom.com/custom-gitlab-runner-jdk11:latest"
        tls_verify = false
        poll_timeout = 3600
        output_limit = 50000000
        allowed_pull_policies = ["always", "if-not-present"]
        [runners.kubernetes.pod_security_context]
          run_as_non_root = true
          run_as_user = 10000
          run_as_group = 10000
          fs_group = 10000
        [runners.kubernetes.init_permissions_container_security_context]
          run_as_user = 10000
          run_as_group = 10000
      [runners.kubernetes.node_selector]
        "type"="runner"
      [runners.kubernetes.node_tolerations]
        "type=runner" = "NoSchedule"
      [runners.cache]
        Type = "s3"
        Path = "runner"
        Shared = true
        [runners.cache.s3]
          ServerAddress = "oos.eu-west-2.outscale.com"
          BucketName = "{{ item.bucket_name | default("k8s-gitlab-runner-cache") }}"
          BucketLocation = "eu-west-2"
          Insecure = false
          AuthenticationType = "access-key"
  name: "{{ item.name }}"
  privileged: true
  secret: "{{ item.secret_name }}"
  cache:
    secretName: s3access
securityContext:
  allowPrivilegeEscalation: false
  readOnlyRootFilesystem: false
  runAsNonRoot: true
  privileged: false
  capabilities:
    drop: ["ALL"]
podSecurityContext:
  runAsUser: 100
  fsGroup: 65533
  supplementalGroups: [10000]
volumes: []

Gitlab-ci

build-job:
  stage: build-image-with-kaniko
  image:
    name: private-registry.internal.custom.com/gitlab-runner-kaniko:1.1.60-SNAPSHOT
    pull_policy: always      
    entrypoint: [""]
  script:
    - echo "{\"auths\":{\"private-registry.custom.internal.com\":{\"auth\":\"$(printf "%s:%s" "${REGISTRY_USER}" "${REGISTRY_PASSWORD}" | base64 | tr -d '\n')\"}}}" > /kaniko/.docker/config.json
    - /kaniko/executor 
      --context . 
      --dockerfile Dockerfile
      --destination private-registry.internal.custom.com/dpd-ubuntu:latest
  variables:
  tags:
    - gitlab-runner-rootless

Versions

- Self-managed with Kubernetes executor : gitlab-runner 16.3.3

Thank you for your help