Recently I configured gitlab-runner to run CI jobs on an OpenShift cluster. One quirk of this setup is that OpenShift starts containers as an arbitrary (random) UID, which had the side effect that the build container could not clone the project or fetch dependencies: whatever UID the pod got, it had no write access to the build directory baked into the image.

To work around this, we needed to run the build container with a supplemental group that has write access to the $CI_BUILDS_DIR path. Group membership is something the pod can be given regardless of which UID it ends up with, so it is the natural handle for this.

Security Context Constraint

The cluster administrators set up a SecurityContextConstraints object that allows the build service account to request supplemental group 80001.

kind: SecurityContextConstraints
apiVersion: security.openshift.io/v1   # the legacy "apiVersion: v1" form was accepted by OpenShift 3.x
metadata:
  name: "dev-gitlab-runner-build"
supplementalGroups:
  type: MustRunAs
  ranges:                              # the SCC schema takes min/max ranges here, not a single uid field
  - min: 80001
    max: 80001
users:
  # service accounts are referenced by their full name; <namespace> is the
  # project the runner creates build pods in
  - system:serviceaccount:<namespace>:dev-gitlab-runner-build
# the other strategy fields a complete SCC carries (runAsUser, seLinuxContext,
# fsGroup) are not shown here

Dockerfile

In the build container image, /code needed to be writable by any user that carries group 80001. This was added to the image Dockerfile. Note that chgrp alone only changes ownership; unless the directory already carries the group-write bit, a chmod is needed as well, so it is included here.

# hand /code to gid 80001 and make sure that group can enter and write it
RUN chgrp 80001 /code && chmod g+rwx /code

Gitlab Runner Registration

The --kubernetes-pod-security-context-supplemental-groups flag was added to the gitlab-runner register command (/entrypoint in the gitlab/gitlab-runner image), so every build pod the runner creates asks for that group.

# --url and --registration-token omitted; the --kubernetes-* flags only apply with the kubernetes executor
/entrypoint register \
  --executor kubernetes \
  --kubernetes-pod-security-context-supplemental-groups=80001 \
  --kubernetes-service-account-overwrite-allowed=dev-gitlab-runner-build \
  --non-interactive

.gitlab-ci.yml

Add the following variable to each project's .gitlab-ci.yml so the job's pod runs under the build service account that the SCC admits. The runner must have been configured to allow this override (service_account_overwrite_allowed in the runner config); otherwise the override is rejected.

variables:
  ...
  KUBERNETES_SERVICE_ACCOUNT_OVERWRITE: dev-gitlab-runner-build

Conclusion

With all these pieces assembled, the build pod's spec ends up with the supplemental group set, which is what the SCC admits and what the image's chgrp relies on:

spec:
  ...
  securityContext:
    ...
    supplementalGroups:
    - 80001

The randomly assigned user is now able to write to the build directory, in this case /code. One caveat: the supplemental group grants write access to every file owned by gid 80001 in any volume or image the pod sees, not just /code, so keep that group dedicated to the build directory rather than reusing one with broader ownership.
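When one of the four pieces above is missing (SCC, chgrp/chmod in the image, runner flag, service account override), the symptom is the same opaque "permission denied" on clone, so it helps to check both halves explicitly before the job does any work. The script below is an added example and not part of the original post or of gitlab-runner itself; the function names are mine, it assumes POSIX sh with a GNU or BSD stat(1), and the defaults /code and 80001 are the values from this post.

```shell
#!/bin/sh
# Added example (not from the original post): verify, inside the build container,
# that the supplemental group really is present and that the build directory is
# writable through it. Assumes POSIX sh and a GNU or BSD stat(1).

# Print "<octal mode> <gid>" for a path (GNU stat first, BSD stat as fallback).
mode_and_gid() {
  stat -c '%a %g' "$1" 2>/dev/null || stat -f '%OLp %g' "$1"
}

# Group-write bit test on an octal mode string such as 755 or 2775:
# the group digit is the second from the right; writable if it is 2, 3, 6 or 7.
group_write_bit() {
  perms=${1%?}                   # drop the "other" digit
  g=${perms#"${perms%?}"}        # keep only the last remaining digit
  case $g in 2|3|6|7) return 0 ;; *) return 1 ;; esac
}

# Does the current process carry the given gid (primary or supplemental)?
# This is the half the SCC and the runner flag are responsible for.
has_group() {
  for gid in $(id -G); do
    [ "$gid" = "$1" ] && return 0
  done
  return 1
}

# Is the directory owned by gid $2 with the group-write bit set?
# This is the half the image's chgrp/chmod is responsible for.
dir_writable_by_group() {
  set -- "$1" "$2" $(mode_and_gid "$1")   # $3 = mode, $4 = gid
  [ "$4" = "$2" ] && group_write_bit "$3"
}

# Full pre-flight: both halves must hold for the random UID to write there.
# Defaults (/code, 80001) are the values used in this post.
preflight() {
  dir=${1:-${CI_BUILDS_DIR:-/code}}
  gid=${2:-80001}
  if ! has_group "$gid"; then
    echo "preflight: process (uid $(id -u)) does not carry gid $gid; check the SCC and the runner's supplemental-groups setting" >&2
    return 1
  fi
  if ! dir_writable_by_group "$dir" "$gid"; then
    echo "preflight: $dir is not group-writable by gid $gid (mode/gid: $(mode_and_gid "$dir")); check the image's chgrp/chmod" >&2
    return 1
  fi
  echo "preflight: ok, uid $(id -u) can write $dir via gid $gid"
}
```

Source the file in the job's before_script and call preflight "$CI_BUILDS_DIR" 80001; a non-zero exit points at which side (cluster/runner or image) is misconfigured instead of leaving a bare clone failure. The check is deliberately split into the group-membership test and the directory test because the two are set up by different people in this workflow, and the error message names the part they own.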