From 8c42f99d0b797b8276a85ea53790a586f797f71c Mon Sep 17 00:00:00 2001
From: Jonah Back
Date: Thu, 3 Jun 2021 16:59:11 -0700
Subject: [PATCH] feat: avoid setting privileged flag if seLinuxOptions is not null (#599)
Sets the privileged flag to false if SELinuxOptions are present/defined. This is needed because containerd treats SELinux and Privileged controls as mutually exclusive. Also see https://github.com/containerd/cri/blob/aa2d5a97c/pkg/server/container_create.go#L164. This allows users who use SELinux for managing privileged processes to use GH Actions - otherwise, based on the SELinux policy, the Docker in Docker container might not be privileged enough.
Signed-off-by: Jonah Back
Co-authored-by: Yusuke Kuoka
---
 README.md | 10 ++++++++++
 controllers/runner_controller.go | 23 +++++++++++++++++------
 2 files changed, 27 insertions(+), 6 deletions(-)
diff --git a/README.md b/README.md
index 7f829495..fd4c11dc 100644
--- a/README.md
+++ b/README.md
@@ -728,6 +728,16 @@ spec:
 spec:
 nodeSelector:
 node-role.kubernetes.io/test: ""
+
+ securityContext:
+ #All level/role/type/user values will vary based on your SELinux policies.
+ #See https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux_atomic_host/7/html/container_security_guide/docker_selinux_security_policy for information about SELinux with containers
+ seLinuxOptions:
+ level: "s0"
+ role: "system_r"
+ type: "super_t"
+ user: "system_u"
+
 tolerations:
 - effect: NoSchedule
 key: node-role.kubernetes.io/test
diff --git a/controllers/runner_controller.go b/controllers/runner_controller.go
index 80d83250..de7f0e4d 100644
--- a/controllers/runner_controller.go
+++ b/controllers/runner_controller.go
@@ -564,10 +564,11 @@ func (r *RunnerReconciler) updateRegistrationToken(ctx context.Context, runner v
 func (r *RunnerReconciler) newPod(runner v1alpha1.Runner) (corev1.Pod, error) {
 var (
- privileged bool = true
- dockerdInRunner bool = runner.Spec.DockerdWithinRunnerContainer != nil && *runner.Spec.DockerdWithinRunnerContainer
- dockerEnabled bool = runner.Spec.DockerEnabled == nil || *runner.Spec.DockerEnabled
- ephemeral bool = runner.Spec.Ephemeral == nil || *runner.Spec.Ephemeral
+ privileged bool = true
+ dockerdInRunner bool = runner.Spec.DockerdWithinRunnerContainer != nil && *runner.Spec.DockerdWithinRunnerContainer
+ dockerEnabled bool = runner.Spec.DockerEnabled == nil || *runner.Spec.DockerEnabled
+ ephemeral bool = runner.Spec.Ephemeral == nil || *runner.Spec.Ephemeral
+ dockerdInRunnerPrivileged bool = dockerdInRunner
 )
 runnerImage := runner.Spec.Image
@@ -674,6 +675,15 @@ func (r *RunnerReconciler) newPod(runner v1alpha1.Runner) (corev1.Pod, error) {
 r.GitHubClient.GithubBaseURL,
 )
+ var seLinuxOptions *corev1.SELinuxOptions
+ if runner.Spec.SecurityContext != nil {
+ seLinuxOptions = runner.Spec.SecurityContext.SELinuxOptions
+ if seLinuxOptions != nil {
+ privileged = false
+ dockerdInRunnerPrivileged = false
+ }
+ }
+
 pod := corev1.Pod{
 ObjectMeta: metav1.ObjectMeta{
 Name: runner.Name,
@@ -692,7 +702,7 @@ func (r *RunnerReconciler) newPod(runner v1alpha1.Runner) (corev1.Pod, error) {
 EnvFrom: runner.Spec.EnvFrom,
 SecurityContext: &corev1.SecurityContext{
 // Runner need to run privileged if it contains DinD
- Privileged: runner.Spec.DockerdWithinRunnerContainer,
+ Privileged: &dockerdInRunnerPrivileged,
 },
 Resources: runner.Spec.Resources,
 },
@@ -821,7 +831,8 @@ func (r *RunnerReconciler) newPod(runner v1alpha1.Runner) (corev1.Pod, error) {
 },
 },
 SecurityContext: &corev1.SecurityContext{
- Privileged: &privileged,
+ Privileged: &privileged,
+ SELinuxOptions: seLinuxOptions,
 },
 Resources: runner.Spec.DockerdContainerResources,
 })
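Review bot: The new block ending at `dockerdInRunnerPrivileged = false` flips both containers to unprivileged with no comment saying why, and it keys that decision on the pointer being non-nil rather than on any label field being set, so a spec with an empty `seLinuxOptions: {}` would drop Privileged while labelling nothing. I'd put above `var seLinuxOptions *corev1.SELinuxOptions` a comment such as `// containerd applies SELinux labels only to unprivileged containers, so a configured label disables Privileged for the runner and dockerd containers; the label and the runtime's default capability set must then grant what dockerd needs.` A SELinux type does not add Linux capabilities, and neither SecurityContext in this diff sets Capabilities, so dockerd in this mode depends on the runtime defaults — worth stating next to the README example too. newPod continues outside the hunk.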
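Review bot: The comment `// Runner need to run privileged if it contains DinD` above `Privileged: &dockerdInRunnerPrivileged` is now stale, because that value is also forced to false when SELinux options are configured, and unlike the dockerd container in the last hunk this container does not get `SELinuxOptions: seLinuxOptions`, so in DinD-in-runner mode with SELinux set it runs neither privileged nor labelled unless runner.Spec.SecurityContext is merged into this container somewhere outside the hunk. I'd change the lines to `// Runner runs privileged if it contains DinD, unless SELinux options are set` followed by `Privileged: &dockerdInRunnerPrivileged,` and `SELinuxOptions: seLinuxOptions,`. Note also that the old value `runner.Spec.DockerdWithinRunnerContainer` could be nil and leave the field unset, whereas `&dockerdInRunnerPrivileged` always renders an explicit false; that is acceptable, but it changes the emitted manifest and is worth a word in the commit description.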