Add support for giving kubernetes mode scaleset service account additional permissions

charts/gha-runner-scale-set/templates/kube_mode_role.yaml

@@ -36,21 +36,24 @@ metadata:
   finalizers:
     - actions.github.com/cleanup-protection
 rules:
-- apiGroups: [""]
+  - apiGroups: [""]
     resources: ["pods"]
     verbs: ["get", "list", "create", "delete"]
-- apiGroups: [""]
+  - apiGroups: [""]
     resources: ["pods/exec"]
     verbs: ["get", "create"]
-- apiGroups: [""]
+  - apiGroups: [""]
     resources: ["pods/log"]
     verbs: ["get", "list", "watch",]
 {{- if ne $containerMode.type "kubernetes-novolume" }}
-- apiGroups: ["batch"]
+  - apiGroups: ["batch"]
     resources: ["jobs"]
     verbs: ["get", "list", "create", "delete"]
 {{- end }}
-- apiGroups: [""]
+  - apiGroups: [""]
     resources: ["secrets"]
     verbs: ["get", "list", "create", "delete"]
+{{- with $containerMode.kubernetesModeAdditionalRoleRules}}
+{{- toYaml . | nindent 2}}
+{{- end }}
 {{- end }}

charts/gha-runner-scale-set/tests/values_k8s_extra_role_rules.yaml

@@ -0,0 +1,30 @@
+githubConfigUrl: https://github.com/actions/actions-runner-controller
+githubConfigSecret:
+  github_token: test
+template:
+  spec:
+    containers:
+      - name: other
+        image: other-image:latest
+    volumes:
+      - name: foo
+        emptyDir: {}
+      - name: bar
+        emptyDir: {}
+      - name: work
+        hostPath:
+          path: /data
+          type: Directory
+containerMode:
+  type: kubernetes
+  kubernetesModeAdditionalRoleRule:
+    - apiGroups:
+        - apps
+      resources:
+        - deployments
+      verbs:
+        - get
+        - list
+        - create
+        - delete
+

charts/gha-runner-scale-set/values.yaml

@@ -124,6 +124,7 @@ githubConfigSecret:
 #     resources:
 #       requests:
 #         storage: 1Gi
+#   kubernetesModeAdditionalRoleRules: []
 #
 
 ## listenerTemplate is the PodSpec for each listener Pod