actions / runner-container-hooks

Runner Container Hooks for GitHub Actions
MIT License

Support for securityContext for Pods created by the k8s hook #33

Closed nvnoorloos closed 1 year ago

nvnoorloos commented 2 years ago

Hello!

We are using ARC with 'containerMode: kubernetes' to avoid Docker in Docker for our self-hosted runners. Thank you for this project, it helps us a lot :)

In our environment we have a strict Open Policy Agent rule that requires that every container runs as non-root. For the runners themselves we can configure a 'securityContext' with options like 'runAsUser', but for the workflow pods that are created by the k8s hook we are not able to configure such behaviour. Therefore we are not able to use Docker images without an explicit USER statement.

We are not sure if this is the correct place to discuss this kind of extensions, maybe it's more ARC related?

nikola-jokic commented 2 years ago

Hey @nvnoorloos,

Thank you for your kind words! Yes, this is the right place to submit this issue :relaxed:. The idea of the container hooks is to provide you with a way to customize how your hooks behave. The implementation provides the use cases that you most likely need. For customizing it, you can clone this repository and change anything you want.

On the other hand, that would require changes in the Dockerfile that is used to build a runner image (by default, it will pull the latest release of the hook), which is later used in the cluster. Files are stored in the /runner/k8s directory and, in case of using containerMode: kubernetes, the controller will set an environment variable telling the runner where the hook is located. So when you customize it, make sure the files are stored there :relaxed:

However, I will bring this issue to our team.

nikola-jokic commented 1 year ago

Closing this issue because we added a hook extension in 0.4.0 release :relaxed:
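The two things this thread turns on are (1) an admission rule that every container in a hook-created job pod must run as non-root, and (2) a way to inject a pod-level securityContext into those pods, which the closing comment says arrived as a hook extension in 0.4.0. The block below is an added example, not code from runner-container-hooks or from the commenters: it evaluates a pod spec the way a Kubernetes non-root policy would (container-level securityContext fields override pod-level ones), and shows a job pod without any securityContext failing that check and passing once a pod-level template has been merged in. The job pod, the template, the image names and the `apply_template` merge semantics are all constructed or assumed here; the actual template format and merge rules of the 0.4.0 extension are not described on this page.

```python
"""Effective-securityContext check for a hook-created job pod.

Added example; not part of runner-container-hooks. The pod, the template
and the merge function are constructed/assumed for illustration only.
"""
from copy import deepcopy

# Constructed: the shape of a job pod the k8s hook creates for a step whose
# image has no USER statement and whose containers carry no securityContext.
JOB_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "job-pod"},
    "spec": {
        "containers": [
            {"name": "job", "image": "example.invalid/build-tools:1.0"},
            {"name": "postgres", "image": "example.invalid/postgres:15"},
        ]
    },
}

# Constructed: a pod-spec template an operator would supply so that every
# hook-created pod runs as non-root. The "$job" container name is a
# hypothetical placeholder meaning "the job container"; values are assumed.
TEMPLATE = {
    "spec": {
        "securityContext": {"runAsNonRoot": True, "runAsUser": 1001, "runAsGroup": 1001},
        "containers": [
            {"name": "$job", "securityContext": {"allowPrivilegeEscalation": False}},
        ],
    }
}


def effective_security_context(pod_spec, container):
    """Kubernetes precedence: for fields that exist at both levels
    (runAsUser, runAsGroup, runAsNonRoot) the container-level value wins
    over the pod-level value. allowPrivilegeEscalation is container-only
    and defaults to true when unset."""
    pod_sc = pod_spec.get("securityContext") or {}
    c_sc = container.get("securityContext") or {}
    eff = {}
    for key in ("runAsUser", "runAsGroup", "runAsNonRoot"):
        if key in c_sc:
            eff[key] = c_sc[key]
        elif key in pod_sc:
            eff[key] = pod_sc[key]
    eff["allowPrivilegeEscalation"] = c_sc.get("allowPrivilegeEscalation", True)
    return eff


def non_root_violations(pod):
    """Mirror of a 'must run as non-root' admission rule like the OPA rule
    described in the issue. A container passes if its effective runAsUser is
    a non-zero UID, or if runAsUser is unset and runAsNonRoot is true (the
    kubelet then refuses to start an image that resolves to UID 0)."""
    spec = pod["spec"]
    violations = []
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        eff = effective_security_context(spec, c)
        uid = eff.get("runAsUser")
        if uid == 0:
            violations.append(f"{c['name']}: runAsUser is 0")
        elif uid is None and not eff.get("runAsNonRoot"):
            violations.append(f"{c['name']}: no runAsUser and runAsNonRoot not set")
    return violations


def apply_template(pod, template):
    """Simplified stand-in for merging an operator template into the job pod
    (an assumption about how a hook template extension behaves, not the
    project's documented semantics): pod-level securityContext fields from
    the template fill in anything the job pod did not set, and a template
    container named "$job" is merged into the first container, which is
    assumed to be the job container."""
    merged = deepcopy(pod)
    spec = merged["spec"]
    tspec = template.get("spec", {})
    spec.setdefault("securityContext", {})
    for key, value in tspec.get("securityContext", {}).items():
        spec["securityContext"].setdefault(key, value)
    for tc in tspec.get("containers", []):
        if tc.get("name") == "$job" and spec["containers"]:
            job = spec["containers"][0]
            job.setdefault("securityContext", {}).update(tc.get("securityContext", {}))
    return merged


if __name__ == "__main__":
    print("before template:", non_root_violations(JOB_POD))
    print("after template: ", non_root_violations(apply_template(JOB_POD, TEMPLATE)))
```

Note that a container-level `runAsUser: 0` still overrides the pod-level UID, so a policy that only inspects `spec.securityContext` is not sufficient; the check above evaluates each container's effective context, which is also why the template sets `runAsNonRoot: true` alongside the UID.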