Kubernetes | Docker: Add support for rootless images (#4151)

2025-09-02 00:58:22 +00:00 · 2024-11-02 18:07:27 +01:00
parent 0b4654586f
commit 560eab96f0
13 changed files with 135 additions and 114 deletions
--- a/pipeline/backend/kubernetes/pod.go
+++ b/pipeline/backend/kubernetes/pod.go
@@ -31,8 +31,9 @@ import (
 )

 const (
-	StepLabel = "step"
-	podPrefix = "wp-"
+	StepLabel            = "step"
+	podPrefix            = "wp-"
+	defaultFSGroup int64 = 1000
 )

 func mkPod(step *types.Step, config *config, podName, goos string, options BackendOptions) (*v1.Pod, error) {
@@ -182,7 +183,7 @@ func podContainer(step *types.Step, podName, goos string, options BackendOptions
 	container := v1.Container{
 		Name:            podName,
 		Image:           step.Image,
-		WorkingDir:      step.WorkingDir,
+		WorkingDir:      step.WorkspaceBase,
 		Ports:           containerPorts(step.Ports),
 		SecurityContext: containerSecurityContext(options.SecurityContext, step.Privileged),
 	}
@@ -389,6 +390,9 @@ func podSecurityContext(sc *SecurityContext, secCtxConf SecurityContextConfig, s
 	if secCtxConf.RunAsNonRoot {
 		nonRoot = newBool(true)
 	}
+	if secCtxConf.FSGroup != nil {
+		fsGroup = secCtxConf.FSGroup
+	}

 	if sc != nil {
 		// only allow to set user if its not root or step is privileged
@@ -406,6 +410,11 @@ func podSecurityContext(sc *SecurityContext, secCtxConf SecurityContextConfig, s
 			fsGroup = sc.FSGroup
 		}

+		// if unset, set fsGroup to 1000 by default to support non-root images
+		if sc.FSGroup != nil {
+			fsGroup = sc.FSGroup
+		}
+
 		// only allow to set nonRoot if it's not set globally already
 		if nonRoot == nil && sc.RunAsNonRoot != nil {
 			nonRoot = sc.RunAsNonRoot