Add fsGroupChangePolicy option to Kubernetes backend (#5416)

Co-authored-by: Lilly Sell <sell@b1-systems.de>
2025-09-02 11:30:23 +00:00 · 2025-08-15 10:28:38 +02:00
parent 8912f8989c
commit dc7795e64b
4 changed files with 41 additions and 24 deletions
--- a/docs/docs/30-administration/10-configuration/11-backends/20-kubernetes.md
+++ b/docs/docs/30-administration/10-configuration/11-backends/20-kubernetes.md
@@ -250,6 +250,15 @@ backend_options:
        localhostProfile: k8s-apparmor-example-deny-write
 ```

+or configure a specific `fsGroupChangePolicy` (Kubernetes defaults to 'Always')
+
+```yaml
+backend_options:
+  kubernetes:
+    securityContext:
+      fsGroupChangePolicy: OnRootMismatch
+```
+
 :::note
 The feature requires Kubernetes v1.30 or above.
 :::
--- a/pipeline/backend/kubernetes/backend_options.go
+++ b/pipeline/backend/kubernetes/backend_options.go
@@ -2,6 +2,7 @@ package kubernetes

 import (
 	"github.com/go-viper/mapstructure/v2"
+	v1 "k8s.io/api/core/v1"

 	backend "go.woodpecker-ci.org/woodpecker/v3/pipeline/backend/types"
 )
@@ -55,6 +56,7 @@ type SecurityContext struct {
 	RunAsUser           *int64                     `mapstructure:"runAsUser"`
 	RunAsGroup          *int64                     `mapstructure:"runAsGroup"`
 	FSGroup             *int64                     `mapstructure:"fsGroup"`
+	FsGroupChangePolicy *v1.PodFSGroupChangePolicy `mapstructure:"fsGroupChangePolicy"`
 	SeccompProfile      *SecProfile                `mapstructure:"seccompProfile"`
 	ApparmorProfile     *SecProfile                `mapstructure:"apparmorProfile"`
 }
--- a/pipeline/backend/kubernetes/pod.go
+++ b/pipeline/backend/kubernetes/pod.go
@@ -466,6 +466,7 @@ func podSecurityContext(sc *SecurityContext, secCtxConf SecurityContextConfig, s
 		user                *int64
 		group               *int64
 		fsGroup             *int64
+		fsGroupChangePolicy *v1.PodFSGroupChangePolicy
 		seccomp             *v1.SeccompProfile
 		apparmor            *v1.AppArmorProfile
 	)
@@ -505,6 +506,7 @@ func podSecurityContext(sc *SecurityContext, secCtxConf SecurityContextConfig, s

 		seccomp = seccompProfile(sc.SeccompProfile)
 		apparmor = apparmorProfile(sc.ApparmorProfile)
+		fsGroupChangePolicy = sc.FsGroupChangePolicy
 	}

 	if nonRoot == nil && user == nil && group == nil && fsGroup == nil && seccomp == nil && apparmor == nil {
@@ -516,6 +518,7 @@ func podSecurityContext(sc *SecurityContext, secCtxConf SecurityContextConfig, s
 		RunAsUser:           user,
 		RunAsGroup:          group,
 		FSGroup:             fsGroup,
+		FSGroupChangePolicy: fsGroupChangePolicy,
 		SeccompProfile:      seccomp,
 		AppArmorProfile:     apparmor,
 	}
--- a/pipeline/backend/kubernetes/pod_test.go
+++ b/pipeline/backend/kubernetes/pod_test.go
@@ -293,6 +293,7 @@ func TestFullPod(t *testing.T) {
 				"runAsGroup": 101,
 				"runAsNonRoot": true,
 				"fsGroup": 101,
+				"fsGroupChangePolicy": "OnRootMismatch",
 				"appArmorProfile": {
 					"type": "Localhost",
 					"localhostProfile": "k8s-apparmor-example-deny-write"
@@ -348,12 +349,14 @@ func TestFullPod(t *testing.T) {
 		{Number: 2345, Protocol: "tcp"},
 		{Number: 3456, Protocol: "udp"},
 	}
+	fsGroupChangePolicy := v1.PodFSGroupChangePolicy("OnRootMismatch")
 	secCtx := SecurityContext{
 		Privileged:          newBool(true),
 		RunAsNonRoot:        newBool(true),
 		RunAsUser:           newInt64(101),
 		RunAsGroup:          newInt64(101),
 		FSGroup:             newInt64(101),
+		FsGroupChangePolicy: &fsGroupChangePolicy,
 		SeccompProfile: &SecProfile{
 			Type:             "Localhost",
 			LocalhostProfile: "profiles/audit.json",