mirror of
https://github.com/woodpecker-ci/woodpecker.git
synced 2026-05-04 12:32:36 +00:00
### Problem

When the working directory is set to a directory that doesn't exist (for example, as `plugin-git` does), kubelet will pre-create it with ownership set to `root:root` and permissions `0755`. This makes pods running as non-root unable to write to it, causing permission errors.

### Solution

Added a `podInitContainer` function that conditionally creates an init container to pre-create the working directory with the correct permissions before the main step container starts.

### Behavior

- If the pod runs as root (`RunAsUser == 0` or unset), no init container is created. Kubelet handles directory creation automatically.
- If the working directory matches a volume mount path exactly, no init container is needed. `FSGroupChangePolicy` handles permissions.
- An init container is only created when the working directory is nested within a volume mount path.
- The init container uses `busybox:stable-musl` with minimal resource limits (5m CPU, 5Mi memory) and drops all capabilities.

### Related issues and PRs

- Solves the error mentioned in https://github.com/woodpecker-ci/woodpecker/issues/5346#issuecomment-3211408746 without requiring a previous step.
- In addition to #6307 and #6310, this will make it easier to run woodpecker ci workloads in a namespace that enforces [Pod Security Standards](https://kubernetes.io/docs/concepts/security/pod-security-standards/).
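The decision rules in the Behavior section, worked through as a stand-alone Go example. This is an added illustration, not Woodpecker's `podInitContainer` or its Kubernetes backend code: `PodSettings` and `InitContainer` are hypothetical plain structs standing in for the pod spec and a `corev1.Container`, and the `mkdir -p` command run as the step's own UID (relying on `fsGroup` having made the volume root group-writable) is an assumption about how the directory gets created, not something the PR text states. The sample mount paths are constructed.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// PodSettings is a hypothetical, minimal stand-in for the fields of a step's
// pod spec that the decision depends on (not Woodpecker's own types).
type PodSettings struct {
	RunAsUser  *int64   // nil models an unset securityContext.runAsUser
	WorkDir    string   // the step's working directory inside the container
	MountPaths []string // mountPath of every volume mounted into the step container
}

// InitContainer is a plain-Go rendering of the init container the PR
// describes; a real implementation would emit a corev1.Container instead.
type InitContainer struct {
	Name             string
	Image            string
	Command          []string
	CPULimit         string
	MemoryLimit      string
	DropCapabilities []string
	RunAsUser        int64
}

// NeedsWorkDirInit applies the three rules from the PR and returns the
// decision plus a reason, which is useful when logging why a pod did or
// did not get an init container.
func NeedsWorkDirInit(s PodSettings) (bool, string) {
	// Rule 1: root (or unset, which defaults to root) can write a root:root 0755 dir.
	if s.RunAsUser == nil || *s.RunAsUser == 0 {
		return false, "pod runs as root: the kubelet-created directory is already writable"
	}
	wd := path.Clean(s.WorkDir) // normalises trailing slashes and "." segments
	for _, m := range s.MountPaths {
		mp := path.Clean(m)
		// Rule 2: the workdir is the mount root itself; fsGroup handles ownership there.
		if wd == mp {
			return false, "workdir is a volume mount root: fsGroup/fsGroupChangePolicy fixes its ownership"
		}
		// Rule 3: strictly nested under the mount (prefix must end at a path separator,
		// so "/woodpeckerx" is not treated as being inside "/woodpecker").
		prefix := mp + "/"
		if mp == "/" {
			prefix = "/"
		}
		if strings.HasPrefix(wd, prefix) {
			return true, "workdir is nested under volume mount " + mp
		}
	}
	return false, "workdir is not inside any volume mount"
}

// BuildWorkDirInit returns the init container for s, or nil when none is needed.
// Assumption (not from the PR): the container runs as the step's UID and only
// does mkdir -p, so no chown and therefore no retained capability is required.
func BuildWorkDirInit(s PodSettings) *InitContainer {
	need, _ := NeedsWorkDirInit(s)
	if !need {
		return nil
	}
	return &InitContainer{
		Name:             "workdir-init",
		Image:            "busybox:stable-musl",
		Command:          []string{"mkdir", "-p", path.Clean(s.WorkDir)},
		CPULimit:         "5m",
		MemoryLimit:      "5Mi",
		DropCapabilities: []string{"ALL"},
		RunAsUser:        *s.RunAsUser,
	}
}

func main() {
	uid := int64(1000)
	// Constructed sample pods covering each rule.
	cases := []PodSettings{
		{RunAsUser: nil, WorkDir: "/woodpecker/src/repo", MountPaths: []string{"/woodpecker"}},
		{RunAsUser: &uid, WorkDir: "/woodpecker", MountPaths: []string{"/woodpecker"}},
		{RunAsUser: &uid, WorkDir: "/woodpecker/src/repo", MountPaths: []string{"/woodpecker"}},
		{RunAsUser: &uid, WorkDir: "/tmp/build", MountPaths: []string{"/woodpecker"}},
	}
	for _, c := range cases {
		need, why := NeedsWorkDirInit(c)
		fmt.Printf("workdir=%-22s init=%-5t %s\n", c.WorkDir, need, why)
		if ic := BuildWorkDirInit(c); ic != nil {
			fmt.Printf("  %s %v cpu=%s mem=%s drop=%v uid=%d\n",
				ic.Image, ic.Command, ic.CPULimit, ic.MemoryLimit, ic.DropCapabilities, ic.RunAsUser)
		}
	}
}
```

The prefix check is the part worth getting right: comparing cleaned paths and requiring the separator after the mount path avoids both the trailing-slash mismatch (`/woodpecker/` vs `/woodpecker`) and a false match on a sibling directory that merely shares a name prefix.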