wip: Mon Nov 18 18:19:11 +03 2024

codefresh-io · Nov 18, 2024 · 468de3e · 468de3e
1 parent 7e955c4
commit 468de3e
Show file tree

Hide file tree

Showing 5 changed files with 24 additions and 18 deletions.
diff --git a/charts/cf-runtime/README.md b/charts/cf-runtime/README.md
@@ -727,10 +727,12 @@ volumeProvisioner:
     image:
       tag: 1.30.0-rootless
       digest: sha256:712e549e6e843b04684647f17e0973f8047e0d60e6e8b38a693ea64dc75b0479
-    podSecurityContext:
-      enabled: true
+    containerSecurityContext:
       runAsUser: 1000
+    podSecurityContext:
       fsGroup: 1000
+      # Ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#configure-volume-permission-and-ownership-change-policy-for-pods
+      fsGroupChangePolicy: "OnRootMismatch"
     # -- Enable initContainer to run chmod for /var/lib/codefresh/dind-volumes on host nodes
     volumePermissions:
       enabled: false
@@ -746,15 +748,15 @@ runtime:
         mountPath: /home/rootless/
     containerSecurityContext:
       privileged: true
-    podSecurityContext:
-      enabled: true
       runAsUser: 1000
+    podSecurityContext:
       fsGroup: 1000
       # Ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#configure-volume-permission-and-ownership-change-policy-for-pods
       fsGroupChangePolicy: "OnRootMismatch"
     # -- Enable initContainer to run chmod for /home/rootless in DinD pod
+    # !!! Will slow down dind pod startup
     volumePermissions:
-      enabled: false
+      enabled: true
 ```
 
 ### ARM

diff --git a/charts/cf-runtime/README.md.gotmpl b/charts/cf-runtime/README.md.gotmpl
@@ -729,10 +729,12 @@ volumeProvisioner:
     image:
       tag: 1.30.0-rootless
       digest: sha256:712e549e6e843b04684647f17e0973f8047e0d60e6e8b38a693ea64dc75b0479
-    podSecurityContext:
-      enabled: true
+    containerSecurityContext:
       runAsUser: 1000
+    podSecurityContext:
       fsGroup: 1000
+      # Ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#configure-volume-permission-and-ownership-change-policy-for-pods
+      fsGroupChangePolicy: "OnRootMismatch"
     # -- Enable initContainer to run chmod for /var/lib/codefresh/dind-volumes on host nodes
     volumePermissions:
       enabled: false
@@ -748,15 +750,15 @@ runtime:
         mountPath: /home/rootless/
     containerSecurityContext:
       privileged: true
-    podSecurityContext:
-      enabled: true
       runAsUser: 1000
+    podSecurityContext:
       fsGroup: 1000
       # Ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#configure-volume-permission-and-ownership-change-policy-for-pods
       fsGroupChangePolicy: "OnRootMismatch"
     # -- Enable initContainer to run chmod for /home/rootless in DinD pod
+    # !!! Will slow down dind pod startup
     volumePermissions:
-      enabled: false
+      enabled: true
 ```
 
 ### ARM

diff --git a/charts/cf-runtime/templates/_components/volume-provisioner/_daemonset.yaml b/charts/cf-runtime/templates/_components/volume-provisioner/_daemonset.yaml
@@ -37,7 +37,7 @@ spec:
         args:
          - -ec
          - |
-           chown -R {{ .Values.podSecurityContext.runAsUser }}:{{ .Values.podSecurityContext.fsGroup }} {{ $localVolumeParentDir }}
+           chown -R {{ .Values.containerSecurityContext.runAsUser }}:{{ .Values.podSecurityContext.fsGroup }} {{ $localVolumeParentDir }}
         volumeMounts:
         - mountPath: {{ $localVolumeParentDir }}
           name: dind-volume-dir
@@ -95,4 +95,4 @@ spec:
         {{- toYaml . | nindent 6 }}
       {{- end }}
 {{- end }}
-{{- end -}}
+{{- end -}}
diff --git a/charts/cf-runtime/templates/runtime/runtime-env-spec-tmpl.yaml b/charts/cf-runtime/templates/runtime/runtime-env-spec-tmpl.yaml
@@ -199,7 +199,7 @@ dockerDaemonScheduler:
     args:
       - -ec
       - |
-        chown -R {{ $dindContext.podSecurityContext.runAsUser }}:{{ $dindContext.podSecurityContext.fsGroup }} /home/rootless/.local/share/docker
+        chown -R {{ $dindContext.containerSecurityContext.runAsUser }}:{{ $dindContext.podSecurityContext.fsGroup }} /home/rootless/.local/share/docker
     volumeMounts:
     - mountPath: /home/rootless/.local/share/docker
       name: dind

diff --git a/charts/cf-runtime/values-rootless.yaml b/charts/cf-runtime/values-rootless.yaml
@@ -6,10 +6,12 @@ volumeProvisioner:
     image:
       tag: 1.30.0-rootless
       digest: sha256:712e549e6e843b04684647f17e0973f8047e0d60e6e8b38a693ea64dc75b0479
-    podSecurityContext:
-      enabled: true
+    containerSecurityContext:
       runAsUser: 1000
+    podSecurityContext:
       fsGroup: 1000
+      # Ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#configure-volume-permission-and-ownership-change-policy-for-pods
+      fsGroupChangePolicy: "OnRootMismatch"
     # -- Enable initContainer to run chmod for /var/lib/codefresh/dind-volumes on host nodes
     volumePermissions:
       enabled: false
@@ -25,12 +27,12 @@ runtime:
         mountPath: /home/rootless/
     containerSecurityContext:
       privileged: true
-    podSecurityContext:
-      enabled: true
       runAsUser: 1000
+    podSecurityContext:
       fsGroup: 1000
       # Ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#configure-volume-permission-and-ownership-change-policy-for-pods
       fsGroupChangePolicy: "OnRootMismatch"
     # -- Enable initContainer to run chmod for /home/rootless in DinD pod
+    # !!! Will slow down dind pod startup
     volumePermissions:
-      enabled: false
+      enabled: true