Update podSecurityContext for runner config

e1e828ff · Robert Massey · 4515659e · e1e828ff · e1e828ff · e1e828ff
Commit e1e828ff authored 1 year ago by Robert Massey
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,10 @@

 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).

+## [0.52.0-bb.4] - 2023-09-07
+### Changed
+- Update podSecurityContext for runner config
+
 ## [0.52.0-bb.3] - 2023-08-31
 ### Changed
 - Update configmap to work if runAsNonRoot is set

--- a/README.md
+++ b/README.md
 # gitlab-runner

-![Version: 0.52.0-bb.3](https://img.shields.io/badge/Version-0.52.0--bb.3-informational?style=flat-square) ![AppVersion: v15.11.0](https://img.shields.io/badge/AppVersion-v15.11.0-informational?style=flat-square)
+![Version: 0.52.0-bb.4](https://img.shields.io/badge/Version-0.52.0--bb.4-informational?style=flat-square) ![AppVersion: v15.11.0](https://img.shields.io/badge/AppVersion-v15.11.0-informational?style=flat-square)

 GitLab Runner

@@ -62,7 +62,7 @@ helm install gitlab-runner chart/
 | runners.helper.registry | string | `"registry1.dso.mil"` |  |
 | runners.helper.repository | string | `"ironbank/gitlab/gitlab-runner/gitlab-runner-helper"` |  |
 | runners.helper.tag | string | `"v15.11.0"` |  |
-| runners.config | string | `"[[runners]]\n  clone_url = \"http://gitlab-webservice-default.gitlab.svc.cluster.local:8181\"\n  cache_dir = \"/tmp/gitlab-runner/cache\"\n  [runners.kubernetes]\n    pull_policy = \"always\"\n    namespace = \"{{.Release.Namespace}}\"\n    image = \"{{ printf \"%s/%s:%s\" .Values.runners.job.registry .Values.runners.job.repository .Values.runners.job.tag }}\"\n    helper_image = \"{{ printf \"%s/%s:%s\" .Values.runners.helper.registry .Values.runners.helper.repository .Values.runners.helper.tag }}\"\n    image_pull_secrets = [\"private-registry\"]\n  [runners.kubernetes.pod_labels]\n    \"job_id\" = \"${CI_JOB_ID}\"\n    \"job_name\" = \"${CI_JOB_NAME}\"\n    \"pipeline_id\" = \"${CI_PIPELINE_ID}\"\n"` |  |
+| runners.config | string | `"[[runners]]\n  clone_url = \"http://gitlab-webservice-default.gitlab.svc.cluster.local:8181\"\n  cache_dir = \"/tmp/gitlab-runner/cache\"\n  [runners.kubernetes]\n    pull_policy = \"always\"\n    namespace = \"{{.Release.Namespace}}\"\n    image = \"{{ printf \"%s/%s:%s\" .Values.runners.job.registry .Values.runners.job.repository .Values.runners.job.tag }}\"\n    helper_image = \"{{ printf \"%s/%s:%s\" .Values.runners.helper.registry .Values.runners.helper.repository .Values.runners.helper.tag }}\"\n    image_pull_secrets = [\"private-registry\"]\n  [runners.kubernetes.pod_security_context]\n    run_as_non_root = true\n    run_as_user = 1001\n  [runners.kubernetes.pod_labels]\n    \"job_id\" = \"${CI_JOB_ID}\"\n    \"job_name\" = \"${CI_JOB_NAME}\"\n    \"pipeline_id\" = \"${CI_PIPELINE_ID}\"\n"` |  |
 | runners.locked | bool | `false` |  |
 | runners.runUntagged | bool | `true` |  |
 | runners.protected | bool | `true` |  |
@@ -77,7 +77,9 @@ helm install gitlab-runner chart/
 | securityContext.privileged | bool | `false` |  |
 | securityContext.capabilities.drop[0] | string | `"ALL"` |  |
 | podSecurityContext.runAsUser | int | `1001` |  |
+| podSecurityContext.runAsNonRoot | bool | `true` |  |
 | podSecurityContext.fsGroup | int | `65533` |  |
+| containerSecurityContext.runAsNonRoot | bool | `true` |  |
 | containerSecurityContext.capabilities.drop[0] | string | `"ALL"` |  |
 | resources.limits.memory | string | `"256Mi"` |  |
 | resources.limits.cpu | string | `"200m"` |  |

--- a/chart/Chart.yaml
+++ b/chart/Chart.yaml
 apiVersion: v2
 name: gitlab-runner
-version: 0.52.0-bb.3
+version: 0.52.0-bb.4
 appVersion: v15.11.0
 description: GitLab Runner
 keywords:

--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -335,6 +335,9 @@ runners:
        image = "{{ printf "%s/%s:%s" .Values.runners.job.registry .Values.runners.job.repository .Values.runners.job.tag }}"
        helper_image = "{{ printf "%s/%s:%s" .Values.runners.helper.registry .Values.runners.helper.repository .Values.runners.helper.tag }}"
        image_pull_secrets = ["private-registry"]
+      [runners.kubernetes.pod_security_context]
+        run_as_non_root = true
+        run_as_user = 1001
      [runners.kubernetes.pod_labels]
        "job_id" = "${CI_JOB_ID}"
        "job_name" = "${CI_JOB_NAME}"