My team is offering managed Kubernetes inside our company, and we are working on setting up ARC in our environment to allow the developers of our company to run GitHub Actions.
What our users, mostly developers, would like to have is:
- Ability to run actions where they will be able to install packages (so run `sudo apt-get install <package name>`).
- Ability to build Docker images; for that we are going to use `kaniko` and `buildah`.
We are currently struggling a bit with what capabilities the runner pods should have. By default, in all clusters we offer, we drop all capabilities and we do not allow teams to run containers as root, nor do we allow escalation.
But this, in the case of GitHub Actions, does not allow teams to use `apt-get install <package-name>` in their pipelines of course, and neither kaniko nor buildah works.
We decided to try allowing only the required capabilities, but we ended up allowing too much, for example `SYS_ADMIN`, `SETUID`, `SETGID`, `CHOWN` and more...
Is there a better way to tackle this instead of just adding capabilities?
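
As an added example (not part of the original post and not ARC's own code): a small Python check that compares a runner pod spec against the baseline the post describes (all capabilities dropped, no root, no privilege escalation) and lists every deviation, including added capabilities such as the ones named above. The pod spec is constructed sample input and the function names are hypothetical; the fields are the standard Kubernetes `securityContext` fields.

```python
def audit_container(container, pod_sc=None):
    """Return findings for one container against the drop-ALL / non-root baseline."""
    pod_sc = pod_sc or {}
    sc = container.get("securityContext") or {}
    caps = sc.get("capabilities") or {}
    dropped = {c.upper() for c in caps.get("drop") or []}
    added = sorted(c.upper() for c in caps.get("add") or [])
    findings = []
    if "ALL" not in dropped:
        findings.append("capabilities.drop does not include ALL")
    findings += [f"adds capability {cap}" for cap in added]
    # Container-level settings override the pod-level securityContext.
    non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
    uid = sc.get("runAsUser", pod_sc.get("runAsUser"))
    if uid == 0 or (uid is None and non_root is not True):
        findings.append("may run as root")
    # allowPrivilegeEscalation is only safe when explicitly set to false.
    if sc.get("allowPrivilegeEscalation") is not False:
        findings.append("allowPrivilegeEscalation is not false")
    if sc.get("privileged"):
        findings.append("privileged container")
    return findings

def audit_pod(pod):
    """Map each container (init containers included) to its list of findings."""
    spec = pod.get("spec") or {}
    pod_sc = spec.get("securityContext") or {}
    containers = (spec.get("initContainers") or []) + (spec.get("containers") or [])
    return {c["name"]: audit_container(c, pod_sc) for c in containers}

# Constructed sample: one container at the baseline, one with the capabilities
# the post lists as having been added.
SAMPLE_POD = {"spec": {
    "securityContext": {"runAsNonRoot": True, "runAsUser": 1001},
    "containers": [
        {"name": "runner-baseline", "securityContext": {
            "allowPrivilegeEscalation": False,
            "capabilities": {"drop": ["ALL"]}}},
        {"name": "runner-build", "securityContext": {
            "allowPrivilegeEscalation": True,
            "capabilities": {"drop": ["ALL"],
                             "add": ["SYS_ADMIN", "SETUID", "SETGID", "CHOWN"]}}},
    ]}}

if __name__ == "__main__":
    for name, findings in audit_pod(SAMPLE_POD).items():
        print(name, "->", findings or "meets baseline")
```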