actions/actions-runner-controller
1
0
Fork 0
mirror of https://github.com/actions/actions-runner-controller.git synced 2025-12-10 11:41:27 +00:00
Code Issues Packages Projects Releases Wiki Activity

Do not explicitly set Privileged to false. (#2009)

Browse Source 
Setting SecurityContext.Privileged bit to false, which is default,
prevents GKE from admitting Windows pods.  Privileged bit is not
supported on Windows.
This commit is contained in:
Igor Sarkisov
2022-11-14 18:29:37 -08:00
committed by GitHub
parent 40eec3c783
commit 8f374d561f
2 changed files with 8 additions and 18 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
controllers/new_runner_pod_test.go
View File

@@ -160,9 +160,7 @@ func TestNewRunnerPod(t *testing.T) {
},
},
ImagePullPolicy: corev1.PullAlways,
SecurityContext: &corev1.SecurityContext{
Privileged: func() *bool { v := false; return &v }(),
},
SecurityContext: &corev1.SecurityContext{},
},
{
Name: "docker",
@@ -366,9 +364,7 @@ func TestNewRunnerPod(t *testing.T) {
},
},
ImagePullPolicy: corev1.PullAlways,
SecurityContext: &corev1.SecurityContext{
Privileged: boolPtr(false),
},
SecurityContext: &corev1.SecurityContext{},
},
},
RestartPolicy: corev1.RestartPolicyNever,
@@ -690,9 +686,7 @@ func TestNewRunnerPodFromRunnerController(t *testing.T) {
},
},
ImagePullPolicy: corev1.PullAlways,
SecurityContext: &corev1.SecurityContext{
Privileged: func() *bool { v := false; return &v }(),
},
SecurityContext: &corev1.SecurityContext{},
},
{
Name: "docker",
@@ -930,9 +924,7 @@ func TestNewRunnerPodFromRunnerController(t *testing.T) {
},
},
ImagePullPolicy: corev1.PullAlways,
SecurityContext: &corev1.SecurityContext{
Privileged: boolPtr(false),
},
SecurityContext: &corev1.SecurityContext{},
},
},
RestartPolicy: corev1.RestartPolicyNever,

10
controllers/runner_controller.go
View File

@@ -849,10 +849,6 @@ func newRunnerPodWithContainerMode(containerMode string, template corev1.Pod, ru
runnerContainerIndex = -1
runnerContainer = &corev1.Container{
Name: containerName,
SecurityContext: &corev1.SecurityContext{
// Runner need to run privileged if it contains DinD
Privileged: &dockerdInRunnerPrivileged,
},
}
}
@@ -887,8 +883,10 @@ func newRunnerPodWithContainerMode(containerMode string, template corev1.Pod, ru
runnerContainer.SecurityContext = &corev1.SecurityContext{}
}
if runnerContainer.SecurityContext.Privileged == nil {
// Runner need to run privileged if it contains DinD
// Runner need to run privileged if it contains DinD.
// Do not explicitly set SecurityContext.Privileged to false which is default,
// otherwise Windows pods don't get admitted on GKE.
if dockerdInRunnerPrivileged {
runnerContainer.SecurityContext.Privileged = &dockerdInRunnerPrivileged
}