gitea-runner: secure with rootless
This commit is contained in:
@@ -7,7 +7,7 @@ data:
|
|||||||
log:
|
log:
|
||||||
level: info
|
level: info
|
||||||
runner:
|
runner:
|
||||||
file: .runner
|
file: /data/.runner
|
||||||
capacity: 1
|
capacity: 1
|
||||||
env_file: .env
|
env_file: .env
|
||||||
timeout: 3h
|
timeout: 3h
|
||||||
|
|||||||
@@ -16,24 +16,35 @@ spec:
|
|||||||
labels:
|
labels:
|
||||||
app: act-runner
|
app: act-runner
|
||||||
spec:
|
spec:
|
||||||
containers:
|
initContainers:
|
||||||
- name: runner
|
- name: sysctl
|
||||||
|
image: busybox
|
||||||
|
securityContext:
|
||||||
|
privileged: true
|
||||||
command:
|
command:
|
||||||
- sh
|
- sh
|
||||||
- -c
|
- -c
|
||||||
- while ! nc -z localhost 2376 </dev/null; do echo 'waiting for docker daemon...';
|
- echo 28633 > /proc/sys/user/max_user_namespaces
|
||||||
sleep 5; done; /sbin/tini -- run.sh
|
- name: chown-data
|
||||||
image: gitea/act_runner:nightly
|
image: busybox
|
||||||
|
securityContext:
|
||||||
|
runAsUser: 0
|
||||||
|
command:
|
||||||
|
- sh
|
||||||
|
- -c
|
||||||
|
- chown -R 1000:1000 /data
|
||||||
|
volumeMounts:
|
||||||
|
- name: runner-data
|
||||||
|
mountPath: /data
|
||||||
|
containers:
|
||||||
|
- name: runner
|
||||||
|
image: gitea/act_runner:nightly-dind-rootless
|
||||||
imagePullPolicy: Always
|
imagePullPolicy: Always
|
||||||
env:
|
env:
|
||||||
- name: CONFIG_FILE
|
- name: CONFIG_FILE
|
||||||
value: /config/config.yaml
|
value: /config/config.yaml
|
||||||
- name: DOCKER_HOST
|
- name: DOCKER_HOST
|
||||||
value: tcp://localhost:2376
|
value: unix:///run/user/1000/docker.sock
|
||||||
- name: DOCKER_CERT_PATH
|
|
||||||
value: /certs/client
|
|
||||||
- name: DOCKER_TLS_VERIFY
|
|
||||||
value: "1"
|
|
||||||
- name: GITEA_INSTANCE_URL
|
- name: GITEA_INSTANCE_URL
|
||||||
value: https://git.dubyatp.xyz
|
value: https://git.dubyatp.xyz
|
||||||
- name: GITEA_RUNNER_REGISTRATION_TOKEN
|
- name: GITEA_RUNNER_REGISTRATION_TOKEN
|
||||||
@@ -41,34 +52,20 @@ spec:
|
|||||||
secretKeyRef:
|
secretKeyRef:
|
||||||
key: registration-token
|
key: registration-token
|
||||||
name: gitea-runner-token
|
name: gitea-runner-token
|
||||||
terminationMessagePath: /dev/termination-log
|
|
||||||
terminationMessagePolicy: File
|
|
||||||
volumeMounts:
|
|
||||||
- name: runner-config
|
|
||||||
mountPath: /config
|
|
||||||
- name: docker-certs
|
|
||||||
mountPath: /certs
|
|
||||||
- name: runner-data
|
|
||||||
mountPath: /data
|
|
||||||
- name: daemon
|
|
||||||
env:
|
|
||||||
- name: DOCKER_TLS_CERTDIR
|
|
||||||
value: /certs
|
|
||||||
image: docker:23.0.6-dind
|
|
||||||
imagePullPolicy: IfNotPresent
|
|
||||||
securityContext:
|
securityContext:
|
||||||
privileged: true
|
privileged: true
|
||||||
terminationMessagePath: /dev/termination-log
|
terminationMessagePath: /dev/termination-log
|
||||||
terminationMessagePolicy: File
|
terminationMessagePolicy: File
|
||||||
volumeMounts:
|
volumeMounts:
|
||||||
- mountPath: /certs
|
- name: runner-config
|
||||||
name: docker-certs
|
mountPath: /config
|
||||||
|
- name: runner-data
|
||||||
|
mountPath: /data
|
||||||
dnsPolicy: ClusterFirst
|
dnsPolicy: ClusterFirst
|
||||||
restartPolicy: Always
|
restartPolicy: Always
|
||||||
schedulerName: default-scheduler
|
schedulerName: default-scheduler
|
||||||
terminationGracePeriodSeconds: 30
|
terminationGracePeriodSeconds: 30
|
||||||
volumes:
|
volumes:
|
||||||
- name: docker-certs
|
|
||||||
- name: runner-config
|
- name: runner-config
|
||||||
configMap:
|
configMap:
|
||||||
name: runner-config
|
name: runner-config
|
||||||
|
|||||||
Reference in New Issue
Block a user