dockerEnabled for Stricter Clusters like OpenShift #96

Closed

@onelapahead (Contributor) commented Sep 14, 2020

Opening a draft while I test this out.

Motivation

I would like it so my users can make Runners without Docker access since on OpenShift that requires a SecurityContextConstraints. Other K8s clusters might require a PodSecurityPolicy instead FWIW.

Desired Experience

If users attempt to make a Runner with dockerEnabled: true and they don't have an SCC for the ServiceAccount they specified using serviceAccountName it will fail to create a pod and this is reflected in the Runner's status (this already occurs today without the dockerEnabled option).

If dockerEnabled: false is set, the user will then be able to have Runners create Pods without having to make an SCC/PSP because the Docker sidecar and volumes are omitted.

@Hi-Fi (Contributor) commented Oct 22, 2020

Isn't this the same as the new setting dockerdWithinRunnerContainer?

@Warashi (Contributor) commented Nov 12, 2020

When dockerdWithinRunnerContainer is set to true, the runner container runs privileged.
This PR may be useful for users who don't need Docker and don't want to run a privileged container.

@Warashi (Contributor) commented Nov 15, 2020

@hfuss
Do you have the motivation to continue this PR?
If you don't, I will send a PR doing the same as this.

@onelapahead (Contributor Author) commented

@Warashi I've had to put this down so please go ahead! Thank you for asking.

Will happily review and QA when it's ready.

@Warashi mentioned this pull request Nov 16, 2020

mumoshu pushed a commit that referenced this pull request Nov 16, 2020:

Add dockerEnabled option for users who do not need docker and do not want to run a privileged container.
If `dockerEnabled == false`, the dind container does not run, and there is no privileged container.

Do the same as closed #96

@mumoshu (Collaborator) commented Nov 16, 2020

@hfuss #191 has been released as a part of v0.12.0. Would you mind giving it a shot?

Thanks for the PR @Warashi!
