chore(installation): add drop capabilities flag docs (#355)

Co-authored-by: David May <49894298+wass3rw3rk@users.noreply.github.com>
go-vela · Apr 25, 2023 · ef23e0f · ef23e0f
1 parent c479b4a
commit ef23e0f
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 0 deletions.
diff --git a/content/installation/worker/reference/_index.md b/content/installation/worker/reference/_index.md
@@ -269,6 +269,14 @@ The variable can be provided as a comma-separated `list` (i.e. `myImage1,myImage
 Please use with caution. This setting essentially grants any defined image root access to the host machine.
 {{% /alert %}}
 
+### VELA_RUNTIME_DROP_CAPABILITIES
+
+This configuration variable is used by the [runtime component](/docs/installation/worker/reference/runtime/) for the worker.
+
+This variable leverages the [`--cap-drop` Docker run flag](https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities) to disable certain kernel capabilities given to the container by default.
+
+This variable can be provided as a comma-separated `list` (e.g. `CAP_CHOWN,CAP_DAC_OVERRIDE`). There is some validation in place to ensure accurate capabilities are provided.
+
 ### VELA_RUNTIME_VOLUMES
 
 This configuration variable is used by the [runtime component](/docs/installation/worker/reference/runtime/) for the worker.

diff --git a/content/installation/worker/reference/runtime.md b/content/installation/worker/reference/runtime.md
@@ -21,6 +21,7 @@ The following options are used to configure the component:
 | `runtime.pods-template-name` | name of the PipelinePodsTemplate to retrieve from the `runtime.namespace` (only for kubernetes) | `false`  | `N/A`                    | `RUNTIME_PODS_TEMPLATE_NAME`<br>`VELA_RUNTIME_PODS_TEMPLATE_NAME` |
 | `runtime.pods-template-file` | path to local fallback file containing a PipelinePodsTemplate in YAML (only for kubernetes)     | `false`  | `N/A`                    | `RUNTIME_PODS_TEMPLATE_FILE`<br>`VELA_RUNTIME_PODS_TEMPLATE_FILE` |
 | `runtime.privileged-images`  | images allowed to run in privileged mode for the runtime                                        | `false`  | `[ ]` | `RUNTIME_PRIVILEGED_IMAGES`<br>`VELA_RUNTIME_PRIVILEGED_IMAGES`   |
+| `runtime.drop-capabilities`  | kernel capabilities to be dropped from each running container                                   | `false`  | `N/A`                    | `RUNTIME_DROP_CAPABILITIES`<br>`VELA_RUNTIME_DROP_CAPABILITIES`   |
 | `runtime.volumes`            | path to host volumes to mount into resources for the runtime                                    | `false`  | `N/A`                    | `RUNTIME_VOLUMES`<br>`VELA_RUNTIME_VOLUMES`                       |
 
 {{% alert title="Note:" color="primary" %}}