I was able to get the gha-runner-scale-set running in rootless mode in Kubernetes with the following configuration, to fulfill the restricted pod security standards profile.
But I am not able to apply the securityContext to the job container which is started when a GitHub Action is executed; I am getting the following error message:
Error: Error: failed to create job pod: pods "self-hosted-<id>-runner-<id>-workflow" is forbidden: violates PodSecurity "restricted:v1.29": allowPrivilegeEscalation != false (container "job" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "job" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "job" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "job" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
For installation I am using FluxCD, and the HelmRelease looks as follows:
apiVersion: helm.toolkit.fluxcd.io/v2beta2
kind: HelmRelease
metadata:
  name: gha-runner-scale-set
  namespace: gha-runner
spec:
  chart:
    spec:
      chart: gha-runner-scale-set
      sourceRef:
        kind: HelmRepository
        name: gha-runner-scale-set
        namespace: flux-system
      version: 0.9.1
  interval: 1m0s
  values:
    # configure where the runner belongs to (repository, organization or company)
    githubConfigUrl: https://github.com/<organization-name>
    githubConfigSecret: github-secret
    maxRunners: 3
    minRunners: 1
    runnerGroup: "<runner-group>"
    # will be interpreted as GitHub Label
    runnerScaleSetName: self-hosted
    # configure listener to match pod security standards pss (restricted profile)
    listenerTemplate:
      spec:
        containers:
          - name: listener
            securityContext:
              runAsNonRoot: true
              runAsUser: 1000
              allowPrivilegeEscalation: false
              capabilities:
                drop: [ "ALL" ]
              seccompProfile:
                type: RuntimeDefault
    # configure runner to match pod security standards pss (restricted profile)
    template:
      spec:
        securityContext:
          fsGroup: 1001
        containers:
          - name: runner
            image: ghcr.io/actions/actions-runner:latest
            command: ["/home/runner/run.sh"]
            env:
              - name: ACTIONS_RUNNER_CONTAINER_HOOKS
                value: /home/runner/k8s/index.js
              - name: ACTIONS_RUNNER_POD_NAME
                valueFrom:
                  fieldRef:
                    fieldPath: metadata.name
              - name: ACTIONS_RUNNER_REQUIRE_JOB_CONTAINER
                value: "false"
            securityContext:
              runAsNonRoot: true
              runAsUser: 1001
              allowPrivilegeEscalation: false
              capabilities:
                drop: [ "ALL" ]
              seccompProfile:
                type: RuntimeDefault
            volumeMounts:
              - name: work
                mountPath: /home/runner/_work
        # ToDo: check if with that the role permissions are automatically provisioned
        #serviceAccountName: k8s-runner-gha-rs-kube-mode
        volumes:
          - name: work
            ephemeral:
              volumeClaimTemplate:
                spec:
                  accessModes: [ "ReadWriteOnce" ]
                  resources:
                    requests:
                      storage: 1Gi
    containerMode:
      type: Kubernetes
      kubernetesModeWorkVolumeClaim:
        accessModes: ["ReadWriteOnce"]
        # configuration not needed as default storage class is configured
        #storageClassName: "dynamic-blob-storage"
        resources:
          requests:
            storage: 1Gi
    controllerServiceAccount:
      namespace: gha-controller
      name: gha-runner-scale-set-controller-gha-rs-controller
Any help for configuring the job container to be compliant would be helpful.
Best regards,
Jan
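The error above names the four checks the restricted PodSecurity profile applies to the "job" container, and the HelmRelease only sets a securityContext on the runner container, not on the pod the Kubernetes container hook creates for a workflow's `container:`. As an added example (not part of Jan's post and not code from the ARC or runner-container-hooks projects), the Python script below reimplements those four checks with the pod-or-container fallback the message describes, and builds the pod template that the hook reads from the file named in the `ACTIONS_RUNNER_CONTAINER_HOOK_TEMPLATE` environment variable; the container named `$job` in that template is the hook's placeholder for the job container. The UID and fsGroup 1001 are taken from the runner pod above; the `ubuntu:22.04` job image, the ConfigMap name and the mount path mentioned in the usage note are assumptions.

```python
"""Replay the PodSecurity "restricted" checks from the admission error and
generate a runner-container-hooks pod template whose `$job` container passes
them.  Standard library only; the template is emitted as JSON, which is valid
YAML 1.2 and is read unchanged by the hook's YAML loader.
"""
import json

# Assumed to match the runner pod in the HelmRelease: the job container runs as
# the same UID as the runner so the shared _work volume (fsGroup 1001) stays
# writable from both sides.
RUNNER_UID = 1001
RUNNER_FSGROUP = 1001

# The restricted profile allows a container to re-add only this capability
# after dropping ALL.
ALLOWED_ADD_CAPS = {"NET_BIND_SERVICE"}


def _sc(obj):
    return obj.get("securityContext") or {}


def restricted_violations(pod_spec, container):
    """Return the violation strings the admission controller would emit for one
    container.  Wording follows the "restricted:v1.29" error; runAsNonRoot and
    seccompProfile may be satisfied at pod level, the other two only on the
    container.  A container-level value always wins over the pod-level one."""
    name = container["name"]
    pod_sc, c_sc = _sc(pod_spec), _sc(container)
    problems = []
    if c_sc.get("allowPrivilegeEscalation") is not False:
        problems.append(f'allowPrivilegeEscalation != false (container "{name}" '
                        'must set securityContext.allowPrivilegeEscalation=false)')
    caps = c_sc.get("capabilities") or {}
    if "ALL" not in (caps.get("drop") or []) or not set(caps.get("add") or []) <= ALLOWED_ADD_CAPS:
        problems.append(f'unrestricted capabilities (container "{name}" '
                        'must set securityContext.capabilities.drop=["ALL"])')
    if c_sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
        problems.append(f'runAsNonRoot != true (pod or container "{name}" '
                        'must set securityContext.runAsNonRoot=true)')
    seccomp = (c_sc.get("seccompProfile") or pod_sc.get("seccompProfile") or {}).get("type")
    if seccomp not in ("RuntimeDefault", "Localhost"):
        problems.append(f'seccompProfile (pod or container "{name}" must set '
                        'securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")')
    return problems


def job_hook_template():
    """Template consumed via ACTIONS_RUNNER_CONTAINER_HOOK_TEMPLATE.  `$job` is
    the hook's placeholder for the workflow's job container; its securityContext
    is merged into the pod the hook generates."""
    return {
        "apiVersion": "v1",
        "kind": "PodTemplate",
        "metadata": {"name": "runner-pod-template"},
        "spec": {
            "securityContext": {
                "runAsNonRoot": True,
                "fsGroup": RUNNER_FSGROUP,
                "seccompProfile": {"type": "RuntimeDefault"},
            },
            "containers": [{
                "name": "$job",
                "securityContext": {
                    "runAsNonRoot": True,
                    "runAsUser": RUNNER_UID,  # kubelet rejects images that run as root otherwise
                    "allowPrivilegeEscalation": False,
                    "capabilities": {"drop": ["ALL"]},
                    "seccompProfile": {"type": "RuntimeDefault"},
                },
            }],
        },
    }


def bare_job_container(image="ubuntu:22.04"):
    """The job container as the hook creates it without a template: image and
    name only, no securityContext at all (constructed sample)."""
    return {"name": "job", "image": image}


def job_pod_with_template(image="ubuntu:22.04"):
    """Simplified merge: copy the `$job` securityContext and the pod-level
    securityContext from the template onto the bare job container."""
    tmpl = job_hook_template()["spec"]
    job = dict(bare_job_container(image))
    job["securityContext"] = next(c for c in tmpl["containers"] if c["name"] == "$job")["securityContext"]
    return {"securityContext": tmpl["securityContext"], "containers": [job]}


def render_hook_template():
    """JSON text to place in the ConfigMap that is mounted into the runner pod."""
    return json.dumps(job_hook_template(), indent=2)


if __name__ == "__main__":
    bare = {"containers": [bare_job_container()]}
    print("without template:", restricted_violations(bare, bare["containers"][0]))
    pod = job_pod_with_template()
    print("with template:   ", restricted_violations(pod, pod["containers"][0]))
    print(render_hook_template())
```

To use the output, put the rendered text into a ConfigMap (say `runner-pod-template`), mount it into the runner pod, and add `ACTIONS_RUNNER_CONTAINER_HOOK_TEMPLATE` to the runner container's `env` with the path of the mounted file; both the env variable and the `$job` container name are features of the Kubernetes hook shipped in the runner image, so check the runner-container-hooks README for the version you run. Two caveats: with `ACTIONS_RUNNER_REQUIRE_JOB_CONTAINER` set to `"false"` the job pod only appears when a workflow declares `container:`, so steps without it already run inside the compliant runner pod; and `runAsNonRoot: true` makes the kubelet refuse any job image whose default user is UID 0 unless `runAsUser` is set, which is why the template pins it to the runner's UID.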