Kubernetes: precreate workingDir as nonroot when required

[Aex12]

Problem

When the working directory is set to a directory that doesn't exists (for example, as plugin-git does), kubelet will pre-create it with ownership set to root:root and permissions 0755 . This makes pods running as non-root unable to write to it, causing permission errors.

Solution

Added a podInitContainer function that conditionally creates an init container to pre-create the working directory with the correct permissions before the main step container starts.

Behavior

• If the pod runs as root (RunAsUser == 0 or unset), no init container is created. Kubelet handles directory creation automatically
• If the working directory matches a volume mount path exactly, no init container is needed. FSGroupChangePolicy handles permissions
• An init container is only created when the working directory is nested within a volume mount path
• The init container uses busybox:stable-musl with minimal resource limits (5m CPU, 5Mi memory) and drops all capabilities.

Related issues and PRs

• Solves the error mentioned in Kubernetes: de-privileging the clone step #5346 (comment) without requiring a previous step.
• In addition to Kubernetes: Support allowPrivilegeEscalation and capabilities backend_options #6307 and Kubernetes: add instance-wide default and enforced Security Context #6310, this will make it easier to run woodpecker ci workloads in a namespace that enforces Pod Security Standards

[Aex12]

Hi @6543, what do you think about this alternative approach to #6312 for allowing the clone step to run unprivileged?

This approach is more self contained to kubernetes only, so other backends remain unaffected.

This PR doesn't cover the home issue mentioned in that PR, but still improves the experience of running woodpecker workloads in unprivileged namespaces in Kubernetes.

As an example, with this PR changes (in addition to #6322 and #6307) it's possible to run the clone step completely unprivileged by setting the following agent env vars:

WOODPECKER_BACKEND_K8S_DEFAULT_SECCTX='{"runAsUser":1000,"runAsGroup":1000,"fsGroup":1000,"fsGroupChangePolicy": "OnRootMismatch"}'
WOODPECKER_BACKEND_K8S_ENFORCED_SECCTX='{"privileged":false,"runAsNonRoot":true,"allowPrivilegeEscalation":false,"seccompProfile": {"type": "RuntimeDefault"}, "capabilities": {"drop": ["ALL"]}}'

And using this workflow:

clone:
  git:
    image: docker.io/woodpeckerci/plugin-git
    settings:
      depth: 0
      home: "/tmp"

steps:
  - name: check-clone-succeeded
    image: alpine
    commands:
      - pwd
      - ls -lah

Not as convenient as if home was set to /tmp by default, as it wouldn't require additional changes to the workflow, but still a step forward in making the Kubernetes backend in unprivileged mode more convenient to use.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 41.12%. Comparing base (52ed3f1) to head (cf59c3c).
⚠️ Report is 24 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #6322      +/-   ##
==========================================
- Coverage   41.29%   41.12%   -0.18%     
==========================================
  Files         431      431              
  Lines       28792    28821      +29     
==========================================
- Hits        11890    11852      -38     
- Misses      15836    15899      +63     
- Partials     1066     1070       +4     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[Aex12]

I took the opportunity to rebase from main to make merging easier

[6543]

@Aex12 thanks for the work ... took us some time to get reviewed :)