capabilities and securityContext for runner pods

[lefterisALEX]

Hello,

My team is offering managed Kubernetes inside out company and we are working on setting up ARC in our environment to allow the developers of our company to run GitHub actions.
What our users, mostly developers, would like to have is:

• Ability to run actions where the will be able to install packages (so run sudo apt-get install <package name>).
• Ability build docker images , for that we are going to use kaniko and buildah.

We are currently struggle a bit with what capabilities the runner pods should have. By default in all clusters we offer we drop all capabilities and we do not allow teams run containers as root, neither allow escalation.
But this in case of github actions do not allow teams use apt-get install <package-name> in their pipelines of course, and neither kaniko/buildah works.
We said to give a try to allow use only the required capabilities , but we end up allowing too much, for example SYS_ADMIN , SETUID, SETGID, CHOWN and more...

Is there a better way to tackle this instead of just adding capabilities?