defenseunicorns · Racer159 · Dec 11, 2024 · Dec 9, 2024 · Dec 10, 2024 · Dec 10, 2024
@@ -27,7 +27,7 @@ spec:
         port: 443
         description: "UDS Tenant Gateway Services"
 
-    {{- range .Values.customSandbox }}
+    {{- range .Values.kubernetesSandbox.additionalNetworkAllow }}
       - direction: {{ .direction }}
         selector:
           {{ .selector | toYaml | nindent 10 }}

@@ -50,7 +50,7 @@ spec:
     {{- end }}
 
       # Custom rules for unanticipated scenarios
-    {{- range .Values.custom }}
+    {{- range .Values.additionalNetworkAllow }}
       - direction: {{ .direction }}
         selector:
           {{ .selector | toYaml | nindent 10 }}

@@ -17,11 +17,21 @@ enableSecurityCapabilities: false
 
 pluginRegistryImage: ghcr.io/defenseunicorns/uds-package-gitlab-runner/gitlab-runner-plugins:latest
 
-custom: []
-  # - direction: Egress
-  #   remoteGenerated: Anywhere
-  #   description: "Egress from to external GitLab"
-customSandbox: []
+additionalNetworkAllow: []
   # - direction: Egress
   #   remoteGenerated: Anywhere
   #   description: "Egress from to external GitLab"
+
+kubernetesSandbox:
+  namespace: "###ZARF_VAR_RUNNER_SANDBOX_NAMESPACE###"
+
+  # whether to have the Zarf Agent ignore the sandbox namespace
+  zarfIgnore: true
+
+  # whether to allow securityContext capabilities like SET_UID/SET_GID in the sandbox: https://github.com/defenseunicorns/uds-package-gitlab-runner/blob/main/docs/configuration.md#allow-setuid-and-setgid-security-capabilities
+  enableSecurityExceptions: false
+
+  additionalNetworkAllow: []
+    # - direction: Egress
+    #   remoteGenerated: Anywhere
+    #   description: "Egress from to external GitLab"
@@ -18,8 +18,8 @@ sysctl -w user.max_user_namespaces=30110
 
 Network policies are controlled via the `uds-gitlab-runner-config` chart in accordance with the [common patterns for networking within UDS Software Factory](https://github.com/defenseunicorns/uds-software-factory/blob/main/docs/networking.md).  Because GitLab runners do not interact with external resources like databases or object storage they only implement `custom` networking for both the runner namespace and the runner sandbox namespace:
 
-- `custom`: sets custom network policies for the GitLab runner namespace - note this is _not_ where jobs run and is the orchestration side of the GitLab runner deployment.
-- `customSandbox`: sets custom network policies for the GitLab runner sandbox namespace - this is where jobs will execute and can be used to allow them to access external services.
+- `additionalNetworkAllow`: sets custom network policies for the GitLab runner namespace - note this is _not_ where jobs run and is the orchestration side of the GitLab runner deployment.
+- `additionalNetworkAllowSandbox`: sets custom network policies for the GitLab runner sandbox namespace - this is where jobs will execute and can be used to allow them to access external services.
 
 ## Runner