gitea runner improvements

infrastructure/gitea/actions.deployment.yaml

@@ -12,6 +12,7 @@ spec:
         app: actions-runner
     spec:
       hostname: kube-runner
+      serviceAccountName: actions-runner
       containers:
       - name: actions-runner
         image: actions-runner
@@ -29,3 +30,10 @@ spec:
               key: runner-token
         - name: GITEA_RUNNER_LABELS
           value: k8s
+        volumeMounts:
+        - name: runner-data
+          mountPath: /data
+      volumes:
+      - name: runner-data
+        emptyDir: {}
+

infrastructure/gitea/actions.rbac.yaml

@@ -0,0 +1,38 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: actions-runner
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: actions-role
+rules:
+- apiGroups: [""]
+  resources: ["pods"]
+  verbs: ["get", "list", "create", "delete"]
+- apiGroups: [""]
+  resources: ["pods/exec"]
+  verbs: ["get", "create"]
+- apiGroups: [""]
+  resources: ["pods/log"]
+  verbs: ["get", "list", "watch",]
+- apiGroups: ["batch"]
+  resources: ["jobs"]
+  verbs: ["get", "list", "create", "delete"]
+- apiGroups: [""]
+  resources: ["secrets"]
+  verbs: ["get", "list", "create", "delete"]
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: actions-role-binding
+subjects:
+- kind: ServiceAccount
+  name: actions-runner
+  apiGroup: ""
+roleRef:
+  kind: Role
+  name: actions-role
+  apiGroup: rbac.authorization.k8s.io

infrastructure/gitea/kustomization.yaml

@@ -10,6 +10,8 @@ resources:
   - drone-server.sealedsecret.yaml
   - actions.deployment.yaml
   - actions.sealedsecret.yaml
+  - actions.rbac.yaml
+
 
 namespace: gitea