Conversation

@derek-etherton-opslevel (Contributor) commented Dec 10, 2025

Test plan

  1. cd src -> go build -o /tmp/opslevel-runner-local
  2. Update OpsLevel .opslevel-runner.env.local to have OPSLEVEL_RUNNER_PATH=/tmp/opslevel-runner-local
  3. pull down the corresponding OpsLevel branch
  4. restart ./bin/dev-server
  5. kick off a job

Changelog

  • List your changes here
  • Make a changie entry

Tophatting

src/pkg/k8s.go Outdated
}

func isCodingAgentJob(job opslevel.RunnerJob) bool {
return strings.Contains(job.Image, "coding-agent")
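Review bot: `strings.Contains(job.Image, "coding-agent")` is a substring test, so any image reference that happens to contain that string anywhere in the registry path, repository name or tag would receive the privileged security context, and this check is the only gate on it; compare against the exact pinned image reference instead (which the follow-up comment on this thread already proposes), or better, drive the decision from explicit runner configuration rather than from the job's image string.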
@derek-etherton-opslevel (Contributor, Author) Dec 10, 2025

Think I'm going to set this to the exact image name/version before pushing up. So that our release sequence will be:

  1. Merge opslevel-containers MR with new image
  2. update this branch to have that exact image name, then merge this
    a. At this stage, runner behaviour is unchanged for existing opslevel codebase
  3. Now bump the image in OpsLevel monolith - then runner will run it with privileges
    a. we can test on staging at this point
  4. Circle back and change this opslevel-runner check back to coding-agent more generically

Basically want to avoid the current non-containerized version running in privileged mode. Open to other ideas!

@derek-etherton-opslevel derek-etherton-opslevel force-pushed the 14161-coding-agent-permissions branch from f0c5be1 to 5f6d11a Compare December 10, 2025 15:15
var containerSecurityContext *corev1.SecurityContext
if isCodingAgent {
// Coding agent jobs need privileged mode for creating containers within container
privileged := true
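Review bot: `privileged := true` removes essentially all of the container's isolation from the node (host devices, the full kernel capability set, and a straightforward path to the host filesystem), and the egress NetworkPolicy cited later in this thread constrains network traffic only, not that host access; the `isCodingAgent` gate should therefore be an operator-controlled setting rather than something derived from the job payload, and the comment on this line should record why full privileged mode is required rather than a narrower setting.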
Contributor Author

We have an existing network policy for runner-jobs blocking egress to internal networks: https://gitlab.com/jklabsinc/opslevel-kubernetes/-/tree/main/clusters/new-prod-runners/runner-jobs?ref_type=heads

@derek-etherton-opslevel derek-etherton-opslevel force-pushed the 14161-coding-agent-permissions branch from 1e28d55 to 0bce102 Compare December 10, 2025 17:22
rootCmd.PersistentFlags().String("job-pod-workdir", "/jobs", "The job pod working directory.")
rootCmd.PersistentFlags().Int("job-pod-log-max-interval", 30, "The max amount of time between when pod logs are shipped to OpsLevel. Works in tandem with 'job-pod-log-max-size'")
rootCmd.PersistentFlags().Int("job-pod-log-max-size", 1000000, "The max amount in bytes to buffer before pod logs are shipped to OpsLevel. Works in tandem with 'job-pod-log-max-interval'")
rootCmd.PersistentFlags().Bool("job-agent-mode", false, "Enable agent mode with privileged security context for Container-in-Container support. WARNING: This grants elevated privileges and should only be enabled for trusted workloads.")
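Review bot: because `job-agent-mode` is a persistent flag on `rootCmd`, enabling it applies the privileged security context to every job pod this runner launches, not to a particular job; the help text should state that scope explicitly so an operator does not read "agent mode" as per-job. Separately, `job-pod-log-max-interval` two lines above still gives no unit in its description ("The max amount of time"): say seconds, or whatever the value is interpreted as.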
@derek-etherton-opslevel (Contributor, Author) Dec 10, 2025

now that we're using a job arg, we can be oober confident that nothing will use this mode until we explicitly add it to opslevel-kubernetes 👍

so sequencing will be:

  1. ship new image to ECR (done)
  2. ship this PR - no effect since flag isn't used
  3. Test on staging, then ship the OpsLevel MR
  4. Once changes are live, fast follow with an opslevel-kubernetes MR adding the --job-agent-mode flag
    a. since the feature isn't "on" yet we can get away with this teeny gap.
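An added example, not code from the opslevel-runner PR or the project: a Go sketch of the gate this thread converges on, where the privileged security context is handed out only when an operator flag is set and every other job gets a restrictive default. It adds an exact-image allowlist as a second condition, which is an assumption of this example and not something the PR does, and `SecurityContext` is a local stand-in for the relevant fields of `corev1.SecurityContext` so the example runs with the standard library alone.

```go
package main

import (
	"errors"
	"fmt"
)

// SecurityContext is a stand-in for the fields of corev1.SecurityContext
// (k8s.io/api/core/v1) that matter here; the real type is not imported so
// this example builds with the standard library alone (assumption).
type SecurityContext struct {
	Privileged               *bool
	RunAsNonRoot             *bool
	AllowPrivilegeEscalation *bool
	DropCapabilities         []string
}

func boolPtr(b bool) *bool { return &b }

// restrictiveContext is what every job pod receives unless agent mode is on:
// non-root, no privilege escalation, all Linux capabilities dropped.
func restrictiveContext() *SecurityContext {
	return &SecurityContext{
		Privileged:               boolPtr(false),
		RunAsNonRoot:             boolPtr(true),
		AllowPrivilegeEscalation: boolPtr(false),
		DropCapabilities:         []string{"ALL"},
	}
}

// privilegedContext is what container-in-container needs; it is only ever
// produced by SecurityContextFor below.
func privilegedContext() *SecurityContext {
	return &SecurityContext{Privileged: boolPtr(true)}
}

// AgentModeConfig holds the operator-controlled inputs: the equivalent of the
// --job-agent-mode flag, plus the exact image reference allowed to run
// privileged (the allowlist is this example's assumption, not the PR's).
type AgentModeConfig struct {
	Enabled      bool
	AllowedImage string
}

// SecurityContextFor decides which context a job pod gets. Privileged is
// granted only when the flag is on AND the job image exactly matches the
// configured reference; any mismatch falls back to the restrictive context,
// and an enabled flag without a configured image is treated as a
// misconfiguration rather than silently granting privilege.
func SecurityContextFor(cfg AgentModeConfig, jobImage string) (*SecurityContext, error) {
	if !cfg.Enabled {
		return restrictiveContext(), nil
	}
	if cfg.AllowedImage == "" {
		return nil, errors.New("agent mode enabled but no allowed image configured")
	}
	if jobImage != cfg.AllowedImage {
		// Exact comparison: a substring match on "coding-agent" would also
		// accept unrelated references that merely contain that string.
		return restrictiveContext(), nil
	}
	return privilegedContext(), nil
}

// IsPrivileged reports whether a context grants privileged mode.
func IsPrivileged(sc *SecurityContext) bool {
	return sc != nil && sc.Privileged != nil && *sc.Privileged
}

func main() {
	// Constructed sample inputs; the registry and tags are placeholders.
	cfg := AgentModeConfig{Enabled: true, AllowedImage: "registry.example/coding-agent:1.2.3"}
	for _, img := range []string{
		"registry.example/coding-agent:1.2.3",
		"registry.example/coding-agent:latest",
		"other.example/coding-agent-tool:1.2.3",
	} {
		sc, err := SecurityContextFor(cfg, img)
		fmt.Printf("%-42s privileged=%v err=%v\n", img, IsPrivileged(sc), err)
	}
}
```

The second and third sample images both contain the string "coding-agent" and would have passed the original substring check; with exact matching only the pinned reference runs privileged, and turning the flag off returns the restrictive context for every image.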

@derek-etherton-opslevel derek-etherton-opslevel changed the title Add privileged security context for coding-agent jobs Add new job-agent-mode flag for container-in-container management Dec 10, 2025
@derek-etherton-opslevel derek-etherton-opslevel changed the title Add new job-agent-mode flag for container-in-container management Add new job-agent-mode flag Dec 10, 2025
@derek-etherton-opslevel derek-etherton-opslevel merged commit 5eb0b0b into main Dec 10, 2025
4 checks passed
@derek-etherton-opslevel derek-etherton-opslevel deleted the 14161-coding-agent-permissions branch December 10, 2025 17:47