Privileged workflows using KubeVirt

[chriscarpenter12]

There's been a few issues/discussions opened about privileged workflows being ran and how to best isolate them. Some suggesting Sysbox using a new RuntimeClassName, but this doesn't really work for those running on a platform like OpenShift. Currently the two supported modes with ARC are dind and k8s. Without either being run with privileged: true it's not possible to take a workflow that runs in GitHub Actions cloud using sudo or apt for dependency installation and run it here. Having privileged enabled on the pods is a no-go in a lot of environments (including ours).

With the introduction of Hooks could a new mode be created to support running an isolated workflow using KubeVirt?

I've done some minimal testing and it's possible to create a VirtualMachineInstance using an ephemeral qcow2 containerdisk created with Packer the same way the cloud runner-images are created for Azure.

I think it really comes down to coordination of the management of the jobs. Should the the runner pod that executes the hook be responsible for dispatching each step script similar to how it does in the k8s mode or could the EphemeralRunner spawn a VirtualMachineInstance directly that has the runner preinstalled?

With running an ephemeral VM it would also allow ARC to support Windows workloads as well.

[simonjohansson]

Being able to spawn VirtualMachineInstance would be amazing!