The Buildah/Podman Actions Runner extends the base runner to include Buildah, Podman, and the dependencies they need to run in a rootless, containerized environment.
For an OpenShift pod to run Buildah and Podman, the user or ServiceAccount that deploys the pod must be allowed to use the anyuid SecurityContextConstraint (SCC). The default restricted SCC assigns the pod an arbitrary UID, which does not match the user the runner image is built for and breaks rootless container operation.
Buildah has a very good tutorial detailing how to run buildah in OpenShift.
You can also refer to the OpenShift documentation Managing Security Context Constraints, and this blog post.
Rather than granting the SCC to a user account, deploy the pod with a dedicated ServiceAccount that holds only the required permission. A cluster administrator must run:
# Create the ServiceAccount (if needed). Note the indentation: name is a child of metadata.
$ oc create -f - <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  name: buildah-sa
EOF
serviceaccount/buildah-sa created

# Give the ServiceAccount permission to deploy with the anyuid SCC.
# -z resolves the ServiceAccount in the current project; add -n <namespace> to be explicit.
$ oc adm policy add-scc-to-user anyuid -z buildah-sa
Then, when installing the runners with the Helm chart, pass --set serviceAccountName=buildah-sa so the runner pods are created under that ServiceAccount.
Alternatively, an administrator can grant the SCC to a specific user. This is broader than a dedicated ServiceAccount, since every pod that user creates can then use anyuid:
oc adm policy add-scc-to-user anyuid <user>
podman run does not work unless the pod is created with the privileged SCC. If you need podman run, run the oc adm policy commands above but substitute privileged for anyuid.
The privileged SCC lifts nearly all pod restrictions (root, privileged containers, host namespaces, host path volumes), so it is effectively node-level access. Grant it only to a dedicated ServiceAccount in the namespace that needs it, and only when buildah or podman build is not sufficient.
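As an added example (not code from this page or from the runner project), the procedure described above in one script: it creates the dedicated ServiceAccount, grants it the anyuid SCC, or privileged when podman run is required, checks the SCC's users list for the grant before going further, and installs the runners with the Helm chart using that ServiceAccount. The oc and helm commands are real; the namespace, the Helm release name, the DRY_RUN switch and the chart reference in CHART are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the runner project or the page it documents.
# Creates a dedicated ServiceAccount, grants it the SCC the Buildah/Podman
# runner needs, verifies the grant, then installs the runners with that SA.
# Assumes `oc` is logged in as a cluster administrator and `helm` is on PATH.
# The namespace, the release name "buildah-runner" and the CHART reference
# are placeholders (assumptions), not values taken from the page.
set -eu

CHART="${CHART:-./openshift-actions-runner-chart}"   # assumption: chart path or name

# Set DRY_RUN=1 to print the cluster-changing commands instead of running them,
# so the script can be reviewed (or tested) without a cluster.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Least privilege: anyuid is enough for buildah and `podman build`; only
# `podman run` needs the privileged SCC.
scc_for() {   # build|run
  case "$1" in
    build) echo anyuid ;;
    run)   echo privileged ;;
    *)     echo "scc_for: expected 'build' or 'run', got '$1'" >&2; return 1 ;;
  esac
}

# SCC user entries have the form system:serviceaccount:<namespace>:<name>, so
# the grant is namespace-specific: pass -n explicitly instead of relying on
# whatever the current project happens to be.
sa_subject() {   # namespace serviceaccount
  printf 'system:serviceaccount:%s:%s' "$1" "$2"
}

grant_scc() {   # namespace serviceaccount scc
  # `oc create serviceaccount` fails if the SA already exists; drop that line then.
  run oc create serviceaccount "$2" -n "$1"
  run oc adm policy add-scc-to-user "$3" -z "$2" -n "$1"
}

# Confirm the subject really landed in the SCC's users list before installing.
# Skipped under DRY_RUN because there is no cluster to ask.
verify_scc() {   # namespace serviceaccount scc
  if [ "${DRY_RUN:-0}" = "1" ]; then
    return 0
  fi
  oc get scc "$3" -o jsonpath='{.users}' | grep -q "$(sa_subject "$1" "$2")"
}

install_runners() {   # namespace serviceaccount
  run helm install buildah-runner "$CHART" -n "$1" --set serviceAccountName="$2"
}

main() {   # namespace build|run
  scc="$(scc_for "$2")"
  grant_scc "$1" buildah-sa "$scc"
  verify_scc "$1" buildah-sa "$scc"
  install_runners "$1" buildah-sa
}

# Usage: sh grant-runner-scc.sh <namespace> <build|run>   (DRY_RUN=1 to preview)
if [ "$#" -eq 2 ]; then
  main "$1" "$2"
fi
```

Run it once with DRY_RUN=1 to review exactly which SCC is being granted to which subject; the verify step is the check that matters, because add-scc-to-user run in the wrong project silently grants the SCC to a different ServiceAccount subject than the one your Helm release uses.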