No introduction found. Create it?
Install with:
helm repo add gitlab https://charts.gitlab.io/
helm install gitlab-runner gitlab/gitlab-runner -f values.yamlSee examples from other people.
| Name | Repo | Stars | Version | Timestamp |
|---|---|---|---|---|
| gitlab-runner | pascaliske/infrastructure | 73 | 0.90.1 | 7 days ago |
See the most popular values for this chart:
| Key | Types |
|---|---|
gitlabUrl (6) https://gitlab.${SECRET_DOMAIN} | string |
rbac.create (5) true | boolean |
| boolean | |
rbac.rules[].apiGroups[] (1) - | string |
rbac.rules[].resources[] (1) - pods | string |
rbac.rules[].verbs[] (1) - get | string |
| number | |
| string | |
runners.config (3) [[runners]]
executor = "kubernetes"
# Keep job intake single-file so disk-heavy CI cannot pile onto the
# same NVMe/OSD and amplify Ceph/etcd latency or SMART temperature.
limit = 1
request_concurrency = 1
cache_dir = "/cache"
[runners.cache]
Type = "s3"
Path = "gitlab-runner"
Shared = true
[runners.cache.s3]
ServerAddress = "rook-ceph-rgw-gitlab-rgw.rook-ceph.svc:80"
BucketName = "gitlab-runner-cache"
BucketLocation = "us-east-1"
Insecure = true
# FF_* flags keep Kubernetes executor behavior safer and more
# diagnosable: entrypoint parity, pod event logging, token-free Git
# URLs, stricter Bash exit handling, script log sections, failed-cache
# cleanup, and predictable TLS-chain behavior.
# DOCKER_CONFIG: defense-in-depth default for Kaniko/Buildah jobs.
# The build pod runs as uid 1000 (PSS=restricted), but the kaniko
# image's /kaniko directory is root-owned 0755 — so writing Docker
# auth to the default /kaniko/.docker/config.json fails with
# `Permission denied` in step_script. /tmp is mounted as a
# writable emptyDir on every build pod, and kaniko's executor
# honors $DOCKER_CONFIG ahead of its /kaniko/.docker default.
environment = [
"FF_USE_FASTZIP=true",
"DOCKER_CONFIG=/tmp/.docker",
"FF_KUBERNETES_HONOR_ENTRYPOINT=true",
"FF_PRINT_POD_EVENTS=true",
"FF_GIT_URLS_WITHOUT_TOKENS=true",
"FF_ENABLE_BASH_EXIT_CODE_CHECK=true",
"FF_USE_NEW_BASH_EVAL_STRATEGY=true",
"FF_SCRIPT_SECTIONS=true",
"FF_CLEAN_UP_FAILED_CACHE_EXTRACT=true",
"FF_RESOLVE_FULL_TLS_CHAIN=false",
]
[runners.kubernetes]
namespace = "gitlab-runner"
image = "docker.io/library/alpine:3.20"
helper_image = ""
helper_image_flavor = "ubuntu"
# CI job images own their package database and often need root for
# setup (`apk add`, apt, cargo toolchain installs). Namespace PSA is
# baseline, and PolicyReports suppress this known CI surface only.
# Runner-set contexts below keep no-priv-esc + dropped caps.
privileged = false
poll_interval = 5
poll_timeout = 600
pod_termination_grace_period_seconds = 30
cleanup_resources_timeout = "10m"
# Cap job pods so bursty compile jobs cannot saturate the same
# NVMe backing Ceph + etcd. Scheduler also gets real requests
# instead of placing unbounded build/helper containers blind.
cpu_request = "500m"
cpu_limit = "1500m"
memory_request = "1Gi"
memory_limit = "4Gi"
ephemeral_storage_request = "2Gi"
ephemeral_storage_limit = "10Gi"
helper_cpu_request = "50m"
helper_cpu_limit = "250m"
helper_memory_request = "128Mi"
helper_memory_limit = "512Mi"
helper_ephemeral_storage_request = "256Mi"
helper_ephemeral_storage_limit = "1Gi"
print_pod_warning_events = true
service_account = "gitlab-runner"
allow_privilege_escalation = false
[runners.kubernetes.affinity]
[runners.kubernetes.affinity.node_affinity]
[runners.kubernetes.affinity.node_affinity.required_during_scheduling_ignored_during_execution]
[[runners.kubernetes.affinity.node_affinity.required_during_scheduling_ignored_during_execution.node_selector_terms]]
[[runners.kubernetes.affinity.node_affinity.required_during_scheduling_ignored_during_execution.node_selector_terms.match_expressions]]
key = "kubernetes.io/hostname"
operator = "NotIn"
values = ["k8s-ghost"]
[runners.kubernetes.pod_security_context]
fs_group = 1000
[runners.kubernetes.pod_security_context.seccomp_profile]
type = "RuntimeDefault"
[runners.kubernetes.build_container_security_context]
allow_privilege_escalation = false
read_only_root_filesystem = false
[runners.kubernetes.build_container_security_context.seccomp_profile]
type = "RuntimeDefault"
[runners.kubernetes.helper_container_security_context]
allow_privilege_escalation = false
read_only_root_filesystem = false
[runners.kubernetes.helper_container_security_context.capabilities]
drop = ["ALL"]
[runners.kubernetes.helper_container_security_context.seccomp_profile]
type = "RuntimeDefault"
# Auto-injected svc-* service containers (e.g. Redis, Postgres
# declared via `services:` in .gitlab-ci.yml) are job-owned images
# like the build container, so don't force a UID; baseline PSA lets
# them start while caps/no-priv-esc still apply.
[runners.kubernetes.service_container_security_context]
allow_privilege_escalation = false
read_only_root_filesystem = false
[runners.kubernetes.service_container_security_context.capabilities]
drop = ["ALL"]
[runners.kubernetes.service_container_security_context.seccomp_profile]
type = "RuntimeDefault"
# init-permissions defaults root; pin a non-root UID so kubelet admits it.
[runners.kubernetes.init_permissions_container_security_context]
allow_privilege_escalation = false
read_only_root_filesystem = true
run_as_non_root = true
run_as_user = 1000
[runners.kubernetes.init_permissions_container_security_context.capabilities]
drop = ["ALL"]
[runners.kubernetes.init_permissions_container_security_context.seccomp_profile]
type = "RuntimeDefault"
[[runners.kubernetes.volumes.empty_dir]]
name = "build-tmp"
mount_path = "/builds"
medium = ""
mount_propagation = "None"
[[runners.kubernetes.volumes.empty_dir]]
name = "tmp"
mount_path = "/tmp"
medium = ""
mount_propagation = "None"
[[runners.kubernetes.volumes.empty_dir]]
name = "cache"
mount_path = "/cache"
medium = ""
mount_propagation = "None"
[[runners.kubernetes.volumes.secret]]
name = "buildkit-client-certs"
mount_path = "/certs"
read_only = true
| string |
runners.secret (3) gitlab-runner-secret | string |
| string | |
runners.cache.secretName (1) gitlab-runner-cache-credentials | string |
runners.env.DOCKER_HOST (1) tcp://docker:2375 | string |
| string | |
runners.executor (1) kubernetes | string |
runners.imagePullPolicy (1) if-not-present | string |
runners.name (1) BB-8 | string |
runners.namespace (1) default | string |
| boolean | |
imagePullSecrets[].name (2) gitlab-registry-auth | string |
logLevel (2) info | string |
| boolean | |
| boolean | |
| number | |
| string | |
| string | |
| string | |
| string | |
| string | |
| boolean | |
| boolean | |
| number | |
extraEnv.HOME (1) /home/gitlab-runner | string |
fullnameOverride (1) gitlab-runner | string |
imagePullPolicy (1) IfNotPresent | string |
logFormat (1) json | string |
| string | |
| string | |
| number | |
podSecurityContext.fsGroupChangePolicy (1) OnRootMismatch | string |
| boolean | |
| number | |
secrets[].name (1) gitlab-runner-token | string |
| boolean | |
| string | |
| boolean | |
| boolean | |
securityContext.seccompProfile.type (1) RuntimeDefault | string |
sentryDsn (1) ${SENTRY_DSN_LEGACY} | string |
| boolean | |
serviceAccount.imagePullSecrets[] (1) - gitlab-registry-auth | string |
serviceAccount.name (1) gitlab-runner | string |
| number | |
| number | |
strategy.type (1) RollingUpdate | string |
| string | |
| string | |
| string |