
Gitlab Runner on OCP

A quick and dirty guide for making the GitLab Runner work on OCP (OpenShift Container Platform). This is probably not what you want for your production environment: it grants the runner service account the `privileged` SCC, runs the runner itself as root, and runs every CI job in a privileged container, so anyone who can push a pipeline to a project using this runner effectively gets root on the cluster nodes.

Step 1 | Setup namespace and RBAC

# Dedicated project/namespace for the runner manager pod and its job pods.
oc new-project gitlab-runner
# Namespaced RBAC only: the Role below is scoped to the gitlab-runner
# namespace, which is where the kubernetes executor is told to create job pods
# (see [runners.kubernetes] namespace in Step 4).
oc apply -f - <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  name: gitlab-runner
  namespace: gitlab-runner
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: gitlab-runner
  namespace: gitlab-runner
rules:
# pods/exec is how the executor runs job scripts inside the job pod; secrets
# covers the Secrets the executor creates for job credentials. Note that this
# also lets the runner SA read every Secret in the namespace, including the
# token Secret created in Step 2. NOTE(review): the exact verb set the
# executor needs depends on the runner version (patch/update may be required) -
# confirm against the kubernetes executor docs for the version you deploy.
- apiGroups: [""]
  resources: ["pods", "pods/exec", "pods/log", "secrets"]
  verbs: ["list", "get", "watch", "create", "delete"]
---
# Bind the Role to the runner's own ServiceAccount only; job pods will run
# under the namespace's default ServiceAccount unless config.toml says otherwise.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: gitlab-runner
  namespace: gitlab-runner
subjects:
- kind: ServiceAccount
  name: gitlab-runner
  namespace: gitlab-runner
roleRef:
  kind: Role
  name: gitlab-runner
  apiGroup: rbac.authorization.k8s.io
EOF

Step 2 | Create secrets

Note

REPLACE YOUR TOKEN! The value must be the runner's *authentication* token, i.e. the one that ends up as `token` under `[[runners]]` in config.toml (Step 4), not a project/group registration token used with `gitlab-runner register`. Treat it as a credential: whoever holds it can pick up jobs, and with them the CI variables and secrets, for every project this runner serves.

# Store the runner token as a Kubernetes Secret in the runner namespace.
# Anyone with "get secrets" in gitlab-runner (the runner SA from Step 1, plus
# namespace admins) can read it back in clear text, and --from-literal leaves
# the token in your shell history; --from-file from a mode-0600 file avoids
# the latter.
oc --namespace=gitlab-runner create secret generic gitlab-runner-secret \
    --from-literal="runner-registration-token=YOUR_REGISTRATION_TOKEN"

Step 3 | Apply SCCs

# The privileged SCC lets pods using this ServiceAccount run privileged
# containers as root with host access - effectively node root for the runner
# pod and, via privileged = true in Step 4, for every job it launches.
# privileged already permits any uid (RunAsAny), so anyuid adds nothing on top
# of it; it is kept here only to match the original quick-and-dirty setup.
oc adm policy add-scc-to-user privileged --serviceaccount=gitlab-runner --namespace=gitlab-runner
oc adm policy add-scc-to-user anyuid --serviceaccount=gitlab-runner --namespace=gitlab-runner

Step 4 | Deploy runner

Note

REPLACE YOUR TOKEN!

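# Outer heredoc delimiter is quoted so ${RUNNER_TOKEN} below reaches the
# container script untouched instead of being expanded (to nothing) by the
# shell you run this from.
oc apply -f - <<'EOF'
apiVersion: apps/v1
kind: Deployment
metadata:
  name: gitlab-runner
  namespace: gitlab-runner
spec:
  replicas: 1
  selector:
    matchLabels:
      app: gitlab-runner
  template:
    metadata:
      labels:
        app: gitlab-runner
    spec:
      serviceAccountName: gitlab-runner
      # Runs as root; admitted by the privileged/anyuid SCCs granted in Step 3.
      securityContext:
        runAsUser: 0
        fsGroup: 0
      containers:
      - name: gitlab-runner
        # NOTE(review): a floating tag is neither reproducible nor auditable;
        # pin to a specific version tag or image digest for anything beyond a demo.
        image: gitlab/gitlab-runner:latest
        env:
        # The runner token comes from the Secret created in Step 2 instead of
        # being pasted into this manifest (which would otherwise end up in git
        # history and in "oc get deployment -o yaml" output).
        - name: RUNNER_TOKEN
          valueFrom:
            secretKeyRef:
              name: gitlab-runner-secret
              key: runner-registration-token
        command:
        - /bin/bash
        - -c
        - |
          set -euo pipefail
          # config.toml holds the runner token: create it 0600.
          umask 077
          mkdir -p /etc/gitlab-runner
          # Unquoted delimiter so ${RUNNER_TOKEN} is substituted from the env
          # var injected by the secretKeyRef above.
          cat > /etc/gitlab-runner/config.toml << TOML
          concurrent = 10
          check_interval = 0
          [session_server]
            session_timeout = 1800
          [[runners]]
            name = "openshift-runner"
            url = "https://gitlab.example.com"
            token = "${RUNNER_TOKEN}"
            executor = "kubernetes"
            [runners.kubernetes]
              namespace = "gitlab-runner"
              image = "alpine:latest"
              # privileged job pods run as root with host access: any user who
              # can push a pipeline to a project served by this runner can
              # take over the node. Only keep this for throwaway clusters.
              privileged = true
          TOML
          exec gitlab-runner run
        securityContext:
          runAsUser: 0
          allowPrivilegeEscalation: true
        volumeMounts:
        - name: config
          mountPath: /etc/gitlab-runner
      volumes:
      # Config is regenerated on every start, so an emptyDir is enough.
      - name: config
        emptyDir: {}
EOF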