Using the GitLab Runner chart

The GitLab Runner subchart provides a GitLab Runner for running CI jobs. It is enabled by default and should work out of the box with support for caching using s3 compatible object storage.


This chart depends on the shared-secrets subchart to populate its registrationToken for automatic registration. If you intend to run this chart as a stand-alone chart with an existing GitLab instance then you will need to manually set the registrationToken in the gitlab-runner secret to be equal to that displayed by the running GitLab instance.


There are no required settings, it should work out of the box if you deploy all of the charts together.

Deploying a stand-alone runner

By default we do infer gitlabUrl, automatically generate a registration token, and generate it through the migrations chart. This behaviour will not work if you intend to deploy it with a running GitLab instance.

In this case you will need to set gitlabUrl value to be the url of the running GitLab instance. You will also need to manually create gitlab-runner secret and fill it with the registrationToken provided by the running GitLab.

Using docker-in-docker

In order to run docker-in-docker, the runner container needs to be privileged to have access to the needed capabilities. To enable it set the privileged value to true. See the upstream documentation in regards to why this is does not default to true.

Security concerns

Privileged containers have extended capabilities, for example they can mount arbitrary files from the host they run on. Make sure to run the container in an isolated environment such that nothing important runs beside it.

Installation command line options

gitlab-runner.imageRunner imagegitlab/gitlab-runner:alpine-v10.5.0
gitlab-runner.installInstall the gitlab-runner charttrue
gitlab-runner.imagePullPolicyImage pull policyIfNotPresent
gitlab-runner.init.image.repositoryinitContainer image 
gitlab-runner.init.image.taginitContainer image tag 
gitlab-runner.pullSecretsSecrets for the image repository 
gitlab-runner.unregisterRunnersUnregister all runners before terminationtrue
gitlab-runner.concurrentNumber of concurrent jobs20
gitlab-runner.checkIntervalPolling interval30s
gitlab-runner.rbac.createWhether to create rbac service accounttrue
gitlab-runner.rbac.clusterWideAccessDeploy containers of jobs cluster-widefalse
gitlab-runner.rbac.serviceAccountNameName of the rbac service account to createdefault
gitlab-runner.runners.imageDefault container image to use in buildsubuntu:16.04
gitlab-runner.runners.privilegedRun in privileged mode, needed for dindfalse
gitlab-runner.runners.namespaceNamespace to run jobs indefault
gitlab-runner.runners.cache.cacheTypeCache types3
gitlab-runner.runners.cache.s3BucketNameName of the bucketrunner-cache
gitlab-runner.runners.cache.cacheSharedShare the cache between runnerstrue
gitlab-runner.runners.cache.s3BucketLocationBucket regionus-east-1
gitlab-runner.runners.cache.secretNameSecret to access key and secretkey fromgitlab-minio
gitlab-runner.runners.cache.s3CachePathPath in the bucketgitlab-runner
gitlab-runner.runners.cache.s3CacheInsecureUse httpfalse
gitlab-runner.runners.builds.cpuLimitBuild container cpu limit 
gitlab-runner.runners.builds.memoryLimitBuild container memory limit 
gitlab-runner.runners.builds.cpuRequestsBuild container requested cpu 
gitlab-runner.runners.builds.memoryRequestsBuild container requested memory 
gitlab-runner.runners.service.cpuLimitService container cpu limit 
gitlab-runner.runners.service.memoryLimitService container memory limit 
gitlab-runner.runners.service.cpuRequestsService container requested cpu 
gitlab-runner.runners.service.memoryRequestsService container requested memory 
gitlab-runner.resources.limits.cpuRunner cpu limit 
gitlab-runner.resources.limits.memoryRunner memory limit 
gitlab-runner.resources.requests.cpuRunner requested cpu 
gitlab-runner.resources.requests.memoryRunner requested memory 

Chart configuration examples


pullSecrets allow you to authenticate to a private registry to pull images for a pod.

Additional details about private registries and their authentication methods can be found in the Kubernetes documentation.

Below is an example use of pullSecrets

image: my.runner.repository
imagePullPolicy: Always
- name: my-secret-name
- name: my-secondary-secret-name