Adding container security features on pods generated by a kubernetes gitlab runner?

Problem to solve

I am testing deploying a gitlab runner to a hardened kubernetes cluster. I am trying to use the pod_spec, but the containers being created still aren't being allowed. So I am trying to figure out what is wrong with my YAML.

Steps to reproduce

Follow the documentation, add values under "container: " but they don't seem to make it to the pod.

Configuration

Currently, I have the default CI/CD file that is just running echo. Currently I am just trying to get past the container runner.

Versions

Please select whether options apply, and add the version information.

  • [ X ] Self-managed
  • [ ] GitLab.com SaaS
  • [ X ] Self-hosted Runners

Versions
- Runner is the latest via a Helm chart. I will check on the GitLab self-hosted version. It is usually kept very up to date.

Helpful resources

My YAML section for the runner:

runners:
    secret: gitlab-runner-secret
    config: |
        [[runners]]
          name = "gitlab-runner-fips"
          [runners.kubernetes]
            image = "registry.access.redhat.com/ubi9:latest"
            helper_image_flavor = "ubi-fips"
            [[runners.kubernetes.pod_spec]]
              name = "security"
              patch = '''
                containers:
                  securityContext:
                  allowPrivilegeEscalation: false
                  capabilities:
                    drop:
                      - ALL
                  privileged: false
                  runAsNonRoot: true
                  seccompProfile:
                    type: RuntimeDefault
              '''
              patch_type = "merge"

And here is the log/output from the gitlab runner trying to create the pod

ERROR: Job failed (system failure): prepare environment: setting up build pod: pods "runner-icbeh7t1v-project-27524-concurrent-0-6bwxl8qt" is forbidden: violates PodSecurity "restricted:latest": seLinuxOptions (pod set forbidden securityContext.seLinuxOptions: type "RunTimeDefault"), allowPrivilegeEscalation != false (containers "init-permissions", "build", "helper" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (containers "init-permissions", "build", "helper" must set securityContext.capabilities.drop=["ALL"]), seccompProfile (pod or containers "init-permissions", "build", "helper" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost"). Check https://docs.gitlab.com/runner/shells/index.html#shell-profile-loading for more information
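As an added illustration (not code from this thread or from GitLab Runner), here is a Python pre-check that applies a pod_spec patch with the RFC 7386 JSON-merge semantics that patch_type = "merge" uses, then runs the four restricted-policy checks quoted in the error above over every container. The sample PodSpec and the container names are constructed to match the error; the patch constant is the question's YAML as a parser would load it.

```python
import copy

# Constructed sample PodSpec shaped like the pod in the error message (init
# container plus "build" and "helper"), with no securityContext set anywhere.
SAMPLE_POD_SPEC = {
    "securityContext": {},
    "initContainers": [{"name": "init-permissions"}],
    "containers": [{"name": "build"}, {"name": "helper"}],
}

# The patch from the question as parsed YAML: 'containers' is a map, not a list.
QUESTION_PATCH = {"containers": {"securityContext": {
    "allowPrivilegeEscalation": False, "capabilities": {"drop": ["ALL"]},
    "privileged": False, "runAsNonRoot": True,
    "seccompProfile": {"type": "RuntimeDefault"}}}}

def merge_patch(target, patch):
    """RFC 7386 JSON merge patch (patch_type = "merge"): maps merge
    recursively, lists and scalars are replaced wholesale, null deletes."""
    if not isinstance(patch, dict):
        return copy.deepcopy(patch)
    result = copy.deepcopy(target) if isinstance(target, dict) else {}
    for key, value in patch.items():
        if value is None:
            result.pop(key, None)
        else:
            result[key] = merge_patch(result.get(key), value)
    return result

def restricted_violations(pod_spec):
    """The four 'restricted:latest' checks named in the error, applied to each
    container; an empty list means this pre-check would admit the pod."""
    pod_sc = pod_spec.get("securityContext") or {}
    containers = pod_spec.get("containers")
    if not isinstance(containers, list):
        return ["containers is not a list: the merge patch replaced it"]
    problems = []
    for c in containers + (pod_spec.get("initContainers") or []):
        name, sc = c.get("name", "?"), c.get("securityContext") or {}
        if sc.get("allowPrivilegeEscalation") is not False:
            problems.append(f"{name}: allowPrivilegeEscalation must be false")
        if "ALL" not in ((sc.get("capabilities") or {}).get("drop") or []):
            problems.append(f"{name}: capabilities.drop must include ALL")
        seccomp = sc.get("seccompProfile") or pod_sc.get("seccompProfile") or {}
        if seccomp.get("type") not in ("RuntimeDefault", "Localhost"):
            problems.append(f"{name}: seccompProfile.type must be RuntimeDefault/Localhost")
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            problems.append(f"{name}: runAsNonRoot must be true")
    return problems
```

Running `restricted_violations(merge_patch(SAMPLE_POD_SPEC, QUESTION_PATCH))` shows the real failure mode: a merge patch on `containers` replaces the list with a map, so the per-container fields never reach "build", "helper" or "init-permissions"; only pod-level `securityContext` keys (seccompProfile, runAsNonRoot) survive a merge patch, while allowPrivilegeEscalation and capabilities.drop must be set on each container.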

I’m stumbling on the same issue! Do you remember what you did to fix it please?

For future travellers, this is what ended up working for me:
envVars:
  - name: FF_USE_ADVANCED_POD_SPEC_CONFIGURATION
    value: "true"
  - name: FF_RETRIEVE_POD_WARNING_EVENTS
    value: "true"
  - name: FF_PRINT_POD_EVENTS
    value: "true"
runners:
  privileged: true
  config: |
    [runners.feature_flags]
      FF_USE_ADVANCED_POD_SPEC_CONFIGURATION = true