Gitlab Runner 14+ causing 403 Forbidden

I’m trying to upgrade our current GitLab Runner v13.12.0, but anything newer has problems with pulling images to GKE via Helm, failing with Back-off pulling image "registry.gitlab.com/gitlab-org/gitlab-runner:alpine-v15.11.0". When I do a Rolling Update to GKE it will deploy, but then GitLab Runner fails with the error:

WARNING: Failed to pull image with policy "": image pull failed: rpc error: code = Unknown desc = failed to pull and unpack image "registry.gitlab.com/gitlab-org/gitlab-runner/gitlab-runner-helper:x86_64-436955cb": failed to copy: httpReadSeeker: failed open: unexpected status code https://registry.gitlab.com/v2/gitlab-org/gitlab-runner/gitlab-runner-helper/blobs/sha256:dfebf217e55d1149dc06181e67f12869a1851668b2a3b2186eeb638f01a5ab36: 403 Forbidden

ERROR: Job failed: prepare environment: waiting for pod running: pulling image "registry.gitlab.com/gitlab-org/gitlab-runner/gitlab-runner-helper:x86_64-436955cb": image pull failed: rpc error: code = Unknown desc = failed to pull and unpack image "registry.gitlab.com/gitlab-org/gitlab-runner/gitlab-runner-helper:x86_64-436955cb": failed to copy: httpReadSeeker: failed open: unexpected status code https://registry.gitlab.com/v2/gitlab-org/gitlab-runner/gitlab-runner-helper/blobs/sha256:dfebf217e55d1149dc06181e67f12869a1851668b2a3b2186eeb638f01a5ab36: 403 Forbidden. Check https://docs.gitlab.com/runner/shells/index.html#shell-profile-loading for more information

Any thoughts?

The image you’re trying to deploy does not exist in the registry anymore. OR better said - the layer of gitlab-runner-helper does not exist anymore. Try using another (newer) version of the image.

Actually… since it’s gitlab-runner-helper image, I assume this is not a base image of gitlab-runner image… So try using a newer version of the chart. The currently latest one (as of 15.12.2023) is 0.59.2.
I’ve looked at the Helm chart source, and there’s no mention of gitlab-runner-helper, so I can only assume the k8s manifests that are deployed for each job are present in the gitlab-runner source, not in the Helm chart.

Correct - it comes from gitlab-runner image.

On the other hand, for

Back-off pulling image "registry.gitlab.com/gitlab-org/gitlab-runner:alpine-v15.11.0"

it shows it is on the repo list:

NAME                	CHART VERSION	APP VERSION	DESCRIPTION
gitlab/gitlab-runner	0.59.2       	16.6.1     	GitLab Runner
gitlab/gitlab-runner	0.59.1       	16.6.0     	GitLab Runner
gitlab/gitlab-runner	0.59.0       	16.6.0     	GitLab Runner
gitlab/gitlab-runner	0.58.2       	16.5.0     	GitLab Runner
gitlab/gitlab-runner	0.58.1       	16.5.0     	GitLab Runner
gitlab/gitlab-runner	0.58.0       	16.5.0     	GitLab Runner
gitlab/gitlab-runner	0.57.2       	16.4.2     	GitLab Runner
gitlab/gitlab-runner	0.57.1       	16.4.1     	GitLab Runner
gitlab/gitlab-runner	0.57.0       	16.4.0     	GitLab Runner
gitlab/gitlab-runner	0.56.3       	16.3.3     	GitLab Runner
gitlab/gitlab-runner	0.56.2       	16.3.2     	GitLab Runner
gitlab/gitlab-runner	0.56.1       	16.3.1     	GitLab Runner
gitlab/gitlab-runner	0.56.0       	16.3.0     	GitLab Runner
gitlab/gitlab-runner	0.55.3       	16.2.3     	GitLab Runner
gitlab/gitlab-runner	0.55.2       	16.2.2     	GitLab Runner
gitlab/gitlab-runner	0.55.1       	16.2.1     	GitLab Runner
gitlab/gitlab-runner	0.55.0       	16.2.0     	GitLab Runner
gitlab/gitlab-runner	0.54.1       	16.1.1     	GitLab Runner
gitlab/gitlab-runner	0.54.0       	16.1.0     	GitLab Runner
gitlab/gitlab-runner	0.53.3       	16.0.3     	GitLab Runner
gitlab/gitlab-runner	0.53.2       	16.0.2     	GitLab Runner
gitlab/gitlab-runner	0.53.1       	16.0.1     	GitLab Runner
gitlab/gitlab-runner	0.53.0       	16.0.0     	GitLab Runner
gitlab/gitlab-runner	0.52.1       	15.11.1    	GitLab Runner
gitlab/gitlab-runner	0.52.0       	15.11.0    	GitLab Runner

So why is it not getting pulled?

  1. The repo list you posted is for the Helm chart repo. The issue you’re having is with the container. So the container registry would be the right place to look at.

Is there a possibility that your cluster has connectivity issues? Are you using a “private” GKE cluster? Autopilot? Created via TF or via Google console or gcloud CLI? If private, which setup did you use for accessing the internet (and in turn registry.gitlab.com) - cloudrouter / VM with opnsense / VM with iptables DNAT setup / etc…? Are you using VPCs?

Can you try starting a gitlab-runner container by just applying a k8s manifest via kubectl? If yes, can you do the same with the gitlab-runner-helper container? If both work you’ve ruled out the networking issue and there’s something else.

Keep us posted.
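
The manual pull test suggested in the reply above, as an added example that is not part of the original thread: two throwaway pods that make the node pull the two images named in the error messages, without Helm or the runner involved. The pod names and the `sleep` command are assumptions; the image references are the ones quoted in the thread.

```yaml
# Added example: isolate the image pull from the Helm chart and the runner.
# Pod names are hypothetical; image references are copied from the thread.
apiVersion: v1
kind: Pod
metadata:
  name: pull-test-runner              # hypothetical name
spec:
  restartPolicy: Never
  automountServiceAccountToken: false # test pod needs no API access
  containers:
    - name: runner
      image: registry.gitlab.com/gitlab-org/gitlab-runner:alpine-v15.11.0
      # Always contact the registry to resolve the tag. Layers already cached
      # on the node are not downloaded again, so use a node without them.
      imagePullPolicy: Always
      command: ["sleep", "300"]       # assumption: only the pull matters here
---
apiVersion: v1
kind: Pod
metadata:
  name: pull-test-helper              # hypothetical name
spec:
  restartPolicy: Never
  automountServiceAccountToken: false
  containers:
    - name: helper
      image: registry.gitlab.com/gitlab-org/gitlab-runner/gitlab-runner-helper:x86_64-436955cb
      imagePullPolicy: Always
      command: ["sleep", "300"]
```

Apply it with `kubectl apply -f` and read the Events section of `kubectl describe pod` for each pod. A `Pulled` event rules out networking for that image; a `Failed` event carrying the same 403 reproduces the problem outside the runner.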

I had a similar issue trying to pull http://registry.gitlab.com/gitlab-org/gitlab-runner:alpine-v16.6.2 image. My VPN IP is being blocked from accessing registry.gitlab.com. After adding some rules on my router to not use VPN for registry.gitlab.com, I started getting the error for a specific layer. It turns out that under the hood the layer was being downloaded from cdn.registry.gitlab-static.net. I just added this hostname as well, and the issue was gone.