Gitlab runner and child namespaces; operation not permitted

Where can I find more information about the permissions of the gitlab runner and limitations of the target user?

I’d like my runner to be able to init child namespaces via unshare; however, this functionality appears to be disabled.

My user, rootrunner, is in sudoers with passwordless sudo. When I su to this user and run unshare to create a child namespace on the host, it works as expected:

[rootrunner] $ unshare --user --mount /bin/true

However, when the user rootrunner executes the exact same command via GitLab Runner CI, the pipeline fails with:

$ unshare --user --mount /bin/true
unshare: unshare failed: Operation not permitted
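The following diagnostic script is an added example and is not part of the original post or of GitLab Runner. It reports the per-process conditions that commonly turn `unshare --user --mount` into "Operation not permitted" inside a container-based CI job: a seccomp filter (container runtimes such as Docker ship a default profile that allows the `unshare` syscall only when CAP_SYS_ADMIN is held), the effective capability set from `/proc/self/status`, the `NoNewPrivs` flag (which also prevents `sudo` from regaining privileges inside the job), and the `user.max_user_namespaces` sysctl. Run it with `--live` as a job step to compare the CI process with the interactive `su` session; the sample `CapEff` values and the `--live` flag are assumptions for illustration.

```shell
#!/bin/sh
# Added diagnostic (not from the original post): explain why `unshare` may
# return EPERM by inspecting /proc/self/status and the user-namespace sysctl.

# status_field FILE NAME: print the value of a "NAME:<tab>value" line from a
# /proc/<pid>/status-style file (prints nothing if the key is absent).
status_field() {
    awk -v key="$2:" '$1 == key { print $2; exit }' "$1"
}

# has_cap FILE BIT: succeed if capability number BIT is in the effective set.
# CapEff is a 64-bit hex mask; CAP_SYS_ADMIN is capability 21.
has_cap() {
    hex=$(status_field "$1" CapEff)
    [ -n "$hex" ] || return 2
    mask=$(( 0x$hex ))
    [ $(( (mask >> $2) & 1 )) -eq 1 ]
}

# blockers FILE MAX_USER_NS: print one line per condition that can explain
# EPERM from `unshare --user --mount`; succeed only if none was found.
blockers() {
    found=0
    if [ "$2" = "0" ]; then
        echo "user.max_user_namespaces is 0: user namespaces are disabled on this kernel"
        found=1
    fi
    if [ "$(status_field "$1" Seccomp)" = "2" ] && ! has_cap "$1" 21; then
        echo "seccomp filter active (Seccomp: 2) and CAP_SYS_ADMIN absent (CapEff: $(status_field "$1" CapEff)):"
        echo "  default container runtime profiles deny the unshare syscall in this state"
        found=1
    fi
    if [ "$(status_field "$1" NoNewPrivs)" = "1" ]; then
        echo "NoNewPrivs set: sudo/setuid cannot be used inside the job to regain capabilities"
        found=1
    fi
    return $found
}

# Live check of the current process; guarded behind --live so the functions
# above can also be sourced or exercised on constructed input.
if [ "${1:-}" = "--live" ]; then
    maxns=$(cat /proc/sys/user/max_user_namespaces 2>/dev/null || echo unknown)
    echo "user.max_user_namespaces=$maxns"
    if blockers /proc/self/status "$maxns"; then
        echo "no obvious blocker found in /proc/self/status"
    fi
    unshare --user --mount /bin/true && echo "unshare OK" || echo "unshare failed (exit $?)"
fi
```

Running the script with `--live` both from the interactive `su` session and from a CI job step shows which of the four conditions differs between the two environments; that difference is what to take to the runner or executor configuration (for example, the executor's seccomp profile or capability set) rather than to sudoers, since sudo cannot add capabilities to a process that has `NoNewPrivs` set or a seccomp filter installed.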