K8s runner podman no privilege on gke autopilot

I have a runner successfully installed into gke autopilot:

helm install --create-namespace --namespace gitlab gitlab-runner-01 -f gitlab-runner-values.yaml gitlab/gitlab-runner

I can see jobs create a unique pod of the image defined for my “job”. I am trying to use either dind-rootless or Quay, given my CI steps require building, running, and pushing images.

To test podman in gke autopilot, I manually deployed podman with:

apiVersion: v1
kind: Pod
metadata:
  name: no-priv-rootful
  namespace: gitlab
spec:
  containers:
    - name: no-priv-rootful
      image: quay.io/podman/stable
      args:
        - sleep
        - "1000000"
      securityContext:
        capabilities:
          add:
            # - "SYS_ADMIN"
            - AUDIT_WRITE
            - CHOWN
            - DAC_OVERRIDE
            - FOWNER
            - FSETID
            - KILL
            - MKNOD
            - NET_BIND_SERVICE
            - NET_RAW
            - SETFCAP
            - SETGID
            - SETPCAP
            - SETUID
            - SYS_CHROOT
            - SYS_PTRACE
      resources:
        requests:
          memory: "1G"
          cpu: "1000m"

A simple podman login results in this error:

echo "base64 key" | podman login -u _json_key_base64 --password-stdin us-central1-docker.pkg.dev
cannot clone: Operation not permitted
Error: cannot re-exec process

Has anyone set up k8s in gke autopilot mode to build and run images from a job?

I’m about to switch to a standard cluster to see if SYS_ADMIN is a required capability.

Thanks
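Before moving clusters to test the SYS_ADMIN question, it helps to check from inside the pod what the container actually got. Podman re-execs itself in a new user namespace when it runs without real root, and a "cannot clone: Operation not permitted" message is the shape of error you get when that clone is refused, whether by a missing capability, a seccomp profile, or a kernel sysctl. The script below is an added diagnostic, not part of the original post or of Podman itself: it decodes the CapEff and CapBnd masks from /proc/self/status into capability names (the bit numbers follow the kernel's capability.h numbering), reports whether SYS_ADMIN (bit 21) is present, prints the Seccomp mode, and tries to create a user namespace with `unshare -U`. The sample masks in the comments are constructed for illustration; the `diagnose` function reads the live values.

```shell
#!/bin/sh
# Added diagnostic for a pod that fails with "cannot clone: Operation not permitted".
# Run it with the same securityContext as the failing job pod, e.g.
#   kubectl exec -n gitlab no-priv-rootful -- sh -s < this-script.sh

# Kernel capability numbers (include/uapi/linux/capability.h), 0..40.
CAP_TABLE="0:CHOWN 1:DAC_OVERRIDE 2:DAC_READ_SEARCH 3:FOWNER 4:FSETID 5:KILL \
6:SETGID 7:SETUID 8:SETPCAP 9:LINUX_IMMUTABLE 10:NET_BIND_SERVICE \
11:NET_BROADCAST 12:NET_ADMIN 13:NET_RAW 14:IPC_LOCK 15:IPC_OWNER \
16:SYS_MODULE 17:SYS_RAWIO 18:SYS_CHROOT 19:SYS_PTRACE 20:SYS_PACCT \
21:SYS_ADMIN 22:SYS_BOOT 23:SYS_NICE 24:SYS_RESOURCE 25:SYS_TIME \
26:SYS_TTY_CONFIG 27:MKNOD 28:LEASE 29:AUDIT_WRITE 30:AUDIT_CONTROL \
31:SETFCAP 32:MAC_OVERRIDE 33:MAC_ADMIN 34:SYSLOG 35:WAKE_ALARM \
36:BLOCK_SUSPEND 37:AUDIT_READ 38:PERFMON 39:BPF 40:CHECKPOINT_RESTORE"
CAP_SYS_ADMIN=21

# has_cap <hexmask> <bit>: succeed if the capability bit is set in the mask.
# <hexmask> is the raw value printed after CapEff:/CapBnd: in /proc/<pid>/status,
# e.g. the constructed sample 00000000a80425fb (Docker's default set, no SYS_ADMIN).
has_cap() {
    cap_mask=$(( 0x$1 ))
    cap_bit=$2
    [ $(( (cap_mask >> cap_bit) & 1 )) -eq 1 ]
}

# cap_names <hexmask>: print the space-separated names of all set capabilities.
cap_names() {
    cap_out=""
    for cap_entry in $CAP_TABLE; do
        cap_num=${cap_entry%%:*}
        cap_name=${cap_entry#*:}
        if has_cap "$1" "$cap_num"; then
            cap_out="$cap_out $cap_name"
        fi
    done
    printf '%s\n' "${cap_out# }"
}

# status_field <name>: read one field (CapEff, CapBnd, Seccomp, ...) from /proc/self/status.
status_field() {
    awk -v key="$1:" '$1 == key { print $2 }' /proc/self/status
}

# diagnose: print the facts that decide whether podman's re-exec into a
# user namespace can succeed in this pod.
diagnose() {
    eff=$(status_field CapEff)
    bnd=$(status_field CapBnd)
    printf 'CapEff %s: %s\n' "$eff" "$(cap_names "$eff")"
    printf 'CapBnd %s: %s\n' "$bnd" "$(cap_names "$bnd")"
    if has_cap "$eff" "$CAP_SYS_ADMIN"; then
        echo "SYS_ADMIN: present in effective set"
    else
        echo "SYS_ADMIN: absent from effective set"
    fi
    # Seccomp mode: 0 = disabled, 1 = strict, 2 = filter (a profile is applied).
    echo "Seccomp mode: $(status_field Seccomp)"
    if [ -r /proc/sys/user/max_user_namespaces ]; then
        echo "max_user_namespaces: $(cat /proc/sys/user/max_user_namespaces)"
    fi
    # The same clone(CLONE_NEWUSER) podman performs, isolated from podman's own setup.
    if unshare -U true 2>/dev/null; then
        echo "unshare -U: user namespace creation allowed"
    else
        echo "unshare -U: user namespace creation refused (podman re-exec will fail)"
    fi
}

# Run the live diagnosis when executed directly (not when sourced for testing).
case "$0" in
    *sh) ;;
    *) diagnose ;;
esac
```

If `unshare -U` is refused while the capability sets look fine, the block is coming from the seccomp profile or a namespace sysctl rather than from a missing capability, and adding SYS_ADMIN to the manifest would not be the fix even on a cluster that accepted it. Autopilot's admission controls reject privileged pods and restrict added capabilities, so knowing which of the three is the blocker before changing cluster modes saves a migration.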

I switched from autopilot to a standard cluster, and runners pick up jobs with DIND (nested docker build/run commands).