GitLab Runner is the open source project that is used to run your jobs and send the results back to GitLab. It is used in conjunction with GitLab CI/CD, the open-source continuous integration service included with GitLab that coordinates the jobs.
The gitlab-runner pod is deployed via a Helm chart into its own dedicated gitlab-runner namespace for improved security and isolation.
Note: If using the autoRegister.enabled=true feature (default when enabling via Big Bang umbrella values), Kyverno is required. A Kyverno policy (sync-gitlab-runner-secret) is used to automatically copy the necessary registration token secret from the gitlab namespace to the gitlab-runner namespace. See the Global Shared Gitlab Runner section for more details.
Gitlab Runner is configured to run as a globally shared runner. Any repository in the gitlab installation will have this runner available for CI/CD pipelines. This runner automatically registers with the gitlab installation upon installation.
This globally shared gitlab-runner pod can be seen in any repository CI/CD Settings page eg: https://code.bigbang.dev/GROUP/PROJECT/-/settings/ci_cd
The runner uses the IronBank RedHat UBI8 image to run jobs.
- Monitoring stack or Prometheus
Setting metrics.enabled to true will expose the gitlab-runner /metrics endpoint to the cluster using port 9252.
If using the monitoring stack with BigBang, it will detect that gitlab-runner is enabled and automatically create a service monitor to scrape the endpoint with Prometheus.
The exposed information includes:
- Runner business logic metrics (e.g., the number of currently running jobs)
- Go-specific process metrics (garbage collection stats, goroutines, memstats, etc.)
- General process metrics (memory usage, CPU usage, file descriptor usage, etc.)
- Build version information
Reference: GitLab Runner monitoring
To verify that the metrics are working, open a browser to your prometheus endpoint (e.g. https://prometheus.bigbang.dev). Under Status, select Targets. You should find monitoring/gitlab-gitlab-runner/0 (if using Big Bang) or the name of your Service Monitor as a target and the State should be UP.
- Monitoring stack is deployed
- ECK stack deployed
- Login to Kibana
- Username: elastic
- Password: obtain with
kubectl get secret logging-ek-es-elastic-user -n logging -o json | jq -r .data.elastic | base64 -d
- Create Index by selecting
Management>Stack Managementfrom the left menu, then clickKibana>Index patterns. In the Create Index patterns enterlogstash-*and clickCreate index pattern. In the the next step, click on the time filed dropdown and select@timestamp. Finally, createCreate index pattern - To use the index, click
Kibana>Discoveryon the side menu. In the KQL entry box, enterkubernetes.labels.release : "gitlab-runner"and press enter.
On a default installation, there will be a single pod loaded in the format gitlab-runner-gitlab-runner-# in the gitlab-runner namespace as shown below.
# Example from gitlab-runner namespace
NAME READY STATUS RESTARTS AGE
gitlab-runner-gitlab-runner-7d48f9cc9c-abcde 1/1 Running 0 42mImportant Note on Namespace and Auto-Registration:
As mentioned in the Application Overview, GitLab Runner resides in its own gitlab-runner namespace, separate from the main GitLab components in the gitlab namespace. This enhances security.
For the runner to automatically register with GitLab (autoRegister.enabled=true), it needs access to the registration token stored in the gitlab-gitlab-runner-secret within the gitlab namespace. Since Kubernetes namespaces provide isolation, direct access is blocked.
Big Bang solves this using a Kyverno ClusterPolicy named sync-gitlab-runner-secret. This policy automatically:
- Detects the
gitlab-runnernamespace. - Clones the
gitlab-gitlab-runner-secretfrom thegitlabnamespace into thegitlab-runnernamespace. - Keeps the cloned secret synchronized with the original.
This ensures the runner in the gitlab-runner namespace can securely obtain the token needed for registration without compromising namespace isolation. Kyverno must be installed and functional for auto-registration to work.
kubernetes.pod_name : "gitlab-runner-gitlab-runner-#"to get logs from a specific # podkubernetes.container_name : "gitlab-runner-gitlab-runner"to get logs from a specific containerkubernetes.labels.release : "gitlab-runner"to get logs from all gitlab runners
By default, Gitlab Runner egress for runner jobs is locked down within its dedicated gitlab-runner namespace. You can dynamically create additional network policies with a values override. For example:
networkPolicies:
additionalPolicies:
# expected use case is to open egress for runner jobs
# This is a dev example policy spec and CIDR 0.0.0.0/0 is unsafe for operational environments
# requests to controlPlane should also be blocked in an operational policy
- name: egress-runner-jobs
spec:
podSelector: {}
policyTypes:
- Egress
egress:
- to:
- ipBlock:
cidr: 0.0.0.0/0
except:
# Block requests to AWS cloud metadata IP
- 169.254.169.254/32
# Block requests to controlPlane if CIDR not 0.0.0.0/0
- "{{ $.Values.networkPolicies.controlPlaneCidr }}"Note: By default, the Big Bang Gitlab Runner package is configured to pull kubernetes executor images from registry1.dso.mil. Also, the gitlab-runner pod will require egress to the kube-apiserver in order to create pods for CI jobs. The networkPolicy templates handle creation of the necessary policy.
- The gitlab-runner is configured to clone the repository from the gitlab webservice via the "clone_url" setting. This setting typically points to the GitLab instance's external URL or internal service name (e.g.,
gitlab-webservice.gitlab.svc...). The runner also uses this endpoint (or the one specified ingitlabUrl) to register with the GitLab API. - If the GitLab instance (webservice) is behind HTTPS ingress and uses a certificate not trusted by the runner's environment (e.g., a self-signed or private CA), certificate issues can occur during cloning or registration. In such cases, the
certsSecretNamevalue invalues.yamlcan be populated with the name of a secret containing the necessary CA certificate (ca.crt) and optionally client certificates (tls.crt,tls.key). The runner will mount these certificates to establish trust. - Registration Failure: If the runner fails to register (often seen as errors in the runner pod logs about failing to connect or register), and you have
autoRegister.enabled=true, verify the following:- Kyverno is installed and running correctly in the cluster.
- The Kyverno
ClusterPolicynamedsync-gitlab-runner-secretexists and is active. - Check if the
gitlab-gitlab-runner-secrethas been successfully created/synced into thegitlab-runnernamespace (kubectl get secret gitlab-gitlab-runner-secret -n gitlab-runner). If this secret is missing, the runner cannot get the token to register. Investigate Kyverno policy status and logs.