eblume/blumeops
1
1
Fork 0
Code Issues Pull requests Projects Releases 83 Packages Wiki Activity Actions
blumeops/argocd/manifests/forgejo-runner/deployment.yaml
Erich Blume 924325ebd5 Fix DinD seccomp profile broken by RuntimeDefault rollout 
The pod-level RuntimeDefault seccomp profile (07e9c81) overrides the
DinD sidecar's privileged flag in newer Kubernetes versions, blocking
Docker daemon syscalls. Set Unconfined explicitly on the DinD container
while keeping RuntimeDefault on the runner container.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-29 17:09:57 -07:00

101 lines
2.9 KiB
YAML
Raw Blame History

apiVersion: apps/v1
kind: Deployment
metadata:
name: forgejo-runner
namespace: forgejo-runner
labels:
app: forgejo-runner
spec:
replicas: 1
selector:
matchLabels:
app: forgejo-runner
template:
metadata:
labels:
app: forgejo-runner
spec:
securityContext:
seccompProfile:
type: RuntimeDefault
containers:
# Forgejo runner daemon
- name: runner
image: code.forgejo.org/forgejo/runner:kustomized
env:
- name: TZ
value: America/Los_Angeles
- name: DOCKER_HOST
value: tcp://localhost:2375
- name: FORGEJO_URL
value: "https://forge.ops.eblu.me"
- name: RUNNER_NAME
value: "k8s-runner"
- name: RUNNER_LABELS
value: "k8s:docker://registry.ops.eblu.me/blumeops/runner-job-image:v0.20.1-24f7512"
command:
- /bin/sh
- -c
- |
# Wait for DinD to be ready
echo "Waiting for Docker daemon..."
while ! wget -q -O /dev/null http://localhost:2375/_ping 2>/dev/null; do
sleep 1
done
echo "Docker daemon ready"
# Register if not already registered
if [ ! -f /data/.runner ]; then
echo "Registering runner..."
forgejo-runner register \
--instance "$FORGEJO_URL" \
--token "$RUNNER_TOKEN" \
--name "$RUNNER_NAME" \
--labels "$RUNNER_LABELS" \
--no-interactive
fi
# Start daemon
exec forgejo-runner daemon --config /config/config.yaml
envFrom:
- secretRef:
name: forgejo-runner-env
volumeMounts:
- name: data
mountPath: /data
- name: config
mountPath: /config
- name: zoneinfo
mountPath: /usr/share/zoneinfo
readOnly: true
# Docker-in-Docker sidecar
- name: dind
image: docker:kustomized
securityContext:
privileged: true
seccompProfile:
type: Unconfined
env:
- name: DOCKER_TLS_CERTDIR
value: ""
volumeMounts:
- name: dind-storage
mountPath: /var/lib/docker
- name: config
mountPath: /etc/docker/daemon.json
subPath: daemon.json
readOnly: true
volumes:
- name: data
emptyDir: {}
- name: dind-storage
emptyDir: {}
- name: config
configMap:
name: forgejo-runner-config
- name: zoneinfo
hostPath:
path: /usr/share/zoneinfo
type: Directory
Reference in a new issue View git blame Copy permalink