DinD not working in Kubernetes Runners
I am trying to run DinD in a Kubernetes runner inside a GKE cluster, but I get the error below. I tried setting `privileged: true`,
but with no luck.
.gitlab-ci.yml
---
# Pipeline-wide variables; every job (and the dind service container) inherits them.
variables:
  IMAGE_URI: $REGISTRY_URI/$GCP_PROJECT_ID/$REPO_NAME-$CI_COMMIT_SHORT_SHA/ama:latest
  # The docker CLI in the job container reaches the dind service over plain TCP;
  # with the Kubernetes executor the service shares the job pod's network
  # namespace, so "docker" resolves to it.
  DOCKER_HOST: tcp://docker:2375
  SERVICE_NAME: "ama"
  DOCKER_DRIVER: overlay2
  # Empty on purpose: keeps dind on the unencrypted 2375 listener that
  # DOCKER_HOST above points at (the TLS port would be 2376).
  DOCKER_TLS_CERTDIR: ""
  # NOTE(review): KUBERNETES_PRIVILEGED is a runner-side (config.toml / Helm
  # chart) setting; as a pipeline variable it is only exported into the job's
  # shell and does not make the job pod privileged — confirm against the
  # Kubernetes executor docs before relying on it.
  KUBERNETES_PRIVILEGED: "true"

services:
  - name: docker:dind  # alternative pin noted by the author: 'docker:20.10.12-dind'

include:
  - template: Secret-Detection.gitlab-ci.yml
  - template: Jobs/Build.gitlab-ci.yml
  - template: Jobs/SAST.gitlab-ci.yml
  # https://gitlab.com/gitlab-org/gitlab/blob/master/lib/gitlab/ci/templates/Security/Container-Scanning.gitlab-ci.yml
  - template: Security/Container-Scanning.gitlab-ci.yml
  # https://gitlab.com/gitlab-org/gitlab/blob/master/lib/gitlab/ci/templates/Security/Dependency-Scanning.gitlab-ci.yml
  - template: Security/Dependency-Scanning.gitlab-ci.yml
  # https://gitlab.com/gitlab-org/gitlab/blob/master/lib/gitlab/ci/templates/Security/License-Scanning.gitlab-ci.yml
  - template: Security/License-Scanning.gitlab-ci.yml
  # https://gitlab.com/gitlab-org/gitlab/blob/master/lib/gitlab/ci/templates/Security/Secret-Detection.gitlab-ci.yml
  - template: Security/Secret-Detection.gitlab-ci.yml

stages:
  - build
  - test
  - deploy

# NOTE(review): the leading dot makes this a hidden job, so these variables are
# NOT applied to the `container_scanning` job defined by the included
# Container-Scanning template. Rename the key to `container_scanning` if the
# intent is to point the scanner at the GCR image (keep the dot only if the
# override is meant to be disabled).
.container_scanning:
  variables:
    CS_REGISTRY_USER: _json_key
    CS_REGISTRY_PASSWORD: "$GCP_SERVICE_ACCOUNT_ARTIFACT"
    CS_IMAGE: gcr.io/$GCP_PROJECT_ID/$REPO_NAME-$CI_COMMIT_SHORT_SHA/ama:latest

# Builds the model image via the dind service; runs only for the main branch on
# the GKE-hosted runner selected by the `gkekubernetesrunner` tag.
build-model-container:
  stage: build
  # tags: [saas-linux-large-amd64]
  image: google/cloud-sdk:alpine  # google/cloud-sdk
  before_script:
    # - export GOOGLE_APPLICATION_CREDENTIALS=$GCP_SERVICE_ACCOUNT_ARTIFACT
    - gcloud config set project $GCP_PROJECT_ID
    # - gcloud auth activate-service-account --key-file=$GCP_SERVICE_ACCOUNT_ARTIFACT
  variables:
    # Diagnostic: lists the service accounts exposed by the node's instance
    # metadata endpoint (output lands in the job log).
    DEPLOY_CURL_COMMAND: 'curl -H "Metadata-Flavor: Google" http://169.254.169.254/computeMetadata/v1/instance/service-accounts/'
  script:
    - 'eval "$DEPLOY_CURL_COMMAND"'
    - echo $REPO_NAME-$CI_COMMIT_SHORT_SHA
    - docker build ./ -t $IMAGE_URI
  rules:
    - if: '$CI_COMMIT_BRANCH == "main"'
      when: always
  tags:
    - gkekubernetesrunner
values.yml
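---
## REQUIRED VALUES
## Rendered by helmfile before Helm parses the file: both values come from the
## environment and are quoted so they always land as strings.
gitlabUrl: {{ requiredEnv "CI_SERVER_URL" | quote }}
runnerRegistrationToken: {{ requiredEnv "GITLAB_RUNNER_REGISTRATION_TOKEN" | quote }}

## Configure the maximum number of concurrent jobs
## - Documentation: https://docs.gitlab.com/runner/configuration/advanced-configuration.html#the-global-section
## - Default value: 10
## - Currently don't support auto-scaling.
concurrent: 4

## Defines in seconds how often to check GitLab for new builds
## - Documentation: https://docs.gitlab.com/runner/configuration/advanced-configuration.html#the-global-section
## - Default value: 3
checkInterval: 3

## Environment of the runner manager pod; the KUBERNETES_* variables are read
## by the Kubernetes executor when it creates job pods.
envVars:
  ## NOTE(review): ".*" lets any pipeline switch its job pod to ANY service
  ## account in the runner namespace. Narrow it to the accounts jobs actually
  ## need (e.g. "^gitlab-cloud-run$") once the dind issue is resolved.
  - name: KUBERNETES_SERVICE_ACCOUNT_OVERWRITE_ALLOWED
    value: ".*"
  - name: KUBERNETES_SERVICE_ACCOUNT
    value: "gitlab-cloud-run"

## For RBAC support
rbac:
  create: true
  clusterWideAccess: false  # author also tried: true
  serviceAccountName: gitlab-cloud-run

## Configuration for the Pods that the runner launches for each new job
runners:
  image: "docker:18.09.7"  ## alternative: "ubuntu:20.04"
  builds: {}
  services: {}
  helpers: {}
  serviceAccountName: gitlab-cloud-run

  ## Specify the tags associated with the runner. Comma-separated list of tags.
  ## - Documentation: https://docs.gitlab.com/ce/ci/runners/#using-tags
  ## No whitespace inside the list: the original " gkekubernetesrunner" carried
  ## a leading space, which may not match `tags: [gkekubernetesrunner]` in
  ## .gitlab-ci.yml depending on how the registration trims tag names.
  tags: kubernetes,cluster,gkekubernetesrunner  ## alternative: autopilotrunner

  ## Run all containers with the privileged flag enabled
  ## This will allow the docker:dind image to run if you need to run Docker
  ## commands. Please read the docs before turning this on:
  ## - Documentation: https://docs.gitlab.com/runner/executors/kubernetes.html#using-docker-dind
  ## (Set to false to run on GKE Autopilot as privileged mode is not allowed by GKE Autopilot)
  ## NOTE(review): this is the only key in this file that affects the job/dind
  ## pods. Newer chart releases take executor options from `runners.config`
  ## (`[runners.kubernetes] privileged = true`) and ignore this key — if dind
  ## still fails with this file, check which form the installed chart reads.
  privileged: true
  ## NOTE(review): confirm the installed chart version actually reads this key.
  tls_verify: false
  resources: {}

## Configure securitycontext for the main container — this is the runner
## MANAGER container, not the job pods. The manager does not run the dind
## daemon itself, so it never needs privilege; setting privileged here gave a
## privileged container to the process holding the runner token and the
## pod-creating service account without helping the job pods. Job-pod
## privilege is controlled by runners.privileged above. Values below are the
## chart defaults.
## ref: http://kubernetes.io/docs/user-guide/security-context/
##
securityContext:
  allowPrivilegeEscalation: false
  readOnlyRootFilesystem: false
  runAsNonRoot: true
  privileged: false
  capabilities:
    drop: ["ALL"]

## Configure securitycontext valid for the whole pod
## ref: http://kubernetes.io/docs/user-guide/security-context/
##
podSecurityContext:
  runAsUser: 100
  # runAsGroup: 65533
  fsGroup: 65533
  # supplementalGroups: [65533]

  ## Note: values for the ubuntu image:
  # runAsUser: 999
  # fsGroup: 999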
Error