Bug / Help: Gitlab Runner with privileged = True

Summary

Unable to run DinD with a gitlab-runner installed in Kubernetes cluster using Helm.

Steps to reproduce

  1. Install gitlab-runner using Helm as describe in gitlab documentation and using this variables file :
runner-value.yml
image:
  registry: registry.gitlab.com
  image: gitlab-org/gitlab-runner
useTini: false
imagePullPolicy: IfNotPresent
imagePullSecrets:
  - name: "registry-domain-tld"
replicas: 3
gitlabUrl: https://gitlab.domain.tld
unregisterRunners: true
terminationGracePeriodSeconds: 3600
concurrent: 10
shutdown_timeout: 0
checkInterval: 30
sessionServer:
  enabled: false
rbac:
  create: true
  generatedServiceAccountName: ""
  rules: []
  clusterWideAccess: false
  podSecurityPolicy:
    enabled: false
    resourceNames:
    - gitlab-runner
metrics:
  enabled: false
  portName: metrics
  port: 9252
  serviceMonitor:
    enabled: false
service:
  enabled: false
  type: ClusterIP

runners:
  config: |
   [[runners]]
      environment = [
        "DOCKER_HOST=tcp://docker:2376",
        "DOCKER_TLS_CERTDIR=/certs",
        "DOCKER_TLS_VERIFY=1",
        "DOCKER_CERT_PATH=$DOCKER_TLS_CERTDIR/client"
      ]
      [runners.kubernetes]
        namespace = "{{.Release.Namespace}}"
        image = "docker:24.0.5"
        privileged = true
        [[runners.kubernetes.volumes.empty_dir]]
          name = "certs"
          mount_path = "/certs/client"
          medium = "Memory"
  configPath: ""
  runUntagged: false
  secret: gitlab-runner-secret
  cache: {}

securityContext:
  allowPrivilegeEscalation: false
  readOnlyRootFilesystem: false
  runAsNonRoot: true
  privileged: false
  capabilities:
    drop: ["ALL"]


strategy: {}
podSecurityContext:
  runAsUser: 100
  # runAsGroup: 65533
  fsGroup: 65533
  # supplementalGroups: [65533]

  ## Note: values for the ubuntu image:
  # runAsUser: 999
  # fsGroup: 999

resources: {}
affinity: {}
topologySpreadConstraints: {}

nodeSelector: {}
tolerations: []
extraEnv: {}
extraEnvFrom: {}
hostAliases: []
deploymentAnnotations: {}
deploymentLabels: {}
podAnnotations: {}
podLabels: {}
priorityClassName: ""
secrets: []
configMaps: {}
volumeMounts: []
volumes: []
extraObjects: []
  1. Define following CI
.gitlab-ci.yml
image: docker:latest

services:
  - docker:dind

stages:
  - build

variables:
  DOCKER_HOST: tcp://docker:2375
  DOCKER_DRIVER: overlay2

before_script:
  - docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD registry.domain.tld

build:
  stage: build
  script:
    - docker build -t registry.domain.tld/sh-mkdocs-internal:${CI_COMMIT_SHA} .
    - docker push registry.domain.tld/sh-mkdocs-internal:${CI_COMMIT_SHA}
  only:
    - main

Actual behavior

From the moment I set privileged = true in my gitlab runner configuration. I get the following error Job failed (system failure): prepare environment: setting up build pod: pods "runner-gzqkoupss-project-6-concurrent-0-gh6wuuqx" is forbidden: violates PodSecurity "baseline:latest": privileged (containers "init-permissions", "build", "helper", "svc-0" must not set securityContext.privileged=true). Check https://docs.gitlab.com/runner/shells/index.html#shell-profile-loading for more information

What I'm doing wrong ?

Expected behavior

Run a pods to realize the job

Relevant logs and/or screenshots

job log
Running with gitlab-runner 16.10.0 (81ab07f6)
  on gitlab-runner-5b87f48bc-vllzf gzQKoUpss, system ID: r_qi8Sayr4e1JL
Preparing the "kubernetes" executor
00:00
Using Kubernetes namespace: gitlab-runner
Using Kubernetes executor with image docker:latest ...
Using attach strategy to execute scripts...
Preparing environment
00:00
Using FF_USE_POD_ACTIVE_DEADLINE_SECONDS, the Pod activeDeadlineSeconds will be set to the job timeout: 1h0m0s...
ERROR: Error cleaning up pod: resource name may not be empty
ERROR: Job failed (system failure): prepare environment: setting up build pod: pods "runner-gzqkoupss-project-6-concurrent-0-gh6wuuqx" is forbidden: violates PodSecurity "baseline:latest": privileged (containers "init-permissions", "build", "helper", "svc-0" must not set securityContext.privileged=true). Check https://docs.gitlab.com/runner/shells/index.html#shell-profile-loading for more information

Environment description

I'm trying this into a self-hosted gitlab, that doesn't run in Kubernetes and on a single instance.

The runners has been installed in a kubernetes cluster that have access to the self-hosted gitlab. All runners has been deployed using a single token and are shared runners.

config.toml contents
   [[runners]]
      environment = [
        "DOCKER_HOST=tcp://docker:2376",
        "DOCKER_TLS_CERTDIR=/certs",
        "DOCKER_TLS_VERIFY=1",
        "DOCKER_CERT_PATH=$DOCKER_TLS_CERTDIR/client"
      ]
      [runners.kubernetes]
        namespace = "{{.Release.Namespace}}"
        image = "docker:24.0.5"
        privileged = true
        [[runners.kubernetes.volumes.empty_dir]]
          name = "certs"
          mount_path = "/certs/client"
          medium = "Memory"

Used GitLab Runner version

Used gitlab-runner --version into a pod

gitlab-runner-5b87f48bc-558bl:/$ gitlab-runner --version
Version:      16.10.0
Git revision: 81ab07f6
Git branch:   16-10-stable
GO version:   go1.21.7
Built:        2024-03-21T19:43:25+0000
OS/Arch:      linux/amd64

-->

Edited by Raphaël "Zerka" H.