Skip to content

Support user as integer for Docker/Kubernetes executor_opts

Romuald Atchadé - OOO until Nov 30th, 2025requested to merge
k8s-kubernetes-image-opts-int-and-string into main

What does this MR do?

Support user as an integer (along with the already supported user[:group] string syntax) for image:kubernetes:user, image:docker:user.

Why was this MR needed?

To make the configuration more flexible

What's the best way to test this MR?

The test was done using Gitpod.

  1. Go to https://www.gitpod.io/workspaces, login and create a workspace using https://gitlab.com/gitlab-org/gitlab repository with vscode
  2. Once everything is up and running, open the GitLab instance. The URL is available in the Ports tab of vscode bottom panel and starts with https://3000-gitlaborg-gitlab-HASH.ws-REGION.gitpod.io/
  3. The link must be made public to be accessible by the GitLab Runner Manager

Screenshot_2025-05-21_at_8.42.57_PM

  1. Login on GitLab UI, password initialization will be needed in addition to a new project
  2. Create a GitLab Runner associated to the new project
  3. Create a gitlab-ci.yaml file. The gitlab-ci.yaml will be saved without any validation error
test:
  image: 
    name: alpine
    kubernetes:
      user: 1001
  cache:
    key: "my-key"
    paths:
      - cache_file
  script:
    - echo "User ID $(id -u)"
    - mkdir -p cache_file
    - touch cache_file/test.txt

Screenshot_2025-05-21_at_8.40.48_PM

  1. Run a GitLab Runner Manager using the generated authentication token and the changes in this branch. The following config.toml can be used
listen_address = ":9252"
concurrent = 3
check_interval = 1
# log_level = "debug"
log_format = "runner"
connection_max_age = "15m0s"
shutdown_timeout = 0

[session_server]
  session_timeout = 1800

[[runners]]
  pre_get_sources_script = "git config --system --add safe.directory $CI_PROJECT_DIR"
  post_get_sources_script = "git config --local --add safe.directory $CI_PROJECT_DIR"

  name = "investigation"
  limit = 50
  url = "https://3000-gitlaborg-gitlab-HASH.ws-REGION.gitpod.io/"
  id = 0
  token = "glrt-REDACTED"
  token_obtained_at = 2024-09-30T14:38:04.623237Z
  executor = "kubernetes"
  shell = "bash"
  [runners.feature_flags]
    FF_USE_ADVANCED_POD_SPEC_CONFIGURATION = true
    FF_USE_POD_ACTIVE_DEADLINE_SECONDS = true
    FF_PRINT_POD_EVENTS = true
    FF_USE_FASTZIP = true
  [runners.kubernetes]
    host = ""
    bearer_token_overwrite_allowed = false
    image = "alpine"
    namespace = ""
    namespace_overwrite_allowed = ""
    namespace_per_job = false
    privileged = true
    node_selector_overwrite_allowed = ".*"
    node_tolerations_overwrite_allowed = ""
    pod_labels_overwrite_allowed = ""
    service_account_overwrite_allowed = ""
    pull_policy = "always"
    allowed_pull_policies = ["always", "if-not-present", "never"]
    [runners.kubernetes.pod_labels]
    [runners.kubernetes.dns_config]
  1. The job should pass
job log 
Running with gitlab-runner development version (HEAD)
  on investigation REDACTED, system ID: s_b188029b2abb
  feature flags: FF_USE_ADVANCED_POD_SPEC_CONFIGURATION:true, FF_PRINT_POD_EVENTS:true
Preparing the "kubernetes" executor
00:01
WARNING: Namespace is empty, therefore assuming 'default'.
Using Kubernetes namespace: default
Using Kubernetes executor with image alpine ...
Using attach strategy to execute scripts...
Using effective pull policy of [Always] for container build
Using effective pull policy of [Always] for container helper
Using effective pull policy of [Always] for container init-permissions
Preparing environment
00:05
Using FF_USE_POD_ACTIVE_DEADLINE_SECONDS, the Pod activeDeadlineSeconds will be set to the job timeout: 1h0m0s...
WARNING: Advanced Pod Spec configuration enabled, merging the provided PodSpec to the generated one. This is a beta feature and is subject to change. Feedback is collected in this issue: https://gitlab.com/gitlab-org/gitlab-runner/-/issues/29659 ...
Subscribing to Kubernetes Pod events...
Type     Reason      Message
Normal   Scheduled   Successfully assigned default/runner-REDACTED-project-19-concurrent-0-0qmjep35 to gke-ra-cluster-linux-standard-pool-ce442a20-x5ph
Normal   Pulling   Pulling image "registry.gitlab.com/gitlab-org/gitlab-runner/gitlab-runner-helper:x86_64-latest"
Normal   Pulled   Successfully pulled image "registry.gitlab.com/gitlab-org/gitlab-runner/gitlab-runner-helper:x86_64-latest" in 382ms (382ms including waiting). Image size: 32935412 bytes.
Normal   Created   Created container: init-permissions
Normal   Started   Started container init-permissions
Normal   Pulling   Pulling image "alpine"
Normal   Pulled   Successfully pulled image "alpine" in 230ms (230ms including waiting). Image size: 3653068 bytes.
Normal   Created   Created container: build
Normal   Started   Started container build
Normal   Pulling   Pulling image "registry.gitlab.com/gitlab-org/gitlab-runner/gitlab-runner-helper:x86_64-latest"
Normal   Pulled   Successfully pulled image "registry.gitlab.com/gitlab-org/gitlab-runner/gitlab-runner-helper:x86_64-latest" in 356ms (356ms including waiting). Image size: 32935412 bytes.
Normal   Created   Created container: helper
Normal   Started   Started container helper
Running on runner-REDACTED-project-19-concurrent-0-0qmjep35 via ratchade--20240612-H2W0T...
Getting source from Git repository
00:02
$ git config --system --add safe.directory $CI_PROJECT_DIR
Fetching changes with git depth set to 20...
hint: Using 'master' as the name for the initial branch. This default branch name
hint: is subject to change. To configure the initial branch name to use in all
hint: of your new repositories, which will suppress this warning, call:
hint: 
hint: 	git config --global init.defaultBranch <name>
hint: 
hint: Names commonly chosen instead of 'master' are 'main', 'trunk' and
hint: 'development'. The just-created branch can be renamed via this command:
hint: 
hint: 	git branch -m <name>
Initialized empty Git repository in /builds/root/go/.git/
Created fresh repository.
Checking out 820f2254 as detached HEAD (ref is master)...
Skipping Git submodules setup
$ git config --local --add safe.directory $CI_PROJECT_DIR
Restoring cache
00:01
Checking cache for my-key-protected...
No URL provided, cache will not be downloaded from shared cache server. Instead a local version of cache will be extracted. 
WARNING: Cache file does not exist                 
Failed to extract cache
Executing "step_script" stage of the job script
00:01
$ echo "User ID $(id -u)"
User ID 1001
$ mkdir -p cache_file
$ touch cache_file/test.txt
Saving cache for successful job
00:01
Creating cache my-key-protected...
cache_file: found 2 matching artifact files and directories 
No URL provided, cache will not be uploaded to shared cache server. Cache will be stored only locally. 
Created cache
Cleaning up project directory and file based variables
00:01
Job succeeded

What are the relevant issue numbers?

Edited by Romuald Atchadé - OOO until Nov 30th, 2025

Merge request reports