Using "proc-mounts = unmasked" makes jobs fail with the Kubernetes executor
## Summary

When you configure a runner using `proc-mounts = unmasked`, jobs fail with the following error:

```text
ERROR: Error cleaning up pod: resource name may not be empty
ERROR: Job failed (system failure): prepare environment: setting up build pod: Pod "runner-wgkrzldjq-project-81637178-concurrent-0-wxe450bm" is invalid: spec.containers[0].securityContext.procMount: Invalid value: "Unmasked": `hostUsers` must be false to use `Unmasked`. Check https://docs.gitlab.com/runner/shells/#shell-profile-loading for more information
```

## Steps to reproduce

1. Create and register a runner (Kubernetes executor) with `proc-mounts = unmasked`
2. Try to run pipelines using this runner

<details>
<summary> .gitlab-ci.yml </summary>

```yml
test:
  script:
    - |
      if mount | grep 'proc on /proc' | grep -q 'ro,'
      then
        echo '[masked] masked /proc paths found, some paths have ro mount overwrites'
        exit 1
      fi
      echo '[unmasked] /proc is unmasked, no ro mount overwrites'
      echo OK
```

</details>

## Actual behavior

Jobs are failing with:

```text
ERROR: Error cleaning up pod: resource name may not be empty
ERROR: Job failed (system failure): prepare environment: setting up build pod: Pod "runner-wgkrzldjq-project-81637178-concurrent-0-wxe450bm" is invalid: spec.containers[0].securityContext.procMount: Invalid value: "Unmasked": `hostUsers` must be false to use `Unmasked`. Check https://docs.gitlab.com/runner/shells/#shell-profile-loading for more information
```

## Expected behavior

ProcMounts should be unmasked and the job should pass.

<details>
<summary> job log </summary>

```sh
Running with gitlab-runner 18.11.1 (5265d41d)
  on Personal Gitlab Runner (small) wGKRzLdJQ, system ID: r_VdpUDLaoyrLt
Preparing the "kubernetes" executor 00:00
Using default image
Using Kubernetes namespace: gitlab-runner
Using Kubernetes executor with image ubuntu:24.04 ...
Using attach strategy to execute scripts...
Using effective pull policy of [] for container helper
Using effective pull policy of [] for container init-permissions
Using effective pull policy of [] for container build
Preparing environment 00:00
Using FF_USE_POD_ACTIVE_DEADLINE_SECONDS, the Pod activeDeadlineSeconds will be set to the job timeout: 1h0m0s...
ERROR: Error cleaning up pod: resource name may not be empty
ERROR: Job failed (system failure): prepare environment: setting up build pod: Pod "runner-wgkrzldjq-project-81637178-concurrent-0-fvo940j8" is invalid: spec.containers[0].securityContext.procMount: Invalid value: "Unmasked": `hostUsers` must be false to use `Unmasked`. Check https://docs.gitlab.com/runner/shells/#shell-profile-loading for more information
```

</details>

## Environment description

<details>
<summary> config.toml contents </summary>

```toml
[[runners]]
  name = "Personal Gitlab Runner (small)"
  url = "https://gitlab.com/"
  executor = "kubernetes"
  builds_dir = "/builds"
  cache_dir = "/cache"
  [runners.kubernetes]
    image = "ubuntu:24.04"
    namespace = "gitlab-runner"
    [runners.kubernetes.build_container_security_context]
      proc_mount = "unmasked"
    [runners.kubernetes.volumes]
      [[runners.kubernetes.volumes.empty_dir]]
        name = "cache"
        mount_path = "/cache"
      [[runners.kubernetes.volumes.empty_dir]]
        name = "builds"
        mount_path = "/builds"
```

</details>

### Used GitLab Runner version

```
Version:      18.11.1
Git revision: 5265d41d
Git branch:   18-11-stable
GO version:   go1.25.7 X:cacheprog
Built:        2026-04-20T14:49:28Z
OS/Arch:      linux/amd64
```

## Workaround

Overwrite generated build pod specifications in order to define `spec.hostUsers` as `false`: https://docs.gitlab.com/runner/executors/kubernetes/#user-namespaces

## Related issues and MRs

- gitlab-org/gitlab-runner#29533+
- gitlab-org/gitlab-runner!3546+
- gitlab-org/gitlab-runner#29633+
- gitlab-org/gitlab-runner!6557+
- cfe85aea ([k8s] Adapt ProcMount tests)
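
The rule behind the error above, and the effect of the `spec.hostUsers` workaround, as an added example that is not part of the original issue or of GitLab Runner's code: a pre-flight check that flags any container requesting an `Unmasked` procMount while the pod does not set `hostUsers: false`. The sample pod spec is constructed, the function names and the JSON-patch form of the workaround are assumptions, and covering init and ephemeral containers generalizes beyond the `containers[0]` case shown in the error.

```python
import copy

# Constructed pod spec shaped like the runner's build pod (not captured from a cluster).
SAMPLE_POD_SPEC = {
    "initContainers": [{"name": "init-permissions", "securityContext": {}}],
    "containers": [
        {"name": "build", "securityContext": {"procMount": "Unmasked"}},
        {"name": "helper"},
    ],
}

# Assumed JSON patch (RFC 6902) form of the workaround: set spec.hostUsers to false.
HOST_USERS_PATCH = [{"op": "add", "path": "/hostUsers", "value": False}]


def proc_mount_violations(pod_spec):
    """Return field paths using procMount=Unmasked while hostUsers is not false."""
    # hostUsers defaults to true when absent, so only an explicit False passes.
    if pod_spec.get("hostUsers") is False:
        return []
    found = []
    # Generalization: the error on the page names containers[0]; init and
    # ephemeral containers carry the same securityContext field.
    for group in ("initContainers", "containers", "ephemeralContainers"):
        for index, container in enumerate(pod_spec.get(group) or []):
            ctx = container.get("securityContext") or {}
            if ctx.get("procMount") == "Unmasked":
                found.append(f"spec.{group}[{index}].securityContext.procMount")
    return found


def apply_top_level_patch(pod_spec, patch):
    """Apply 'add'/'replace' operations on top-level pod spec keys to a copy."""
    patched = copy.deepcopy(pod_spec)
    for op in patch:
        key = op["path"].lstrip("/")
        if not key or "/" in key:
            raise ValueError(f"only top-level paths are supported: {op['path']}")
        if op["op"] not in ("add", "replace"):
            raise ValueError(f"unsupported op: {op['op']}")
        patched[key] = op["value"]
    return patched


if __name__ == "__main__":
    print("before:", proc_mount_violations(SAMPLE_POD_SPEC))
    fixed = apply_top_level_patch(SAMPLE_POD_SPEC, HOST_USERS_PATCH)
    print("after: ", proc_mount_violations(fixed))
```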