Chapter 3. Configuring self-hosted GitLab runner requirements

Procedure

1. If you use self-hosted runners on OpenShift, set the required security context for the GitLab runners by applying a custom Security Context Constraint (SCC).

   1. Create a YAML file, for example gitlab-ci-scc.yml, with the following sample content.

      apiVersion: security.openshift.io/v1
      kind: SecurityContextConstraints
      metadata:
        name: gitlab-ci-sa-scc
        namespace: gitlab-runner
      allowHostPorts: false
      allowPrivilegeEscalation: true
      allowPrivilegedContainer: true
      allowedCapabilities:
        - SETFCAP
        - MKNOD
      defaultAddCapabilities: null
      fsGroup:
        type: RunAsAny
      priority: 5
      readOnlyRootFilesystem: false
      requiredDropCapabilities:
        - KILL
      runAsUser:
        type: MustRunAs
        uid: 0
      seLinuxContext:
        type: RunAsAny
      supplementalGroups:
        type: RunAsAny
      users:
        - system:serviceaccount:gitlab-runner:gitlab-ci-sa
      volumes:
        - configMap
        - downwardAPI
        - emptyDir
        - persistentVolumeClaim
        - projected
        - secret

      Copy to Clipboard Toggle word wrap
      Note

      This manifest is a sample. You might need to adjust settings, such as the namespace in the users field, for your environment.

   2. Apply the manifest to your cluster.

      $ oc apply -f gitlab-ci-sa-scc.yml

      Copy to Clipboard Toggle word wrap
2. If you use a self-hosted GitLab instance, increase the maximum artifact size to prevent pipeline failures. The default 100 MB limit is often insufficient. Increase the limit to at least 1 GB (1024 MB) by following the official GitLab documentation.