GKE GitLab Runner Platform
This page provides reference information relating to the DevOps team's Google Kubernetes Engine (GKE) GitLab Runner platform.
The GKE GitLab Runner platform provides GKE-hosted GitLab Runner resources on which DevOps products run their CI jobs.
The GKE GitLab runner platform is live and in use by multiple DevOps product teams.
Technical queries and support should be directed to the Cloud Team MS Teams channel where members of the Cloud Team will be able to assist.
Issues discovered in the service or new feature requests should be opened as GitLab issues here.
The GKE GitLab Runner platform is currently deployed to both environments. The GCP console landing pages for the environment projects are as follows:
| Name | Project landing page |
Source code for the GKE GitLab Runner platform infrastructure is in the gitlab-runner-infrastructure repository.
The GKE GitLab Runner platform uses the following technologies:
- Google Kubernetes Engine (GKE)
- Google IAM
- GKE Workload Identity
- GitLab Runner with the Kubernetes Executor
GKE cluster configuration
The platform requires a GKE cluster. Unfortunately, because the GitLab Auto DevOps Build stage depends on Docker-in-Docker, which needs a privileged container, GKE Autopilot cannot be used (it does not permit privileged containers). Instead, the cluster is provisioned as a Standard GKE cluster with the following notable configuration:
- The cluster is deployed to the
- It is a zonal cluster configured in the
- A single, auto-scaling node pool is configured to deploy nodes of machine type n1-standard-2 running the recommended Container-optimised OS with containerd (cos_containerd) image type.
- Workload Identity is enabled.
Each product has the following resources created by the Terraform configuration (see the how-to for steps on adding a product to the Terraform deployment).
- A unique Kubernetes namespace for the product's runners.
- A Kubernetes service account (named gke-ci-run) in the product's namespace.
- This includes the IAM bindings that allow this Kubernetes service account to impersonate Google service accounts via Workload Identity.
- A GitLab runner pod deployed using the GitLab runner Helm chart.
- A Kubernetes network policy that blocks all ingress to pods in the namespace and allows egress only to port tcp/443 on any IP. This isolates the CI/CD jobs of different products from one another.
- The following CI/CD variables populated with the relevant values.
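The per-product resources listed above, written out as Terraform. This is an added example, not the gitlab-runner-infrastructure repository's own configuration; the `var.product` and `var.project_id` inputs, the `ci-` namespace prefix and the `google_service_account.ci` resource are assumptions.

```hcl
# Added example (not the gitlab-runner-infrastructure repository's own code).
# Assumed inputs: var.product (product name), var.project_id, and an existing
# google_service_account.ci that the product's CI jobs should impersonate.

resource "kubernetes_namespace" "product" {
  metadata { name = "ci-${var.product}" }
}

# Kubernetes service account the runner pods use; the annotation links it to a
# Google service account for Workload Identity.
resource "kubernetes_service_account" "ci" {
  metadata {
    name      = "gke-ci-run"
    namespace = kubernetes_namespace.product.metadata[0].name
    annotations = {
      "iam.gke.io/gcp-service-account" = google_service_account.ci.email
    }
  }
}

# IAM binding that lets the Kubernetes service account above act as the
# Google service account. The member is scoped to exactly one namespace/KSA.
resource "google_service_account_iam_member" "workload_identity" {
  service_account_id = google_service_account.ci.name
  role               = "roles/iam.workloadIdentityUser"
  member             = "serviceAccount:${var.project_id}.svc.id.goog[${kubernetes_namespace.product.metadata[0].name}/gke-ci-run]"
}

# Isolation policy: deny all ingress to pods in the namespace; allow egress only
# to tcp/443 on any IP. Because "Egress" is listed in policy_types, any egress
# not matched below (including udp/53 to cluster DNS) is also denied, so verify
# name resolution from a runner pod after applying.
resource "kubernetes_network_policy" "ci_isolation" {
  metadata {
    name      = "ci-isolation"
    namespace = kubernetes_namespace.product.metadata[0].name
  }
  spec {
    pod_selector {}                      # every pod in the namespace
    policy_types = ["Ingress", "Egress"] # no ingress rules => all ingress denied
    egress {
      ports {
        port     = "443"
        protocol = "TCP"
      }
      to {
        ip_block { cidr = "0.0.0.0/0" }
      }
    }
  }
}
```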
Service Management and tech lead
The service owner for the GKE GitLab Runner platform is Abraham Martin.
The service manager and tech lead for the GKE GitLab Runner platform is Adam Deacon.
The following engineers have operational experience with the GKE GitLab Runner platform and are able to respond to support requests or incidents: