GKE GitLab Runner Platform

This page provides reference information relating to the DevOps team's Google Kubernetes Engine (GKE) GitLab Runner platform.

Platform Description

The GKE GitLab runner platform provides GKE-hosted GitLab Runner resources on which DevOps products run their CI jobs.

Platform Status

The GKE GitLab runner platform is live and in use by multiple DevOps product teams.

Contact

Technical queries and support should be directed to the Cloud Team MS Teams channel where members of the Cloud Team will be able to assist.

Issues discovered in the service or new feature requests should be opened as GitLab issues here.

Environments

The GKE GitLab Runner platform is currently deployed to both development and production environments. The GCP console landing pages for the environment projects are as follows:

Name         Project landing page
Production   gitlab-runner-prod-22257483
Development  gitlab-runner-devel-72a2b0bc

Source code

Source code for the GKE GitLab Runner platform infrastructure is in the gitlab-runner-infrastructure repository.

Technologies used

The GKE GitLab Runner platform uses the following technologies:

Architecture

GKE cluster configuration

The platform requires a GKE cluster. Unfortunately, because the GitLab Auto-DevOps Build stage depends on Docker in Docker (which needs privileged containers), GKE Autopilot cannot be used, as it does not support privileged containers. Instead, the cluster is provisioned as a Standard GKE cluster with the following notable configuration:

  • The cluster is deployed to the gitlab-runner-prod-22257483 Google project.
  • It is a zonal cluster configured in the europe-west2-a zone.
  • A single, auto-scaling node pool is configured to deploy nodes of machine type n1-standard-2 running the recommended Container-optimised OS with containerd (cos_containerd) image type.
  • Workload Identity is enabled.

Per-product configuration

Each product has the following resources created by the Terraform configuration (see the how-to for steps on adding a product to the Terraform deployment).

  • A unique Kubernetes namespace for the product's runners.
  • A Kubernetes service account (named gke-ci-run) in the product's namespace.
    • This includes IAM bindings for this service account to impersonate other service accounts using Workload Identity.
  • A GitLab runner pod deployed using the GitLab runner Helm chart.
  • A Kubernetes network policy which blocks ingress for all pods within the namespace and allows egress to any IP on port tcp/443 only. This ensures isolation between the CI/CD jobs of different products.
  • The following CI/CD variables, populated with the relevant values:
    • GKE_RUNNER_TAG
    • ARTIFACT_REGISTRY_DOCKER_REPOSITORY
    • ARTIFACT_REGISTRY_SERVICE_ACCOUNT
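The per-product network policy described above, written out as an added illustration rather than the project's own Terraform output; the namespace name is an assumption, and the kube-dns egress rule is included as an assumption because pods cannot resolve the GitLab hostname without it, even though the description above lists only tcp/443.

```yaml
# Added example of the per-product isolation policy; not taken from the
# gitlab-runner-infrastructure repository. Namespace name is assumed.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: runner-isolation
  namespace: example-product-ci      # assumed per-product namespace
spec:
  podSelector: {}                    # every pod in the namespace, runner and job pods alike
  policyTypes:
    - Ingress
    - Egress
  # No ingress rules at all: every inbound connection to pods in this namespace
  # is denied, including from runner or job pods in other products' namespaces.
  ingress: []
  egress:
    # Outbound HTTPS to any address (GitLab, Artifact Registry, Google APIs).
    - to:
        - ipBlock:
            cidr: 0.0.0.0/0
      ports:
        - protocol: TCP
          port: 443
    # ASSUMPTION: DNS to the cluster resolver. Without this rule a tcp/443-only
    # policy blocks name resolution and jobs fail before reaching GitLab.
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
```

Because the policy selects all pods in the namespace, it also covers the short-lived job pods the runner creates; a quick check after applying it is to run a job that attempts an outbound connection on a non-443 port and confirm it times out.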

Service Management and tech lead

The service owner for the GKE GitLab Runner platform is Abraham Martin.

The service manager and tech lead for the GKE GitLab Runner platform is Adam Deacon.

The following engineers have operational experience with the GKE GitLab Runner platform and are able to respond to support requests or incidents:

See also