packaged by Chainguard
Contact our team to test out this image for free. Please also indicate any other images you would like to evaluate.
gitlab-runner-operator is a Kubernetes/OpenShift operator that manages the lifecycle of GitLab Runner instances via the Runner custom resource.
Chainguard Containers are regularly-updated, secure-by-default container images.
For those with access, this container image is available on cgr.dev:
Be sure to replace the ORGANIZATION placeholder with the name used for your organization's private repository within the Chainguard Registry.
The Chainguard gitlab-runner-operator-fips image is the FIPS-enabled variant of the gitlab-runner-operator image. It shares the same minimal, distroless design and is a drop-in replacement for the upstream GitLab Runner Operator image, with the following differences:
/usr/bin/manager, which is also the image entrypoint. A relative /manager symlink mirrors the upstream entrypoint path, so existing manifests and Operator Lifecycle Manager (OLM) bundles continue to work unchanged./templates, matching the upstream image layout.Aside from its FIPS and hardening properties, the gitlab-runner-operator-fips image is operated in exactly the same way as the standard gitlab-runner-operator image. It manages GitLab Runner instances through the Runner custom resource and is typically installed through OLM or the upstream config/ manifests; there is no official Helm chart.
The gitlab-runner-operator-fips Chainguard Image ships with a validated redistribution of the OpenSSL's FIPS provider module. For more on FIPS support in Chainguard Images, consult the guide on FIPS-enabled Chainguard Images on Chainguard Academy
To follow the examples in this section, you need the following:
kubectl client configured to reach it.The gitlab-runner-operator-fips image is designed to run inside a Kubernetes or OpenShift cluster, where it watches for Runner resources and reconciles them into running GitLab Runner instances.
Begin by registering the Runner custom resource definition (CRD) that the operator reconciles. The following command applies the CRD from the operator's upstream repository:
Next, define a namespace, a service account, and a deployment that runs the operator. The following command writes these resources to a file:
Apply the manifest to your cluster:
Once the deployment is available, confirm that the operator has started and is reconciling resources by checking its logs:
With the operator running, you can register a runner. The following command creates a secret that holds the GitLab registration token, along with a Runner resource that references it:
Apply the runner definition:
The operator renders the runner configuration into a ConfigMap named after the Runner resource, then deploys a GitLab Runner instance that registers with the GitLab URL you provided.
The gitlab-runner-operator-fips image uses the same configuration interface as the upstream operator, which is driven through command-line flags and environment variables on the manager container.
As an example, the deployment above disables the admission webhooks by setting the ENABLE_WEBHOOKS environment variable to "false". The webhooks validate Runner resources but require TLS certificates to be provisioned in the cluster, so disabling them is a convenient way to evaluate the operator before you configure certificate management. In a production cluster where certificates are available, omit this variable to benefit from webhook validation.
Because this image is built with STIG hardening enforced, you should run it on cluster nodes whose configuration also satisfies your hardening baseline; the image hardening complements, but does not replace, node-level controls.
For the full set of supported flags, environment variables, and Runner fields, refer to the upstream GitLab Runner Operator documentation.
Chainguard's free tier of Starter container images are built with Wolfi, our minimal Linux undistro.
All other Chainguard Containers are built with Chainguard OS, Chainguard's minimal Linux operating system designed to produce container images that meet the requirements of a more secure software supply chain.
The main features of Chainguard Containers include:
For cases where you need container images with shells and package managers to build or debug, most Chainguard Containers come paired with a development, or -dev, variant.
In all other cases, including Chainguard Containers tagged as :latest or with a specific version number, the container images include only an open-source application and its runtime dependencies. These minimal container images typically do not contain a shell or package manager.
Although the -dev container image variants have similar security features as their more minimal versions, they include additional software that is typically not necessary in production environments. We recommend using multi-stage builds to copy artifacts from the -dev variant into a more minimal production image.
To improve security, Chainguard Containers include only essential dependencies. Need more packages? Chainguard customers can use Custom Assembly to add packages, either through the Console, chainctl, or API.
To use Custom Assembly in the Chainguard Console: navigate to the image you'd like to customize in your Organization's list of images, and click on the Customize image button at the top of the page.
Refer to our Chainguard Containers documentation on Chainguard Academy. Chainguard also offers VMs and Libraries — contact us for access.
This software listing is packaged by Chainguard. The trademarks set forth in this offering are owned by their respective companies, and use of them does not imply any affiliation, sponsorship, or endorsement by such companies.
Chainguard's container images contain software packages that are direct or transitive dependencies. The following licenses were found in the "latest" tag of this image:
Apache-2.0
GCC-exception-3.1
GPL-3.0-or-later
LGPL-2.1-or-later
MIT
MPL-2.0
NIST-PD
For a complete list of licenses, please refer to this Image's SBOM.
Software license agreementChainguard Containers are SLSA Level 3 compliant with detailed metadata and documentation about how it was built. We generate build provenance and a Software Bill of Materials (SBOM) for each release, with complete visibility into the software supply chain.
SLSA compliance at ChainguardThis image helps reduce time and effort in establishing PCI DSS 4.0 compliance with low-to-no CVEs.
PCI DSS at ChainguardThis is a FIPS validated image for FedRAMP compliance.
This image is STIG hardened and scanned against the DISA General Purpose Operating System SRG with reports available.
Learn more about STIGsGet started with STIGs