packaged by Chainguard
Contact our team to test out this image for free. Please also indicate any other images you would like to evaluate.
gitlab-runner-operator is a Kubernetes/OpenShift operator that manages the lifecycle of GitLab Runner instances via the Runner custom resource.
Chainguard Containers are regularly-updated, secure-by-default container images.
For those with access, this container image is available on cgr.dev:
Be sure to replace the ORGANIZATION placeholder with the name used for your organization's private repository within the Chainguard Registry.
The Chainguard gitlab-runner-operator image is a minimal, distroless replacement for the upstream GitLab Runner Operator image, with the following differences:
/usr/bin/manager, which is also the image entrypoint. A relative /manager symlink mirrors the upstream entrypoint path, so existing manifests and Operator Lifecycle Manager (OLM) bundles continue to work unchanged./templates, matching the upstream image layout.The gitlab-runner-operator image manages GitLab Runner instances through the Runner custom resource. It is typically installed through OLM or the upstream config/ manifests; there is no official Helm chart.
To follow the examples in this section, you need the following:
kubectl client configured to reach it.The gitlab-runner-operator image is designed to run inside a Kubernetes or OpenShift cluster, where it watches for Runner resources and reconciles them into running GitLab Runner instances.
Begin by registering the Runner custom resource definition (CRD) that the operator reconciles. The following command applies the CRD from the operator's upstream repository:
Next, define a namespace, a service account, and a deployment that runs the operator. The following command writes these resources to a file:
Apply the manifest to your cluster:
Once the deployment is available, confirm that the operator has started and is reconciling resources by checking its logs:
With the operator running, you can register a runner. The following command creates a secret that holds the GitLab registration token, along with a Runner resource that references it:
Apply the runner definition:
The operator renders the runner configuration into a ConfigMap named after the Runner resource, then deploys a GitLab Runner instance that registers with the GitLab URL you provided.
The gitlab-runner-operator image uses the same configuration interface as the upstream operator, which is driven through command-line flags and environment variables on the manager container.
As an example, the deployment above disables the admission webhooks by setting the ENABLE_WEBHOOKS environment variable to "false". The webhooks validate Runner resources but require TLS certificates to be provisioned in the cluster, so disabling them is a convenient way to evaluate the operator before you configure certificate management. In a production cluster where certificates are available, omit this variable to benefit from webhook validation.
For the full set of supported flags, environment variables, and Runner fields, refer to the upstream GitLab Runner Operator documentation.
Chainguard's free tier of Starter container images are built with Wolfi, our minimal Linux undistro.
All other Chainguard Containers are built with Chainguard OS, Chainguard's minimal Linux operating system designed to produce container images that meet the requirements of a more secure software supply chain.
The main features of Chainguard Containers include:
For cases where you need container images with shells and package managers to build or debug, most Chainguard Containers come paired with a development, or -dev, variant.
In all other cases, including Chainguard Containers tagged as :latest or with a specific version number, the container images include only an open-source application and its runtime dependencies. These minimal container images typically do not contain a shell or package manager.
Although the -dev container image variants have similar security features as their more minimal versions, they include additional software that is typically not necessary in production environments. We recommend using multi-stage builds to copy artifacts from the -dev variant into a more minimal production image.
To improve security, Chainguard Containers include only essential dependencies. Need more packages? Chainguard customers can use Custom Assembly to add packages, either through the Console, chainctl, or API.
To use Custom Assembly in the Chainguard Console: navigate to the image you'd like to customize in your Organization's list of images, and click on the Customize image button at the top of the page.
Refer to our Chainguard Containers documentation on Chainguard Academy. Chainguard also offers VMs and Libraries — contact us for access.
This software listing is packaged by Chainguard. The trademarks set forth in this offering are owned by their respective companies, and use of them does not imply any affiliation, sponsorship, or endorsement by such companies.
Chainguard's container images contain software packages that are direct or transitive dependencies. The following licenses were found in the "latest" tag of this image:
Apache-2.0
LGPL-2.1-or-later
MIT
MPL-2.0
For a complete list of licenses, please refer to this Image's SBOM.
Software license agreementChainguard Containers are SLSA Level 3 compliant with detailed metadata and documentation about how it was built. We generate build provenance and a Software Bill of Materials (SBOM) for each release, with complete visibility into the software supply chain.
SLSA compliance at ChainguardThis image helps reduce time and effort in establishing PCI DSS 4.0 compliance with low-to-no CVEs.
PCI DSS at ChainguardA FIPS validated version of this image is available for FedRAMP compliance. STIG is included with FIPS image.