Orchestrating Scalable CI/CD Pipelines via GitLab Runner on Kubernetes

The transition from legacy virtualization models to container orchestration represents a fundamental shift in how large-scale scientific and engineering organizations manage continuous integration and continuous delivery (CI/CD) workloads. For massive entities like CERN, the requirement for high-availability runner infrastructure is not merely a matter of convenience but a prerequisite for global research productivity. A GitLab Runner serves as the specialized application responsible for executing the specific jobs defined within a GitLab CI/CD pipeline. Historically, many organizations relied on fixed-capacity Docker runners operating within OpenStack virtual machines, often utilizing the docker machine utility. However, the deprecation of docker machine by Docker forced a strategic pivot. As user bases expand—as seen with the growth of licensed users at CERN—the demand for concurrent pipelines scales exponentially, rendering static virtual machine pools insufficient. The adoption of Kubernetes as the underlying execution engine for GitLab Runners provides a robust, elastic, and highly available infrastructure capable of meeting the diverse needs of physicists, machine learning developers, hardware designers, and software engineers.

The Architectural Evolution from Docker Machine to Kubernetes Executors

The shift from legacy infrastructure to Kubernetes-based runners addresses several critical technical debt issues and scalability bottlenecks. In the older paradigm, relying on docker machine and OpenStack VMs created a rigid environment where scaling was slow and resource allocation was often inefficient. Because docker machine was deprecated, maintaining such a system required specialized forks, increasing the operational overhead and security risks for the organization.

By moving to the Kubernetes executor, the infrastructure gains several transformative properties:

  • Reliability through orchestration: Kubernetes manages the lifecycle of the runner pods, ensuring that if a node fails, the workload can be rescheduled.
  • Elastic scalability: Unlike fixed VM pools, Kubernetes allows for the rapid provisioning of resources based on real-time demand.
  • Availability: The distributed nature of Kubernetes clusters ensures that the CI/CD service remains available even during localized hardware failures.

This transition allows organizations to move away from a "one size fits all" approach toward a more granular, specialized deployment model. For instance, the ability to decouple clusters means that deployment, testing, and maintenance of the runner infrastructure can occur with much higher velocity and lower risk of global service interruption.

Deployment via the Official GitLab Runner Helm Chart

The most authoritative and efficient method for deploying GitLab Runner into a Kubernetes cluster is through the use of the official Helm chart. This method ensures that the runner is correctly configured to utilize the Kubernetes executor, which is the mechanism that provisions a new, dedicated pod within a specified namespace for every individual CI/CD job. This "pod-per-job" model ensures complete isolation between different pipeline runs, preventing cross-job interference and enhancing security.

Deployment Prerequisites and Tiers

Before initiating a deployment, administrators must identify their specific GitLab tier and environment. The availability of the Helm chart is standardized across various GitLab offerings.

Offering Supported Tiers Deployment Method
GitLab.com Free, Premium, Ultimate Helm Chart
GitLab Self-Managed Free, Premium, Ultimate Helm Chart
GitLab Dedicated Free, Premium, Ultimate Helm Chart

To successfully execute a deployment, the following technical prerequisites must be met:

  • A functional Kubernetes cluster must be reachable.
  • The Helm client must be installed locally on the administrator's workstation.
  • A properly formatted values.yaml file must be prepared to contain all custom configuration parameters.

Step-by-Step Installation Workflow

The installation process follows a strict sequence of commands to ensure the local Helm environment is synchronized with the official GitLab repositories.

  1. Add the official GitLab Helm repository to the local environment:
    helm repo add gitlab https://charts.gitlab.io

  2. Update the local repository metadata to ensure the latest chart versions are visible:
    helm repo update gitlab

  3. Search the repository to verify the available versions of the GitLab Runner chart:
    helm search repo -l gitlab/gitlab-runner

  4. Execute the installation command based on the version of Helm being utilized. It is critical to note that Helm 2 and Helm 3 utilize different syntax for installation.

For administrators utilizing Helm 3 (the modern standard):
helm install --namespace <NAMESPACE> gitlab-runner -f <CONFIG_VALUES_FILE> gitlab/gitlab-runner

For administrators utilizing the legacy Helm 2:
helm install --namespace <NAMESPACE> --name gitlab-runner -f <CONFIG_VALUES_FILE> gitlab/gitlab-runner

In these commands, <NAMESPACE> represents the specific Kubernetes namespace where the runner will reside, and <CONFIG_VALUES_FILE> points to the path of the customized values.yaml file. If a specific version of the chart is required to match a specific runner version, the --version <RUNNER_HELM_CHART_VERSION> flag must be appended to the helm install command. It is important to exercise caution when mixing versions, as more recent values.yaml configurations may not be compatible with older versions of the Helm chart.

Advanced Scalability and Multi-Cluster Strategies

One of the most significant advantages of the Kubernetes-based runner architecture is the ability to implement sophisticated scaling and multi-cluster strategies. This is particularly vital for organizations with massive, heterogeneous user bases.

Scaling Dynamics

In a highly optimized environment, Kubernetes runners can exhibit extreme elasticity. For example, a well-configured cluster can scale from 0 to 100 pods almost instantly to meet a sudden surge in pipeline demands. This scaling can be distributed across more than 20 individual nodes. Furthermore, the infrastructure can be expanded to support 200 or more concurrent jobs seamlessly by adding more nodes to the underlying Kubernetes cluster. This capacity to handle rapid spikes—such as transitioning from zero to 100 jobs within a single minute—is a hallmark of the Kubernetes executor.

Specialized Cluster Environments

A "silver bullet" approach to shared runners is often impossible in complex organizations. Different user groups require different environments, capabilities, and access levels. By utilizing multiple Kubernetes clusters, an organization can provide specialized runner instances:

  • Default Cluster: This serves as the primary workhorse, providing generic runners that can accommodate the vast majority of standard CI/CD tasks.
  • CVMFS Cluster: This is a specialized cluster designed to work with the CernVM File System (CVMFS). CVMFS is a scalable, reliable, and low-maintenance software distribution service, making this cluster essential for specific research and scientific computing workflows.

This multi-cluster approach ensures that a machine learning developer's heavy workload does not starve a software engineer's lightweight build process, and that the specific filesystem requirements of physicists are met without complicating the general-purpose infrastructure.

Troubleshooting and Configuration Validation

Deploying GitLab Runners in a Kubernetes environment is not without technical challenges. Errors often arise from misconfigurations in the values.yaml file or issues with runner registration and connectivity.

Common Configuration Errors

One common issue involves the use of experimental features or incorrect schema annotations. If the values.yaml file does not adhere to the expected JSON schema, the runner may fail to initialize correctly. A frequent error relates to the pull_policy setting within the Kubernetes executor configuration.

An example of a schema validation error is:
jsonschema: '/runners/0/kubernetes/pull_policy' does not validate with https://gitlab.com/gitlab-org/gitlab-runner/common/config#/$ref/properties/runners/items/$ref/properties/kubernetes/$ref/properties/pull_policy/$ref/type: expected array, but got null

This indicates that the configuration expected an array format for the pull policy but received a null value, which can prevent the runner from correctly pulling container images for jobs.

Runner Health and Connectivity Issues

Even when the runner pod is successfully running within the Kubernetes cluster, it may not appear in the GitLab User Interface (UI). This often points to a failure in the runner's ability to communicate with the GitLab instance or an authentication failure.

Key indicators of a failing runner include:

  • Forbidden errors during job checks:
    ERROR: Checking for jobs... forbidden runner=gitlab-r

  • Unhealthy runner status:
    ERROR: Runner "https://gitlab.<abc>.com/gitlab-runner-token" is unhealthy and will be disabled for 1h0m0s seconds! unhealthy_requests=3 unhealthy_requests_limit=3

When a runner exceeds the unhealthy_requests_limit (in this case, 3 requests), GitLab will automatically disable the runner for a cooling-off period (1 hour) to prevent further instability. Administrators must investigate the runner's logs and ensure that the registration token and network connectivity to the GitLab instance are valid.

Security Frameworks and Future Directions

As organizations transition to Kubernetes runners, security becomes a central pillar of the infrastructure design. The deployment of runners must align with organizational security policies to ensure that CI/CD workflows remain compliant and secure. This involves close collaboration with security teams to establish frameworks that promote a security-conscious culture, ensuring that the automated execution of code does not introduce vulnerabilities into the production environment.

The Path Toward Privileged Runners

The roadmap for Kubernetes-based runner infrastructure includes the provisioning of privileged Kubernetes runners. The implementation of privileged runners is a critical step in the complete turnover from legacy systems. These runners will eventually allow for more complex tasks that require direct access to the host kernel or specific hardware resources, which were previously handled by the docker machine and OpenStack model. This transition is viewed as a challenging but necessary evolution to fully replace the older infrastructure and complete the migration to a modern, container-native CI/CD ecosystem.

Analysis of Infrastructure Transition

The migration from docker machine based virtual machines to Kubernetes-orchestrated runners represents a strategic move toward operational excellence. The primary drivers for this change are the inherent limitations of legacy scaling models and the increasing complexity of modern software development lifecycles. By leveraging the Kubernetes executor, organizations gain the ability to treat CI/CD capacity as a dynamic, elastic resource rather than a static, depreciating asset.

The implementation of multi-cluster strategies allows for the segregation of concerns, ensuring that specialized workloads—such as those requiring CVMFS—are isolated from generic development tasks. This not only improves performance but also enhances the reliability of the entire ecosystem. While the transition introduces new complexities in terms of Helm chart management, JSON schema validation, and Kubernetes namespace orchestration, the benefits of reduced operational costs and increased job concurrency are substantial. The move toward privileged runners suggests that the ultimate goal is a total replacement of legacy virtualization, providing a unified, scalable, and highly secure environment for the next generation of scientific and software engineering advancement.

Sources

  1. GitLab Runners and Kubernetes: A Powerful Duo for CI/CD
  2. GitLab Runner Helm chart Documentation
  3. GitLab Forum: Gitlab runner deploy on Kubernetes

Related Posts