forgejo-runner/examples/kubernetes/README.md

# Kubernetes Docker in Docker Deployment

Registers Kubernetes Pod runners using [offline registration](https://forgejo.org/docs/latest/admin/runner-installation/#offline-registration), allowing the scaling of runners as needed.

NOTE: Docker in Docker (dind) requires elevated privileges on Kubernetes. The current way to achieve this is to set the pod `SecurityContext` to `privileged`. Keep in mind that this is a potential security issue that has the potential for a malicious application to break out of the container context.

[`dind-docker.yaml`](dind-docker.yaml) creates a Deployment and Secret for Kubernetes to act as a runner. The Docker credentials are re-generated each time the pod connects and does not need to be persisted.

Do not forget to update `FORGEJO_INSTANCE_URL` value.

# Build you first container image
First, you will need to generate an Applications Access token with the permission `write:package` (see [doc](https://forgejo.org/docs/latest/user/token-scope/)), usually from https://your-forgejo.fr/user/settings/applications.

Then, you will create 2 forgejo Actions [Secrets](https://forgejo.org/docs/latest/user/actions/#secrets):
  - `USERNAME_WRITE_REPOSITORY` containing Token name
  - `PASSWORD_WRITE_REPOSITORY` containing Token value

And you can then, use the [`build.yaml`](build.yaml) file provided as exemple.

This file must be created in your repository under: `.forgejo/workflows/build.yaml`
Improve doc and add full example for Kubernetes (#657) Reviewed-on: https://code.forgejo.org/forgejo/runner/pulls/657 Reviewed-by: earl-warren <earl-warren@noreply.code.forgejo.org> Co-authored-by: Grégoire Bellon-Gervais <gregoire.bellon-gervais@docaposte.fr> Co-committed-by: Grégoire Bellon-Gervais <gregoire.bellon-gervais@docaposte.fr> 2025-07-03 15:22:24 +00:00			`# Kubernetes Docker in Docker Deployment`
Documentation enhancements (#207) This PR addresses the issue listed in issue #170 regarding how to set up rootless Docker. It also expands on the documentation to show how to create deployments for different environments. Co-authored-by: ccureau <ccureau@noreply.gitea.io> Reviewed-on: https://gitea.com/gitea/act_runner/pulls/207 Reviewed-by: Jason Song <i@wolfogre.com> Co-authored-by: Chris Cureau <cmcureau@gmail.com> Co-committed-by: Chris Cureau <cmcureau@gmail.com> 2023-06-05 08:46:15 +00:00
Improve doc and add full example for Kubernetes (#657) Reviewed-on: https://code.forgejo.org/forgejo/runner/pulls/657 Reviewed-by: earl-warren <earl-warren@noreply.code.forgejo.org> Co-authored-by: Grégoire Bellon-Gervais <gregoire.bellon-gervais@docaposte.fr> Co-committed-by: Grégoire Bellon-Gervais <gregoire.bellon-gervais@docaposte.fr> 2025-07-03 15:22:24 +00:00			`Registers Kubernetes Pod runners using [offline registration](https://forgejo.org/docs/latest/admin/runner-installation/#offline-registration), allowing the scaling of runners as needed.`
[FORGEJO] update Kubernetes example README 2023-08-17 10:43:07 +01:00
Documentation enhancements (#207) This PR addresses the issue listed in issue #170 regarding how to set up rootless Docker. It also expands on the documentation to show how to create deployments for different environments. Co-authored-by: ccureau <ccureau@noreply.gitea.io> Reviewed-on: https://gitea.com/gitea/act_runner/pulls/207 Reviewed-by: Jason Song <i@wolfogre.com> Co-authored-by: Chris Cureau <cmcureau@gmail.com> Co-committed-by: Chris Cureau <cmcureau@gmail.com> 2023-06-05 08:46:15 +00:00			NOTE: Docker in Docker (dind) requires elevated privileges on Kubernetes. The current way to achieve this is to set the pod `SecurityContext` to `privileged`. Keep in mind that this is a potential security issue that has the potential for a malicious application to break out of the container context.

Improve doc and add full example for Kubernetes (#657) Reviewed-on: https://code.forgejo.org/forgejo/runner/pulls/657 Reviewed-by: earl-warren <earl-warren@noreply.code.forgejo.org> Co-authored-by: Grégoire Bellon-Gervais <gregoire.bellon-gervais@docaposte.fr> Co-committed-by: Grégoire Bellon-Gervais <gregoire.bellon-gervais@docaposte.fr> 2025-07-03 15:22:24 +00:00			[`dind-docker.yaml`](dind-docker.yaml) creates a Deployment and Secret for Kubernetes to act as a runner. The Docker credentials are re-generated each time the pod connects and does not need to be persisted.

			Do not forget to update `FORGEJO_INSTANCE_URL` value.

			`# Build you first container image`
			First, you will need to generate an Applications Access token with the permission `write:package` (see [doc](https://forgejo.org/docs/latest/user/token-scope/)), usually from https://your-forgejo.fr/user/settings/applications.

			`Then, you will create 2 forgejo Actions [Secrets](https://forgejo.org/docs/latest/user/actions/#secrets):`
			- `USERNAME_WRITE_REPOSITORY` containing Token name
			- `PASSWORD_WRITE_REPOSITORY` containing Token value

			And you can then, use the [`build.yaml`](build.yaml) file provided as exemple.

			This file must be created in your repository under: `.forgejo/workflows/build.yaml`