From 00b7fec80fa2d42040772842af3e877b9833544d Mon Sep 17 00:00:00 2001 From: thisisqasim <40013+thisisqasim@noreply.gitea.com> Date: Thu, 14 May 2026 05:52:41 +0000 Subject: [PATCH] Simplify kubernetes dind example allowing for default docker config in workflows (#709) With this, docker clients in workflows can connect on the default socket without needing to change DOCKER_HOST. The startup probe also removes the need for a custom shell command. Co-authored-by: silverwind Reviewed-on: https://gitea.com/gitea/runner/pulls/709 Co-authored-by: thisisqasim <40013+thisisqasim@noreply.gitea.com> Co-committed-by: thisisqasim <40013+thisisqasim@noreply.gitea.com> --- examples/kubernetes/README.md | 4 +++ examples/kubernetes/dind-docker.yaml | 41 +++++++++++------------- examples/kubernetes/rootless-docker.yaml | 4 +-- 3 files changed, 24 insertions(+), 25 deletions(-) diff --git a/examples/kubernetes/README.md b/examples/kubernetes/README.md index 79acc562..c755c885 100644 --- a/examples/kubernetes/README.md +++ b/examples/kubernetes/README.md @@ -2,6 +2,10 @@ NOTE: Docker in Docker (dind) requires elevated privileges on Kubernetes. The current way to achieve this is to set the pod `SecurityContext` to `privileged`. Keep in mind that this is a potential security issue that has the potential for a malicious application to break out of the container context. +NOTE: `dind-docker.yaml` uses the native sidecar pattern (init container with `restartPolicy: Always`), which requires Kubernetes 1.29+ (or 1.28 with the `SidecarContainers` feature gate). + +NOTE: A helm chart for `gitea-runner` also exists for easier deployments https://gitea.com/gitea/helm-actions + Files in this directory: - [`dind-docker.yaml`](dind-docker.yaml) diff --git a/examples/kubernetes/dind-docker.yaml b/examples/kubernetes/dind-docker.yaml index b247f3d9..ce3b4a22 100644 --- a/examples/kubernetes/dind-docker.yaml +++ b/examples/kubernetes/dind-docker.yaml 
@@ -4,7 +4,7 @@ metadata: name: runner-vol spec: accessModes: - - ReadWriteOnce + - ReadWriteOnce resources: requests: storage: 1Gi @@ -35,28 +35,35 @@ spec: strategy: {} template: metadata: - creationTimestamp: null labels: app: runner spec: restartPolicy: Always volumes: - - name: docker-certs + - name: docker-socket emptyDir: {} - name: runner-data persistentVolumeClaim: claimName: runner-vol + initContainers: + - name: docker + image: docker:28.2.2-dind + securityContext: + privileged: true + volumeMounts: + - name: docker-socket + mountPath: /var/run + startupProbe: + exec: + command: ["/usr/bin/test", "-S", "/var/run/docker.sock"] + livenessProbe: + exec: + command: ["/usr/bin/test", "-S", "/var/run/docker.sock"] + restartPolicy: Always containers: - name: runner image: gitea/runner:nightly - command: ["sh", "-c", "while ! nc -z localhost 2376