act_runner/examples/kubernetes/dind-docker.yaml

kind: PersistentVolumeClaim
apiVersion: v1
metadata:
  name: runner-vol
spec:
  accessModes:
  - ReadWriteOnce
  resources:
    requests:
      storage: 1Gi
  storageClassName: standard
---
apiVersion: v1
data:
  # The registration token can be obtained from the web UI, API or command-line.
  # You can also set a pre-defined global runner registration token for the Gitea instance via
  # `GITEA_RUNNER_REGISTRATION_TOKEN`/`GITEA_RUNNER_REGISTRATION_TOKEN_FILE` environment variable.
  token: << base64 encoded registration token >>
kind: Secret
metadata:
  name: runner-secret
type: Opaque
---
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: runner
  name: runner
spec:
  replicas: 1
  selector:
    matchLabels:
      app: runner
  strategy: {}
  template:
    metadata:
      labels:
        app: runner
    spec:
      restartPolicy: Always
      volumes:
      - name: docker-socket
        emptyDir: {}
      - name: runner-data
        persistentVolumeClaim:
          claimName: runner-vol
      initContainers:
      - name: docker
        image: docker:28.2.2-dind
        securityContext:
          privileged: true
        volumeMounts:
        - name: docker-socket
          mountPath: /var/run
        startupProbe:
          exec:
            command: ["/usr/bin/test", "-S", "/var/run/docker.sock"]
        livenessProbe:
          exec:
            command: ["/usr/bin/test", "-S", "/var/run/docker.sock"]
        restartPolicy: Always
      containers:
      - name: runner
        image: gitea/runner:nightly
        env:
        - name: GITEA_INSTANCE_URL
          value: http://gitea-http.gitea.svc.cluster.local:3000
        - name: GITEA_RUNNER_REGISTRATION_TOKEN
          valueFrom:
            secretKeyRef:
              name: runner-secret
              key: token
        volumeMounts:
        - name: runner-data
          mountPath: /data
        - name: docker-socket
          mountPath: /var/run