★Start Free★
Guides

Configuring Self-Hosted Runners for Jit

Additional requirements needed in case self-hosted runners are used

Suggest Edits

This guide explains how to configure self-hosted runners for Jit. In this guide, we will configure your self-hosted runners so that Jit's security scans can run on them smoothly.

Prerequisites

Before configuring self-hosted runners, ensure the following:

  • Runner Environment: Use a compatible amd64 architecture (x86) machine.
  • Tools Installed: NEED TO VERIFY FOR EC2 NOT NEED FOR K8s
    • git
    • jq
    • nodejs
    • npm
  • Docker Installed: Runners rely on Docker to execute jobs.

Kubernetes Setup

  1. after finishing the onboarding, go to admin portal and generate credentials.
  2. Apply creds on your cluster:
    1. Clone this repo - https://github.com/jitsecurity/jit-customer-scripts locally
    2. Go to src/kubernetes/jit_ecr
    3. Update the values.yml file with Jit client Id and token created in the previous step inside the quotes.
    4. Apply the helm chart to the cluster helm install jit-ecr and make sure credentials were created when running logs command on the pod

      📘

      Note

      if you prefer Jit runners to run on another namespace - change the namespace parameter in the values.yaml

  3. GitLab runners require Jit's ECR access configured in step #2, Set the runners.kubernetes image configuration to the secret generated in the previous step, sample snippet from the runner's configuration:
runners: 
  config: |
    [[runners]]
      name = "gitlab-runner"
      executor="kubernetes"
      [runners.kubernetes]
         poll_timeout = 2000
         node_selector_overwrite_allowed = ".*"
         image_pull_secrets=["jit-registry-creds"] # <-- important to pull from Jit private registry
         pull_policy=["always"] # <-- important as we use latest images.
         namespace="<your_namespace>" # Only if you install the runners in a different namespace

EC2 Setup

  1. Start an SSH tunnel to the desired instance.
  2. Enable privileged mode for Docker in the runner configuration:
sudo nano /etc/gitlab-runner/config.toml

Add:

[runners.docker]
privileged = true

Troubleshooting Common Issues

Docker Privilege Errors

If you encounter errors like these:

AppArmor detection and --privileged mode might break.  
mount: permission denied (are you root?)

Ensure the following is set in /etc/gitlab-runner/config.toml:

[runners.docker]  
privileged = true

Platform Mismatch Errors

Ensure your runner uses amd64 architecture:

WARNING: The requested image's platform (linux/amd64) does not match the detected host platform (linux/arm64/v8)

Jobs Stuck on "Pending"

If jobs are stuck despite the runner being active:

  1. Ensure Run untagged jobs is checked.
  2. Verify job tags match the runner tags.

Updated 5 days ago