Home

Awesome

Kubernoodles

Kubernoodles is a framework for managing custom self-hosted runners for GitHub Actions in Kubernetes at the enterprise-wide scale. The design goal is to easily bootstrap a system where customized self-hosted runners update, build, test, deploy, and scale themselves with minimal interaction from enterprise admins and maximum input from the developers using it.

This is an opinionated reference implementation, designed to be taken and modified to your liking. I use this to test GitHub Actions on my personal account, GitHub Enterprise Cloud (SaaS) or GitHub Enterprise Server (self-hosted) from Docker Desktop, a Raspberry Pi cluster for arm64, a managed Kubernetes provider, and other random platforms as needed. Your implementation may look wildly different, etc.

:question: Are you a GitHub Enterprise admin that's new to GitHub Actions? Don't know how to set up self-hosted runners at scale? Start here!

Pull requests welcome! :heart:

Setup

The admin introduction walks you through some key considerations on how to think about implementing GitHub Actions at the enterprise scale, the implications of those decisions, and why this project is generally built out the way it is.

The admin setup is a mostly copy-and-paste exercise to get a basic deployment up and going.

The customization guide has a quick writeup and links to learn more about the ways you can customize things to your needs.

Tips and tricks has a few more considerations if things aren't quite going according to plan.

Choosing the image(s)

There are currently 5 images that are "prebuilt" by this project, although you can certainly use others or build your own! All images assume that they are ephemeral. If you're copy/pasting out of the deployments, you should be set ... provided you give it the right repository/organization/enterprise to use!

<!-- START_SECTION:table -->
image namebase imageCVE count<br>(crit/high/med+below)archsvirtualization?sudo?notes
ubi8ubi8-init:8.100/4/552x86_64<br>arm64:x::x:n/a
ubi9ubi9-init:9.50/4/546x86_64<br>arm64:x::x:n/a
rootless-ubuntu-jammyubuntu:jammy (22.04 LTS)0/4/170x86_64<br>arm64rootless Docker-in-Docker:x:common rootless problems
rootless-ubuntu-numbatubuntu:numbat (24.04 LTS)0/4/86x86_64<br>arm64rootless Docker-in-Docker:x:common rootless problems
wolfi:latestwolfi-base:latest0/1/0x86_64<br>arm64:x::x:n/a
<!-- END_SECTION:table --> <!-- START_SECTION:date -->

[!NOTE] CVE count was done on 17 November 2024 with the latest versions of grype and runner image tags.

<!-- END_SECTION:date -->

Design goals and compromises

There are a few assumptions that go into this that aren't necessarily true or best practices outside of an enterprise "walled garden". Being approachable and readable are the most important goals of all code and documentation. As a reference implementation, this isn't a turn-key solution, but the amount of fiddling needed should be up to you as much as possible. Links to the appropriate documentation, resources to learn more where needed, and explanations of design choices will be included!

Co-tenanted business systems tend to have small admin teams running services (like GitHub Enterprise) available to a large group of diverse internal users. That system places a premium on people-overhead more than computer-overhead. The implication of that is an anti-pattern where there are larger containers capable of lots of different things instead of discrete, "microservices" type containers.

Moving data around locally is exponentially cheaper and easier than pulling data in from external sources, especially in a larger company. Big containers are not scary if the registry, the compute, and the entire network path is all within the same datacenter or availability zone. Caching on-site is important to prevent rate-limiting by upstream providers, as that can take down other services and users that rely on them. This also provides a mechanism for using a "trusted" package registry, common in enterprise environments, using an .env file as outlined here.

Sources

These are all excellent reads and can provide more insight into the customization options and updates than are available in this repository. This entire repository is mostly gluing a bunch of these other bits together and explaining how/why to make this your own.

Learn more

Dependencies of note

[!NOTE] GHES users prior to 3.9, please navigate back to tag v0.9.6 (release) for the APIs that'll work for you. :heart: