Version 1.0.0

Kubernetes

The goal of this document is to give you enough technical specifics to configure and run Drone on Kubernetes. Support for Kubernetes is experimental. If you are interested in helping improve and productionalize the Drone Kubernetes Engine please contact us.

Prerequisites

Create a Shared Secret

Create a shared secret to authenticate communication between Pipeline controllers and your central Drone server. This shared secret is passed to the server using the DRONE_RPC_SECRET environment variable.

You can use openssl to generate a shared secret:

$ openssl rand -hex 16
bea26a2221fd8090ea38720fc445eca6

Container Configuration

The Drone server is distributed as a Docker container and can be configured to run in Kubernetes. The container is configured with environment variables. For a complete list of configuration parameters, please see the configuration reference.

apiVersion: v1
kind: Pod
metadata:
  # example name; a Pod requires metadata.name
  name: drone
spec:
  containers:
  - name: drone
    image: drone/drone:1.0.0
    env:
    - name: DRONE_KUBERNETES_ENABLED
      # env values must be strings, so the boolean is quoted
      value: "true"
    - name: DRONE_KUBERNETES_NAMESPACE
      value: default
    - name: DRONE_GITEA_SERVER
      value: {% your-gitea-server-address %}
    - name: DRONE_RPC_SECRET
      value: {% your-shared-secret %}
    - name: DRONE_SERVER_HOST
      value: {% your-drone-server-host %}
    - name: DRONE_SERVER_PROTO
      value: {% your-drone-server-protocol %}
    ports:
      - containerPort: 80
      - containerPort: 443
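
An added example, not from the Drone documentation: the same Pod with DRONE_RPC_SECRET read from a Kubernetes Secret through secretKeyRef, so the shared secret is not stored in plain text in the Pod manifest. The Secret name drone-rpc, its key secret and the Pod name are assumptions; the server values are the sample values used in the configuration reference in this document.

```yaml
# Added example. The names "drone-rpc" (Secret), "secret" (key) and
# "drone" (Pod) are hypothetical.
apiVersion: v1
kind: Secret
metadata:
  name: drone-rpc
  namespace: default
type: Opaque
stringData:
  # Placeholder only: replace with the output of `openssl rand -hex 16`
  secret: REPLACE_WITH_GENERATED_SECRET
---
apiVersion: v1
kind: Pod
metadata:
  name: drone
  namespace: default
spec:
  containers:
  - name: drone
    image: drone/drone:1.0.0
    env:
    - name: DRONE_KUBERNETES_ENABLED
      value: "true"
    - name: DRONE_KUBERNETES_NAMESPACE
      value: default
    - name: DRONE_GITEA_SERVER
      value: https://gitea.domain.com
    - name: DRONE_RPC_SECRET
      # Resolved from the Secret when the container starts; the value
      # itself never appears in the Pod spec.
      valueFrom:
        secretKeyRef:
          name: drone-rpc
          key: secret
    - name: DRONE_SERVER_HOST
      value: drone.domain.com
    - name: DRONE_SERVER_PROTO
      value: https
    ports:
    - containerPort: 80
    - containerPort: 443
```

The Secret can also be created without writing the value to a file, using `kubectl create secret generic drone-rpc --from-literal=secret=$(openssl rand -hex 16)`.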

Job Cleanup

The Drone server spawns a Job for each Pipeline execution. These jobs are not automatically deleted unless you enable the TTLAfterFinished feature gate. Enabling this feature is highly recommended.

Configuration Reference

This section provides additional explanation of the configuration variables used earlier in this document. This represents a subset of configuration parameters. For a full list please see the configuration reference.

DRONE_KUBERNETES_ENABLED

A required boolean parameter that instructs Drone to use the Kubernetes Runtime Engine for pipeline execution.

DRONE_KUBERNETES_ENABLED=true

DRONE_KUBERNETES_NAMESPACE

An optional string that provides the Kubernetes namespace in which Pipeline Controllers are created and executed.

DRONE_KUBERNETES_NAMESPACE=default

DRONE_GITEA_SERVER

A string containing your Gitea server address.

DRONE_GITEA_SERVER=https://gitea.domain.com

DRONE_GIT_ALWAYS_AUTH

A boolean value that configures Drone to authenticate when cloning public repositories. This is only required when your source code management system (e.g. GitHub Enterprise) has private mode enabled.

DRONE_GIT_ALWAYS_AUTH=false

DRONE_RPC_SECRET

A required string literal that provides the Drone shared secret. This is used to authenticate the RPC connection to the server. The server and agent must be provided with the same secret value.

DRONE_RPC_SECRET=9c3921e3e748aff725d2e16ef31fbc42

DRONE_SERVER_PROTO

A string containing your Drone server protocol scheme. This value should be set to http or https. This field defaults to https if you configure ssl or acme.

DRONE_SERVER_PROTO=https

DRONE_SERVER_HOST

A string containing your Drone server hostname or IP address.

DRONE_SERVER_HOST=drone.domain.com

DRONE_TLS_AUTOCERT

A boolean indicating debug level logs should be used for automatic SSL certificate generation and configuration. The default value is false.

DRONE_TLS_AUTOCERT=false

Common Errors

namespaces is forbidden

The Drone server creates a Namespace for each Pipeline to ensure isolation and simple cleanup. The following error indicates Drone is not authorized to create or delete namespaces:

namespaces is forbidden: User "system:serviceaccount:default:default"
cannot create namespaces at the cluster scope

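This can be resolved by authorizing namespace management. The following binding grants the cluster-admin ClusterRole to the default service account in the default namespace: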

# rbac.authorization.k8s.io/v1beta1 was removed in Kubernetes 1.22; v1 is the stable API
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: drone-rbac
subjects:
  - kind: ServiceAccount
    # The service account's `metadata.name`
    name: default
    # The service account's `metadata.namespace`
    namespace: default
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io

$ kubectl apply -f drone-rbac.yml
