From 7c99cecdc302a140690f87ecd77dc76b6dbed2f9 Mon Sep 17 00:00:00 2001
From: alexrecuenco <26118630+alexrecuenco@users.noreply.github.com>
Date: Wed, 24 Jun 2026 12:08:21 +0200
Subject: [PATCH] (feat) Rootless dind mode
Currently we cant overwrite the dind deployment to use rootless mode, this updates the dind deployment to use rootless mode instead of privileged mode
---
charts/gha-runner-scale-set/templates/_helpers.tpl | 11 ++++++++++-
charts/gha-runner-scale-set/values.yaml | 4 ++++
2 files changed, 14 insertions(+), 1 deletion(-)
diff --git a/charts/gha-runner-scale-set/templates/_helpers.tpl b/charts/gha-runner-scale-set/templates/_helpers.tpl
index 4ad4bfef9f..13aa4445f0 100644
--- a/charts/gha-runner-scale-set/templates/_helpers.tpl
+++ b/charts/gha-runner-scale-set/templates/_helpers.tpl
@@ -110,7 +110,8 @@ volumeMounts:
{{- end }}
{{- define "gha-runner-scale-set.dind-container" -}}
-image: docker:dind
+{{- $rootless := and .Values.containerMode (.Values.containerMode.rootless) }}
+image: {{ if $rootless }}docker:dind-rootless{{ else }}docker:dind{{ end }}
args:
- dockerd
- --host=unix:///var/run/docker.sock
@@ -119,7 +120,15 @@ env:
- name: DOCKER_GROUP_GID
value: "123"
securityContext:
+{{- if $rootless }}
+ privileged: false
+ appArmorProfile:
+ type: Unconfined
+ seccompProfile:
+ type: Unconfined
+{{- else }}
privileged: true
+{{- end }}
{{- if (ge (.Capabilities.KubeVersion.Minor | int) 29) }}
restartPolicy: Always
startupProbe:
diff --git a/charts/gha-runner-scale-set/values.yaml b/charts/gha-runner-scale-set/values.yaml
index 4b4640cf9e..1295e8c5b7 100644
--- a/charts/gha-runner-scale-set/values.yaml
+++ b/charts/gha-runner-scale-set/values.yaml
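Review bot: The new `$rootless` line and the image switch carry no comment telling an operator what the mode changes, and `docker:dind-rootless` is a second floating, non-overridable image tag next to the existing `docker:dind` (consistent with it, but the same supply-chain caveat applies). A short template comment would help, e.g. `{{- /* containerMode.rootless selects docker:dind-rootless, whose entrypoint runs dockerd as an unprivileged user via rootlesskit; the node must allow unprivileged user namespaces */ -}}`. The unchanged `--host=unix:///var/run/docker.sock` argument is now also handed to the rootless daemon; whether the non-root entrypoint can create the socket at that path, and whether the runner's uid can then connect to a socket owned by the rootless user, is not visible here and is worth confirming in a rendered-chart test. The define's remaining args and env continue past this hunk.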
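Review bot: `appArmorProfile` under `securityContext` is only a recognised field from Kubernetes 1.30 (before that, AppArmor was set through a pod annotation), yet the `ge … 29` gate two lines below shows the chart still targets 1.29 clusters; on those the field is presumably dropped by the API server's unknown-field handling, leaving dockerd under the runtime's default AppArmor profile, so the rootless path could fail on exactly the clusters the gate exists for. Either gate `appArmorProfile` behind `ge … 30` and document the legacy `container.apparmor.security.beta.kubernetes.io/dind: unconfined` pod annotation as the fallback, or state 1.30 as the minimum for `containerMode.rootless`. It is also worth a template comment that this is not a "baseline" Pod Security Standards posture, since `Unconfined` seccomp and AppArmor are both rejected by the baseline policy: `{{- /* rootless: no root capabilities, but seccomp/AppArmor must be Unconfined so rootlesskit can unshare user and mount namespaces; still not PSS-baseline compliant */ -}}`. The define's closing `{{- end }}` lies outside the hunk.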
@@ -118,6 +118,10 @@ githubConfigSecret:
## empty, and configuration should be applied to the template.
# containerMode:
# type: "dind" ## type can be set to "dind", "kubernetes", or "kubernetes-novolume"
+# ## When containerMode.type=dind, set rootless to true to run the dind container
+# ## using the "docker:dind-rootless" image without privileged mode. The dind
+# ## container instead runs with an Unconfined AppArmor and seccomp profile.
+# rootless: false
# ## the following is required when containerMode.type=kubernetes
# kubernetesModeWorkVolumeClaim:
# accessModes: ["ReadWriteOnce"]
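Review bot: The new `rootless` comment says what the mode does but not what it needs, which is the part an operator flipping the flag will trip over: unprivileged user-namespace creation must be allowed on the nodes, and the `appArmorProfile` field the template emits is only understood by Kubernetes 1.30 and later. Suggest one more comment line under the existing three, `# ## Requires nodes that allow unprivileged user namespaces and Kubernetes >= 1.30 for appArmorProfile; Unconfined profiles are still rejected by the PSS "baseline" policy.`, so "without privileged mode" is not read as "meets baseline".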