docs(deployments): explain Docker vs Kubernetes runner internals and trade-offs#20054
docs(deployments): explain Docker vs Kubernetes runner internals and trade-offs#20054joeduffy wants to merge 2 commits into
Conversation
…trade-offs Adds a new section to the customer-managed runners concepts page that explains what actually happens when a workflow runner claims a job under each deploy_target: the Docker target launches a runner container over the local Docker socket (and needs a mounted socket or Docker-in-Docker if the runner process itself is containerized), while the Kubernetes target creates a Pod through the in-cluster API and needs no privileged access. Adds a compact comparison table covering isolation, privileged access, best fit, and ephemeral-runner support, and cross-links to the existing Scaling and concurrency section for the 1:1 runner-to-job relationship. Fixes #13218
Pre-merge Review — Last updated 2026-07-02T15:17:53ZTip Summary: This PR adds a new "How Docker and Kubernetes deploy targets execute jobs" section to the customer-managed runners concept page ( Review confidence:
Investigation log
🔍 Verification trail18 claims extracted · 17 verified · 0 unverifiable · 0 contradicted
🚨 Outstanding in this PRNo outstanding findings in this PR.
|
|
Your site preview for commit 9000356 is ready! 🎉 http://www-testing-pulumi-docs-origin-pr-20054-90003566.s3-website.us-west-2.amazonaws.com |
…g and concurrency Addresses pre-merge review feedback: the new section overstated the 1:1 runner-to-job relationship as strict single-job exclusivity, but the linked Scaling and concurrency guide is more precise — a runner runs one deployment at a time, optionally alongside a single Insights scan or policy evaluation in parallel. Scopes the claim to deployments and names that exception. Also drops a weasel word flagged by prose linting.
|
@claude #update-review — pushed a fix for the L60 concurrency-framing finding (scoped the claim to match the Scaling and concurrency guide's one-deployment-plus-optional-parallel-task model) and removed the weasel word on line 69. |
|
🤖 Review updated on @joeduffy's request. |
This adds the missing internals and trade-off documentation requested in #13218: a customer had a lot of questions about how the Docker (DinD) and Kubernetes customer-managed workflow runner configurations differ under the hood, and the docs didn't explain either one's architecture or the trade-offs between them.
The new section, "How Docker and Kubernetes deploy targets execute jobs," lives on the customer-managed runners concepts page right after the feature overview and before the credentials/configuration reference, since it explains the architecture that the configuration options below it control. It covers:
deploy_target: docker— a long-running process talks to a Docker daemon over the local Docker socket and launches a dedicatedworkflow-runner-embeddablecontainer per job — and why running the runner process itself inside a container typically requires either a mounted host Docker socket or a nested Docker-in-Docker (DinD) daemon.deploy_target: kubernetes— the runner creates a Pod per job through the in-cluster Kubernetes API, needing only standard Pod-creation RBAC, with no Docker socket or privileged containers involved.I verified the technical claims against the existing configuration reference on the same page (the
deploy_target,working_directory, andenv_forward_allowlist/DOCKER_HOSTcomments already describe the Docker-socket and runner-container mechanics) and against the "Kubernetes-native Option for Pulumi Deployments Customer-Managed Agents" blog post, which states the Kubernetes option doesn't require Docker-in-Docker or privileged execution.🧠 This PR was created by workprentice on behalf of @joeduffy.