fix: prevent DinD containers escaping the pod cgroup on cgroup v2 (#624)

masontikhonov · web-flow · commit caf34c7744f4 · 2025-09-23T12:34:29.000+04:00
diff --git a/charts/cf-runtime/Chart.yaml b/charts/cf-runtime/Chart.yaml
@@ -1,7 +1,7 @@
 apiVersion: v2
 description: A Helm chart for Codefresh Runner
 name: cf-runtime
-version: 8.3.10
+version: 8.3.11
 keywords:
   - codefresh
   - runner
@@ -14,11 +14,17 @@ maintainers:
     url: https://codefresh-io.github.io/
 annotations:
   # 💡 Do not forget to update this annotation:
-  artifacthub.io/containsSecurityUpdates: "true"
+  artifacthub.io/containsSecurityUpdates: "false"
   # Supported kinds: `added`, `changed`, `deprecated`, `removed`, `fixed`, `security`:
   artifacthub.io/changes: |
-    - kind: security
-      description: "Updated gcloud-builder with security fixes"
+    - kind: changed
+      description: "Update \"dind\" to 28.3.3-3.0.3"
+    - kind: changed
+      description: "Update \"engine\" to 1.180.2"
+    - kind: fixed
+      description: "Prevent DinD containers escaping the pod cgroup on cgroup v2. Rootless DinD requires additional configuration on cgroup v2, see \"Rootless DinD\" section in docs for details."
+    - kind: fixed
+      description: "Enable legacy Prometheus metrics in the \"engine\" only if METRICS_PROMETHEUS_ENABLED=true."
 dependencies:
   - name: cf-common
     repository: oci://quay.io/codefresh/charts
diff --git a/charts/cf-runtime/README.md b/charts/cf-runtime/README.md
@@ -1,6 +1,6 @@
 ## Codefresh Runner
 
-![Version: 8.3.10](https://img.shields.io/badge/Version-8.3.10-informational?style=flat-square)
+![Version: 8.3.11](https://img.shields.io/badge/Version-8.3.11-informational?style=flat-square)
 
 Helm chart for deploying [Codefresh Runner](https://codefresh.io/docs/docs/installation/codefresh-runner/) to Kubernetes.
 
@@ -827,6 +827,11 @@ runtime:
       enabled: true
 ```
 
+> [!WARNING]
+> When running in rootless mode on cgroup v2 nodes, to ensure correct handling of OOM events, set `singleProcessOOMKill=true` (available in k8s ≥1.32) in the Kubelet configuration.
+>
+> Ref: https://kubernetes.io/docs/reference/config-api/kubelet-config.v1beta1/
+
 ### ARM
 
 With the Codefresh Runner, you can run native ARM64v8 builds.
@@ -1299,7 +1304,7 @@ Install the Helm chart
 | runtime.accounts | list | `[]` | (for On-Premise only) Assign accounts to runtime (list of account ids) |
 | runtime.agent | bool | `true` | (for On-Premise only) Enable agent |
 | runtime.description | string | `""` | Runtime description |
-| runtime.dind | object | `{"affinity":{},"containerSecurityContext":{},"env":{"CLEAN_DOCKER":true,"CLEAN_PERIOD_BUILDS":"5","CLEAN_PERIOD_SECONDS":"21600","DISK_USAGE_THRESHOLD":"0.8","IMAGE_RETAIN_PERIOD":"14400","INODES_USAGE_THRESHOLD":"0.8","VOLUMES_RETAIN_PERIOD":"14400"},"image":{"digest":"sha256:0f2a83603e27e6d88768a6ab8ead3e2426eaf989cd93919fa1128d98a7c617c6","pullPolicy":"IfNotPresent","registry":"quay.io","repository":"codefresh/dind","tag":"28.3.3-3.0.2"},"nodeSelector":{},"podAnnotations":{},"podLabels":{},"podSecurityContext":{},"pvcs":{"dind":{"annotations":{},"name":"dind","reuseVolumeSelector":"codefresh-app,io.codefresh.accountName","reuseVolumeSortOrder":"pipeline_id","storageClassName":"{{ include \"dind-volume-provisioner.storageClassName\" . }}","volumeSize":"16Gi"}},"resources":{"limits":{"cpu":"400m","memory":"800Mi"},"requests":null},"schedulerName":"","serviceAccount":"codefresh-engine","terminationGracePeriodSeconds":30,"tolerations":[],"userAccess":true,"userVolumeMounts":{},"userVolumes":{},"volumePermissions":{"enabled":false,"image":{"digest":"sha256:de0eb0b3f2a47ba1eb89389859a9bd88b28e82f5826b6969ad604979713c2d4f","registry":"docker.io","repository":"alpine","tag":3.18},"resources":{},"securityContext":{"runAsUser":0}}}` | Parameters for DinD (docker-in-docker) pod (aka "runtime" pod). |
+| runtime.dind | object | `{"affinity":{},"containerSecurityContext":{},"env":{"CLEAN_DOCKER":true,"CLEAN_PERIOD_BUILDS":"5","CLEAN_PERIOD_SECONDS":"21600","DISK_USAGE_THRESHOLD":"0.8","IMAGE_RETAIN_PERIOD":"14400","INODES_USAGE_THRESHOLD":"0.8","VOLUMES_RETAIN_PERIOD":"14400"},"image":{"digest":"sha256:3a817abd8f71c900fcb62a68a1c3123d1037fecf836f4005e3d96d388263d13e","pullPolicy":"IfNotPresent","registry":"quay.io","repository":"codefresh/dind","tag":"28.3.3-3.0.3"},"nodeSelector":{},"podAnnotations":{},"podLabels":{},"podSecurityContext":{},"pvcs":{"dind":{"annotations":{},"name":"dind","reuseVolumeSelector":"codefresh-app,io.codefresh.accountName","reuseVolumeSortOrder":"pipeline_id","storageClassName":"{{ include \"dind-volume-provisioner.storageClassName\" . }}","volumeSize":"16Gi"}},"resources":{"limits":{"cpu":"400m","memory":"800Mi"},"requests":null},"schedulerName":"","serviceAccount":"codefresh-engine","terminationGracePeriodSeconds":30,"tolerations":[],"userAccess":true,"userVolumeMounts":{},"userVolumes":{},"volumePermissions":{"enabled":false,"image":{"digest":"sha256:de0eb0b3f2a47ba1eb89389859a9bd88b28e82f5826b6969ad604979713c2d4f","registry":"docker.io","repository":"alpine","tag":3.18},"resources":{},"securityContext":{"runAsUser":0}}}` | Parameters for DinD (docker-in-docker) pod (aka "runtime" pod). |
 | runtime.dind.affinity | object | `{}` | Set affinity |
 | runtime.dind.containerSecurityContext | object | `{}` | Set container security context. |
 | runtime.dind.env | object | `{"CLEAN_DOCKER":true,"CLEAN_PERIOD_BUILDS":"5","CLEAN_PERIOD_SECONDS":"21600","DISK_USAGE_THRESHOLD":"0.8","IMAGE_RETAIN_PERIOD":"14400","INODES_USAGE_THRESHOLD":"0.8","VOLUMES_RETAIN_PERIOD":"14400"}` | Set additional env vars. |
@@ -1310,7 +1315,7 @@ Install the Helm chart
 | runtime.dind.env.IMAGE_RETAIN_PERIOD | string | `"14400"` | Do not delete Docker images if they have events newer than `NOW minus IMAGE_RETAIN_PERIOD` |
 | runtime.dind.env.INODES_USAGE_THRESHOLD | string | `"0.8"` | Run cleanup if current inodes usage exceeds INODES_USAGE_THRESHOLD |
 | runtime.dind.env.VOLUMES_RETAIN_PERIOD | string | `"14400"` | Do not delete Docker volumes if they have events newer than `NOW minus VOLUMES_RETAIN_PERIOD` |
-| runtime.dind.image | object | `{"digest":"sha256:0f2a83603e27e6d88768a6ab8ead3e2426eaf989cd93919fa1128d98a7c617c6","pullPolicy":"IfNotPresent","registry":"quay.io","repository":"codefresh/dind","tag":"28.3.3-3.0.2"}` | Set dind image. |
+| runtime.dind.image | object | `{"digest":"sha256:3a817abd8f71c900fcb62a68a1c3123d1037fecf836f4005e3d96d388263d13e","pullPolicy":"IfNotPresent","registry":"quay.io","repository":"codefresh/dind","tag":"28.3.3-3.0.3"}` | Set dind image. |
 | runtime.dind.nodeSelector | object | `{}` | Set node selector. |
 | runtime.dind.podAnnotations | object | `{}` | Set pod annotations. |
 | runtime.dind.podLabels | object | `{}` | Set pod labels. |
@@ -1331,7 +1336,7 @@ Install the Helm chart
 | runtime.dind.userVolumeMounts | object | `{}` | Add extra volume mounts |
 | runtime.dind.userVolumes | object | `{}` | Add extra volumes |
 | runtime.dindDaemon | object | See below | DinD pod daemon config |
-| runtime.engine | object | `{"affinity":{},"command":["npm","run","start"],"env":{"CF_TELEMETRY_LOGS_LEVEL":"debug","CF_TELEMETRY_OTEL_ALLOW_HTTP_INSTRUMENTATION":"false","CF_TELEMETRY_OTEL_ENABLE":"true","CF_TELEMETRY_PROMETHEUS_ENABLE":"false","CF_TELEMETRY_PROMETHEUS_ENABLE_PROCESS_METRICS":"false","CF_TELEMETRY_PROMETHEUS_HOST":"0.0.0.0","CF_TELEMETRY_PROMETHEUS_PORT":"9100","CF_TELEMETRY_PYROSCOPE_ENABLE":"false","CONTAINER_LOGGER_EXEC_CHECK_INTERVAL_MS":1000,"DOCKER_REQUEST_TIMEOUT_MS":30000,"FORCE_COMPOSE_SERIAL_PULL":false,"LOGGER_LEVEL":"debug","LOG_OUTGOING_HTTP_REQUESTS":false,"METRICS_PROMETHEUS_COLLECT_PROCESS_METRICS":false,"METRICS_PROMETHEUS_ENABLED":false,"METRICS_PROMETHEUS_ENABLE_LEGACY_METRICS":false,"METRICS_PROMETHEUS_HOST":"0.0.0.0","METRICS_PROMETHEUS_PORT":9100,"METRICS_PROMETHEUS_SCRAPE_TIMEOUT":"15000","METRICS_SCRAPE_TIMEOUT_MS":"0","OTEL_EXPORTER_OTLP_COMPRESSION":"gzip","OTEL_EXPORTER_OTLP_ENDPOINT":"http://localhost:4317","OTEL_EXPORTER_OTLP_PROTOCOL":"grpc","OTEL_EXPORTER_PROMETHEUS_HOST":"0.0.0.0","OTEL_EXPORTER_PROMETHEUS_PORT":"9464","OTEL_LOGS_EXPORTER":"none","OTEL_METRICS_EXPORTER":"otlp","OTEL_METRIC_EXPORT_INTERVAL":"10000","OTEL_METRIC_EXPORT_TIMEOUT":"5000","OTEL_SEMCONV_STABILITY_OPT_IN":"http","OTEL_TRACES_EXPORTER":"none","OTEL_TRACES_SAMPLER":"parentbased_always_on","PYROSCOPE_SERVER_ADDRESS":"","TRUSTED_QEMU_IMAGES":"tonistiigi/binfmt"},"image":{"digest":"sha256:2783d4d43d2c374003820ca68fb820352c75272b48945471efd6533d9bf01693","pullPolicy":"IfNotPresent","registry":"quay.io","repository":"codefresh/engine","tag":"1.180.0"},"nodeSelector":{},"podAnnotations":{},"podLabels":{},"resources":{"limits":{"cpu":"1000m","memory":"2048Mi"},"requests":{"cpu":"100m","memory":"128Mi"}},"runtimeImages":{"alpine":{"digest":"sha256:115729ec5cb049ba6359c3ab005ac742012d92bbaa5b8bc1a878f1e8f62c0cb8","registry":"docker.io","repository":"alpine","tag":"edge"},"compose":{"digest":"sha256:542a9711f17be40174c66263e7a289be9306ac031ddad8c6cb84773644865b5c","registry":"quay.io","repository":"codefresh/compose","tag":"v2.37.0-1.5.5"},"container-logger":{"digest":"sha256:5a109961927eeff5e3155e0bb9be5d2270e9a9ec76ddcba1a01d8681ee7dc5bc","registry":"quay.io","repository":"codefresh/cf-container-logger","tag":"1.13.1"},"cosign-image-signer":{"digest":"sha256:308dbb83992e6a13c46f3c76a8e082e6c5e212045bfaff699ccfe7f56366c543","registry":"quay.io","repository":"codefresh/cf-cosign-image-signer","tag":"2.5.2-cf.2"},"default-qemu":{"digest":"sha256:1b804311fe87047a4c96d38b4b3ef6f62fca8cd125265917a9e3dc3c996c39e6","registry":"docker.io","repository":"tonistiigi/binfmt","tag":"qemu-v9.2.2"},"docker-builder":{"digest":"sha256:e3394318954fd39e6d3d05c83d93a0432ec2ecdbd5ccae43c711d228b7bc7b5c","registry":"quay.io","repository":"codefresh/cf-docker-builder","tag":"1.4.8"},"docker-puller":{"digest":"sha256:fa42ad5b90231cf176c60dada614b8bbdace1b06f90fb305a30436a24739c6c0","registry":"quay.io","repository":"codefresh/cf-docker-puller","tag":"8.0.23"},"docker-pusher":{"digest":"sha256:95697a8e7a1ee44ca6bb8b73a5e13fddb8709db2d25f63ceb65cc88492430290","registry":"quay.io","repository":"codefresh/cf-docker-pusher","tag":"6.0.21"},"docker-tag-pusher":{"digest":"sha256:ec4416525bbf4912786035fbb2e1f26ae04f94559c535f02232b48eb0a1c5fa7","registry":"quay.io","repository":"codefresh/cf-docker-tag-pusher","tag":"1.3.19"},"fs-ops":{"digest":"sha256:70d53821b9314d88e3571dfb096e8f577caf3e4c2199253621b8d0c85d20b8ad","registry":"quay.io","repository":"codefresh/fs-ops","tag":"1.2.10"},"gc-builder":{"digest":"sha256:6c903023c20dd486dbdcbce990b81746e1a54e404e912a2b11dca65a9faf16f3","registry":"quay.io","repository":"codefresh/gcloud-builder","tag":"0.5.4"},"git-cloner":{"digest":"sha256:91c36338bc191b6c17111bc9672302fece527b5d6a545173b889c70e31efafc9","registry":"quay.io","repository":"codefresh/cf-git-cloner","tag":"10.3.3"},"kube-deploy":{"digest":"sha256:35649b14eb43717d3752d08597ada77d3737b2508f1b8e1f52f67b7a0e5ff263","registry":"quay.io","repository":"codefresh/cf-deploy-kubernetes","tag":"16.2.9"},"pipeline-debugger":{"digest":"sha256:61eba0921344478f7e124e957b4eedcc8fea09ae562ee1f5e18773a93d66acd2","registry":"quay.io","repository":"codefresh/cf-debugger","tag":"1.3.10"},"template-engine":{"digest":"sha256:e465641ec172975c670120ec46128a5781db406b874edcf1257bd8d8f29aa35c","registry":"quay.io","repository":"codefresh/pikolo","tag":"0.14.7"}},"runtimeImagesRegistry":"","schedulerName":"","serviceAccount":"codefresh-engine","terminationGracePeriodSeconds":180,"tolerations":[],"userEnvVars":[],"workflowLimits":{"MAXIMUM_ALLOWED_TIME_BEFORE_PRE_STEPS_SUCCESS":600,"MAXIMUM_ALLOWED_WORKFLOW_AGE_BEFORE_TERMINATION":86400,"MAXIMUM_ELECTED_STATE_AGE_ALLOWED":900,"MAXIMUM_POST_STEPS_GRACE_PERIOD_MINUTES":30,"MAXIMUM_RETRY_ATTEMPTS_ALLOWED":20,"MAXIMUM_TERMINATING_STATE_AGE_ALLOWED":900,"MAXIMUM_TERMINATING_STATE_AGE_ALLOWED_WITHOUT_UPDATE":300,"TIME_ENGINE_INACTIVE_UNTIL_TERMINATION":300,"TIME_ENGINE_INACTIVE_UNTIL_UNHEALTHY":60,"TIME_INACTIVE_UNTIL_TERMINATION":2700}}` | Parameters for Engine pod (aka "pipeline" orchestrator). |
+| runtime.engine | object | `{"affinity":{},"command":["npm","run","start"],"env":{"CF_TELEMETRY_LOGS_LEVEL":"debug","CF_TELEMETRY_OTEL_ALLOW_HTTP_INSTRUMENTATION":"false","CF_TELEMETRY_OTEL_ENABLE":"true","CF_TELEMETRY_PROMETHEUS_ENABLE":"false","CF_TELEMETRY_PROMETHEUS_ENABLE_PROCESS_METRICS":"false","CF_TELEMETRY_PROMETHEUS_HOST":"0.0.0.0","CF_TELEMETRY_PROMETHEUS_PORT":"9100","CF_TELEMETRY_PYROSCOPE_ENABLE":"false","CONTAINER_LOGGER_EXEC_CHECK_INTERVAL_MS":1000,"DOCKER_REQUEST_TIMEOUT_MS":30000,"FORCE_COMPOSE_SERIAL_PULL":false,"LOGGER_LEVEL":"debug","LOG_OUTGOING_HTTP_REQUESTS":false,"METRICS_PROMETHEUS_COLLECT_PROCESS_METRICS":false,"METRICS_PROMETHEUS_ENABLED":false,"METRICS_PROMETHEUS_ENABLE_LEGACY_METRICS":false,"METRICS_PROMETHEUS_HOST":"0.0.0.0","METRICS_PROMETHEUS_PORT":9100,"METRICS_PROMETHEUS_SCRAPE_TIMEOUT":"15000","METRICS_SCRAPE_TIMEOUT_MS":"0","OTEL_EXPORTER_OTLP_COMPRESSION":"gzip","OTEL_EXPORTER_OTLP_ENDPOINT":"http://localhost:4317","OTEL_EXPORTER_OTLP_PROTOCOL":"grpc","OTEL_EXPORTER_PROMETHEUS_HOST":"0.0.0.0","OTEL_EXPORTER_PROMETHEUS_PORT":"9464","OTEL_LOGS_EXPORTER":"none","OTEL_METRICS_EXPORTER":"otlp","OTEL_METRIC_EXPORT_INTERVAL":"10000","OTEL_METRIC_EXPORT_TIMEOUT":"5000","OTEL_SEMCONV_STABILITY_OPT_IN":"http","OTEL_TRACES_EXPORTER":"none","OTEL_TRACES_SAMPLER":"parentbased_always_on","PYROSCOPE_SERVER_ADDRESS":"","TRUSTED_QEMU_IMAGES":"tonistiigi/binfmt"},"image":{"digest":"sha256:29e61a6a6ad9a86623beafac30aad9fc72d51d576bf80a5785f3ca74804808e5","pullPolicy":"IfNotPresent","registry":"quay.io","repository":"codefresh/engine","tag":"1.180.2"},"nodeSelector":{},"podAnnotations":{},"podLabels":{},"resources":{"limits":{"cpu":"1000m","memory":"2048Mi"},"requests":{"cpu":"100m","memory":"128Mi"}},"runtimeImages":{"alpine":{"digest":"sha256:115729ec5cb049ba6359c3ab005ac742012d92bbaa5b8bc1a878f1e8f62c0cb8","registry":"docker.io","repository":"alpine","tag":"edge"},"compose":{"digest":"sha256:542a9711f17be40174c66263e7a289be9306ac031ddad8c6cb84773644865b5c","registry":"quay.io","repository":"codefresh/compose","tag":"v2.37.0-1.5.5"},"container-logger":{"digest":"sha256:5a109961927eeff5e3155e0bb9be5d2270e9a9ec76ddcba1a01d8681ee7dc5bc","registry":"quay.io","repository":"codefresh/cf-container-logger","tag":"1.13.1"},"cosign-image-signer":{"digest":"sha256:308dbb83992e6a13c46f3c76a8e082e6c5e212045bfaff699ccfe7f56366c543","registry":"quay.io","repository":"codefresh/cf-cosign-image-signer","tag":"2.5.2-cf.2"},"default-qemu":{"digest":"sha256:1b804311fe87047a4c96d38b4b3ef6f62fca8cd125265917a9e3dc3c996c39e6","registry":"docker.io","repository":"tonistiigi/binfmt","tag":"qemu-v9.2.2"},"docker-builder":{"digest":"sha256:e3394318954fd39e6d3d05c83d93a0432ec2ecdbd5ccae43c711d228b7bc7b5c","registry":"quay.io","repository":"codefresh/cf-docker-builder","tag":"1.4.8"},"docker-puller":{"digest":"sha256:fa42ad5b90231cf176c60dada614b8bbdace1b06f90fb305a30436a24739c6c0","registry":"quay.io","repository":"codefresh/cf-docker-puller","tag":"8.0.23"},"docker-pusher":{"digest":"sha256:95697a8e7a1ee44ca6bb8b73a5e13fddb8709db2d25f63ceb65cc88492430290","registry":"quay.io","repository":"codefresh/cf-docker-pusher","tag":"6.0.21"},"docker-tag-pusher":{"digest":"sha256:ec4416525bbf4912786035fbb2e1f26ae04f94559c535f02232b48eb0a1c5fa7","registry":"quay.io","repository":"codefresh/cf-docker-tag-pusher","tag":"1.3.19"},"fs-ops":{"digest":"sha256:70d53821b9314d88e3571dfb096e8f577caf3e4c2199253621b8d0c85d20b8ad","registry":"quay.io","repository":"codefresh/fs-ops","tag":"1.2.10"},"gc-builder":{"digest":"sha256:6c903023c20dd486dbdcbce990b81746e1a54e404e912a2b11dca65a9faf16f3","registry":"quay.io","repository":"codefresh/gcloud-builder","tag":"0.5.4"},"git-cloner":{"digest":"sha256:91c36338bc191b6c17111bc9672302fece527b5d6a545173b889c70e31efafc9","registry":"quay.io","repository":"codefresh/cf-git-cloner","tag":"10.3.3"},"kube-deploy":{"digest":"sha256:35649b14eb43717d3752d08597ada77d3737b2508f1b8e1f52f67b7a0e5ff263","registry":"quay.io","repository":"codefresh/cf-deploy-kubernetes","tag":"16.2.9"},"pipeline-debugger":{"digest":"sha256:61eba0921344478f7e124e957b4eedcc8fea09ae562ee1f5e18773a93d66acd2","registry":"quay.io","repository":"codefresh/cf-debugger","tag":"1.3.10"},"template-engine":{"digest":"sha256:e465641ec172975c670120ec46128a5781db406b874edcf1257bd8d8f29aa35c","registry":"quay.io","repository":"codefresh/pikolo","tag":"0.14.7"}},"runtimeImagesRegistry":"","schedulerName":"","serviceAccount":"codefresh-engine","terminationGracePeriodSeconds":180,"tolerations":[],"userEnvVars":[],"workflowLimits":{"MAXIMUM_ALLOWED_TIME_BEFORE_PRE_STEPS_SUCCESS":600,"MAXIMUM_ALLOWED_WORKFLOW_AGE_BEFORE_TERMINATION":86400,"MAXIMUM_ELECTED_STATE_AGE_ALLOWED":900,"MAXIMUM_POST_STEPS_GRACE_PERIOD_MINUTES":30,"MAXIMUM_RETRY_ATTEMPTS_ALLOWED":20,"MAXIMUM_TERMINATING_STATE_AGE_ALLOWED":900,"MAXIMUM_TERMINATING_STATE_AGE_ALLOWED_WITHOUT_UPDATE":300,"TIME_ENGINE_INACTIVE_UNTIL_TERMINATION":300,"TIME_ENGINE_INACTIVE_UNTIL_UNHEALTHY":60,"TIME_INACTIVE_UNTIL_TERMINATION":2700}}` | Parameters for Engine pod (aka "pipeline" orchestrator). |
 | runtime.engine.affinity | object | `{}` | Set affinity |
 | runtime.engine.command | list | `["npm","run","start"]` | Set container command. |
 | runtime.engine.env | object | `{"CF_TELEMETRY_LOGS_LEVEL":"debug","CF_TELEMETRY_OTEL_ALLOW_HTTP_INSTRUMENTATION":"false","CF_TELEMETRY_OTEL_ENABLE":"true","CF_TELEMETRY_PROMETHEUS_ENABLE":"false","CF_TELEMETRY_PROMETHEUS_ENABLE_PROCESS_METRICS":"false","CF_TELEMETRY_PROMETHEUS_HOST":"0.0.0.0","CF_TELEMETRY_PROMETHEUS_PORT":"9100","CF_TELEMETRY_PYROSCOPE_ENABLE":"false","CONTAINER_LOGGER_EXEC_CHECK_INTERVAL_MS":1000,"DOCKER_REQUEST_TIMEOUT_MS":30000,"FORCE_COMPOSE_SERIAL_PULL":false,"LOGGER_LEVEL":"debug","LOG_OUTGOING_HTTP_REQUESTS":false,"METRICS_PROMETHEUS_COLLECT_PROCESS_METRICS":false,"METRICS_PROMETHEUS_ENABLED":false,"METRICS_PROMETHEUS_ENABLE_LEGACY_METRICS":false,"METRICS_PROMETHEUS_HOST":"0.0.0.0","METRICS_PROMETHEUS_PORT":9100,"METRICS_PROMETHEUS_SCRAPE_TIMEOUT":"15000","METRICS_SCRAPE_TIMEOUT_MS":"0","OTEL_EXPORTER_OTLP_COMPRESSION":"gzip","OTEL_EXPORTER_OTLP_ENDPOINT":"http://localhost:4317","OTEL_EXPORTER_OTLP_PROTOCOL":"grpc","OTEL_EXPORTER_PROMETHEUS_HOST":"0.0.0.0","OTEL_EXPORTER_PROMETHEUS_PORT":"9464","OTEL_LOGS_EXPORTER":"none","OTEL_METRICS_EXPORTER":"otlp","OTEL_METRIC_EXPORT_INTERVAL":"10000","OTEL_METRIC_EXPORT_TIMEOUT":"5000","OTEL_SEMCONV_STABILITY_OPT_IN":"http","OTEL_TRACES_EXPORTER":"none","OTEL_TRACES_SAMPLER":"parentbased_always_on","PYROSCOPE_SERVER_ADDRESS":"","TRUSTED_QEMU_IMAGES":"tonistiigi/binfmt"}` | Set additional env vars. |
@@ -1369,7 +1374,7 @@ Install the Helm chart
 | runtime.engine.env.OTEL_TRACES_SAMPLER | string | `"parentbased_always_on"` | OTel sampler to be used for traces. Ref: https://opentelemetry.io/docs/specs/otel/configuration/sdk-environment-variables/ |
 | runtime.engine.env.PYROSCOPE_SERVER_ADDRESS | string | `""` | Pyroscope server address |
 | runtime.engine.env.TRUSTED_QEMU_IMAGES | string | `"tonistiigi/binfmt"` | Trusted QEMU images used for docker builds - when left blank defaults to .runtime.engine.runtimeImages.DEFAULT_QEMU_IMAGE value |
-| runtime.engine.image | object | `{"digest":"sha256:2783d4d43d2c374003820ca68fb820352c75272b48945471efd6533d9bf01693","pullPolicy":"IfNotPresent","registry":"quay.io","repository":"codefresh/engine","tag":"1.180.0"}` | Set image. |
+| runtime.engine.image | object | `{"digest":"sha256:29e61a6a6ad9a86623beafac30aad9fc72d51d576bf80a5785f3ca74804808e5","pullPolicy":"IfNotPresent","registry":"quay.io","repository":"codefresh/engine","tag":"1.180.2"}` | Set image. |
 | runtime.engine.nodeSelector | object | `{}` | Set node selector. |
 | runtime.engine.podAnnotations | object | `{}` | Set pod annotations. |
 | runtime.engine.podLabels | object | `{}` | Set pod labels. |
diff --git a/charts/cf-runtime/README.md.gotmpl b/charts/cf-runtime/README.md.gotmpl
@@ -827,6 +827,11 @@ runtime:
       enabled: true
 ```
 
+> [!WARNING]
+> When running in rootless mode on cgroup v2 nodes, to ensure correct handling of OOM events, set `singleProcessOOMKill=true` (available in k8s ≥1.32) in the Kubelet configuration.
+>
+> Ref: https://kubernetes.io/docs/reference/config-api/kubelet-config.v1beta1/
+
 ### ARM
 
 With the Codefresh Runner, you can run native ARM64v8 builds.
diff --git a/charts/cf-runtime/values-rootless.yaml b/charts/cf-runtime/values-rootless.yaml
@@ -19,7 +19,7 @@ volumeProvisioner:
 runtime:
   dind:
     image:
-      tag: 28.1.1-3.0.1-rootless
+      tag: 28.3.3-3.0.3-rootless
       digest: sha256:4140e74134a5dd2874731ea5de852d9d23698965b16fa3bb947a36ca806e01a2
     userVolumeMounts:
       dind:
diff --git a/charts/cf-runtime/values.yaml b/charts/cf-runtime/values.yaml
