buildkit.enabled
boolean
default:"true"
Enable or disable BuildKit deployment.
Required For: PROVIDER: BUILDKIT_KUBERNETES crew deployment mode.
When Disabled: Crew container builds will fail unless using an alternative provider.
buildkit.replicaCount
integer
default:"1"
Number of BuildKit daemon replicas.
Recommendation: Single replica is sufficient for most deployments. Increase for high-concurrency build environments.

buildkit.image.*

BuildKit container image configuration.
buildkit.image.host
string
default:""
Container registry hosting the BuildKit image.
Default: "" (empty) - Automatically uses the global.imageRegistry value.
Fallback Behavior: When buildkit.image.host is empty or not set, the chart uses global.imageRegistry via the crewai-platform.buildkitImageRegistry template helper.
Automatic Image Override: When buildkit.enabled: true, the chart automatically sets the BUILDKIT_IMAGE_OVERRIDE environment variable by combining these values:
BUILDKIT_IMAGE_OVERRIDE = <registry>/<name>:<tag>
Where <registry> is determined by: buildkit.image.host OR global.imageRegistry (fallback).
This allows the application to reference the same BuildKit image used by the BuildKit service, ensuring version consistency.
When imageNamePrefixOverride is Set: The image name is automatically simplified:
  • Original: proxy/crewai/crewai/crewai/buildkit
  • With imageNamePrefixOverride: "crewai/" becomes: crewai/buildkit
See global.imageNamePrefixOverride for details.
buildkit.image.name
string
default:"proxy/crewai/crewai/crewai/buildkit"
BuildKit container image name.
Default: "proxy/crewai/crewai/crewai/buildkit" - Matches Replicated proxy path structure.
Path Transformation: When global.imageNamePrefixOverride is set, only the final component (buildkit) is used with the override prefix.
buildkit.image.tag
string
default:"v2026.0130.11"
BuildKit image version tag.
Version Consistency: This tag must match the BuildKit version expected by the CrewAI Platform.
buildkit.image.pullPolicy
string
default:"IfNotPresent"
Image pull policy for BuildKit container.
Valid Values:
  • "IfNotPresent" - Pull only if not cached locally (recommended)
  • "Always" - Always pull latest version
  • "Never" - Never pull, use local cache only
buildkit.image.pullSecret
string
default:""
Image pull secret for BuildKit image. If empty, defaults to image.pullSecret.

buildkit.rootless.*

Rootless mode configuration for BuildKit. When enabled, BuildKit runs without requiring a privileged container, improving security by running as a non-root user with user namespace remapping.
buildkit.rootless.enabled
boolean
default:"false"
Enable rootless BuildKit mode.
Security Benefits:
  • No privileged container required
  • Runs as non-root user (UID 1000 by default)
  • User namespace remapping for enhanced isolation
Requirements:
  • Kubernetes nodes must allow seccompProfile: Unconfined and appArmorProfile: Unconfined
  • Some Kubernetes platforms (e.g., GKE Autopilot) may not support rootless mode
When Enabled:
  • Uses dedicated rootless BuildKit image
  • Automatically configures security contexts and volume mounts
  • Overrides buildkit.userns settings (deprecated)
buildkit.rootless.image.name
string
default:"proxy/crewai/crewai/crewai/buildkit-rootless"
BuildKit rootless container image name.
Path Transformation: When global.imageNamePrefixOverride is set, only the final component (buildkit-rootless) is used with the override prefix.
buildkit.rootless.image.tag
string
default:"v2026.0130.11"
BuildKit rootless image version tag.
buildkit.rootless.runAsUser
integer
default:"1000"
User ID to run rootless BuildKit process.
Default: 1000 (standard non-root user)
Note: This value is used for both pod and container security contexts.
buildkit.rootless.runAsGroup
integer
default:"1000"
Group ID to run rootless BuildKit process.
Default: 1000
buildkit.rootless.fsGroup
integer
default:"1000"
Filesystem group ID for volume ownership.
Default: 1000
Purpose: Ensures proper volume permissions for rootless user.
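
The image rules under buildkit.image.* and buildkit.rootless.image.* determine which reference must be mirrored or allowlisted before an install. The Python below is an added example that models those documented rules; it is not the chart's template helper. The function name, the constructed sample values, and the choice that rootless mode swaps in the rootless name and tag while keeping the same registry are assumptions.

```python
# Added example: models the image-reference rules described on this page.
# It is not the chart's crewai-platform.buildkitImageRegistry helper.
DEFAULT_NAME = "proxy/crewai/crewai/crewai/buildkit"
DEFAULT_ROOTLESS_NAME = "proxy/crewai/crewai/crewai/buildkit-rootless"
DEFAULT_TAG = "v2026.0130.11"


def resolve_buildkit_image(values):
    """Return the <registry>/<name>:<tag> reference implied by a values mapping."""
    glob = values.get("global", {})
    bk = values.get("buildkit", {})
    image = bk.get("image", {})

    # buildkit.image.host wins; global.imageRegistry is the fallback.
    registry = (image.get("host") or glob.get("imageRegistry") or "").rstrip("/")
    if not registry:
        # The page does not document this case, so the example refuses to guess.
        raise ValueError("set buildkit.image.host or global.imageRegistry")

    # Assumption: rootless mode swaps in buildkit.rootless.image.name/tag
    # and keeps the registry chosen above.
    rootless = bk.get("rootless", {})
    if rootless.get("enabled", False):
        src = rootless.get("image", {})
        name = src.get("name", DEFAULT_ROOTLESS_NAME)
    else:
        src = image
        name = src.get("name", DEFAULT_NAME)
    tag = src.get("tag", DEFAULT_TAG)

    # With global.imageNamePrefixOverride only the final path component is kept.
    prefix = glob.get("imageNamePrefixOverride", "")
    if prefix:
        name = prefix + name.rsplit("/", 1)[-1]
    return f"{registry}/{name}:{tag}"


# Constructed values: internal registry plus the "crewai/" prefix from the page.
SAMPLE = {
    "global": {"imageRegistry": "registry.company.com",
               "imageNamePrefixOverride": "crewai/"},
    "buildkit": {"rootless": {"enabled": True}},
}

if __name__ == "__main__":
    print(resolve_buildkit_image(SAMPLE))
```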

buildkit.service.*

BuildKit service configuration.
buildkit.service.type
string
default:"ClusterIP"
Service type for BuildKit.
Valid Values:
  • "ClusterIP" - Internal cluster access (recommended)
  • "NodePort" - Expose on node ports (development/testing)
buildkit.service.port
integer
default:"1234"
Service port for BuildKit API.
buildkit.service.nodePort
integer
default:"30000"
NodePort when type: NodePort.

buildkit.userns.* (Deprecated)

This configuration is deprecated in favor of buildkit.rootless mode. Use buildkit.rootless.enabled: true for improved security with rootless BuildKit.
Legacy user namespace configuration for enhanced container isolation.
buildkit.userns.enabled
boolean
default:"false"
Enable legacy user namespace remapping mode.
Deprecation Notice: Use buildkit.rootless.enabled: true instead for enhanced security without privileged containers.
Security Benefit: Provides additional isolation by mapping container root user to unprivileged host user (when not using rootless mode).
Note: This setting is ignored when buildkit.rootless.enabled: true.
buildkit.runAsUser
integer
User ID to run BuildKit process (legacy mode only).
Use With: userns.enabled: true (when rootless.enabled: false)
For Rootless Mode: Use buildkit.rootless.runAsUser instead
Default: Undefined (runs as default user)
buildkit.runAsGroup
integer
Group ID to run BuildKit process (legacy mode only).
Use With: userns.enabled: true (when rootless.enabled: false)
For Rootless Mode: Use buildkit.rootless.runAsGroup instead
Default: Undefined
buildkit.oci.enabled
boolean
default:"true"
Enable OCI worker for BuildKit.
Purpose: Provides OCI-compliant container runtime for builds.
buildkit.containerd.enabled
boolean
default:"false"
Enable containerd worker for BuildKit.
Purpose: Alternative runtime to OCI worker. Generally not needed.
buildkit.debug
boolean
default:"false"
Enable debug logging for BuildKit.
Use Cases:
  • Troubleshooting build failures
  • Debugging registry authentication issues
  • Performance analysis
buildkit.dockerConfigSecret
string
default:"docker-registry"
Name of Kubernetes secret containing Docker config.json for registry authentication.
Format: The secret should contain a .dockerconfigjson key with base64-encoded Docker config.
Example:
kubectl create secret docker-registry buildkit-registry-creds \
  --docker-server=registry.company.com \
  --docker-username=user \
  --docker-password=pass

buildkit:
  dockerConfigSecret: "buildkit-registry-creds"
buildkit.registries
array
default:"[]"
Registry mirror and insecure registry configuration.
Schema:
buildkit:
  registries:
    - hostname: "registry.company.com"
      http: false
      insecure: false
      mirrors:
        - "mirror1.company.com"
        - "mirror2.company.com"
    - hostname: "localhost:30000"
      http: true
      insecure: true
Fields:
  • hostname: Registry hostname
  • http: Use HTTP instead of HTTPS
  • insecure: Skip TLS verification
  • mirrors: Mirror registries for pull-through
Use Cases:
  • Configure insecure internal registries
  • Set up registry mirrors for faster pulls
  • Configure air-gapped registry access
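
Several settings on this page trade isolation or transport security for convenience: rootless mode off, the deprecated userns mode, a NodePort service, and registries marked http or insecure. The Python below is an added example, not part of the chart, that reviews a parsed values mapping for those settings before deployment. The function name, finding wording and sample values are assumptions, and the input is assumed to be already loaded from YAML into a dict.

```python
# Added example: reviews a parsed values mapping against the buildkit.*
# settings this page documents. SAMPLE_VALUES is constructed.
SAMPLE_VALUES = {
    "buildkit": {
        "rootless": {"enabled": False},
        "userns": {"enabled": True},
        "service": {"type": "NodePort", "nodePort": 30000},
        "registries": [
            {"hostname": "registry.company.com", "http": False, "insecure": False},
            {"hostname": "localhost:30000", "http": True, "insecure": True},
        ],
    }
}


def audit_buildkit(values):
    """Return (key, finding) pairs for settings that weaken the deployment."""
    bk = values.get("buildkit", {})
    if not bk.get("enabled", True):  # documented default: true
        return []
    out = []
    rootless = bk.get("rootless", {})
    userns_on = bk.get("userns", {}).get("enabled", False)
    if rootless.get("enabled", False):
        if rootless.get("runAsUser", 1000) == 0:
            out.append(("buildkit.rootless.runAsUser", "UID 0 defeats non-root operation"))
        if userns_on:
            out.append(("buildkit.userns.enabled", "ignored while rootless mode is enabled"))
    else:
        out.append(("buildkit.rootless.enabled", "rootless mode is off"))
        if userns_on:
            out.append(("buildkit.userns.enabled", "deprecated legacy mode in use"))
    svc = bk.get("service", {})
    if svc.get("type", "ClusterIP") == "NodePort":
        port = svc.get("nodePort", 30000)
        out.append(("buildkit.service.type", f"BuildKit API exposed on node port {port}"))
    for i, reg in enumerate(bk.get("registries", [])):
        host = reg.get("hostname", "?")
        if reg.get("http", False):
            out.append((f"buildkit.registries[{i}].http", f"{host}: plain HTTP"))
        if reg.get("insecure", False):
            out.append((f"buildkit.registries[{i}].insecure", f"{host}: TLS verification skipped"))
    return out


if __name__ == "__main__":
    for key, finding in audit_buildkit(SAMPLE_VALUES):
        print(f"{key}: {finding}")
```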

buildkit.healthcheck.*

Health check configuration for BuildKit pods.
buildkit.healthcheck.enabled
boolean
default:"true"
Enable liveness and readiness probes for BuildKit.
buildkit.healthcheck.initialDelaySeconds
integer
default:"30"
Seconds to wait before first health check probe.
Tuning: Increase if BuildKit takes longer to initialize.
buildkit.healthcheck.periodSeconds
integer
default:"10"
Seconds between health check probes.
buildkit.healthcheck.timeoutSeconds
integer
default:"5"
Health check probe timeout in seconds.
buildkit.healthcheck.successThreshold
integer
default:"1"
Consecutive successful probes required to mark pod healthy.
buildkit.healthcheck.failureThreshold
integer
default:"3"
Consecutive failed probes before restarting pod.

buildkit.resources.*

Resource limits and requests for BuildKit container.
buildkit.resources.limits.cpu
string
default:"4"
CPU limit for BuildKit pod.
Performance Impact: CPU limits directly affect build performance. Higher limits = faster builds.
Sizing Guidelines:
  • Standard builds: "4"
  • High-concurrency: "8" or higher
buildkit.resources.limits.memory
string
default:"8Gi"
Memory limit for BuildKit pod.
Sizing Guidelines:
  • Standard builds: "8Gi"
  • Large/complex builds: "16Gi" or higher
buildkit.resources.requests.cpu
string
default:"250m"
Guaranteed CPU allocation for BuildKit pod.
Tuning: Start conservative; BuildKit scales based on build activity.
buildkit.resources.requests.memory
string
default:"1Gi"
Guaranteed memory allocation for BuildKit pod.
buildkit.nodeSelector
object
default:"{}"
Node selector for BuildKit pod placement.
Example:
buildkit:
  nodeSelector:
    node-role.kubernetes.io/worker: "true"
    workload-type: "build"