# Deploying Sourcegraph executors on Kubernetes (docker-in-docker)

<Callout type="warning">
	Docker-in-Docker Kubernetes executors are in beta and are not recommended for production use.
	This deployment mode requires privileged pod access and does not use Firecracker isolation.
	For production workloads, deploy using
	[Terraform](/self-hosted/executors/deploy-executors-terraform) or the
	[Linux binary](/self-hosted/executors/deploy-executors-binary) instead.
</Callout>

[Kubernetes manifests](https://github.com/sourcegraph/deploy-sourcegraph-k8s) are provided to deploy Sourcegraph Executors on a running Kubernetes cluster. If you are deploying Sourcegraph with helm, charts are available [here](https://github.com/sourcegraph/deploy-sourcegraph-helm).

## Deployment

Executors on kubernetes machines require privileged access to a container runtime daemon in order to operate correctly. In order to ensure maximum capability across Kubernetes versions and container runtimes, a [Docker in Docker](https://www.docker.com/blog/docker-can-now-run-within-docker/) sidecar is deployed with each executor pod to avoid accessing the host container runtime directly.

### Step-by-step Guide

Ensure you have the following tools installed:

-   [kubectl](https://kubernetes.io/docs/tasks/tools/#kubectl)
-   [Helm](https://helm.sh/) if you're installing Sourcegraph with `helm`.

#### Deployment via Kustomize

Please refer to the [Sourcegraph Kustomize docs](/self-hosted/deploy/kubernetes/kustomize) for the latest instructions.

To include Executors dind, see [configure Sourcegraph with Kustomize](/self-hosted/deploy/kubernetes/configure) on how to specify the component.

#### Deployment via Helm

Please refer to the [Sourcegraph Helm docs](/self-hosted/deploy/kubernetes#quickstart) for the latest instructions.

To specifically deploy Executors,

1. Create an overrides file, `override.yaml`, with any other customizations you may require.

    1. See [details on configurations](/self-hosted/deploy/kubernetes#configuration)
    2. See [here](/self-hosted/executors/executors-config) for a full list of executor environment variables

2. Run the following command:
    ```bash
    helm upgrade --install --values ./override.yaml --version <your Sourcegraph Version> sg-executor sourcegraph/sourcegraph-executor-dind
    ```
3. Confirm executors are working by checking the _Executors_ page under **Site admin > Executors > Instances** .

## Note

Executors deployed in kubernetes do not use [Firecracker](/admin/executors/#how-it-works), meaning they require [privileged access](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) to the docker daemon running in a sidecar alongside the executor pod.

If you have security concerns, consider deploying via [terraform](/self-hosted/executors/deploy-executors-terraform) or [installing the binary](/self-hosted/executors/deploy-executors-binary) directly.