[infrastructure] - gitlab.com: Isolate Pages Pods for JS V8 experimental feature
Summary
The V8 Experiment (!848 (closed)) is currently under development by the Jamstack Incubation SEG - @janis
This would allow participating users (aka domains) to execute arbitrary Javascript within Pages instances. While the Pages instance will take care to only allow the functionality to participating users/domains (probably by exposing and querying a project-level FF state on the Rails API), this may still have impact on non-participating users.
The most relevant being:
- spectre / meltdown vulnerability: Can JS exploit spectre to obtain access to other domain's pages documents or other sensitive data? This would be OK if we can get new users to agree to the risk, but we should not expose existing users to a new risk they didn't sign up for.
- noisy neighbours: we'll try to limit this effect by adding CPU usage / execution time controls, but until we actually run this in the wild it's hard to estimate the impact. Also: there will be bugs.
Ideally we'd be able to isolate closed beta users on a specific set of pods with the FF enabled and configure the loadbalancer to point participating domains to that pod.