Improve documentation on security implications of the runner as a remote code execution environment
Overview
It has come to our attention that some users and customers may not be aware of the documented security best practices for hosting and using GitLab Runner. The intent of this issue is to improve the content so that is easy to find and clear to users so that they are taking those best practices into consideration.
Proposal.
-
Add some callout on the install runner docs page that states explicitly that the runner is a remote code execution environment. -
Update as needed the security best practices page https://docs.gitlab.com/runner/security/index.html -
Review our documentation to make sure the risks of running privileged docker containers is properly explained and detail what can be done to mitigate the risks
Edited by Darren Eastman