GitLab Runner Kubernetes Executor exposes CI/CD variables in pod manifests

Summary

We want to report this behaviour of the GitLab Runner Executor as we feel that the way GitLab CI/CD Variables are handled is fundamentally flawed.

Problem Statement

GitLab CI/CD Variables offer an intuitive way of hiding sensitive content (by using the masking function), making them suitable for credentials. However, the Runner Kubernetes Executor treats those variables NOT as secrets but as normal environment variables and writes them into the pod manifest.

Key Concerns

  • Secrets exposure in Pod Manifests: Even when a 3rd party tool (like Datadog) is used to expose secrets to the GitLab Runner job, the credentials still need to be set as variables, and those (securely retrieved) credentials end up exposed in the pod manifest
  • Misleading security implications: GitLab implies that masked CI/CD variables are stored securely, but they are exposed in the pod manifest without this behaviour being clearly stated
  • Default exposure: As GitLab has no way of knowing what the customer puts inside environment variables, exposing everything by default is problematic

Expected Behavior

  • Secrets should always be injected into the pod using Kubernetes native secrets mounts or CSI secret storage
  • Credentials should never be written somewhere in plain text
  • Users are encouraged to store secrets in GitLab CI/CD variables as they can hide them, so GitLab should handle those confidential variables accordingly

Proposal

If implementing proper secret handling is not possible due to technical difficulties, at minimum:

  1. Add a clear warning/hint when users create GitLab CI/CD variables, informing them about this exposure behavior
  2. Allow users to make an informed decision about whether to store credentials within GitLab

Current Behavior

  1. Users store secrets in GitLab CI/CD variables (encouraged by the masking feature)
  2. Runner Kubernetes Executor treats those variables as normal environment variables
  3. Variables are exposed in plain text in the pod manifest
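As an added example (not part of this issue and not GitLab's or the runner's own code), the following audit walks a job pod manifest and separates env entries that embed a literal `value` from ones that reference a Kubernetes Secret, the injection method the Expected Behavior above asks for. The pod JSON, container names, variable names and values are constructed, and the credential-name regex is a heuristic assumption to adapt to your own naming.

```python
import json
import re

# Constructed sample shaped like `kubectl get pod <job-pod> -o json` for a runner
# job pod; container names, variable names and values are made up for this example.
SAMPLE_POD_JSON = """
{"kind": "Pod", "metadata": {"name": "runner-example-job-pod"},
 "spec": {
   "initContainers": [{"name": "helper", "env": [
       {"name": "CLOUD_API_KEY", "value": "made-up-key"}]}],
   "containers": [{"name": "build", "env": [
       {"name": "CI_PROJECT_NAME", "value": "demo"},
       {"name": "DEPLOY_PASSWORD", "value": "hunter2"},
       {"name": "REGISTRY_TOKEN",
        "valueFrom": {"secretKeyRef": {"name": "registry-creds", "key": "token"}}}]}]}}
"""
SAMPLE_POD = json.loads(SAMPLE_POD_JSON)

# Variable names that usually carry credentials (heuristic; extend to match your naming).
SENSITIVE_NAME = re.compile(r"PASS|SECRET|TOKEN|KEY|CREDENTIAL", re.IGNORECASE)


def find_plaintext_env(pod: dict) -> list[tuple[str, str]]:
    """(container, variable) pairs whose env entry embeds a literal `value` and
    whose name looks credential-like. Entries using `valueFrom` (secretKeyRef,
    configMapKeyRef, ...) hold only a reference, so the manifest does not leak them."""
    hits = []
    spec = pod.get("spec", {})
    for section in ("initContainers", "containers"):
        for container in spec.get(section, []):
            for env in container.get("env", []):
                if "value" in env and SENSITIVE_NAME.search(env["name"]):
                    hits.append((container["name"], env["name"]))
    return hits


def to_secret_ref(env_name: str, secret_name: str) -> dict:
    """Replacement env entry that pulls the value from a Kubernetes Secret
    instead of embedding it; the Secret itself must be created separately."""
    return {"name": env_name,
            "valueFrom": {"secretKeyRef": {"name": secret_name, "key": env_name}}}


if __name__ == "__main__":
    for container, name in find_plaintext_env(SAMPLE_POD):
        print(f"plaintext credential in container {container!r}: {name}")
        print("  use instead:", json.dumps(to_secret_ref(name, "ci-job-secrets")))
```

Run it against real job pods with `kubectl get pod <pod> -o json` piped into `find_plaintext_env`; a non-empty result means a masked CI/CD variable is readable by anyone who can read pod specs in that namespace.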

Internal ZD

Edited Feb 02, 2026 by Julius Kvedaras