Support allowed images for privileged jobs and services (!4089) · Merge requests · GitLab.org / gitlab-runner

Stéphane Talbot requested to merge stalb/gitlab-runner:feature/privilege-lists into main May 15, 2023

What does this MR do?

This MR add two optional parameters in gitlab-runner configuration: allowed_privileged_images and allowed_privileged_services.

The two parameters define two lists of images, one for jobs end one for services, that will be able to runs as privileged containers.

Allowed images for services and jobs are still defined in the usual properties (allowed_images and allowed_services). However, if privileged is enabled, only the images which are also listed in the new new optional parameters will run as privileged containers. The others will run as normal (non privileged containers).

The two new parameters are optional and if they are not defined everything should run as usual. So existing pipelines should run without any modification.

Why was this MR needed?

As explained in !2653 (comment 1096030270) and !2653 (comment 1193308236), wisely used it could help some users to mitigate the risks of running privileged gitlab runners.

What are the relevant issue numbers?

Closes #27368 (closed)

Closes #238 (closed)

Edited May 27, 2023 by Arran Walker

Support allowed images for privileged jobs and services

What does this MR do?

Why was this MR needed?

What are the relevant issue numbers?

Merge request reports