
Add support for isolating jobs to individual namespaces

What does this MR do?

This MR provides a new configuration option namespace_per_job, which, if enabled, isolates each job in its own namespace.

I've marked this MR as a Draft, as it's still lacking tests (see below) and would also require changes to the ClusterRoleBinding for the ServiceAccount used by the runner.
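The ClusterRoleBinding change mentioned above, sketched as an added example that is not code from this MR or from GitLab Runner: a ClusterRole plus binding granting the runner's ServiceAccount the cluster-scoped right to create and delete per-job namespaces and to manage job pods inside them. The object names, the runner's own namespace and the exact resource list are assumptions to verify against the executor version actually deployed.

```yaml
# Added example, not part of this MR. Names, the runner namespace and the
# resource list are assumptions; check them against your executor version.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: gitlab-runner-per-job-namespaces   # assumed name
rules:
  # Cluster-scoped: required to create one namespace per job and tear it
  # down afterwards. A namespaced Role cannot grant this.
  - apiGroups: [""]
    resources: ["namespaces"]
    verbs: ["create", "delete", "get"]
  # Resources the executor creates inside the per-job namespace. Because the
  # namespace does not exist before the job starts, a per-namespace Role
  # cannot be pre-bound, so these rights end up cluster-wide as well.
  - apiGroups: [""]
    resources: ["pods", "secrets", "configmaps"]
    verbs: ["create", "delete", "get", "list", "watch"]
  - apiGroups: [""]
    resources: ["pods/exec", "pods/attach"]
    verbs: ["create"]
  - apiGroups: [""]
    resources: ["pods/log"]
    verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: gitlab-runner-per-job-namespaces   # assumed name
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: gitlab-runner-per-job-namespaces
subjects:
  - kind: ServiceAccount
    name: gitlab-runner        # assumed: ServiceAccount the runner pod uses
    namespace: gitlab-runner   # assumed: namespace the runner manager runs in
```

Cluster-wide rights on secrets and pods make the runner manager pod able to read Secrets in every namespace, so this binding trades stronger job-to-job isolation for a more privileged manager; keep that pod locked down and audit namespace create/delete events. The isolation of each job also only holds as long as the default ServiceAccount in the fresh namespace carries no more privileges than the job should have.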

Why was this MR needed?

We run a Kubernetes cluster specifically for use with GitLab Runner. This cluster provides shared runners for all users of our instance, which implies that not every job can be trusted. As such, we want to isolate jobs as much as possible. While this is only a logical isolation, it is still an improvement to the current situation where all jobs are thrown into the same namespace, at least from our point of view.

Additionally, this would allow for situations where users could safely spawn additional resources using the default ServiceAccount (given it has the necessary privileges). This is something that we aren't doing yet, but are considering, given the limitations of the services: keyword in combination with the Kubernetes executor.

What's the best way to test this MR?

Fire up a cluster (using minikube or any other method), deploy GitLab Runner and enable the respective option. Newly scheduled jobs will automatically end up in their own namespace.

As for automated tests, I have to admit that the documentation on how to set up a development environment for GitLab Runner is quite outdated (at least that's how it feels) and is in dire need of updates. I still wasn't able to successfully run all tests with a clean main, and getting Kubernetes integration tests to work is far more involved than described in the aforementioned docs. As such, I honestly gave up trying to get a fully working test environment up and running and, as a result, also didn't get to writing tests yet.

However, we've been running this change for over half a year now, using custom-built images, and haven't noticed anything unusual.

What are the relevant issue numbers?

As far as I can see, there's no issue regarding such a feature.
