Add ability to have an admission controller for docker images running in a docker executor

What does this MR do?

This adds the ability to have an admission server that triggers before the docker executor pulls down an image for a job. This is inspired by how Kubernetes admission controllers function.

The intention was that this would be a local OPA instance on the runner, but the integration is left relatively flexible to avoid lock-in (which is why I didn't integrate the OPA Go drivers directly into the runner code).

Future scope

  • Add more security-relevant context to the request sent to the admission server, such as the environment the job is running for, which may influence the result.
  • Add an audit mode so that people can initially test the results without affecting job completion.
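
An illustrative admission server in Go, added here as an example and not code from this MR or the runner: it assumes the runner POSTs `{"image": "..."}` to the endpoint (the MR does not fix a wire format) and answers with an allow/deny verdict that only admits digest- or version-pinned images from trusted registries, with the audit mode from the list above reporting violations without denying.

```go
package main

import (
	"encoding/json"
	"net/http"
	"strings"
)

// Verdict is the allow/deny answer in the style of a Kubernetes admission review; Policy holds the
// rules, and AuditMode reports violations without denying (the audit mode from the MR's future scope).
type Verdict struct{ Allowed bool; Reason string }
type Policy struct{ AllowedRegistries map[string]bool; AuditMode bool }

// registryOf applies Docker's rule: a first path component containing '.' or ':' or equal to
// "localhost" is a registry; any other reference resolves to docker.io.
func registryOf(image string) string {
	if first, _, ok := strings.Cut(image, "/"); ok && (strings.ContainsAny(first, ".:") || first == "localhost") {
		return first
	}
	return "docker.io"
}

// mutableTag is true when the reference has no digest and either no tag or the "latest" tag.
func mutableTag(image string) bool {
	_, tag, hasTag := strings.Cut(image[strings.LastIndex(image, "/")+1:], ":")
	return !strings.Contains(image, "@sha256:") && (!hasTag || tag == "latest")
}

// Evaluate is the decision the admission server returns before the executor pulls the image.
func (p Policy) Evaluate(image string) Verdict {
	var reason string
	if reg := registryOf(image); !p.AllowedRegistries[reg] {
		reason = "registry not trusted: " + reg
	} else if mutableTag(image) {
		reason = "image must be pinned to an immutable tag or digest"
	}
	if reason != "" && !p.AuditMode {
		return Verdict{Allowed: false, Reason: reason}
	}
	return Verdict{Allowed: true, Reason: reason} // audit mode keeps the reason but lets the job run
}

// Handler is the endpoint the runner would POST {"image": "..."} to; that wire format is assumed.
func (p Policy) Handler(w http.ResponseWriter, r *http.Request) {
	var req struct{ Image string }
	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
		http.Error(w, "bad request", http.StatusBadRequest)
		return
	}
	w.Header().Set("Content-Type", "application/json")
	json.NewEncoder(w).Encode(p.Evaluate(req.Image))
}
```

Wire it up with `http.HandleFunc("/admit", p.Handler)` and point the runner at it; the registry allow-list and the pinning rule are the policy a local OPA instance would otherwise express.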

Why was this MR needed?

There was no way to integrate with an external docker registry (such as harbor/trivy or artifactory/xray) and check the security content of an image before pulling it onto the runner. Whilst a human should check an image's security content before adding it to a .gitlab-ci.yml file, security postures evolve over time and something that was safe on merging may no longer be considered safe some period of time later.

What's the best way to test this MR?

Unclear :) Obviously the intention here is that this integrates with components outside of the gitlab ecosystem, so I'm not sure what you guys need from me to help get this tested!

What are the relevant issue numbers?

N/A
