Add overwriting of service account bearer token

David Schile requested to merge bajacondor/gitlab-runner:bearer-token into master

This is a general Merge Request template. Consider choosing a template from the list above if it matches your case better.

What does this MR do?

Allows users to specify a Kubernetes service account token in their job variables. This token would then be used to create the build pod. This enhances the Kubernetes Executor so that it may launch build pods into other namespaces while maintaining isolation and security among namespaces.

Why was this MR needed?

In conjunction with specifying the namespace, users are currently unable to launch build pods into other namespaces without the gitlab-runner running under a service account or user that has super-user permissions. This is unsafe and creates an untenable attack vector.

Are there points in the code the reviewer needs to double check?

Does this MR meet the acceptance criteria?

  • Documentation created/updated
  • Tests
    • Added for this feature/bug
    • All builds are passing
  • Branch has no merge conflicts with master (if you do - rebase it please)

What are the relevant issue numbers?

Closes #2881 (closed)

Edited by Alessio Caiazza
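
The isolation argument in the description, as an added example that is not part of this merge request or the project's code: Kubernetes RBAC manifests contrasting a runner identity bound to `cluster-admin` with a service account confined to one namespace, whose token a job could supply. All names (`gitlab`, `team-a`, `ci-builder`, `ci-build-pods`) and the resource and verb list are assumptions.

```yaml
# Constructed example; every name below is hypothetical.
# Weak: the runner's own identity is bound cluster-wide, so every job
# it launches inherits super-user reach into every namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: gitlab-runner-admin
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
  - kind: ServiceAccount
    name: gitlab-runner
    namespace: gitlab
---
# Scoped: a per-team service account. Its token is what the job would
# supply, so build pods can only be created inside team-a.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ci-builder
  namespace: team-a
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: ci-build-pods
  namespace: team-a
rules:
  # Assumed resource and verb set for build pods; trim to what jobs need.
  - apiGroups: [""]
    resources: ["pods", "pods/exec", "pods/attach", "pods/log", "secrets", "configmaps"]
    verbs: ["get", "list", "watch", "create", "delete"]
---
# RoleBinding (not ClusterRoleBinding): the grant stops at the namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ci-build-pods
  namespace: team-a
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: ci-build-pods
subjects:
  - kind: ServiceAccount
    name: ci-builder
    namespace: team-a
```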
