Enable ci config for autodevops to run on GDK cluster with enabled Binary Authorization
Problem to solve
If we enable Bin Auth on the GDK cluster that also hosts gitlab-runner, gitlab-runner won't be able to run images because they aren't whitelisted.
This does not block the PoC for Bin Auth, since we can simply run the runner outside the k8s cluster used for deployment.
Proposed solution
To make it work we need to:
- Show the user how to alter the bin auth policy (we might need to modify the policy through the API for the user)
- Use the full URL for docker images (add the docker.io prefix) for images/services used in Auto DevOps
Policy
admissionWhitelistPatterns:
- namePattern: registry.gitlab.com/gitlab-org/security-products/*
- namePattern: docker.io/alpine:latest
- namePattern: docker.io/docker:stable-git
- namePattern: docker.io/docker:stable-dind
- namePattern: docker.io/postgres:latest
- namePattern: docker.io/gliderlabs/herokuish:latest
- namePattern: docker.io/docker:stable
(this list might not be complete)
Changes in Auto DevOps template
- prefix every image: value with docker.io/
- prefix every services: entry with docker.io/
Outdated MR trying to do this: https://gitlab.com/gitlab-org/gitlab-ee/merge_requests/9620/diffs (THIS SHOULD BE IMPLEMENTED IN CE)
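As an added check (not code from this issue or from GitLab), the Python script below audits a CI template against the policy above: it qualifies bare Docker Hub references with docker.io/ the way the template change proposes, then reports which images would still fall outside the admissionWhitelistPatterns. The wildcard semantics, the template excerpt and the image tags it uses are assumptions.

```python
import re
# Whitelist patterns from the policy above (the docker.io entries are the proposed additions).
POLICY_PATTERNS = [
    "registry.gitlab.com/gitlab-org/security-products/*", "docker.io/alpine:latest",
    "docker.io/docker:stable-git", "docker.io/docker:stable-dind", "docker.io/postgres:latest",
    "docker.io/gliderlabs/herokuish:latest", "docker.io/docker:stable",
]
# Constructed excerpt in the shape of the Auto DevOps template; not the real template.
SAMPLE_CI = """\
image: alpine:latest
services:
  - docker:stable-dind
  - name: postgres:latest
sast:
  image: registry.gitlab.com/gitlab-org/security-products/sast:11-9-stable
deploy:
  image: gliderlabs/herokuish:latest
review:
  image: alpine:3.9
"""
def pattern_to_regex(pattern):
    # Assumed Bin Auth semantics: '*' stays within one path component, '**' spans components.
    parts = re.split(r"(\*\*|\*)", pattern)
    body = "".join(".*" if p == "**" else "[^/]*" if p == "*" else re.escape(p) for p in parts)
    return re.compile("^" + body + "$")

def qualify(ref):
    # Docker's rule: the first path component is a registry only if it looks like a host;
    # anything else is a Docker Hub image, which the policy names as docker.io/<repo>:<tag>.
    first = ref.split("/", 1)[0]
    if "/" in ref and ("." in first or ":" in first or first == "localhost"):
        return ref
    return "docker.io/" + ref

def extract_refs(ci_yaml):
    # Minimal line scanner for inline 'image:' values and 'services:' list items (no YAML library).
    refs, in_services = [], False
    for s in (line.strip() for line in ci_yaml.splitlines()):
        if s == "services:":
            in_services = True
        elif in_services and s.startswith("-"):
            refs.append(re.sub(r"^name:\s*", "", s.lstrip("- ")).strip("\"'"))
        else:
            in_services = False
            refs += re.findall(r"^image:\s*[\"']?([^\s\"']+)", s)
    return refs

def audit(ci_yaml, patterns=POLICY_PATTERNS):
    # Map each image reference to whether its fully qualified form matches a whitelist pattern.
    regexes = [pattern_to_regex(p) for p in patterns]
    return {ref: any(r.match(qualify(ref)) for r in regexes) for ref in extract_refs(ci_yaml)}
```

Running audit(SAMPLE_CI) flags alpine:3.9 as not whitelisted while the other references pass, which is the kind of gap the "list might not be complete" note refers to.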
Edited by Vladimir Shushlin