Design: Lock down write access to Secure's container registry
Proposal
The Secure templates pull analyzer images from a container registry to which all GitLab team members have write access. It's safe to assume that these templates are executed in many CI pipelines on gitlab.com and self-hosted installations. Consequently, if an attacker managed to manipulate these images, the CI pipelines of many projects would be compromised. To make such a scenario less likely we should lock down write access to Secure's container registry to a small group of team members who actually need write access.
Due to how permission inheritance for subgroups works in GitLab, I think the best option for locking down write access is to move the container registry to a group outside of gitlab-org.
This issue is a spin-off from a discussion in https://gitlab.com/gitlab-org/gitlab/-/issues/290103#note_458948651.
Details
- Each Docker image currently published under https://gitlab.com/gitlab-org/security-products/ is to be published under the new location.
- All references to the images are to be updated with the new location (including but not limited to CI templates and documentation).
- Set up monitoring for use of the new and old locations.
- Announce deprecation of old locations.
- Stop publishing images to old locations.
Responsibilities
Each group in the Sec Section is responsible for:
- Managing the deprecation and removal schedule for their artifacts, and creating issues for this purpose.
- Creating and configuring the projects under the new location.
- Configuring their builds to push release artifacts to the new location.
- Removing or keeping images in old locations according to their own support agreements.
Group and project settings
- New group: https://gitlab.com/security-products/
- Project path: https://gitlab.com/security-products/<PROJECT>, where PROJECT maps to a given feature category (example). It's been decided to group analyzers per feature category as it is easier to manage and provides an acceptable level of security.
- Old registry address: registry.gitlab.com/gitlab-org/security-products/analyzers/<PROJECT>/<IMAGE_NAME>:[TAG]
- New registry address: registry.gitlab.com/security-products/<PROJECT>/<IMAGE_NAME>:[TAG]
Permissions
- Top-level group
  - Maintainer: @gitlab-org/secure/managers, @gitlab-org/protect/managers
- Project level
  - A deploy token with read_registry and write_registry access is used to push images.
  - The token will be entered by its creator as a secret variable for protected branches on the originating project (i.e. the project under https://gitlab.com/gitlab-org/security-products/).
Project Settings
- Visibility, project features, permissions
  - Public; uncheck "Users can request access"
  - Disable: Issues, Merge requests, Forks, Git LFS, Packages, CI/CD, Requirements, Wiki, Snippets, Pages, Operations.
  - Service Desk: disable
Other
It would be nice to have a script that uses the API to create projects using the required settings above.
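As an added example (not part of this issue or of GitLab's own tooling), a script that creates one such project through the GitLab v4 REST API with the settings listed under Project Settings, and that can also audit an existing project for drift from them. It assumes the documented `POST /projects` parameter names, a personal access token in the `GITLAB_TOKEN` environment variable, and the numeric id of the security-products group passed on the command line.

```python
import json
import os
import sys
import urllib.request

GITLAB_API = "https://gitlab.com/api/v4"

# Settings from the "Project Settings" section as POST /projects parameters
# (assumed names): public, no access requests, only the registry left enabled.
LOCKED_DOWN_SETTINGS = {
    "visibility": "public",
    "request_access_enabled": False,
    "container_registry_enabled": True,
    "issues_access_level": "disabled",
    "merge_requests_access_level": "disabled",
    "forking_access_level": "disabled",
    "lfs_enabled": False,
    "packages_enabled": False,
    "builds_access_level": "disabled",  # CI/CD
    "requirements_access_level": "disabled",
    "wiki_access_level": "disabled",
    "snippets_access_level": "disabled",
    "pages_access_level": "disabled",
    "operations_access_level": "disabled",
    "service_desk_enabled": False,
}

def project_payload(name: str, namespace_id: int) -> dict:
    """Request body creating project <name> under the group with namespace_id."""
    return {"name": name, "path": name, "namespace_id": namespace_id, **LOCKED_DOWN_SETTINGS}

def settings_drift(project: dict) -> dict:
    """{setting: actual value} for every required setting a project (as returned
    by the API) deviates from; empty when the project is locked down."""
    return {k: project.get(k) for k, v in LOCKED_DOWN_SETTINGS.items() if project.get(k) != v}

def create_project(name: str, namespace_id: int, token: str) -> dict:
    req = urllib.request.Request(
        f"{GITLAB_API}/projects",
        data=json.dumps(project_payload(name, namespace_id)).encode(),
        headers={"PRIVATE-TOKEN": token, "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:  # raises HTTPError on 4xx/5xx
        return json.load(resp)

if __name__ == "__main__":
    # usage: create_project.py <PROJECT> <NAMESPACE_ID>  (token in GITLAB_TOKEN)
    created = create_project(sys.argv[1], int(sys.argv[2]), os.environ["GITLAB_TOKEN"])
    print(created["web_url"], settings_drift(created) or "settings verified")
```

Running `settings_drift` over `GET /projects/:id` responses for the existing projects gives a quick check that hand-created projects match the agreed settings.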