Allow instance level runners to be restricted to certain plan types - MVC
Problem to solve
On GitLab.com, when malicious users abuse or overwhelm the system it can have denial-of-service impacts on paying customers (malicious or over-zealous usage appears to almost always come from the free tier). And while our teams have some tools to combat this as it happens, it is for the most part a reaction and there's often an impact to legitimate use.
Currently we have three types of runners (instance runners, group runners, specific runners), and a single CI build queue. All new jobs from pipelines get added to a single queue, and then when runners poll for a job to execute they're assigned a job if it matches their criteria such as specificity (i.e., a gitlab-org group runner won't pick up a job that's from the gitlab-com group) and tags (i.e., a job tagged with docker will only be picked up by a runner having a matching tag).
This is likely a GitLab.com specific problem to solve, however there are some ways it could be iterated on to be of interest to self-hosted users.
Intended users
User experience goal
Paying users should be protected from the impacts of malicious users or insulated from the impacts of the system being overwhelmed.
Proposal (original)
At a high level, I propose adding an option in the admin page for instance runners that allows instance admins to specify that these runners can only be assigned jobs that are associated with specific plan types. Then, when/if this feature is used, when a runner is requesting a job, only jobs associated with projects, which are associated with namespaces, which are associated with the specific plan types, are considered.
A mock-up of the UI might look like this:
Further details
If done this way, the runners themselves would have no knowledge of being restricted to specific plans. So no change needs to happen on the runner side of the interaction.
On the infrastructure side, we could then not only shard these runners by plan type but move those runners into plan-specific GCP projects. This would even further insulate paying tiers from abuse by providing them with their own GCP quotas to use.
This could be further iterated on to allow restricting the runners to only pick up jobs triggered by specific users or users of specific groups, which would solve the problem being asked for in #290997 (closed).
As we introduce more "premium" type runners (macOS, Windows, GPU enabled instances, higher capacity instances) those could then be restricted to paying tiers or specific paying tiers.
Implementation plan
Note: The solution implemented for this MVC did not include a UI change to the Admin Area > Runners view.
- Add the ability to specify a list of plans that a specific instance runner will support.
- Add a mechanism so that only projects belonging to the namespace with the matching plan type will be able to execute jobs on that specific instance runner.
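
A sketch of the server-side job matching described in the proposal and implementation plan, added here as an illustration and not GitLab's actual code. All struct, method and runner names are hypothetical, the plan names and queue contents are constructed sample data, and an empty plan list is assumed to mean "unrestricted".

```ruby
# Added illustration, not GitLab's implementation. All names are hypothetical.
Namespace = Struct.new(:path, :plan)
Project   = Struct.new(:path, :namespace)
Job       = Struct.new(:id, :project, :tags)
# allowed_plans: empty list is assumed to mean "no plan restriction".
InstanceRunner = Struct.new(:name, :tags, :allowed_plans)

# Eligibility is decided on the server; the runner never sees plan data.
def eligible?(runner, job)
  # Every tag on the job must be offered by the runner.
  tags_ok = (job.tags - runner.tags).empty?
  # job -> project -> namespace -> plan, as in the proposal.
  plan = job.project.namespace.plan
  # A namespace with no plan (nil) never matches a restricted runner.
  plan_ok = runner.allowed_plans.empty? || runner.allowed_plans.include?(plan)
  tags_ok && plan_ok
end

# Hand out the oldest eligible job from the single shared queue, or nil.
def request_job(queue, runner)
  idx = queue.index { |job| eligible?(runner, job) }
  idx && queue.delete_at(idx)
end

# Constructed sample queue, oldest job first.
def sample_queue
  free = Namespace.new("free-ns", "free")
  paid = Namespace.new("paid-ns", "premium")
  none = Namespace.new("no-plan-ns", nil)
  [
    Job.new(1, Project.new("free-ns/app", free), ["docker"]),
    Job.new(2, Project.new("no-plan-ns/app", none), ["docker"]),
    Job.new(3, Project.new("paid-ns/app", paid), ["docker"]),
    Job.new(4, Project.new("paid-ns/gpu", paid), ["gpu"])
  ]
end

PAID_RUNNER   = InstanceRunner.new("paid-shard", ["docker"], %w[premium ultimate])
SHARED_RUNNER = InstanceRunner.new("shared", ["docker"], [])

if __FILE__ == $PROGRAM_NAME
  queue = sample_queue
  p request_job(queue, PAID_RUNNER)&.id    # skips free and plan-less jobs
  p request_job(queue, PAID_RUNNER)&.id    # plan matches job 4, tag does not
  p request_job(queue, SHARED_RUNNER)&.id  # unrestricted runner takes oldest job
end
```

Because the restricted runner skips over free-tier jobs instead of waiting behind them, a backlog of free-tier jobs in the shared queue does not delay jobs from paying namespaces on that shard.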
