Backend: Removing user access to Shared Runners UI
Everyone can contribute. Help move this issue forward while earning points, leveling up and collecting rewards.
Problem to solve
In order to block a user from using Shared Runners an account level block needs to be placed. In the event that a user is not intentionally abusive with our Shared Runners it would be great to only remove access to our Shared Runners and not the entire account.
Intended users
Infra, Production, GitLab admins
Further details
User inadvertently causes behaviour that negatively impacts our Runners/Availability
Proposal
Provide the ability to block a users access to the Shared Runners
- Available via the Users API to add it as a mitigation option in Scrubber (our mitigation tool)
- UI based method - documented under design management section.
Backend
We currently have another similar feature that gives a pipeline/jobs access to shared runners only if the namespace has available CI minutes. Otherwise we fail a pipeline immediately and we filter out queue jobs from being picked by shared runners.
An idea could be to build beside this feature where rather than the condition be CI minutes must be available we add AND shared runners accessible for user
Permissions and Security
Requires a GitLab Admin Account to action this
Testing
Risk:
- This would lower the impact to a user as they would still have access to their projects/content if we need to mitigate against inadvertent excessive CI Usage.
What does success look like, and how can we measure that?
Blocking access to CI without blocking access to anything else on the account