Duplicate: Set allowed IP addresses for individual Project Access Tokens

Proposal

All applications in our Kubernetes clusters are managed via ArgoCD. Jobs executed on our private GitLab runners use read-write Project Access Tokens to push the latest changes to our GitOps repositories. Those changes are in turn read using read-only Project Access Tokens by ArgoCD.

Runner --(write)--> GitOps Repo --(read)--> ArgoCD

For the read-only operations, we are comfortable with the current setup from a security perspective. We do not store sensitive information in our GitOps repositories.

The write tokens, on the other hand, are a worry. We have done our best to secure them: the read-write (RW) Project Access Token is stored in AWS Secrets Manager, permission to read it is limited to the workloads that need it, and the token is read only when necessary and removed when no longer needed. However, the token's existence is still a security risk.

If this token is ever compromised, it gives an attacker broad control over the Kubernetes cluster.

The idea is to limit the use of these read-write access tokens to requests coming from our GitLab runners' external IP.

An IP-based allowlist at the group level is too broad as currently implemented, since the IP addresses of the GitLab servers are dynamic (see https://docs.gitlab.com/ee/user/gitlab_com/#ip-range), though those ranges appear to apply only to requests originating from GitLab itself.

Proposal: make IP allowlisting tied to a specific Project Access Token.
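To make the proposal concrete, here is a sketch of how a per-token allowlist check would behave next to a group-level one. This is an added example written for this issue, not GitLab code: the token data model, the `authorize` function and every IP range in it are assumptions, and the addresses come from the RFC 5737 / RFC 3849 documentation prefixes rather than any real runner, ArgoCD or GitLab range.

```python
"""
Sketch of a per-token IP allowlist for Project Access Tokens.

Added example for this proposal; it is not GitLab code. The data model,
function names and all IP ranges are assumptions. Documentation prefixes
(203.0.113.0/24, 198.51.100.0/24, 192.0.2.0/24) stand in for real addresses.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Tuple


@dataclass(frozen=True)
class ProjectAccessToken:
    name: str
    scopes: frozenset           # e.g. {"read_repository", "write_repository"}
    allowed_networks: tuple     # ip_network objects; empty tuple = no IP restriction


def parse_allowlist(entries: Iterable[str]) -> tuple:
    """Turn CIDR/IP strings into network objects. A bare IP becomes a /32 or /128.
    strict=False accepts "10.1.2.3/24" as 10.1.2.0/24 instead of raising."""
    return tuple(ipaddress.ip_network(e, strict=False) for e in entries)


def new_token(name: str, scopes: Iterable[str], allowlist: Iterable[str] = ()) -> ProjectAccessToken:
    return ProjectAccessToken(name, frozenset(scopes), parse_allowlist(allowlist))


def _normalize(source_ip: str):
    """Parse the peer address and unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) so an
    IPv4 allowlist still matches a client that arrived over a dual-stack socket."""
    ip = ipaddress.ip_address(source_ip)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


def authorize(token: ProjectAccessToken, source_ip: str, required_scope: str) -> Tuple[bool, str]:
    """Scope check first, then the per-token IP check. Fails closed on bad input.
    source_ip must be the peer address GitLab's edge observed, never a client header."""
    if required_scope not in token.scopes:
        return False, f"token {token.name!r} lacks scope {required_scope!r}"
    if not token.allowed_networks:
        return True, "no IP restriction on token"
    try:
        ip = _normalize(source_ip)
    except ValueError:
        return False, f"unparseable source address {source_ip!r}"
    for net in token.allowed_networks:
        if ip.version == net.version and ip in net:
            return True, f"{ip} in {net}"
    return False, f"{ip} not in allowlist for token {token.name!r}"


# Constructed setup mirroring the issue: a runner that writes, ArgoCD that reads.
RUNNER_EGRESS_IP = "203.0.113.7"      # assumed static egress IP of the private runners
ARGOCD_EGRESS_IP = "198.51.100.20"    # assumed egress IP of the ArgoCD cluster
GITLAB_OWN_RANGE = "192.0.2.0/24"     # placeholder for GitLab's published range, NOT the real one

WRITE_TOKEN = new_token("runner-gitops-push", {"write_repository", "read_repository"},
                        allowlist=[RUNNER_EGRESS_IP])
READ_TOKEN = new_token("argocd-gitops-pull", {"read_repository"},
                       allowlist=[ARGOCD_EGRESS_IP])

# A group-level allowlist that must also admit GitLab's own (dynamic) addresses:
# the write token becomes usable from every address in that range.
GROUP_LEVEL_TOKEN = new_token("runner-gitops-push-group-scoped", {"write_repository"},
                              allowlist=[RUNNER_EGRESS_IP, GITLAB_OWN_RANGE])


def demo():
    cases = [
        (WRITE_TOKEN, RUNNER_EGRESS_IP, "write_repository"),        # legitimate push
        (WRITE_TOKEN, "::ffff:203.0.113.7", "write_repository"),   # same runner via dual-stack socket
        (WRITE_TOKEN, "192.0.2.42", "write_repository"),           # stolen token used elsewhere
        (READ_TOKEN, ARGOCD_EGRESS_IP, "write_repository"),        # read token can never write
        (GROUP_LEVEL_TOKEN, "192.0.2.42", "write_repository"),     # group-wide range lets it through
        (WRITE_TOKEN, "not-an-ip", "write_repository"),            # fail closed
    ]
    return [(t.name, src, *authorize(t, src, scope)) for t, src, scope in cases]


if __name__ == "__main__":
    for row in demo():
        print(row)
```

The contrast the issue is after is the third and fifth cases: with the allowlist bound to the token, a stolen write token is useless from anywhere but the runners' egress address, whereas a group-level list that has to admit a broad published range accepts the same stolen token from any address in that range. Two caveats apply in practice: the address being checked has to be the connection peer as seen at GitLab's edge (not an `X-Forwarded-For` style header an attacker can set), and a NAT'd egress address is shared by everything behind it, so a /32 narrows the blast radius to that NAT, not to one job.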