"Limit sign in from multiple IP addresses" setting not documented, and not clear that runner IPs will be counted against user IP addresses
Problem to solve
There does not appear to be any documentation about the IP address restrictions
settings under Spam and Anti-bot Protection:
This is problematic because it is not intuitive that not only does the user browser or API client IP address count towards their unique IPs, but also the IPs of any runners that are authenticating as that user while executing CI/CD jobs (IP addresses from other components such as container registry servers may also be included when they authenticate as a user but this has not been confirmed).
The can lead an admin configuring a setting of say 10 IPs per hour assuming this applies to their UI activity only to have the user's access blocked if they run several CI/CD jobs on different runners during that time (this occurred in a recent GitLab Dedicated support ticket (ZD internal link).
I'm happy to put forward a docs MR for review but I wanted to first confirm that the inclusion of runner IP addresses is expected behavior and should be documented as such, as opposed to being unexpected behavior that should be addressed in the code (e.g. by excluding IP addresses associated with active runners).