Add instance setting to toggle enforcement of CI_JOB_TOKEN scope for all projects
Problem
In %18.0 we want to enforce the use of CI Job Token Scope for all projects by default. However, we want to give instance administrators the ability to disable (and re-enable) the enforcement if they need to.
Reason
On GitLab.com, which is a multi-tenant system, we will leave the setting on by default. However, some self-managed or Dedicated customers may want to disable this setting initially if they already have other security measures in place.
Proposal
Introduce an instance-level setting that allows admins to toggle the job token enforcement for all projects:
- When on (default on %18.0): all projects will enforce their job token scope allowlist even if the scope is disabled at instance setting. If allowlist is empty, only job tokens from the current project are allowed.
- When off: only projects that have the scope enabled in the project settings will enforce the allowlist. Other projects will allow authentications from CI_JOB_TOKENs from other projects.
Administrators are taking an explicit action to turn off this security setting. A warning about the implications of disabling it should also be clear in the UI.
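The decision table in the proposal, written out as an added Ruby sketch (not GitLab's implementation). `Project`, `job_token_allowed?`, `open_projects` and the sample data are hypothetical names constructed for illustration. It assumes a project's own job tokens are always accepted, which the proposal states for the empty-allowlist case.

```ruby
require 'set'

# Hypothetical model of a project: its id, whether the project-level
# job token scope is enabled, and the ids of allowlisted source projects.
Project = Struct.new(:id, :scope_enabled, :allowlist, keyword_init: true)

# True when a CI_JOB_TOKEN from a job in `source_project_id` may
# authenticate against `target` under the proposed rules.
def job_token_allowed?(instance_enforced:, target:, source_project_id:)
  # Assumption: tokens from the current project are always accepted.
  return true if source_project_id == target.id

  # Setting on: every project enforces its allowlist.
  # Setting off: only projects with the scope enabled enforce it.
  enforcing = instance_enforced || target.scope_enabled
  return true unless enforcing

  # An empty allowlist therefore admits only the current project.
  target.allowlist.include?(source_project_id)
end

# Ids of projects that accept job tokens from any other project for a
# given value of the instance setting. Useful for an administrator to
# review before turning enforcement off.
def open_projects(projects, instance_enforced:)
  projects.reject { |p| instance_enforced || p.scope_enabled }.map(&:id)
end

# Constructed sample data, not taken from any real instance.
SAMPLE_PROJECTS = [
  Project.new(id: 1, scope_enabled: true,  allowlist: Set[2]),
  Project.new(id: 2, scope_enabled: false, allowlist: Set[]),
  Project.new(id: 3, scope_enabled: false, allowlist: Set[1])
].freeze

if __FILE__ == $PROGRAM_NAME
  [true, false].each do |setting|
    puts "instance setting #{setting ? 'on' : 'off'}: " \
         "open projects = #{open_projects(SAMPLE_PROJECTS, instance_enforced: setting)}"
  end
end
```

With the sample data, turning the setting off leaves projects 2 and 3 accepting tokens from every other project, while project 1 keeps enforcing its allowlist.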