Admin ability to restrict certain runner executor types
Proposal
Add a method for self-managed admins to globally restrict certain runner type registrations. For example, the customer in question wants the ability to globally restrict all runners that have a shell executor from being used. This could be managed either at the registration level or after registration. Regardless, this would ideally be managed from the Admin UI.
This aims to provide a solution to the issue raised by the customer. Shell executors have a security warning in our docs to let users know that they are inherently more privileged on the runner host than other executor types and therefore carry some security risk:
Generally it’s unsafe to run jobs with shell executors. The jobs are run with the user’s permissions (gitlab-runner) and can “steal” code from other projects that are run on this server. Depending on your configuration, the job could execute arbitrary commands on the server as a highly privileged user. Use it only for running builds from users you trust on a server you trust and own.
Since many organizations do not restrict the ability to register runners, this leaves a situation where an insider threat actor could abuse the shell runner to gather privileged information shared on that runner.
We currently don't have a supported method for identifying and restricting what types of executors a runner is registered with. Tags could offer a solution, but only in a limited capacity, and would also require custom scripting from the customer to achieve something similar to the solution described above.
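A host-side check an admin could run in the meantime, as an added example that is not GitLab's code or part of the original issue: it reads the `executor` key of each `[[runners]]` entry in a runner's `config.toml` and reports those on a deny list. It assumes read access to the runner host's config file; the sample config, runner names and `DISALLOWED_EXECUTORS` policy are constructed for illustration, and the reader handles only simple `key = "value"` lines rather than full TOML.

```python
import re

# Policy assumed for this example: executors the admin does not want in use.
DISALLOWED_EXECUTORS = {"shell"}

# Constructed sample of a gitlab-runner config.toml (not from a real host).
SAMPLE_CONFIG = '''
concurrent = 4

[[runners]]
  name = "build-docker-01"
  url = "https://gitlab.example.com/"
  executor = "docker"
  [runners.docker]
    image = "alpine:3.19"

[[runners]]
  name = "legacy-shell-01"
  url = "https://gitlab.example.com/"
  executor = "shell"   # flagged by policy
'''

KEY_VALUE = re.compile(r'^\s*([A-Za-z0-9_]+)\s*=\s*"([^"]*)"')

def list_runners(config_text):
    """Return [{'name': ..., 'executor': ...}] for each [[runners]] entry."""
    runners, current, in_runner_root = [], None, False
    for line in config_text.splitlines():
        stripped = line.strip()
        if stripped == "[[runners]]":
            current = {"name": None, "executor": None}
            runners.append(current)
            in_runner_root = True
        elif stripped.startswith("["):
            # Any other table header (e.g. [runners.docker]) ends the root keys.
            in_runner_root = False
        elif in_runner_root:
            m = KEY_VALUE.match(line)
            if m and m.group(1) in current:
                current[m.group(1)] = m.group(2)
    return runners

def find_violations(config_text, disallowed=DISALLOWED_EXECUTORS):
    """Names of runners whose executor is on the disallowed list."""
    return [r["name"] for r in list_runners(config_text)
            if r["executor"] in disallowed]

if __name__ == "__main__":
    for name in find_violations(SAMPLE_CONFIG):
        print(f"policy violation: runner {name!r} uses a disallowed executor")
```

This only covers hosts whose config file the admin can read, which is the gap the proposal asks GitLab to close centrally.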