Control GitLab CI/CD networking from GitLab


Problem to solve

There is currently no way to control egress or ingress for GitLab Runner jobs other than on the host (or cluster) where the Runner runs, which the people who own a project's pipelines typically do not administer.
Restricting outbound connections during job execution limits what a compromised dependency, a malicious merge request or a leaked token can reach from inside a job: if a job can only talk to approved endpoints, it cannot exfiltrate secrets, source or build artifacts to an attacker-controlled host, and the build environment becomes a far smaller target.

Proposal

This feature will enable project/group Maintainers and Owners to define and enforce network security policies for GitLab Runner jobs, comparable to Kubernetes NetworkPolicy resources but managed from GitLab itself.

One way to expose this would be new job-level and global CI/CD keywords that declare the inbound and outbound connections a job is permitted to make, so the policy lives in the project alongside the pipeline definition.

Core Functionality

  • Network Policy Definition: Create, edit, and manage network policies at project or group levels through the GitLab UI
  • Granular Access Control: Define allowed/denied hostnames, IP ranges, and ports for outbound connections (hostname rules have to be enforced where the job resolves or connects by name, e.g. at DNS or an HTTP(S) proxy, because the network layer under the Runner only sees IP addresses)
  • Policy Inheritance: Cascade policies from group level to projects with override capabilities
  • Violation Handling: Configure the action taken on a network policy violation: abort the job immediately, let it run to completion but mark it as failed, or log only (monitoring mode, useful while rolling a policy out)
  • Audit Logging: Comprehensive logging of network activity and policy violations
  • Metrics & Reporting: Dashboard to visualize network activity patterns and violation attempts

Example Use Cases

  • Dependency Management: Allow connections only to approved artifact repositories
  • Secret Protection: Block outbound connections to unknown domains to prevent credential theft
  • Compliance: Enforce regulatory requirements by limiting external network access
  • Environment Isolation: Create secure, isolated build environments for sensitive projects
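As an added example (not GitLab's or GitLab Runner's code; the proposal names concepts, not a schema), here is a small Python policy evaluator that models the core functionality and the use cases above: allow/deny rules over hostnames, CIDRs and ports, a group-to-project cascade in which the group decides whether a project may override its allow lists, the three violation actions, and an audit trail per job. Every field and function name is hypothetical, and the hosts and IP addresses (IANA documentation ranges) are constructed test data.

```python
# Added example, not GitLab's code: an egress-policy evaluator modelling the proposal
# (allow/deny hosts, CIDRs, ports; group-to-project cascade with override; abort/fail/log
# on violation; audit log). All names are hypothetical; hosts and IPs are constructed.
import copy
import fnmatch
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


class JobAborted(Exception):
    """Raised under on_violation == "abort": the job stops at the first violation."""


@dataclass
class EgressPolicy:
    allow_hosts: List[str] = field(default_factory=list)  # glob patterns, e.g. "*.pypi.org"
    allow_cidrs: List[str] = field(default_factory=list)  # e.g. "10.20.0.0/16"
    allow_ports: List[int] = field(default_factory=list)  # empty list means any port
    deny_hosts: List[str] = field(default_factory=list)   # always wins over allow lists
    on_violation: str = "fail"                            # "abort" | "fail" | "log"
    allow_override: bool = True                           # may a project replace allow lists?


def merge(group: EgressPolicy, project: Optional[EgressPolicy]) -> EgressPolicy:
    """Cascade a group policy onto a project (assumed design): a project may replace the
    group's allow lists and violation action only if the group permits overrides; deny
    lists are always unioned, so a project can tighten but never drop a group deny."""
    effective = copy.deepcopy(group)
    if project is None:
        return effective
    effective.deny_hosts = sorted(set(group.deny_hosts) | set(project.deny_hosts))
    if group.allow_override:
        for name in ("allow_hosts", "allow_cidrs", "allow_ports"):
            if getattr(project, name):                    # empty list = inherit group's
                setattr(effective, name, list(getattr(project, name)))
        effective.on_violation = project.on_violation
    return effective


def evaluate(policy: EgressPolicy, host: str, ip: str, port: int) -> Tuple[bool, str]:
    """Decide one outbound connection: deny patterns first, then the port, then the
    destination must match an allowed host pattern or fall inside an allowed CIDR."""
    if any(fnmatch.fnmatchcase(host, pat) for pat in policy.deny_hosts):
        return False, "host matches deny list"
    if policy.allow_ports and port not in policy.allow_ports:
        return False, f"port {port} not in allowed ports"
    addr = ipaddress.ip_address(ip)
    host_ok = any(fnmatch.fnmatchcase(host, pat) for pat in policy.allow_hosts)
    cidr_ok = any(addr in ipaddress.ip_network(c, strict=False) for c in policy.allow_cidrs)
    if host_ok or cidr_ok:
        return True, "allowed"
    return False, "destination not in allow list"


class JobEgressEnforcer:
    """Applies the effective policy to one job's connection attempts and keeps an audit log."""

    def __init__(self, policy: EgressPolicy, job_id: str):
        self.policy, self.job_id = policy, job_id
        self.audit: List[dict] = []   # every attempt, allowed or not
        self.failed = False           # set once under on_violation == "fail"

    def connect(self, host: str, ip: str, port: int) -> bool:
        """Return True if the connection may proceed; record the decision either way."""
        allowed, reason = evaluate(self.policy, host, ip, port)
        action = "allow" if allowed else self.policy.on_violation
        self.audit.append({"job": self.job_id, "dst": f"{host} ({ip}):{port}",
                           "allowed": allowed, "reason": reason, "action": action})
        if allowed:
            return True
        if action == "abort":
            raise JobAborted(f"job {self.job_id}: egress to {host}:{port} blocked ({reason})")
        if action == "fail":
            self.failed = True        # job keeps running but is marked failed at the end
            return False
        return True                   # "log": monitoring mode, the connection proceeds


def run_demo() -> JobEgressEnforcer:
    """Constructed scenario: the group allow-lists internal hosts and the corporate CIDR
    on 443 and denies a known exfil domain; the project narrows the host list to the
    package index it actually needs (dependency-management use case)."""
    group = EgressPolicy(allow_hosts=["*.corp.example"], allow_cidrs=["10.20.0.0/16"],
                         allow_ports=[443], deny_hosts=["*.exfil.example"],
                         on_violation="abort", allow_override=True)
    project = EgressPolicy(allow_hosts=["pypi.org", "files.pythonhosted.org",
                                        "registry.corp.example"], on_violation="fail")
    job = JobEgressEnforcer(merge(group, project), job_id="job-1")
    job.connect("pypi.org", "198.51.100.10", 443)           # allowed: project host list
    job.connect("cache.corp.example", "10.20.5.7", 443)     # allowed: group CIDR inherited
    job.connect("drop.exfil.example", "203.0.113.9", 443)   # violation: group deny wins
    job.connect("pypi.org", "198.51.100.10", 80)            # violation: port 80 not allowed
    job.connect("updates.corp.example", "192.0.2.44", 443)  # violation: "*.corp.example" was replaced
    return job
```

Running `run_demo()` and printing `job.audit` gives the audit trail the proposal asks for; the job ends with `failed == True` because the project chose "fail" rather than "abort". Two design points worth keeping in a real implementation: deny rules are evaluated before any allow rule and are unioned down the hierarchy, so a project can only ever narrow what its group permits; and because `fnmatch` treats `*` as matching dots too, `"*.corp.example"` also matches `a.b.corp.example`, which is usually what you want for an allow list but should be stated explicitly in the policy documentation.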