
Allow Container Expiration Policy to run tag cleanup

Steve Abrams requested to merge 15398-admin-user-for-policies into master

What does this MR do?

In testing the Container Expiration Policy feature on production, a bug was discovered where a project that belongs to a group or subgroup does not run the policy successfully, only a project directly under a user namespace will succeed.

This MR updates the container expiration policy system to:

  1. Create a new worker to only be used by container_expiration_policies that does not require a user, and cannot be executed by anything outside of the container_expiration_policy_service
  2. Do not display the expiration policy options in the project CI/CD settings page unless the user has :destroy_container_image abilities.
  3. Update the docs to fix the regex typo in describing valid name_regex values.

A follow-up has been created to eventually keep track of which users are updating the container_expiration_policies, and use their user_id to run the policies in the future: #204781

Screenshots

Does this MR meet the acceptance criteria?

Conformity

Availability and Testing

Security

If this MR contains changes to processing or storing of credentials or tokens, authorization and authentication methods and other items described in the security review guidelines:

  • Label as security and @ mention @gitlab-com/gl-security/appsec
  • The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
  • Security reports checked/validated by a reviewer from the AppSec team

Related #15398 (closed)

Edited by Steve Abrams
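The two design points in this MR (a cleanup worker that needs no user and may only be run by the policy service, and expiration-policy settings that are shown only to users holding :destroy_container_image) can be modelled with a few Ruby classes. The block below is an added example and is not GitLab's code: the ability check, the `invoked_by:` guard standing in for "cannot be executed by anything outside of the service", the `Policy`/`Project`/`Tag` structs and the sample projects are all constructed for illustration.

```ruby
# Constructed data types standing in for the application's models.
Tag = Struct.new(:name, :created_at)
Policy = Struct.new(:enabled, :name_regex, :keep_n)
Project = Struct.new(:path, :maintainers, :tags, :container_expiration_policy)

# Toy ability check: in this example only project maintainers hold
# :destroy_container_image (an assumption, not GitLab's policy rules).
def can?(user, ability, project)
  ability == :destroy_container_image && project.maintainers.include?(user)
end

# Settings page gate: expose the expiration-policy options only to users
# who could destroy container images themselves.
def show_expiration_policy_settings?(user, project)
  can?(user, :destroy_container_image, project)
end

# The cleanup worker needs no user; it acts on the project's own policy.
class ContainerExpirationPolicyWorker
  private_class_method :new

  # Sole entry point. Callers other than the policy service are refused;
  # this models the "service-only" restriction described in the MR.
  def self.perform(project, invoked_by:)
    unless invoked_by.is_a?(ContainerExpirationPolicyService)
      raise ArgumentError, 'ContainerExpirationPolicyWorker may only be run by ContainerExpirationPolicyService'
    end
    new.send(:cleanup, project)
  end

  private

  # Delete tags whose full name matches name_regex, keeping the keep_n newest.
  # Returns the names of the deleted tags.
  def cleanup(project)
    policy = project.container_expiration_policy
    return [] unless policy.enabled

    regex = Regexp.new("\\A(?:#{policy.name_regex})\\z")
    matching = project.tags.select { |t| regex.match?(t.name) }
    doomed = matching.sort_by(&:created_at).reverse.drop(policy.keep_n)
    project.tags -= doomed
    doomed.map(&:name)
  end
end

class ContainerExpirationPolicyService
  # Runs the policy for every project; no user context is required, so a
  # group-owned project is handled exactly like a user-namespace project.
  def execute(projects)
    projects.to_h { |p| [p.path, ContainerExpirationPolicyWorker.perform(p, invoked_by: self)] }
  end
end

# Constructed sample: one group/subgroup project and one user-namespace project.
def sample_projects
  t = ->(name, days_ago) { Tag.new(name, Time.now - days_ago * 86_400) }
  policy = Policy.new(true, '.*-dev', 2)
  [
    Project.new('group/sub/app', ['maintainer'],
                [t.('v1.0-dev', 5), t.('v1.1-dev', 3), t.('v1.2-dev', 1), t.('v1.2', 1)], policy),
    Project.new('alice/tool', ['alice'],
                [t.('build-dev', 9), t.('release', 0)], policy)
  ]
end

if __FILE__ == $PROGRAM_NAME
  projects = sample_projects
  p ContainerExpirationPolicyService.new.execute(projects)
  p show_expiration_policy_settings?('alice', projects.last)
end
```

Running the script deletes only `v1.0-dev` from the group project (the two newest `-dev` tags are kept and `v1.2` does not match the anchored regex), deletes nothing from the user project, and any attempt to call the worker directly raises `ArgumentError`.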
