Allow Container Expiration Policy to run tag cleanup
What does this MR do?
In testing the Container Expiration Policy feature on production, a bug was discovered where a project that belongs to a group or subgroup does not run the policy successfully; only a project directly under a user namespace will succeed.
This MR updates the container expiration policy system to:
- Create a new worker to only be used by container_expiration_policies that does not require a user, and cannot be executed by anything outside of the container_expiration_policy_service
- Do not display the expiration policy options in the project CI/CD settings page unless the user has :destroy_container_image abilities.
- Update the docs to fix the regex typo in describing valid name_regex values.
A follow-up has been created to eventually keep track of which users are updating the container_expiration_policies, and use their user_id to run the policies in the future: #204781
Screenshots
Does this MR meet the acceptance criteria?
Conformity
- Changelog entry
- Documentation (if required)
- Code review guidelines
- Merge request performance guidelines
- Style guides
- Database guides
- [-] Separation of EE specific content
Availability and Testing
- Review and add/update tests for this feature/bug. Consider all test levels. See the Test Planning Process.
- [-] Tested in all supported browsers
- [-] Informed Infrastructure department of a default or new setting change, if applicable per definition of done
Security
If this MR contains changes to processing or storing of credentials or tokens, authorization and authentication methods and other items described in the security review guidelines:
- Label as security and @ mention @gitlab-com/gl-security/appsec
- The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
- Security reports checked/validated by a reviewer from the AppSec team
Related #15398 (closed)
Edited by Steve Abrams