UNCLASSIFIED - NO CUI

Draft: Move gitlab-runner to its own namespace

kevin.wilder requested to merge 1300-gitlab-runner-secret-sync into master

Big Bang Changes

  • Move gitlab-runner to a separate namespace to reduce blast radius of a compromised runner.
  • Added a hidden dig key .Values.addons.gitlabRunner.autoRegister.enabled, defaulted to true, in the gitlab-runner template. It can be disabled with BB values.
  • Default Kyverno to enabled so that it can support the needs of applications for copying secrets and configs.
  • Started a document list for the applications that are using Kyverno.

Package Changes

Added a conditional Kyverno ClusterPolicy to the gitlab-runner package. The policy supports auto registration when the gitlab runner is deployed in a separate namespace from gitlab. An autoRegister value is passed down to the gitlab-runner package chart. The chart is defaulted to false. The BB chart defaults to true.

Package MR

https://repo1.dso.mil/platform-one/big-bang/apps/developer-tools/gitlab-runner/-/merge_requests/69

For Issue

Closes https://repo1.dso.mil/platform-one/big-bang/bigbang/-/issues/1300

Edited by kevin.wilder
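
A sketch of the kind of Kyverno ClusterPolicy described under Package Changes, added here as an illustration and not taken from this merge request or the gitlab-runner chart. It clones one named secret into the runner's namespace, so the runner never needs read access to the gitlab namespace. The namespace names, the policy name and the secret name `runner-registration-secret` are assumptions.

```yaml
# Added example, not the chart's own template.
# Assumed names: namespaces "gitlab" and "gitlab-runner",
# secret "runner-registration-secret" (placeholder).
# In the package chart this manifest would be rendered only when the
# autoRegister value is enabled (key name assumed, e.g. autoRegister.enabled).
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: sync-runner-registration-secret   # hypothetical policy name
spec:
  rules:
    - name: clone-registration-secret
      # Trigger: the runner namespace being created or updated.
      # Namespaces that already exist when the policy is installed are
      # not covered by this trigger alone.
      match:
        any:
          - resources:
              kinds:
                - Namespace
              names:
                - gitlab-runner
      generate:
        apiVersion: v1
        kind: Secret
        name: runner-registration-secret
        namespace: gitlab-runner
        # Keep the copy in step with the source, so a rotated token
        # propagates and a deleted copy is recreated.
        synchronize: true
        clone:
          # Only this one secret is copied. Other secrets in the gitlab
          # namespace stay out of reach of a compromised runner.
          namespace: gitlab
          name: runner-registration-secret
```

Kyverno's own service account needs RBAC permission to read the source secret and create the copy, so that grant becomes part of what has to be reviewed when the policy is enabled.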
