Resolve "Improve isolation between GitLab and Runners by moving Runners to their own namespace"
Big Bang Changes
- Move gitlab-runner to a separate namespace to reduce blast radius of a compromised runner.
- Added a hidden dig key `.Values.addons.gitlabRunner.autoRegister.enabled`, defaulted to true in the gitlab-runner template. It can be disabled with Big Bang values.
- Default Kyverno to enabled so that it can support the needs of applications for copying secrets and configs.
- Started a document list for the applications that are using Kyverno.
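How a "hidden" dig key behaves, as an added illustration (not the Big Bang chart's actual template): the Big Bang template that hands values down to the gitlab-runner package reads `autoRegister.enabled` with Sprig's `dig`, so the key does not need to exist in the chart's values.yaml to take its default of true. The file path and the `autoRegister.enabled` key passed to the package are assumptions.

```yaml
# chart/templates/gitlab-runner/values.yaml (illustrative; not the project's file)
# `dig` walks the path "autoRegister" -> "enabled" inside .Values.addons.gitlabRunner
# and returns the default (true) when any part of the path is absent. That is why the
# key can stay out of values.yaml and still take effect, while an operator override of
# addons.gitlabRunner.autoRegister.enabled: false is honoured because dig returns the
# value that is actually present.
{{- if .Values.addons.gitlabRunner.enabled }}
autoRegister:
  enabled: {{ dig "autoRegister" "enabled" true .Values.addons.gitlabRunner }}
{{- end }}
```

To opt out, an operator sets `addons.gitlabRunner.autoRegister.enabled: false` in their Big Bang values; nothing else in the chart has to change. Because the default is on, a review of a deployment should assume the Kyverno-based secret copy is active unless that override is present.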
Package Changes
Added a conditional Kyverno ClusterPolicy to the gitlab-runner package. The policy supports auto-registration when the GitLab Runner is deployed in a separate namespace from GitLab. An autoRegister value is passed down to the gitlab-runner package chart; the package Helm chart defaults it to false, while the Big Bang chart defaults it to true. By default the gitlab-runner package does not provide a NetworkPolicy for runner job egress; the runner job egress NetworkPolicies must be created through a gitlabRunner values override.
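The two pieces this paragraph describes, as an added example rather than the package's own templates: a Helm-conditional Kyverno ClusterPolicy that clones the runner registration Secret from the GitLab namespace into the runner namespace, followed by the kind of runner-job egress NetworkPolicy an operator would supply through the gitlabRunner values override. The value keys `autoRegister.enabled`, `autoRegister.gitlabNamespace` and `autoRegister.secretName`, the secret name `gitlab-gitlab-runner-secret`, the job pod label and the port numbers are all assumptions.

```yaml
# templates/kyverno-sync-registration-secret.yaml (illustrative; not the package's template)
# Rendered only when autoRegister is on, i.e. when the runner lives in its own namespace
# and must read the registration token that the GitLab chart writes into the gitlab namespace.
{{- if .Values.autoRegister.enabled }}
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: gitlab-runner-sync-registration-secret
spec:
  rules:
    - name: clone-runner-registration-secret
      match:
        any:
          - resources:
              kinds:
                - Namespace
              names:
                - {{ .Release.Namespace }}   # the runner namespace triggers the generate rule
      generate:
        apiVersion: v1
        kind: Secret
        name: {{ .Values.autoRegister.secretName }}        # assumed key, e.g. gitlab-gitlab-runner-secret
        namespace: {{ .Release.Namespace }}
        synchronize: true   # keep the copy in step with the source and re-create it if deleted
        clone:
          namespace: {{ .Values.autoRegister.gitlabNamespace }}   # assumed key, e.g. gitlab
          name: {{ .Values.autoRegister.secretName }}
{{- end }}
---
# Runner job egress policy supplied via the gitlabRunner values override (constructed example).
# Egress for job pods is denied except DNS and the GitLab namespace, so a compromised job
# cannot reach the rest of the cluster from the runner namespace.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: gitlab-runner-job-egress
  namespace: gitlab-runner
spec:
  podSelector:
    matchLabels:
      app: gitlab-runner-job   # assumed label, applied to job pods via the executor's pod_labels
  policyTypes:
    - Egress
  egress:
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: gitlab
      ports:
        - protocol: TCP
          port: 8181   # constructed; use the port the GitLab webservice actually listens on
```

Two operational checks follow from this design. Kyverno's background controller needs RBAC to read the source Secret and create Secrets in the runner namespace for the generate rule to work, and once the copy exists anyone with `get` on Secrets in `gitlab-runner` holds the registration token, so RBAC in that namespace should be at least as tight as in the GitLab namespace. Separately, `synchronize: true` means deleting the cloned Secret by hand does not revoke anything; rotation has to happen at the source.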
Package MR
https://repo1.dso.mil/platform-one/big-bang/apps/developer-tools/gitlab-runner/-/merge_requests/69
big-bang/product/packages/gitlab-runner!79 (merged)
For Issue
Closes https://repo1.dso.mil/platform-one/big-bang/bigbang/-/issues/1300
Related big-bang/product/packages/gitlab-runner#55 (closed)