
Resolve "Improve isolation between GitLab and Runners by moving Runners to their own namespace"

kevin.wilder requested to merge 1300-gitlab-runner-secret-sync into release-2.x

Big Bang Changes

  • Move gitlab-runner to a separate namespace to reduce blast radius of a compromised runner.
  • Added a hidden dig key .Values.addons.gitlabRunner.autoRegister.enabled defaulted to true in the gitlab-runner template. Can be disabled with BB values.
  • Default Kyverno to enabled so that it can support the needs of applications for copying secrets and configs
  • Started a document list for the applications that are using Kyverno.

Package Changes

Added a conditional Kyverno ClusterPolicy to the gitlab-runner package. The policy supports auto-registration when the GitLab runner is deployed in a separate namespace from GitLab. An autoRegister value is passed down to the gitlab-runner package chart. The gitlab-runner package Helm chart defaults it to false; the BB chart defaults it to true. By default gitlab-runner does not provide a NetworkPolicy for runner job egress. The runner job egress NPs must be created via a gitlabRunner values override.

Package MR

https://repo1.dso.mil/platform-one/big-bang/apps/developer-tools/gitlab-runner/-/merge_requests/69
big-bang/product/packages/gitlab-runner!79 (merged)

For Issue

Closes https://repo1.dso.mil/platform-one/big-bang/bigbang/-/issues/1300
Related big-bang/product/packages/gitlab-runner#55 (closed)

Edited by kevin.wilder
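The two pieces this MR leaves to the cluster operator, a Kyverno policy that keeps the runner registration secret in sync across the namespace boundary and a NetworkPolicy for runner job egress, look roughly like the following. This is an added illustration, not the manifest from the gitlab-runner package or the Big Bang chart; the namespace names, secret name, pod labels and CIDR are assumptions chosen for the example.

```yaml
# Added example, not the Big Bang / gitlab-runner package manifest.
# Assumptions: GitLab lives in namespace "gitlab", the runner in
# "gitlab-runner", and the registration token is stored in a Secret
# named "gitlab-runner-secret" in the gitlab namespace.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: sync-gitlab-runner-secret
spec:
  rules:
    - name: clone-runner-secret-into-runner-namespace
      # Trigger on the runner namespace itself, so the copy is created
      # as soon as the namespace exists and the runner can register.
      match:
        any:
          - resources:
              kinds:
                - Namespace
              names:
                - gitlab-runner
      generate:
        apiVersion: v1
        kind: Secret
        name: gitlab-runner-secret
        namespace: "{{request.object.metadata.name}}"
        # synchronize keeps the copy updated when the source is rotated
        # and recreates it if it is deleted in the runner namespace.
        synchronize: true
        clone:
          namespace: gitlab
          name: gitlab-runner-secret
---
# Egress policy for runner job pods. Assumed label: jobs spawned by the
# Kubernetes executor carry "app=gitlab-runner-job". Adjust to the labels
# your executor actually sets.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: gitlab-runner-job-egress
  namespace: gitlab-runner
spec:
  podSelector:
    matchLabels:
      app: gitlab-runner-job
  policyTypes:
    - Egress
  egress:
    # Cluster DNS (assumed namespace label for kube-system).
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
    # Back to the GitLab namespace for clone/push and artifact upload.
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: gitlab
      ports:
        - protocol: TCP
          port: 443
```

The generate rule is the part that makes the namespace split workable: without it the runner in its own namespace cannot read the registration secret that lives beside GitLab, and an operator would be tempted to widen RBAC across namespaces instead. The NetworkPolicy is deliberately narrow (DNS plus the GitLab namespace); any build that needs package registries or other outbound access gets a further explicit egress rule rather than a blanket allow, which is the blast-radius reduction the MR is after.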
