use pull always policy for secure operations
The runner configuration (not the runner itself) needs to set pull policy to pull always to ensure users are not able to access images they do not have permissions to. Further explanation at https://docs.gitlab.com/runner/executors/docker.html#using-the-always-pull-policy.
Edited by Benjamin Bodenmiller