use pull always policy for secure operations

The runner configuration (not the runner itself) needs to set pull policy to pull always to ensure users are not able to access images they do not have permissions to. Further explanation at https://docs.gitlab.com/runner/executors/docker.html#using-the-always-pull-policy.

changed the description

added gitlabRunner teamXForce labels

added community-contribution label

@bbodenmiller For reference, I think you are referring to adding pull_policy to the runner config by default. Is that correct?

@michaelmcleroy yes setting pull_policy = "always" right above helper_image = ... would do it.

The always pull policy should be used if your runner is publicly available and configured as a shared runner in your GitLab instance

I think this makes sense to do given this statement in the Gitlab docs. The default runner deployed via BB is deployed this way as an instance wide shared runner.

@bbodenmiller this issue has been inactive for 30 days and is being labelled as stale. If this issue is still required please take action by removing the stale label and commenting with an update, status, or justification. If this issue is not required please close it or label it as delete-me. If no action is taken this issue will be auto closed in 60 days.

Still awaiting fix. I do not have permissions to update labels.

added stale label

removed stale label

@bbodenmiller this issue has been inactive for 30 days and is being labelled as stale. If this issue is still required please take action by removing the stale label and commenting with an update, status, or justification. If this issue is not required please close it or label it as delete-me. If no action is taken this issue will be auto closed in 60 days.

added stale label

removed stale label

added no-auto-close label

changed iteration to Big Bang Iterations Aug 8, 2023 - Aug 21, 2023

set weight to 2

removed iteration Big Bang Iterations Aug 8, 2023 - Aug 21, 2023

changed iteration to Big Bang Iterations Aug 22, 2023 - Sep 4, 2023

added kindfeature priority6 labels

assigned to @andrewshoell

added statusdoing label

created branch 44-use-pull-always-policy-for-secure-operations to address this issue

mentioned in merge request !91 (merged)

removed statusdoing label

added statusreview label

mentioned in merge request big-bang/bigbang!3041 (merged)

closed with merge request big-bang/bigbang!3041 (merged)

mentioned in commit big-bang/bigbang@a0e22378

changed milestone to %2.10.0