Add allowed images restriction to Kubernetes executor

Description

For the Docker executor of the Runner, it is possible to restrict the allowed images as follows:

allowed_images = [ "gitlab-registry.example.com/example/gitlabci-docker-builder:*" ]
allowed_services = [ "docker:*dind" ] 

The main problem is that the rest of the runners do not have these options. For instance, the Kubernetes executor does not allow this configuration. An example of use: using any image during docker build could allow the container to access the host node, and this should be limited with a specific allowed image, refusing any other. It could be done by limiting it to just a default image, a list of them or a pattern.

Proposal

Add the same configuration for allowed images that was used in Docker to the Kubernetes executor configuration.

Links / references

https://docs.gitlab.com/runner/configuration/advanced-configuration.html#restrict-allowed_images-to-private-registry
https://docs.gitlab.com/runner/executors/kubernetes.html

Overview

Anyone would be able to restrict allowed images, as with Docker.

Edited by Daniel Juarez
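
A sketch of the admission check this issue asks for, run against the `allowed_images` and `allowed_services` patterns quoted in the description. This is an added example, not GitLab Runner code: `imageAllowed` and `checkJob` are hypothetical names, matching uses Go's standard `path.Match` rather than whatever matcher the runner ships, and treating an empty list as "no restriction" is an assumption.

```go
package main

import (
	"fmt"
	"path"
)

// imageAllowed reports whether image matches at least one glob in allowed.
// Assumption: an empty list means "no restriction". Matching uses path.Match,
// where "*" never crosses "/"; the runner's real matcher may differ.
func imageAllowed(image string, allowed []string) (bool, error) {
	if len(allowed) == 0 {
		return true, nil
	}
	for _, pattern := range allowed {
		ok, err := path.Match(pattern, image)
		if err != nil {
			return false, fmt.Errorf("bad pattern %q: %w", pattern, err)
		}
		if ok {
			return true, nil
		}
	}
	return false, nil
}

// checkJob validates the job image and every service image before a pod
// would be created, and returns an error naming the first rejected reference.
func checkJob(image string, services, allowedImages, allowedServices []string) error {
	if ok, err := imageAllowed(image, allowedImages); err != nil {
		return err
	} else if !ok {
		return fmt.Errorf("image %q is not in allowed_images", image)
	}
	for _, s := range services {
		if ok, err := imageAllowed(s, allowedServices); err != nil {
			return err
		} else if !ok {
			return fmt.Errorf("service %q is not in allowed_services", s)
		}
	}
	return nil
}

func main() {
	images := []string{"gitlab-registry.example.com/example/gitlabci-docker-builder:*"}
	services := []string{"docker:*dind"}
	// Constructed job definitions: the first is accepted, the second refused.
	fmt.Println(checkJob("gitlab-registry.example.com/example/gitlabci-docker-builder:1.2", []string{"docker:19.03-dind"}, images, services))
	fmt.Println(checkJob("alpine:latest", nil, images, services))
}
```

With these patterns a digest-pinned reference (`...gitlabci-docker-builder@sha256:...`) is refused because the pattern requires a `:tag` form, so an allow list meant to cover pinned images needs its own pattern.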