Use Kubernetes Secrets for some environment variables (not implemented)
Status Update 2023-01-31
After in-depth analysis, we have found that the boring solution is to not implement the Kubernetes Secret object but instead revert MR !3607 (merged). Reverting MR !3607 (merged) means that we will no longer set sensitive variables at the build container level in the job pod.
We will also update the k8s executor documentation to highlight which variables are accessible (or not) on the container level (job Pod).
In addition, since %15.8 (with the merge of !3751 (merged)), we are no longer using the configMaps to store the job script.
This approach is simpler to implement and less risky in terms of k8s executor implementation.
Problem
GitLab CI variables are visible to anyone with access to run kubectl commands on the Kubernetes cluster while a Runner worker pod is active.
Proposal
Switch to Kubernetes Secrets to store environment variables that contain confidential data. With this feature, environment variables that store confidential data will not be exposed on a Runner Pod.
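To audit which variables a pod spec exposes, the following Python code (an added example, not GitLab Runner code) classifies every container variable in a manifest of the shape `kubectl get pod -o json` returns as stored inline in the spec or referenced from a Secret. The pod, container, variable and Secret names in the sample are constructed.

```python
# Constructed pod manifest in the shape `kubectl get pod -o json` returns.
# All pod, container, variable and Secret names are made up for this example.
SAMPLE_POD = {
    "metadata": {"name": "runner-example-pod", "namespace": "ci"},
    "spec": {
        "initContainers": [{"name": "init-permissions", "env": [
            {"name": "CI_JOB_TOKEN", "value": "constructed-token"}]}],
        "containers": [
            {"name": "build", "env": [
                {"name": "CI_JOB_TOKEN", "value": "constructed-token"},
                {"name": "DEPLOY_PASSWORD", "valueFrom": {"secretKeyRef":
                    {"name": "job-secrets", "key": "deploy-password"}}},
                {"name": "POD_IP", "valueFrom": {"fieldRef": {"fieldPath": "status.podIP"}}},
                {"name": "CI", "value": "true"}]},
            {"name": "helper"}],  # container without any env block
    },
}


def classify_env(pod):
    """Return (container, variable, kind) for every env entry in a pod spec.

    "inline": the value is stored in the pod spec, so anyone allowed to get
    or describe the pod can read it. "secret": the spec only names a Secret
    key. "other": configMapKeyRef, fieldRef and similar references.
    """
    findings = []
    spec = pod.get("spec", {})
    for group in ("initContainers", "containers"):
        for container in spec.get(group) or []:
            for var in container.get("env") or []:
                source = var.get("valueFrom") or {}
                if "secretKeyRef" in source:
                    kind = "secret"
                elif source:
                    kind = "other"
                else:
                    kind = "inline"
                findings.append((container["name"], var["name"], kind))
    return findings


def inline_vars(pod):
    """(container, variable) pairs whose values sit in the pod spec itself."""
    return [(c, n) for c, n, kind in classify_env(pod) if kind == "inline"]


if __name__ == "__main__":
    for container, name, kind in classify_env(SAMPLE_POD):
        print(f"{container:18} {name:16} {kind}")
```
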