Gitlab.com CI for Private Projects
Summary: based on a piece of documentation about Gitlab.com CI for private projects, we have a question.
Note: this refers to Gitlab.com (and not self-hosted GitLab).
Concern: we came across this link: https://docs.gitlab.com/ee/ci/runners/#be-careful-with-sensitive-information
My interpretation: it is not recommended to build private-project CI on the default GitLab Runners.
- Is this interpretation valid? To what extent is it a concern?
- What do you think the best practice is?
Question:
- Is it OK to use Gitlab.com Shared Runners for CI in private projects?
Our solution: if and only if we need an alternative (a POC was implemented successfully for this):
- We created an EC2 instance (a private box)
- Installed GitLab Runner on the box
- Connected the EC2 instance to GitLab
- Disabled shared runners in the project settings
- On a CI run, successfully sent a request to our EC2 instance
In short:
My interpretation was wrong. Gitlab.com is perfectly safe. The cited documentation does not apply to this use case.
Read the reply from Gitlab.com: https://gitlab.com/gitlab-org/gitlab-runner/-/issues/25468#note_333854812
Quoting the reply:
The Shared Runners on GitLab.com are isolated VMs that are provisioned for each CI job and removed after job execution. This is documented here.
The documentation that you reference is actually referring to the situation where as a user you are now setting up and managing your own Runners. This is actually what you have done in the Our Solution section. So the security concern is that on your EC2 instance, if the Runner is configured to use the Shell executor for example, then any user in your organization that can execute CI jobs on the Runner on that EC2 instance is now able to execute a script which has full access to the filesystem on the EC2 instance.
So this is why on GitLab.com we always create new isolated VMs for each job.
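The reply's point is that the risk lives in the runner you manage yourself (the EC2 box in "Our solution"), not on GitLab.com's shared runners: with the shell executor, every job script runs as the runner's OS user on that host. The audit below is an added example, not code from the question, from GitLab's reply, or from the GitLab Runner project. It parses a self-managed runner's config.toml and flags entries that give jobs host-level access. The sample config, runner names and token values are constructed placeholders, and the checks for privileged Docker containers and a mounted Docker socket go beyond the shell-executor case the reply describes (they are the same class of problem: a job that can reach the host). It assumes Python 3.11+ for the standard-library tomllib module.

```python
"""Audit a self-managed gitlab-runner config.toml for executors that expose the host.

Added example: a hypothetical check, not part of GitLab Runner or the page's POC.
Assumes Python 3.11+ for tomllib (falls back to the third-party tomli package).
"""
try:
    import tomllib
except ImportError:  # Python < 3.11
    import tomli as tomllib  # type: ignore[no-redef]

# Constructed sample config.toml for a self-managed runner host such as the EC2 box
# in the question. Runner names and tokens are placeholders, not real values.
SAMPLE_CONFIG = """
concurrent = 2

[[runners]]
  name = "ec2-private-box-shell"
  url = "https://gitlab.com/"
  token = "PLACEHOLDER-RUNNER-TOKEN"
  executor = "shell"

[[runners]]
  name = "ec2-private-box-docker"
  url = "https://gitlab.com/"
  token = "PLACEHOLDER-RUNNER-TOKEN"
  executor = "docker"
  [runners.docker]
    image = "alpine:3.19"
    privileged = false
    volumes = ["/cache"]

[[runners]]
  name = "ec2-private-box-docker-privileged"
  url = "https://gitlab.com/"
  token = "PLACEHOLDER-RUNNER-TOKEN"
  executor = "docker"
  [runners.docker]
    image = "docker:24"
    privileged = true
    volumes = ["/var/run/docker.sock:/var/run/docker.sock", "/cache"]
"""

# Executors whose job scripts run directly as the runner's OS user on a host,
# so every project allowed to use the runner gets that user's filesystem access.
HOST_EXECUTORS = {"shell", "ssh"}


def audit_runner(runner: dict) -> list[str]:
    """Return human-readable findings for one [[runners]] entry (empty list = clean)."""
    name = runner.get("name", "<unnamed>")
    executor = runner.get("executor", "")
    findings: list[str] = []

    if executor in HOST_EXECUTORS:
        findings.append(
            f"{name}: executor '{executor}' runs job scripts directly on the host; "
            "any project that can use this runner gets the runner user's filesystem access"
        )

    if executor == "docker":
        docker = runner.get("docker", {})
        if docker.get("privileged", False):
            findings.append(
                f"{name}: privileged = true lets a job reach host devices and escape the container"
            )
        for volume in docker.get("volumes", []):
            host_path = volume.split(":", 1)[0]  # "host:container[:opts]" or a bare volume
            if host_path == "/var/run/docker.sock":
                findings.append(
                    f"{name}: mounting the Docker socket hands jobs control of the host Docker daemon"
                )
    return findings


def audit_config(toml_text: str) -> dict[str, list[str]]:
    """Parse a config.toml and map each runner name to its findings."""
    config = tomllib.loads(toml_text)
    return {r.get("name", "<unnamed>"): audit_runner(r) for r in config.get("runners", [])}


if __name__ == "__main__":
    for runner_name, findings in audit_config(SAMPLE_CONFIG).items():
        status = "OK" if not findings else "REVIEW"
        print(f"[{status}] {runner_name}")
        for finding in findings:
            print(f"    - {finding}")
```

Run it against the real file (usually /etc/gitlab-runner/config.toml on the host) by passing its contents to audit_config. The "ec2-private-box-docker" entry is the shape of runner the reply is steering toward for a self-managed box: a fresh unprivileged container per job, with no host paths mounted, which approximates the per-job isolation GitLab.com's shared runners provide with throwaway VMs.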