I would like to ask both the GitLab devs and the community what the best security practices are for using the built-in registry.
1. It wasn’t apparent to me for a long time that the registry permissions are quite liberal: any developer may push to the registry, including pushing from outside of CI, leaving only a timestamp but no trace of user identity.
2. It seems natural to use the built-in registry to build the images that are used in CI.
3. The combination of 1. and 2. effectively means that the developer users can elevate their privileges by getting access to the protected variables or effectively overwriting release artifacts (if I were to use the registry as a source for deploying).
The above is a known limitation #878; however, from what I can see, it is not scheduled, and even if it was, it would only apply to the enterprise edition.
I’m developing open source exam grading software, where many developer-level users take exams graded by this software, and therefore the permission separation is crucial even though I trust the users. What would be the best practice here? Abandoning the GitLab registry and using Docker Hub seems like a possible but not preferred solution.
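
One check a maintainer could run against the risk described in the post, added here as an example and not part of the original post: since any developer can overwrite a tag in the built-in registry, the script flags CI images from the project's own registry that are referenced by a mutable tag instead of an `@sha256:` digest. The registry host, image paths and sample pipeline are constructed placeholders, and the line-based parsing assumes a plainly formatted `.gitlab-ci.yml`.

```python
import re

# Constructed sample pipeline; registry.example.com and all image paths are placeholders.
SAMPLE_CI = """\
default:
  image: registry.example.com/group/grader/ci-base:latest
build:
  image: registry.example.com/group/grader/builder@sha256:{digest}
  script: [make]
deploy:
  image:
    name: registry.example.com/group/grader/deployer:1.4
    entrypoint: [""]
  script: [./deploy.sh]
lint:
  image: python:3.12
  script: [ruff check .]
""".format(digest="0" * 64)

# A digest reference is immutable: pushing a new image cannot change what it resolves to.
DIGEST = re.compile(r"@sha256:[0-9a-f]{64}$")

def unpinned_images(ci_text, registry_prefix):
    """Return (line_no, ref) for images under registry_prefix that are not digest-pinned."""
    findings = []
    block_indent = None  # indentation of an open "image:" mapping, if any
    for no, line in enumerate(ci_text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        if block_indent is not None and indent <= block_indent:
            block_indent = None  # left the "image:" mapping
        ref = None
        if stripped == "image:":
            block_indent = indent  # long form: the reference is in a nested "name:" key
        elif stripped.startswith("image:"):
            ref = stripped.split(":", 1)[1].strip()
        elif block_indent is not None and stripped.startswith("name:"):
            ref = stripped.split(":", 1)[1].strip()
        if ref:
            ref = ref.strip("'\"")
            if ref.startswith(registry_prefix) and not DIGEST.search(ref):
                findings.append((no, ref))
    return findings

if __name__ == "__main__":
    for no, ref in unpinned_images(SAMPLE_CI, "registry.example.com/"):
        print(f"line {no}: {ref} is referenced by tag, not by digest")
```

With digest pins in place, changing which image a protected job runs requires a change to `.gitlab-ci.yml` itself, which goes through the branch's normal review and merge permissions.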