How does securely run docker:dind with privileged access?

I’m trying to understand our or anyone else is securely building docker images with Gitlab CI. Since docker:dind requires privileged access, how is stopping nefarious behavior?

Is it as simple as restricting the allowed_images to docker:latest and allowed_services to docker:dind in a gitlab runner’s config.toml which can really only be used to build images?

For example…

[[runners]]
  url = ""
  token = "TOKEN"
  executor = "docker"
  [runners.docker]
    tls_verify = false
    image = "docker:latest"
    privileged = true
    disable_cache = false
    volumes = ["/cache"]
    allowed_images = ["docker:latest"]
    allowed_services = ["docker:dind"]
  [runners.cache]
    Insecure = false
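An added example, not part of the original post or of GitLab's own tooling: a small audit that reads a runner `config.toml` and reports privileged docker runners whose `allowed_images` / `allowed_services` are missing, use wildcards, or list anything beyond the two values named in the question. The runner names and the sample config are constructed for illustration; the check only confirms that the allowlists are in place as described.

```python
try:
    import tomllib  # Python 3.11+
except ModuleNotFoundError:  # assumption: tomli backport is installed on older Pythons
    import tomli as tomllib

# Constructed sample config (not from the original post): one runner shaped
# like the question's, one privileged runner with loose or missing allowlists.
SAMPLE = '''
[[runners]]
  name = "restricted-dind"
  [runners.docker]
    image = "docker:latest"
    privileged = true
    allowed_images = ["docker:latest"]
    allowed_services = ["docker:dind"]

[[runners]]
  name = "open-dind"
  [runners.docker]
    image = "docker:latest"
    privileged = true
    allowed_services = ["docker:*"]
'''

def audit_privileged_runners(toml_text, images=("docker:latest",), services=("docker:dind",)):
    """Return (runner, finding) pairs for privileged docker runners whose
    allowlists are missing, contain wildcards, or exceed the expected set."""
    findings = []
    for runner in tomllib.loads(toml_text).get("runners", []):
        docker = runner.get("docker", {})
        if not docker.get("privileged", False):
            continue  # only privileged runners are in scope here
        name = runner.get("name", "<unnamed>")
        for key, expected in (("allowed_images", images), ("allowed_services", services)):
            allowed = docker.get(key)
            if not allowed:
                findings.append((name, f"{key} not set: jobs may request any value"))
                continue
            for entry in allowed:
                if "*" in entry:
                    findings.append((name, f"{key} wildcard entry {entry!r}"))
                elif entry not in expected:
                    findings.append((name, f"{key} unexpected entry {entry!r}"))
    return findings

if __name__ == "__main__":
    for name, finding in audit_privileged_runners(SAMPLE):
        print(f"{name}: {finding}")
```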