How does gitlab.com securely run docker:dind with privileged access?

I’m trying to understand how gitlab.com, or anyone else, is securely building docker images with GitLab CI. Since docker:dind requires privileged access, how is gitlab.com stopping nefarious behavior?

Is it as simple as restricting the allowed_images to docker:latest and allowed_services to docker:dind in a gitlab runner’s config.toml which can really only be used to build images?

For example…

[[runners]]
  url = "https://gitlab.com/ci"
  token = "TOKEN"
  executor = "docker"
  [runners.docker]
    tls_verify = false
    image = "docker:latest"
    privileged = true
    disable_cache = false
    volumes = ["/cache"]
    allowed_images = ["docker:latest"]
    allowed_services = ["docker:dind"]
  [runners.cache]
    Insecure = false
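The config above relies on `allowed_images` and `allowed_services` to keep a privileged runner from running arbitrary images. A quick way to keep that invariant honest across a fleet is to audit every `config.toml` for runners that set `privileged = true` but leave either allowlist empty. The script below is an added example, not part of the original post or of GitLab's own tooling: it parses a constructed sample config (with placeholder tokens) using the standard-library `tomllib` where available, falls back to a tiny subset parser otherwise, and reports each runner's findings. The runner names and the `audit_runners`/`load_config` helpers are assumptions of this example. Note that the allowlists only constrain which images a job may select; they do not change what a privileged container is permitted to do once it is running, so the finding is a configuration check, not a proof of isolation.

```python
"""Audit a GitLab Runner config.toml for privileged Docker executors that
lack image/service allowlists. Added example, not GitLab's own tooling."""
import re

try:
    import tomllib  # Python 3.11+
except ImportError:  # older interpreters: use the minimal fallback parser below
    tomllib = None

# Constructed sample config, modelled on the snippet in the question.
# Runner names and tokens are placeholders, not real values.
SAMPLE_CONFIG = '''
[[runners]]
  name = "builder-locked-down"
  url = "https://gitlab.com/ci"
  token = "REDACTED-RUNNER-TOKEN"
  executor = "docker"
  [runners.docker]
    tls_verify = false
    image = "docker:latest"
    privileged = true
    allowed_images = ["docker:latest"]
    allowed_services = ["docker:dind"]

[[runners]]
  name = "builder-wide-open"
  url = "https://gitlab.com/ci"
  token = "REDACTED-RUNNER-TOKEN"
  executor = "docker"
  [runners.docker]
    image = "docker:latest"
    privileged = true

[[runners]]
  name = "shell-runner"
  url = "https://gitlab.com/ci"
  token = "REDACTED-RUNNER-TOKEN"
  executor = "shell"
'''


def _parse_subset(text):
    """Minimal TOML subset parser ([[runners]], [runners.<sub>] tables,
    string / boolean / string-array values). Only used without tomllib."""
    runners, current, table = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "[[runners]]":
            current = {}
            runners.append(current)
            table = current
        elif line.startswith("[runners."):
            sub = line[len("[runners."):-1]
            table = current.setdefault(sub, {})
        else:
            key, _, val = (p.strip() for p in line.partition("="))
            if val in ("true", "false"):
                table[key] = val == "true"
            elif val.startswith("["):
                table[key] = re.findall(r'"([^"]*)"', val)
            else:
                table[key] = val.strip('"')
    return {"runners": runners}


def load_config(text):
    """Parse config.toml text into a dict shaped like tomllib's output."""
    if tomllib is not None:
        return tomllib.loads(text)
    return _parse_subset(text)


def audit_runners(config):
    """Return one finding per runner. A Docker executor with privileged=true
    and an empty allowed_images or allowed_services list is flagged."""
    findings = []
    for runner in config.get("runners", []):
        docker = runner.get("docker", {})
        privileged = bool(docker.get("privileged", False))
        issues = []
        if runner.get("executor") == "docker" and privileged:
            if not docker.get("allowed_images"):
                issues.append("privileged without allowed_images")
            if not docker.get("allowed_services"):
                issues.append("privileged without allowed_services")
        findings.append({
            "name": runner.get("name", "<unnamed>"),
            "privileged": privileged,
            "issues": issues,
        })
    return findings


if __name__ == "__main__":
    for f in audit_runners(load_config(SAMPLE_CONFIG)):
        status = "OK" if not f["issues"] else "; ".join(f["issues"])
        print(f"{f['name']}: {status}")
```

Run it against a real `config.toml` by replacing `SAMPLE_CONFIG` with the file's contents; any runner reported with issues is a privileged executor that will accept whatever image a job's `.gitlab-ci.yml` names.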