I’m trying to understand our gitlab.com or anyone else is securely building docker images with Gitlab CI. Since docker:dind requires privileged access, how is gitlab.com stopping nefarious behavior?
Is it as simple as restricting the allowed_images
to docker:latest
and allowed_services
to docker:dind
in a gitlab runner’s config.toml which can really only be used to build images?
For example…
[[runners]]
url = "https://gitlab.com/ci"
token = TOKEN
executor = "docker"
[runners.docker]
tls_verify = false
image = "docker:latest"
privileged = true
disable_cache = false
volumes = ["/cache"]
allowed_images = ["docker:latest"]
allowed_services = ["docker:dind"]
[runners.cache]
Insecure = false