Limit shared runners to a set of trusted users on GitLab CE?

Is it possible to limit shared runners to a set of trusted users?

We’re running GitLab CE 14.2.3, and 14.2.0 runners.

I’ve gone over this in detail on our issue tracker:

https://phabricator.wikimedia.org/T292094

I’ll quote that task description here:

We opened the GitLab instance to the world earlier today (T288162). On thinking about it, it doesn’t seem like limiting CI to images from the Wikimedia registry (T291978) is going to be sufficient to prevent abuse here.

For the moment, I have the shared runners paused.

Background on our setup

  • We intend for everyone with a Wikimedia developer account to be able to sign up and create new projects under their user namespaces. Dev accounts can be freely created by anyone, pretty much.
  • We’d like for known-trusted individual users to be able to make use of shared runners for CI on projects under their user namespaces.
  • We’re using groups under people/ to contain individual users; those groups are then added to project groups.
  • Project groups are currently in top-level namespaces like /releng or /security.

Possible solutions

I could use some help thinking through this one. The options I know about so far:

  • Figure out how to get the “User is validated and can use free CI minutes on shared runners.” checkbox to do something meaningful. This might be close to ideal, but so far I haven’t been able to find much about it outside of the GitLab SaaS platform.
  • Mark all new users as “External” and have a process for unchecking the box. In some ways this may be simplest, but I don’t really like it - it’s just a bad user experience, as you can’t create new projects even under your own user when marked external, and last I tried this it wasn’t at all obvious why.
    • Worth noting that you can define a regex checked against e-mail addresses for exceptions to this setting, so people with certain domains could be exempt, but that really doesn’t do much for everyone outside of a handful of orgs.
  • Limit runners to specific groups instead of providing instance-wide shared runners.
    • Doesn’t really solve the problem of offering shared runners for personal-namespace projects.
  • Figure out if running pipelines can be made available only to members of certain people/* groups (as opposed to runners just being available to projects under specific groups), and define a people/trusted-contributors.
  • Do something with pipeline minutes quota
    • There’s both a global setting and per-group settings
  • Pre-commit hooks may be another option here - seems like KDE is doing something along those lines.

Docs

Any input, here or on the Wikimedia Phabricator task, would be welcome. Thanks!