Securely pin k8s namespace to Gitlab Runners


We are evaluating GitLab for use in our company. We are using a k8s cluster, where each development team gets its own namespace. Each team is not allowed to access resources of a different team.

For the GitLab Runners we now have two options (if there are others, please let me know :wink:):

  1. Each team gets its own runner. We have about 400 teams… this ends in a massive maintenance and configuration effort.
  2. We create a runners namespace where the runners are. With the namespace_override and sa_override settings, we are able to configure a GitLab group to use a certain namespace in the cluster. So far, so good.
    Two important questions remain: Is it possible to securely pin a group to a namespace, which means that the team should not be able to read or alter the override variables?
    Is it possible to prevent the runner from being used inside the namespace it is itself in?

I hope this is somewhat clear. Feel free to ask if something needs to be specified further and, like I said, if there are other ideas, please let me know.

Best regards,