I have created a Docker runner that is binding the Docker socket /var/run/docker.sock into the container as described in 1:
sudo gitlab-runner register -n \
--url https://gitlab.com/ \
--registration-token REGISTRATION_TOKEN \
--executor docker \
--description "My Docker Runner" \
--docker-image "docker:stable" \
--docker-volumes /var/run/docker.sock:/var/run/docker.sock
I have read several posts/articles that recommend avoiding Docker-in-Docker deployment and instead advise use of Docker socket binding (e.g. https://jpetazzo.github.io/2015/09/03/do-not-use-docker-in-docker-for-ci/).
However a concern with this approach is that any developer who is able to add a Docker command in the .gitlab-ci.yml could access/stop/remove any of the containers running in the host. For example, adding docker rm -f $(docker ps -a -q) would remove all existing containers.
How can I avoid this?