[[File:GitLab Runner permission model.png|thumb|409x409px]]
Revision as of 10:12, 8 March 2022
Trusted GitLab Runners offer CI with additional security and trust requirements. In contrast to the Shared Runners, which run in WMCS, Trusted Runners live inside WMF infrastructure. With this approach, the SRE team has full control over the instance and over who has access. Furthermore, customization such as scaling, additional disks and NICs can be done outside the bounds of WMCS. Besides that, Shared Runners and Trusted Runners use the same puppet code (role(gitlab_runner)) with slightly different hiera configuration.
The current Trusted Runner cluster consists of two Ganeti VMs:
With increased usage, these VMs may be replaced by hosts in the future.
Request access to Trusted Runners
Access to these Runners is gated and restricted. No project has access to Trusted Runners by default. Access has to be requested on a per-project basis. Please use the following Phabricator task template to create an access request: Task Template
Please make sure to check your project settings, and especially who has maintainer permissions. You also must protect your main branch. As described in the Security Evaluation, maintainer permissions ("merge", "+2") are needed to execute jobs on the Trusted Runners. Conversely, this also means that everyone with maintainer permissions can execute such jobs.
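As an added example (not part of this page or of the GitLab Runner puppet code), a small Python script that performs the check requested above before filing an access request: it lists every account holding Maintainer-or-higher access and flags an unprotected default branch or direct push rights below Maintainer. It assumes GitLab's REST API (/projects/:id, /protected_branches, /members/all) and GitLab's access-level values 40 = Maintainer, 50 = Owner; the embedded sample data is constructed.

```python
"""Pre-flight audit for a Trusted Runner access request.

Assumes GitLab's REST API and its access levels (30 Developer,
40 Maintainer, 50 Owner). The audit() function is pure so it can be
run offline on the constructed sample data below.
"""
import json
import urllib.request

MAINTAINER = 40  # GitLab access level for Maintainer; Owner is 50


def audit(project, protected, members):
    """Return maintainers and problems for one project.

    project:   dict with 'default_branch'
    protected: list of protected-branch dicts with push_access_levels
    members:   list of member dicts with username and access_level
    """
    default = project["default_branch"]
    maintainers = sorted(m["username"] for m in members
                         if m["access_level"] >= MAINTAINER)
    problems = []
    if default not in {b["name"] for b in protected}:
        problems.append(f"default branch '{default}' is not protected")
    for b in protected:
        if b["name"] != default:
            continue
        # Direct push below Maintainer bypasses the merge gate the page relies on.
        for lvl in b.get("push_access_levels", []):
            if lvl["access_level"] < MAINTAINER:
                problems.append(f"push to '{default}' allowed below Maintainer")
    return {"maintainers": maintainers, "problems": problems}


def fetch_and_audit(base_url, project_id, token):
    """Same audit against a live GitLab; token needs read_api scope."""
    def get(path):
        url = f"{base_url}/api/v4/projects/{project_id}{path}"
        req = urllib.request.Request(url, headers={"PRIVATE-TOKEN": token})
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    return audit(get(""), get("/protected_branches"),
                 get("/members/all?per_page=100"))


# Constructed sample data standing in for the three API responses.
SAMPLE_PROJECT = {"default_branch": "main"}
SAMPLE_PROTECTED = [{"name": "main",
                     "push_access_levels": [{"access_level": 30}],
                     "merge_access_levels": [{"access_level": 40}]}]
SAMPLE_MEMBERS = [{"username": "alice", "access_level": 50},
                  {"username": "bob", "access_level": 40},
                  {"username": "carol", "access_level": 30}]

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_PROJECT, SAMPLE_PROTECTED, SAMPLE_MEMBERS), indent=2))
```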
Using Trusted Runners
Trusted Runners export Prometheus metrics. Dashboards are available in Grafana: gitlab-ci-overview and gitlab-runner-detail
Related task: T295481