►
Description
Release group had a sync meeting for the solution validation on the issue https://gitlab.com/gitlab-org/gitlab/-/issues/262011.
This video contains:
- Problem statement
- 7 LEVELS of securing CD pipelines presentation
- PoC for the potential solution
A
A
Yeah
basically,
this
I
propose
to
dissolution
and
then
the
victor
confirmed
it
with
customer
and
then
it
probably
works
for
them.
So
I
already
created
a
poc,
so
I'm
gonna
demonstrate
it
later,
but
just
you
know
making
making
sure
that
if
the
solution
actually
works
for
them,
if
it's
truly,
you
know
correctly
implemented
for
for
them.
So
I
just
set
up
this
code.
B
Yeah
sure
so
the
problem
we're
trying
to
solve
is
that
for
this
specific
customer.
But
this
is
just
an
example
because
a
lot
of
customers
work
like
this.
They
have
a
segregation
of
duties
and
the
people
that
are
developing
are
not
the
people
that
are
touching
production,
and
so
we
we
already
support
protected
environments
which
don't
allow
people
to
deploy
to
production
unless
they're
specifically
stated
in
under
the
protected
environment
rule.
B
But
this
didn't
solve
their
entire
problem
because
they
also
don't
want
developers
maintainers,
creating
environments.
Okay
and
when
we're
saying
created
environments,
we're
talking
specifically
on
protected
environments
and
not
review
apps.
For
example,
any
developer
can
create
a
development
environment,
but
they
don't
want
customers
to
access
this
newly
created
environment
by
maintainers.
B
So
what
they
asked
us
to
do
was
kind
of
find
a
solution
to
block
maintainers
from
the
ability
of
creating
these
protected
environments
and
there's
two
different
locations
inside
our
product.
Where
you
can
create
environments,
one
is
through
the
ui
and
the
environments
page
where
you
just
create
in
a
new
environment,
and
then
you
can
go
ahead
and
set
it
as
protected
or
through
the
ciaml
file
through
a
job
you
can
create
that
environment.
A
Now,
actually,
I
was
thinking
that
the
solution
could
be
different
per
customer,
see
the
cd
workflow,
the
current
workflow,
but,
like
you
know,
there
are
many
features,
are
involved
with
the
the
securing
city
pipelines,
not
only
protected
environments
but
also
protected
branches,
protected
variables,
etc.
So,
actually
I
was
wondering
if
the
locking
down
the
protected
environment
rules
is,
is
sufficient
for
them,
like
a.
A
B
B
On
the
bottom,
it
says
a
change
and
then
just
change
that
all
right
now
going
back
to
your
question:
junior
you're,
right
and
ian-
and
I
discussed
this
on
our
sink
yesterday-
and
we
have
some
assumptions
that
we
want
to
validate
with
the
customer,
but
we
assume
that
protected
environments
are
going
to
have
some
kind
of
prod
in
the
name.
So
like
we
were
thinking
of
adding,
maybe
a
regex
rule
here
saying:
if
anything
has
prod
inside
it
then
block
the
creation
of
it.
Something
like
that.
B
But
that
was
an
assumption
that
we
have-
and
I
asked
yesterday
from
victor
to
validate
what
the
customary
fire
assumption
is
correct,
because
you're
absolutely
right,
a
developer
can
create
an
environment
and
then
later
on,
particularly
so,
we
had
two
options
that
we
thought
about
yesterday
and
it's
in
one
of
those
notes.
Let
me
look
for
it
in
the
issue
is
one
based
on
regex
and
the
other
one
was
that
creation
of
environments.
B
Would
you
would
get
a
notification
when
someone
creates
a
an
environment
and
then
one
of
two
things
either?
You
just
get
a
notification
and
then
you
can
decide
to
protect
it
later
on,
if
you're,
the
sre
or
the
production
responsible
person,
or
we
would
insert
this
new
workflow,
which
I
highly
not
recommend.
But
maybe
that's
what
the
customer
needs
where
you
need
approval
in
order
to
create
so
a
developer,
creates
an
environment
and
then
it
needs
to
go
through
an
approval
cycle
for
it
to
actually
be
created.
A
A
A
The
problem
that
for
this
solution
we
provide,
we
provide
a
bunch
of
security.
Related
features
like,
for
example,
victor
pointed
out
that
how
about
changing
into
product
production
or
prod,
whatever
things
that
can
be
avoid,
you
know,
can
even
skip
the
validation
of
regex
like
something
yeah.
So
this
cannot
be
prevented
if
they
are
maintenance,
but
the
only
solution
for
this
case
is
that
setting
variables.
A
So
here,
environment,
scope,
setting
environment
is
cool
for
variables,
so
in
this
case
only
production
secret
is
injected
into
production
environment
so
that,
even
if
they
change
environment
name,
this
deployment
job
will
differently
fail
because
they
can
access
it.
The
deep
this
diplomacy
of
cannot
access
to.
You
know
that
the
deployment
target
like
aws
or
gcs,
whatever
things
they
cannot
access
it.
So
that's
kind
of
you
know
assumption
that
we
have.
A
A
So
sorry
yeah
like
actually
I
was
thinking
that,
maybe
you
guys
don't
know
really
about
the
cd
related
future.
It's
really
protected.
It's
called
protected
features
for
the
protected
branches,
protected
tags,
protected
environments,
so
actually
prepared
click
presentation
for
the
features
like
it.
This
is
there
really
I'm
gonna,
just
I'm
gonna,
try
to
finish
within
10
minutes
yeah.
A
A
You
might
already
know
that
say
pipeline
how
ci
pipelines
works,
continuous
integration,
so
like
testing
jobs
like
our
space
jobs,
would
work
but
city
pipelines,
city
deployment
jobs
are
a
bit
more
complicated
than
these
testing
jobs.
Because
it's
you
know
it
has
secrets,
it
must
be
secured
by
developer
developers
or
some.
You
know
the
lower
level
like
to
sell
other
people.
So
there
are
here's
the
civil
levels
of
tips
now
level.
One
set
the
proper
role
to
project
member
now
in
glove.
A
There
are
a
few
roles:
guest
reporter
developer,
maintenance
and
owner
and
then
the
permission.
The
giving
permission
increase
from
left
to
right
so
guest
has
a
list
permission
and
the
owner
has
a
full
control
on
the
project.
Now,
what's
important
here
is
that
maintainer
role
has
permission
to
access
to
project
settings
all
project
settings,
including
production
secrets.
So
you
know
in
gilaf
you
can
access
this
settings
page
maintainer.
All
maintainers
have
access
to
here.
A
So
what's
important
here
is
that
if
the
person
should
not
have
access
to
production,
then
the
person
should
be
developer
role
of
below
to
develop
guest
reporter
or
developer,
and
if
the
person
should
have
have
access
to
production,
for
example,
operators,
sre
release
managers
and
the
person
should
be
maintainer
or
so.
This
is
a
level
one
at
a
level.
A
2
protect
the
deployment
branch
so,
for
example,
in
a
typical
c
continuous
deployment,
workflow
matchbreaker
is
merging
merged
to
master
branch,
and
the
master
branch
creates
a
new
deployment
pipeline
and
deployed
to
aws
or
whatever
place
and
then
predict
the
deployment
branch
means
only
allowed.
People
can
merge
or
push
to
the
branch.
So,
in
this
case,
only
maintainer
role,
people
can
merge
or
push,
but
more
importantly,
actually,
this
is
a
kind
of
secret
feature
of
this
thing
is
that
only
a
lot
of
people
can
run
a
pipeline
on
the
branch.
A
A
So
it
really
depends
on
the
external
service
how
external
service
authorize
authenticates
a
request:
the
by
default
all
xr
deployments,
the
actual
deployment
resource
servers
have
some
kind
of
horse
mechanism,
so
there
is
definitely
like
secrets
has
to
be.
You
know
the
secrets
has
to
be
prepared
in
the
deployment
job,
and
then
that
means
that
a
gitlab
users
have
to
define
the
secrets,
so
they
use
environment
variables
right
so
user.
Here's,
the
environment
variables
the
ui,
though
so
the
point
of
the
laboratory
is
that
protect.
A
This
variable
here
is
a
production
secret
and
then
mark
protect
it.
This
protected
means
that
this
variable
is
injected
only
on
protected
branch,
which
just
we
just
covered
at
level.
Two.
Okay,
this
variable
is
only
available
in
master
branch
so
that,
for
example,
developer
trying
to
steal
the
secret.
They
cannot
do
that
because
it's
protected,
they
don't
have
access
to
master
branch.
They
don't
have.
They
can
run
pipeline
master
branch
so
that
this
is
a
level
three
now
level.
Four
protect
the
environment.
A
The
this
is
our
main
point
in
this
issue,
though
only
a
lot
of
people
can
execute
the
diplomat
job.
So
in
the
screenshot
production
environment
is
protected
that
can
be
deployed
by
john
only
okay,
so
this
is
a
one
step
further
from
the
this
level.
One
set
proper
role
project
you
know
like
maintainer
is
maintainer
can
deploy,
developer
cannot
deploy,
but
this
is
one
step
further
maintenance
can
deploy,
and
only
the
john
maybe
join.
A
Is
there
also
one
of
the
maintainers,
and
probably
there
are
a
bunch
of
maintenance,
the
other
maintenance,
but
only
john
can
deploy
so
they
can
set
it.
But
now,
please
consider
that
this
is
also
project
level,
setting
okay,
that
we
just
covered
that
main
general
has
a
permission
to
access
to
project
setting.
That
means
that,
even
though
the
the
production
environment
can
be
deployed
by
john,
the
other
maintainers
can
change
this
setting.
A
Okay,
so
this
rule
can
work
on
the
trust
that
all
the
maintainers
are
reliable
or
trustworthy.
Okay,
now
level,
five
said
environment
scope
to
the
secrets.
Now
we
just
have
either
protected
the
protected
variables,
but
also
on
top
of
that
there's
an
environment
scope.
The
secret
will
be
injected
into
developmental
jobs
to
the
target
environment.
A
Only
so
in
this
case,
this
secret
is
injected
into
production
environment
only
so
we
just
like
made
their
assumption
that
what
if
they
change
production
change,
the
you
know,
environment,
name,
to
production
whatever
or
production
one
production
tree,
or
something
like
that,
then
they're
gonna
the
deployment
job
going
to
rules
this
production
secret.
So
that's
you
know
the
how
we,
how
users
secure
their
deployment,
jobs,
okay
and
the
level
six
is
protects.
The
runner-
and
this
is
a
bit
different
aspect
from
level
1
to
level
5.
A
We
covered
guillaume
core,
the
the
server
side
logic,
and
now
we
are
covering
the
executor
side.
Now,
for
example,
deployment
of
pipelines
created
a
deployment
job
is
the
status
transitions
to
pending?
Now
then,
gitlab
runners
coming
the
job
agency
day
is
coming
to
gitlab
and
then
hey?
Is
there
any
pending
jobs?
And
if
there
is
they
fetch
it
and
then
actually
start
it
executing
a
job?
But
the
question
is
that:
can
you
actually
trust
the
runner?
The
which
is
technically
external
problem
could
be?
A
You
know
the
martial's
program
that
developed
by
marcia's
user,
so
that
in
this
case,
you
are
make
sure
that
only
trusted
runners
only
trusted
the
job
executors
can
run
the
deployment
jobs
and
then,
of
course,
this
runner
should
be
protected,
that
you
know
you
can
see
that
in
the
description
of
that
protected
checkbox
is
checked.
This
means
that
the
runner
can
execute
the
job
on
protected
branch
only
which
we
covered
level
two
or
something
yeah,
okay,
so
protected
runner
at
the
level.
A
Seven
like
this
is
completely
new
level
that
you
know
like
we,
for
example,
there
are
a
bunch
of
maintenance
in
the
project.
The
one
of
them
is
john,
who
has
a
his
release?
Manager
who
has
access
to
production
and
the
dslr
maintenance,
don't
have
a
shouldn't,
have
access
to
production,
and
then,
in
the
case
that
you
cannot
trust
the
other
maintenance,
you
know,
might
change
the
protected
environment
rule
setting.
A
Yes,
so
I
actually
explicitly
mentioned
in
this
presentation,
because
you
know
in
the
issue
the
in
this
issue.
The
big
story
mentioned
that
technically,
guillermo
yama
should
be
locked
to
two
right
by
this
practice
like
completely
separate
by
separating
deployment
project.
Actually
they
can
secure
gilab
si
ayamo
as
well,
okay,
because
only
in
this
case,
for
example,
john-
can
change
the
c
yeah
yama,
so
he's
at
level
7
and
then
that's
all
like
maintain.
A
Our
law
means
that
the
person
has
access
to
production,
the
protects
the
deployment
branch,
protect,
the
production
secret,
protect
the
environment
and
they
said
environment,
scope
to
the
production
secrets
and
the
protect
runner
and
a
separate
deployment
project
if
necessary
thanks.
This
is
a
presentation
I
prepared.
B
A
A
Yeah,
so
basically
the
maintenance
has
all
access
to
all
of
the
you
know,
project
settings
so
like
the
point,
is
that
what
we
should
lock
down
so
like
in
this
issue?
We
are
talking
about
what,
if
we
lock
the
we
allow
owner
to
lock
protected
environment
rules,
so
that
the
even
if
the
arsenal
maintainer
created
a
new
environment,
then
the
environment
cannot
have
a
new
secret.
A
C
C
A
Yeah,
so
that's
the
first
purple
style
to
this
issue
that
we
introduced
this
log.
Here's
a
poc
part
that
I
created
for
the
issue
that
owner
role
can
see
this
setting
the
protected
environment
environment
locks
and
if
they,
the
owner,
can
check
their
log
product
data
environment
rules
then
save
changes.
A
A
C
C
C
C
A
So
in
the
issue
we're
talking
about
that,
unprotected
environments
should
still
be
able
to
be
credited
created
by
the
developers
and
maintainers.
For
example,
this
allows
users
to
use
review
apps
like
seeing
the
environment
in
the
margin
request,
so
the
customers
they
still
want
to
use
that
so
yeah.
A
B
A
So
like,
if
you
are
a
maintenance
and
then
like
you
are
a
new,
for
example,
you're,
a
new
release
manager
and
you
need
access
to
production
environment
because
you're
taking
responsibility
of
the
previous
release
manager.
Then
you
ask
the
current
owner
project
owner
that
hey,
please
unlock,
protect
the
environment
rule
at
first
and
then
add
me
to
the
me
here
right
and
then
order
like
unprotect
it
and
then
chancer,
adding
the
new
release
manager
to
here
and
then
lock.
It
again
save
changes
and
then
okay,
that's
a
that's
a
yeah
workflow.
We
expect.
C
I
really
like
that,
but
I
do
have
one
comment
if
I
am
the
owner
of
the
project
and
I
have
clicked
protected
environment
locks,
so
that
is
now
enabled,
would
it
be
possible
for
me
the
owner
to
then
also
just
edit
the
protected
environments?
That's
like
a
right
as
an
owner,
even
if
they're
locked
that
way,
there's
not
unlocking
and
locking
that
usability
pattern
tends
to
cause
problems.
A
C
B
A
Cool,
so
I
think
I
presented
everything
I
wanted
to
tell
I
mean,
given
we
only
have
huge
information
about
the
customers.
I
really
not
sure
if
this
the
right
solution,
though
it's
gonna
variate
it
so
yeah,
that's
it.
If
you
don't
have
a
question,
then
I'm
gonna
end.
This
call,
okay,
all
right
cool
thanks.
Everyone
thank.