Try   HackMD

When using cirun.io in an organization, quite often you need the ability to control access to runners per repository to control usage, cost and availability. Cirun provides a way to access control runners via the following mechanism:

You'd create a repository named .cirun in your organization and create a couple of config files to control access.

  1. .cirun.global.yml: This is the file where you'd define all the runner configurations you'd want to use in the organization. The format of this file is same as .cirun.yml, for example:


























runners:
  - name: gpu-runner
    cloud: openstack
    instance_type: gpu_large
    machine_image: ubuntu-2204-nvidia-docker-20221229
    region: RegionOne
    labels:
      - cirun-openstack-gpu
      - openstack-gpu-runner

  - name: cpu-runner
    cloud: openstack
    instance_type: ci_medium
    machine_image: ubuntu-2204-cloud-jammy-20221104
    region: RegionOne
    labels:
      - cirun-cpu-runner
      - openstack-cpu-runner

  - name: aws-runner
    cloud: aws
    instance_type: t2.medium
    machine_image: ami-06fd8a495a537da8b
    preemptible: true
    labels:
      - cirun-runner
  1. .access.yml: This is the file, where you'd define the rules for access control. Let's take an example to understand how it works:



























version: 1

policies:
  - id: cirun-sandbox-policy
    repo: cirun-sandbox
    teams:
      - core
      - alpha
      - beta
  - id: cirun-demo-repo-policy
    repo: cirun-demo
    teams:
      - core
      - demo

access_control:
  - resource: gpu-runner
    policies:
      - cirun-demo-repo-policy
  - resource: cpu-runner
    policies:
      - cirun-sandbox-policy
      - cirun-demo-repo-policy
  - resource: aws-runner
    policies:
      - cirun-demo-repo-policy
      - cirun-sandbox-policy

Let's try to understand this configuration:

  • policies: A policy is a set of a repository and teams.
  • access_control: Access control defines which policies have access to resource.

To simplify which combination of repository and teams have access to a resource. In other words, if there is an event of a workflow job and that requires cirun to spinup a resource (runner), it will only spinup a runner if that workflow job was triggered by a member of the given team on a given repository in a policy defined on that resource.

From the above example:

If a workflow job is triggered on aktechlabs/cirun-demo and it requests the resource gpu-runner, then it must have been triggered by a member of demo or core teams to be authorized get a gpu-runner.

Conda forge: Admin Requests Access control process

  • repository
  • teams
  • resource
  • policy for branch (?)

grant_access/cirun-gpu-runner-pr.txt

foo-feedstock

resulting policy:

  - id: foo-feedstock-policy
    repo: foo-feedstock
    teams:
      - foo-feedstock
    pull_request: false

To cater for the case lets say some feedstock merge
in various branches for various versions example python.

  • admin_requests/.access_control.yml - will be updated in CI after success for access control request
Last changed by 
Amit Kumar
0
48

Read more

Current Permissions model in Nebari

conda-store:read:quansight-namespace

Apr 4, 2024
Papyri

CLI: papyri/__init__.py

Mar 22, 2023
Read more from Amit Kumar
Published on HackMD