When using cirun.io in an organization, quite often you need the ability to control access to runners per repository to control usage, cost and availability. Cirun provides a way to access control runners via the following mechanism:
You'd create a repository named .cirun
in your organization and create a couple of config files to control access.
.cirun.global.yml
: This is the file where you'd define all the runner configurations you'd want to use in the organization. The format of this file is same as .cirun.yml
, for example:.access.yml
: This is the file, where you'd define the rules for access control. Let's take an example to understand how it works:Let's try to understand this configuration:
policies
: A policy is a set of a repository and teams.access_control
: Access control defines which policies have access to resource.To simplify which combination of repository and teams have access to a resource. In other words, if there is an event of a workflow job and that requires cirun to spinup a resource (runner), it will only spinup a runner if that workflow job was triggered by a member of the given team on a given repository in a policy defined on that resource.
If a workflow job is triggered on aktechlabs/cirun-demo
and it requests the resource gpu-runner
, then it must have been triggered by a member of demo
or core
teams to be authorized get a gpu-runner
.
grant_access/cirun-gpu-runner-pr.txt
resulting policy:
To cater for the case lets say some feedstock merge
in various branches for various versions example python.