You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Currently the OCI runner takes credentials so it can create OCI container instances to run container jobs. This is insecure. We need to add an "api runner" that invokes an endpoint on the internal API (with the token included), that in turn starts the container. This way the credentials remain hidden and the API can impose limits on the container creation (since the build script is essentially external code).
The text was updated successfully, but these errors were encountered:
Currently the OCI runner takes credentials so it can create OCI container instances to run container jobs. This is insecure. We need to add an "api runner" that invokes an endpoint on the internal API (with the token included), that in turn starts the container. This way the credentials remain hidden and the API can impose limits on the container creation (since the build script is essentially external code).
The text was updated successfully, but these errors were encountered: