Encryption clarification

[craigjbass]

As asked over here concourse/docs#304.

With reference to: https://github.com/concourse/docs/blob/master/lit/docs/auth.lit#L55

I have some confusion about what the docs are actually telling me. Can someone explain it like I’m 5?

[vito]

Essentially, Concourse should not (yet) be used in situations where you anticipate having potentially malicious actors configure pipelines. While we run workloads in containers, this is primarily to protect your builds from themselves by providing a clean, isolated environment on each run, and not to protect your cluster from arbitrary user-submitted workloads that pipelines may run.

For example, if you were to run a central Concourse with open registration in order to run something like a hosted CI offering, you could quickly run into trouble as Concourse does not enforce safeguards that would prevent a user from submitting a build that is a "noisy neighbor" (i.e. starving your workers of CPU or memory) or tries to access sensitive networks that it shouldn't. In fact, pipelines can even enable their tasks to run with privileged: true, effectively granting them root access.

In order to provide that level of safety, more work would have to be done to enforce limits and perhaps disable or limit the use of privileged: true. You can at least configure the workers to deny access to certain network ranges, and we do this in our own large-scale internal environment, but this is not currently documented as we aren't quite prepared to deal with the fallout of suggesting that we support that use case just yet.

Does that help?

[craigjbass]

Thanks @vito that's really clear!