Orchestrating High-Security CI/CD Workloads via GitLab Dedicated Hosted Runners

The landscape of continuous integration and continuous deployment (CI/CD) requires a delicate balance between execution speed, environmental isolation, and administrative overhead. In the GitLab ecosystem, the GitLab Runner serves as the fundamental engine of this process. While standard runners facilitate basic automation, GitLab Dedicated—a specialized, single-tenant offering—introduces a sophisticated tier of execution environments known as Hosted Runners. These runners are engineered for organizations that require the seamless integration of GitLab-managed infrastructure with the rigorous security and isolation standards demanded by enterprise-grade dedicated environments. Unlike standard shared runners, hosted runners for GitLab Dedicated are specifically designed to operate within the security perimeter of a Dedicated instance, utilizing ephemeral, autoscaling virtual machines to ensure that every job is executed in a pristine, isolated environment.

The Architectural Role of GitLab Runner in Pipeline Execution

To comprehend the specific utility of GitLab Dedicated Hosted Runners, one must first understand the fundamental role of the GitLab Runner application itself. The GitLab Runner is the execution agent that bridges the gap between defined automation logic and physical or virtual computing resources.

When developers commit code to a GitLab instance, the workflow typically involves a .gitlab-ci.yml file. This configuration file acts as the blueprint for the entire pipeline, defining specific tasks such as running unit tests, compiling application binaries, or deploying artifacts to production environments. The GitLab Runner is the entity that listens for these instructions.

The operational flow of a runner involves several key stages:

  1. Connection and Polling: The GitLab Runner application establishes a connection to the GitLab instance (whether it is GitLab.com, a Self-Managed instance, or a GitLab Dedicated instance). Once connected, it enters a polling state, waiting for the GitLab server to assign CI/CD jobs to it.
  2. Job Dispatch: When a pipeline is triggered, the GitLab server identifies available runners that match the job's requirements (such as specific tags). The server then sends the job instructions to an available runner.
  3. Execution: The runner pulls the necessary environment (often via Docker or a specialized executor), executes the commands defined in the .gitlab-ci.yml file, and captures the output.
  4. Reporting: Once the task is completed, the runner reports the success, failure, or status of the job back to the GitLab instance, which then updates the pipeline UI.

For administrators, the management of these runners is a significant responsibility. In a traditional self-managed setup, the administrator is tasked with the installation, configuration, and scaling of the runner application. They must ensure that the underlying infrastructure—be it on-premises servers, cloud VMs, or Kubernetes clusters—has sufficient CPU, memory, and storage capacity to handle the organization's concurrent CI/CD workloads. GitLab Dedicated changes this paradigm by shifting the burden of infrastructure management to GitLab, providing hosted runners that are fully integrated into the Dedicated environment.

Deep Analysis of GitLab Dedicated Hosted Runners

Hosted runners for GitLab Dedicated represent a premium execution tier, currently available under limited availability for customers on the Ultimate tier. These runners are not merely external instances connecting to a server; they are deeply integrated, managed components of the GitLab Dedicated ecosystem.

Infrastructure and Provisioning

The underlying compute for these runners is provided by GitLab and scales dynamically to meet demand.

Feature Specification / Detail
Hosting Provider AWS EC2 (Amazon Web Services)
Deployment Region Same region as the GitLab Dedicated instance
Scaling Mechanism Autoscaling instance runners
Execution Model Ephemeral Virtual Machines (VMs)
Executor Type Docker Autoscaler

The use of AWS EC2 in the same region as the GitLab Dedicated instance is a critical design choice. This proximity minimizes network latency between the runner and the GitLab instance, ensuring that the communication required to fetch repository data and upload artifacts is as efficient as possible.

The provisioning model is strictly ephemeral. Each time a job is dispatched, a newly provisioned virtual machine is created specifically for that single job. Once the job execution is finished, the VM is immediately deleted. This "one-job-per-VM" approach provides the highest possible level of isolation, preventing "poisoned" environments where remnants of a previous job could potentially compromise the security or integrity of a subsequent job.

Resource Allocation and Constraints

While the ephemeral nature provides security, it also introduces specific resource management considerations.

  • Storage Dynamics: The storage within a hosted runner VM is a shared resource. It must accommodate the operating system, the pre-installed software image used for the runner, and a local copy of the cloned repository. Because of this shared architecture, the actual free disk space available for the specific tasks defined in the CI/CD job is somewhat reduced compared to a dedicated physical disk.
  • Permissions: For ease of automation and configuration within the ephemeral environment, the VM where a job runs is granted sudo access without a password requirement. This allows the runner to perform administrative tasks, such as installing dependencies or configuring the environment, without manual intervention.
  • Default Runner Settings: By default, any job that does not have specific tags assigned to it will be routed to the small Linux x86-64 runner. However, GitLab administrators possess the authority to modify this behavior via the "run untagged jobs" setting.

Tiered Availability and Trial Capabilities

GitLab offers a 30-day free trial for GitLab Dedicated customers, which provides a window to test various runner configurations. The trial includes a specific selection of runner sizes to allow for diverse testing scenarios.

Runner Type Available Sizes in Trial
Linux x86-64 Small, Medium, Large
Linux Arm Small, Medium

During this trial period, users can also test limited autoscaling configurations that support up to 100 concurrent jobs, providing a realistic simulation of enterprise-scale CI/CD workloads.

Security and Network Isolation Architecture

The security posture of Hosted Runners for GitLab Dedicated is one of its most defining characteristics. GitLab has implemented multiple layers of hardening to ensure that the build environment remains isolated from both the public internet and other internal workloads.

The network architecture follows a strict "zero-trust" and "minimal-privilege" philosophy:

  • Outbound Communication: Firewall rules are configured to allow only outbound communication from the ephemeral VM to the public internet. This allows the runner to pull necessary dependencies or interact with external APIs if required by the job.
  • Inbound Communication: There is a total prohibition on inbound communication from the public internet to the ephemeral VM. This prevents external actors from attempting to exploit the running job.
  • Inter-VM Isolation: To prevent lateral movement in the event of a compromise, firewall rules explicitly forbid communication between different VMs. Each job exists in a vacuum.
  • Managerial Control: The only entity permitted to communicate with the ephemeral VMs is the runner manager itself.
  • Connectivity via PrivateLink: For organizations requiring even tighter integration with their own cloud infrastructure, GitLab allows for the enablement of Outbound PrivateLink connections. This creates a secure, private connection between the hosted runners for GitLab Dedicated and services residing within the customer's AWS VPC, bypassing the public internet entirely.

Administrative Configuration and Management

Managing hosted runners requires administrative privileges within the GitLab Dedicated instance. The management process is split between two primary interfaces: Switchboard and the GitLab Admin area.

The Switchboard Interface

Switchboard serves as the primary control plane for creating and viewing the fleet of hosted runners.

To initiate the creation of a new runner, administrators must follow these steps:

  1. Sign in to the Switchboard platform.
  2. Navigate to the top of the page and select "Hosted runners".
  3. Choose the "New hosted runner" option.
  4. Select the desired runner size (e.g., Small, Medium, or Large).
  5. Execute the "Create hosted runner" command.

Upon successful creation, an email notification is sent to the administrator. It is important to note that if Outbound PrivateLink connections were configured for existing runners, these settings do not automatically apply to new runners; a separate request is required for each new instance.

The GitLab Admin Area

Once runners are created in Switchboard, they are managed within the GitLab interface. Administrators can view hosted runners through two distinct paths:

  • The Runners Page: Located under Admin > CI/CD > Runners.
  • The Fleet Dashboard: A centralized view for monitoring runner availability and status.

Administrators have the ability to change default values for runner tags and modify the runner description. However, it is important to recognize that GitLab does not control the specific runner tags or descriptions set by the administrator; these are entirely user-defined.

Currently, while administrators can view the status of runners, compute usage visualizations are not available for general users. An epic exists within the GitLab development roadmap to bring these visualizations to general availability in the future.

Comparative Landscape of Runner Sources

To properly position GitLab Dedicated Hosted Runners, they must be compared against the broader spectrum of runner options available in the GitLab ecosystem, particularly for those using GitLab SaaS (GitLab Cloud).

Runner Source Description Primary Use Case Availability
GitLab Shared Runners Managed and autoscaled by GitLab. Rapid prototyping; no setup. Enabled by default
Project-Specific Runners Installed/registered for one project. Sensitive repository isolation. User-managed
Group Runners Registered to a group level. Shared infrastructure for groups. User-managed
Self-Hosted Runners Custom infrastructure (Linux, K8s, etc.). Full environmental control. SaaS-compatible
GitLab Kubernetes Executor Auto-provisioned in K8s via Agent. Cloud-native/GitOps delivery. Optional setup
GitLab macOS Runners (M1/M2) Apple Silicon runners. macOS/iOS app builds (Xcode). Beta for SaaS

While GitLab SaaS users rely heavily on shared and self-managed runners, GitLab Dedicated users leverage the Hosted Runners to achieve a middle ground: the ease of a managed service with the security of a dedicated, isolated environment.

Versioning and Compatibility Requirements

A critical technical requirement for all GitLab Runner deployments, including self-managed instances, is the synchronization of versions. To ensure stability and feature availability, the GitLab Runner's major and minor version should remain in alignment with the GitLab instance version.

While the system is designed with a degree of backward compatibility—meaning older runners may function with newer GitLab versions—this is not a guaranteed state for all features. Significant version disparities can lead to:

  • Missing features in the runner that the GitLab server expects.
  • Malfunctioning CI/CD job execution.
  • Reduced stability in the pipeline orchestration.

While minor version updates of GitLab generally maintain backward compatibility, certain new features introduced in a GitLab minor update may strictly require the GitLab Runner to be updated to that same minor version to function correctly.

Technical Analysis of Runner Lifecycle and Maintenance

The maintenance of runners in a GitLab Dedicated environment is handled as part of the tenant's scheduled maintenance windows. This is a significant departure from self-managed runners, where the administrator must manually orchestrate updates and handle the complexities of downtime.

However, a technical challenge remains in the current implementation: the absence of zero-downtime upgrades. When runners are upgraded during the scheduled maintenance windows of a GitLab Dedicated tenant, there is currently an issue in implementing a seamless transition that avoids any interruption in job processing. This means that during the upgrade window, there may be periods where the runner availability is affected.

In conclusion, the orchestration of CI/CD workloads via GitLab Dedicated Hosted Runners represents a sophisticated convergence of managed service convenience and rigorous, ephemeral security. By utilizing AWS EC2 for autoscaling and enforcing strict network isolation through specialized firewall rules and PrivateLink, GitLab provides an environment that satisfies the most demanding security requirements. The transition from the administrator-heavy management of self-managed runners to the streamlined, Switchboard-driven management of hosted runners allows organizations to focus on code delivery rather than infrastructure maintenance, provided they account for the specific storage and versioning constraints inherent in the architecture.

Sources

  1. GitLab Runner Documentation
  2. Hosted runners for GitLab Dedicated
  3. GitLab Cloud Runner Sources

Related Posts