Ability to restrict runner usage
Sebastian Lerner
There is a feature in beta right now that lets you define which projects can use a specific runner resource class: https://circleci.com/docs/config-policy-reference/#resource-class-by-project. This enables you to restrict runner usage via the runner resource class to specific projects.
We'd love to hear if this does or does not meet your needs.
cc Nathan Fish
Pawel Szmuc
Sebastian Lerner: It cannot be used in Performance Plan, correct?
Sebastian Lerner
Pawel Szmuc: Unfortunately no
Pawel Szmuc
Any update on this?
Aayush Sutaria
Thank you to everyone that has expressed interest in this ticket. We are currently scoping out potential solutions for this issue and would love to get any additional feedback. If interested, please email me at aayush.sutaria@circleci.com and I will send over a few questions!
Rob Morris
Having the ability to allowlist certain projects on a specific resource class at the organization level (i.e. as a property of the resource class) would help make self-hosted runners more secure.
Kelvin Tay
I understand that org contexts are restricted via security groups (essentially GitHub teams).
I was wondering if it may be good to also revisit the restriction mechanism, if we were to build out this Runner resource class restriction feature.
Specifically, besides security groups / teams, the restriction may be at project level (e.g., for specific projects only), rather than user level.
Mikhail Khodorovskiy
We would like the ability to be restricted to a Team to begin with. In our organization we want to use the runners to deploy infrastructure changes, which is only allowed to the team of DevOps engineers but not allowed to developers; thus we don't want developers to use the runner's resource class in the CircleCI configs in the repositories they control.