Add caveat regarding API interactions

fe9a762a · Tim Poffenbarger · Suzanne Selhorn · b097374a · fe9a762a
Commit fe9a762a authored Apr 15, 2021 by Tim Poffenbarger Committed by Suzanne Selhorn Apr 15, 2021
Hide whitespace changes
Inline Side-by-side

Showing with 6 additions and 0 deletions

doc/user/group/index.md doc/user/group/index.md +6 -0

No files found.
--- a/doc/user/group/index.md
+++ b/doc/user/group/index.md
@@ -475,6 +475,12 @@ You should consider these security implications before configuring IP address re
 - **Administrators and group owners**: Users with these permission levels can always
  access the group settings, regardless of IP restriction, but they cannot access projects
  belonging to the group when accessing from a disallowed IP address.
+- **GitLab API and runner activities**: Only the [Groups](../../api/groups.md)
+  and [Projects](../../api/projects.md) APIs are protected by IP address restrictions.
+  When you register a runner, it is not bound by the IP restrictions. When the runner
+  requests a new job or an update to a job's state, it is also not bound by
+  the IP restrictions. But when the running CI/CD job sends Git requests from a
+  restricted IP address, the IP restriction prevents code from being cloned.

 To restrict group access by IP address: