限制对Docker Hub的访问

Question

I'm looking at using Artifactory ( as we already have it in the enterprise ) to store Docker images that we create. I'm hoping to provision and run those images using docker-compose.

If possible, I would like to make it impossible for devs to pull images from DockerHub, but I can't see how to achieve this. If someone puts

   postgres:
      image: "postgres:9.4"

in their compose file then this will pull the postgres image from docker hub. I'd like to limit the scope of the search that is undertaken so that only images in my local repo are considered. My rationale is that someone can accredit the images that are in my local repo so we can limit the number of vulnerabilities that we are open to.

Is this possible?

Is it a good idea?

Answer 1

You are in the right direction, proper dependency management is one of the pains Artifactory aims to alleviate - I suggest you start by reading this post about your exact issue that explains how can Artifactory be leveraged to solve this issue.

For your specific usecase you can either limit developers to only pull from a local repository (or several aggregated into a virtual repository) that holds only 'approved' images (using permission targes to limit access only to that repository).Or you can setup include/exclude patterns on your remote repository that proxies Docker Hub - but I feel this might be a bit of an overkill, and can be error prone unless you have very specific images you want to limit.