Restrict push and pull to Docker Trusted Registry (DTR)

In Docker EE, is there a way to allow push and pull to DTR from specific machines while keeping web UI access the same as normal?

  • The use case is that we would like to enforce the use of standard base images from DTR only in Docker builds.
  • And we would like to enforce that Docker image builds happen only on standard Docker build machines where Docker Content Trust is enabled.

  • Allowing only these commands on the CI server: docker pull, docker build and docker push.

Effectively, this forces users to use base images from DTR only. If they build the image somewhere else they won't be able to push it, and if they build it on our CI server it will make sure they can pull the base image only from DTR and not from somewhere else; this will also make sure they build it with Docker Content Trust enabled.

I experienced a similar use case, and below I share how I restricted the perimeter of pull and push actions on DTR:

  • Configure who has permission to perform certain actions on the registry objects and to load Docker images through the UCP web UI; this results in giving specific grants to users and/or teams.

  • Configure from where the users (humans and/or automation bots) can perform registry actions, by having the network administrator add specific firewall rules at the networking level.

  • Restrict pull actions to a specific registry only: update the file at the following path on your Docker host file system, /var/lib/docker/daemon.json, adding the URL of DTR:

      {
        "registry-mirrors": ["https://your-registry-url"]
      }

Finally, I got: only specific users are allowed to push Docker images into DTR repositories, and only from a location that is whitelisted by the networking ACLs.

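The answer above controls who may push and from where, but a daemon-level mirror setting does not stop a build on the CI server from pulling a base image that names a different registry outright. The script below is an added example, not code from the original question or answer: a CI pre-build gate that parses every FROM line of a Dockerfile and rejects the build unless each base image is addressed under the DTR host (references to earlier build stages and to scratch are allowed), then runs the build and push with Docker Content Trust enforced via DOCKER_CONTENT_TRUST=1. The DTR hostname dtr.example.com and the sample Dockerfiles are placeholders and assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): CI gate that enforces
# DTR-only base images before a build, then builds/pushes with content
# trust on. DTR_HOST is an assumed placeholder; override via environment.

DTR_HOST="${DTR_HOST:-dtr.example.com}"

# check_dockerfile FILE
# Returns 0 when every FROM line points at "$DTR_HOST/...", at an earlier
# stage alias ("FROM x AS alias"), or at scratch; otherwise prints each
# offending line to stderr and returns 1. Instruction keywords are matched
# case-insensitively, --flags such as --platform= are skipped, and lines
# whose first token is not FROM (comments, RUN, COPY --from) are ignored.
check_dockerfile() {
    awk -v dtr="$DTR_HOST" -v file="$1" '
        tolower($1) != "from" { next }
        {
            ref = ""
            for (i = 2; i <= NF; i++) if ($i !~ /^--/) { ref = $i; break }
            alias = (NF >= 4 && tolower($(NF - 1)) == "as") ? $NF : ""
            # index()==1 means the reference starts with "dtr-host/", so a
            # look-alike host such as dtr.example.com.evil.net/... is rejected.
            ok = (index(ref, dtr "/") == 1) || ref == "scratch" || (ref in stages)
            if (!ok) { printf "REJECT %s: %s\n", file, $0 > "/dev/stderr"; bad = 1 }
            if (alias != "") stages[alias] = 1
        }
        END { exit bad }
    ' "$1"
}

# ci_build DIR IMAGE_PATH
# Gate the Dockerfile, then build and push under the DTR host with Docker
# Content Trust enabled so the signed base image is verified on build and
# the result is signed on push.
ci_build() {
    check_dockerfile "$1/Dockerfile" || return 1
    DOCKER_CONTENT_TRUST=1 docker build -t "$DTR_HOST/$2" "$1" &&
        DOCKER_CONTENT_TRUST=1 docker push "$DTR_HOST/$2"
}

# Usage: sh gate.sh path/to/Dockerfile
if [ "$#" -gt 0 ]; then
    check_dockerfile "$1"
fi
```

Run it as the first step of the CI job; a non-zero exit stops the pipeline before any image is pulled, so the daemon never contacts a registry other than DTR for base layers, and the DOCKER_CONTENT_TRUST=1 wrapper makes the build fail if the DTR base image is unsigned.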
