stackoom
  简体   繁体   中英

Restrict push and pull to docker trusted registry DTR

 原文  2018-10-04 19:01:16       docker/ docker-trusted-registry

Question

In docker EE , is there a way to allow push and pull to DTR from specific machines while keeping the web UI access the same as normal?

  • The use case is we would like to enforce the use of standard base images from DTR only in docker builds

  • And we would like to enforce the docker image builds only on standard docker build machines where docker content trust is enabled

  • Allowing only these commands: docker pull , docker build , and docker push on CI server

Effectively enforcing the users to use the base images from DTR only. If they build the image somewhere else they wont be able to push it , and if they build it on our CI server it will make sure they will be able to pull base image only from DTR and not from somewhere else , this will also make sure they build it with docker content trust enabled.

1 answers

solution1
 1  2018-10-15 15:46:18

I experienced a similar use case and below I share with you how I restricted the pull, push actions perimeter on DTR:

  • Configure: who have permissions to perform certain actions on the Registry objects and to load Docker images through the UCP web UI; this results in giving specific grants to users and/or teams.

  • Configure: from where the users (humans and/or automation bots) can perform registry actions, by adding specific firewall rules at a networking level by the Network Administrator.

  • Restrict the pull actions only from a specific registry, update the file, at the following path on your Docker host file system, /var/lib/docker/daemon.json adding the URL of DTR: 

      { ... # some your custom Docker daemon configuration "registry-mirrors": ["https://your-registry-url"] ... # some other custom Docker daemon configuration }

Finally, I got: allow only to specific users to push Docker images inside DTR repositories and only from a location that is whitelisted by the networking ACLs .

Some references:

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Docker Hub vs Docker Trusted Registry DTR How do I uninstall Docker Trusted Registry (DTR)? How to push the image into DTR Docker Trusted Repository Using Jenkins Docker - push from dockerhub to trusted registry? Error docker registry behind nginx, push and pull docker pull/push not working with insecure registry Cannot push/pull to remote docker registry Docker private trusted registry Docker Registry vs Docker “Trusted” Registry How to pull docker images from public registry and push it to private openshift?
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM