Feature Request: Block Public Docker Registry
dbooncha opened this issue · comments
I see the ability to add a registry, and maybe I am missing it, but we have a need to block all registries except what we whitelist. I have added local registries, and they work, but now we would like the ability to block docker from pulling from any public registries, i.e. Docker Hub.
All registries, as well as images, are blocked by default. You can whitelist single images or registries with the commands below:
Whitelist a single image (tags are not checked, so there is no need to specify them):
hbm resource add -t image -v "kassisol/hbm" img_hbm
Whitelist a registry:
hbm resource add -t registry -v "private.registry.com" registry_private1
You can also allow only official images from the Docker public registry:
hbm resource add -t config -v image_create_official official_image
Let me know if that works for you.
Ok, so I may have something misconfigured. I have whitelisted centos and oracle images and I have allowed my local registry. Our local registry only contains centos images, but I can still pull down oracle images from Docker Hub. Let me look into my settings.
Can you paste the output of the commands hbm resource ls -f "type=image" -f "type=registry" and of the docker pull commands?
Sure thing,
$ hbm resource ls -f "type=image"
NAME          TYPE      VALUE               OPTIONS   COLLECTIONS
image_centos  image     centos                        spf-collection
image_oracle  image     oraclelinux                   spf-collection
$ hbm resource ls -f "type=registry"
NAME          TYPE      VALUE               OPTIONS   COLLECTIONS
td-registry   registry  td.registry.domain            spf-collection
$ docker pull oraclelinux
Using default tag: latest
Warning: failed to get default registry endpoint from daemon (Error response from daemon: authorization denied by plugin hbm: info is not allowed). Using system default: https://index.docker.io/v1/
latest: Pulling from library/oraclelinux
27de86fdd696: Pull complete
Digest: sha256:e000f0ba4aa2873b5f0a2a30219f8ab04a865ab536567652526134057fd299c7
Status: Downloaded newer image for oraclelinux:latest
Would that hbm: info error have anything to do with it? What I would like to prevent is docker pulling from public repos, like what happened when I pulled oraclelinux.
Thanks
Why do you whitelist the image oraclelinux if you don't want it to be pulled?
image_oracle image oraclelinux spf-collection
It was a test. The thought was that if docker could not find an image in my local registry, I want to prevent docker from pulling it from Docker Hub, if that makes sense.
Now I think I understand what you are trying to do. When whitelisting a registry, all images from that registry are allowed. Registry and image resources are not related.
If you want to whitelist a single image from your registry, and not all of them, run the following command:
hbm resource add -t image -v "td.registry.domain/centos" img_centos
as you will specify the image to the docker command (docker pull td.registry.domain/centos).
Specifying oraclelinux means an official image from the Docker public registry. That's the reason why you can still pull it.
Remove those 2 resources, image_centos and image_oracle.
Ok, I think I am following. If I whitelist a specific image with the registry, like so:
hbm resource add -t image -v "td.registry.domain/centos" img_centos
it will only pull that image down from that registry.
If I whitelist an image name like:
hbm resource add --type image --value centos image_centos
docker is allowed to pull that image from any registry.
Is that correct?
Almost! For the last one, it's the same as running docker pull centos: the docker command does not pull it from any registry but from the public registry, right?
That's what I meant. Got it thanks!
👍