
In Docker EE, is there a way to allow push and pull to DTR from specific machines only, while keeping web UI access the same as normal?

  • The use case is that we would like to enforce the use of standard base images from DTR only in Docker builds
  • And we would like to enforce that Docker images are built only on standard Docker build machines where Docker Content Trust is enabled

  • Allowing only these commands on the CI server: docker pull, docker build, and docker push

Effectively, this forces the users to use the base images from DTR only. If they build the image somewhere else they won't be able to push it, and if they build it on our CI server it will make sure they can pull base images only from DTR and not from somewhere else; this will also make sure they build it with Docker Content Trust enabled.

Ijaz Ahmad

1 Answer


I experienced a similar use case, and below I share with you how I restricted the perimeter of pull and push actions on DTR:

  • Configure who has permission to perform certain actions on the registry objects and to load Docker images through the UCP web UI; this results in giving specific grants to users and/or teams.

  • Configure from where the users (humans and/or automation bots) can perform registry actions, by having the network administrator add specific firewall rules at the networking level.

  • Restrict the pull actions to a specific registry only: update the file at the following path on your Docker host file system, /var/lib/docker/daemon.json, adding the URL of DTR:

      { 
        ... # some your custom Docker daemon configuration
        "registry-mirrors": ["https://your-registry-url"]
        ... # some other custom Docker daemon configuration
      }
    

In the end I got: only specific users are allowed to push Docker images into DTR repositories, and only from a location that is whitelisted by the networking ACLs.

andov
  • Hi, we want all the users to pull and push, but only from our CI server, while all the users should be able to browse the DTR UI from anywhere. – Ijaz Ahmad Oct 15 '18 at 18:13
  • Maybe we can serve the UI on port 80 and the API on port 443? So that we can do the ACL thing? – Ijaz Ahmad Oct 15 '18 at 18:19
  • During each build, how do you manage the interaction between the CI server and DTR from the user's perspective? For example: does a user log in to DTR before pushing an image? – andov Oct 15 '18 at 19:40
  • Users use their DTR credentials to pull from and push to DTR from the CI server, but we want to make sure that users push to DTR only from the CI server. – Ijaz Ahmad Oct 15 '18 at 19:50
  • Also, users should be free to pull from DTR to anywhere, for doing deployments. – Ijaz Ahmad Oct 15 '18 at 19:51
  • But we want the users to pull from DTR only, on the CI server. – Ijaz Ahmad Oct 15 '18 at 19:52
  • Running an Nginx web server, for example, in front of the DTR in reverse proxy mode and restricting only the HTTP methods related to the push operation of an image, so that they are possible only from whitelisted sources (the CI server). For everything else, just normal proxying. How does this sound to you? – andov Oct 15 '18 at 20:51
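A concrete version of the reverse-proxy idea from the last comment, as an added example that is not part of the original thread or of DTR's own configuration. In the Docker Registry HTTP API v2, pulls only use GET and HEAD, while pushes use POST (start a blob upload), PATCH and PUT (upload data, finish the upload, put the manifest). So the proxy can let read methods through from anywhere (docker pull works everywhere, as asked in the comments) and refuse write methods on /v2/ unless they come from the CI server. The web UI, which lives outside /v2/, is proxied unchanged. The hostnames, the CI server address 10.0.0.10, and the certificate paths are assumptions.

```nginx
# Added example (not from the original thread): nginx reverse proxy in front of
# DTR that lets anyone pull and browse the UI, but allows image pushes only from
# the CI server.
# Assumed values: DTR reachable at dtr-backend:443, CI server at 10.0.0.10,
# public hostname dtr.example.com, certificate and key under /etc/nginx/tls/.

# Registry API v2: pulls are GET/HEAD; pushes need POST, PATCH and PUT.
# DELETE is included so that image deletion is also limited to the CI server.
map $request_method $is_write {
    default 0;
    POST    1;
    PUT     1;
    PATCH   1;
    DELETE  1;
}

# Source whitelist for write operations (assumed CI server address).
geo $from_ci {
    default      0;
    10.0.0.10/32 1;
}

# Deny only when a write method arrives from a non-whitelisted source.
map "$is_write:$from_ci" $deny_push {
    default 0;
    "1:0"   1;
}

upstream dtr {
    server dtr-backend:443;
}

server {
    listen 443 ssl;
    server_name dtr.example.com;

    ssl_certificate     /etc/nginx/tls/dtr.example.com.crt;
    ssl_certificate_key /etc/nginx/tls/dtr.example.com.key;

    client_max_body_size 0;        # image layers can be several GB
    proxy_request_buffering off;   # stream layer uploads straight to DTR

    # Registry API: reads from anywhere, writes only from the CI server.
    location /v2/ {
        if ($deny_push) {
            return 403;
        }
        proxy_pass https://dtr;
        proxy_set_header Host              $http_host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_read_timeout 900;    # large pushes and pulls take a while
    }

    # Web UI and everything else: unrestricted, normal proxying.
    location / {
        proxy_pass https://dtr;
        proxy_set_header Host              $http_host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

Two caveats a practitioner should keep in mind. First, this only controls where pushes come from; it does nothing to stop a build on the CI server from pulling a base image from some other registry, which needs egress filtering on the CI host itself. Second, Docker Content Trust is enforced by the client (DOCKER_CONTENT_TRUST=1 on the build machine), not by the registry or the proxy, so the "signed images only" requirement still has to be pinned down on the CI server's Docker configuration.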