In Docker EE, is there a way to allow push and pull to DTR from specific machines while keeping the web UI access the same as normal?
- The use case is that we would like to enforce the use of standard base images from DTR only in Docker builds.
And we would like to enforce that Docker image builds happen only on standard Docker build machines where Docker Content Trust is enabled.
Allowing only these commands: docker pull, docker build, and docker push on the CI server.
Effectively enforcing that users use the base images from DTR only. If they build the image somewhere else they won't be able to push it, and if they build it on our CI server it will make sure they can pull base images only from DTR and not from somewhere else; this will also make sure they build it with Docker Content Trust enabled.
I experienced a similar use case, and below I share with you how I restricted the perimeter of pull and push actions on DTR:
Configure: who has permissions to perform certain actions on the Registry objects and to load Docker images through the UCP web UI; this results in giving specific grants to users and/or teams.
Configure: from where the users (humans and/or automation bots) can perform registry actions, by having the Network Administrator add specific firewall rules at the networking level.
Restrict the pull actions to a specific registry only: update the file at the following path on your Docker host file system, /var/lib/docker/daemon.json, adding the URL of DTR:
Finally, I got to: allow only specific users to push Docker images into DTR repositories, and only from a location that is whitelisted by the networking ACLs.
Some references:
How to configure the Docker daemon: https://docs.docker.com/engine/reference/commandline/dockerd/#daemon-configuration-file;
An RBAC example: https://success.docker.com/article/rbac-example-overview;
The DTR default permissions supported by the Docker EE RBAC: https://docs.docker.com/ee/dtr/admin/manage-users/permission-levels/.
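As a complement to the RBAC and firewall controls above, the build machine itself can refuse Dockerfiles whose base images do not come from DTR. The following check is an added example, not the answerer's code; it assumes the DTR hostname `dtr.example.com` and runs against a constructed sample Dockerfile.

```python
import re
from typing import List, Tuple

# Hostname of the trusted DTR (assumed placeholder, not from the original post).
DTR_HOST = "dtr.example.com"

# FROM [--platform=<p>] <image> [AS <stage>]; the keyword is case-insensitive.
FROM_RE = re.compile(
    r"^\s*FROM\s+(?:--platform=\S+\s+)?(\S+)(?:\s+AS\s+(\S+))?\s*$", re.IGNORECASE
)

def registry_of(image: str) -> str:
    """Return the registry host of an image reference, or '' for Docker Hub shorthand.

    Docker treats the first path component as a registry only when it contains
    a '.' or ':' or equals 'localhost'; 'ubuntu' and 'library/ubuntu' are Hub."""
    first = image.split("/", 1)[0]
    if "/" in image and ("." in first or ":" in first or first == "localhost"):
        return first.lower()
    return ""

def check_dockerfile(text: str, dtr_host: str = DTR_HOST) -> List[Tuple[int, str, str]]:
    """Return (line_no, image_ref, reason) for every FROM line that violates policy.

    Policy: every base image must come from dtr_host. A reference to an earlier
    build stage is allowed; 'scratch', Docker Hub shorthand, other registries and
    unresolved ${ARG} expansions are rejected."""
    violations, stages = [], set()
    for no, raw in enumerate(text.splitlines(), start=1):
        m = FROM_RE.match(raw)
        if not m:
            continue
        image, stage = m.group(1), m.group(2)
        if image in stages:
            pass  # multi-stage: copying from a stage that was already checked
        elif "$" in image:
            violations.append((no, image, "base image is a build ARG; origin cannot be verified"))
        elif image.lower() == "scratch":
            violations.append((no, image, "scratch is not a DTR base image"))
        elif registry_of(image) != dtr_host.lower():
            violations.append((no, image, "base image not pulled from DTR"))
        if stage:
            stages.add(stage)
    return violations

# Constructed sample Dockerfile covering the cases the policy must handle.
SAMPLE = """\
# constructed sample Dockerfile
ARG BASE=ubuntu:20.04
FROM --platform=linux/amd64 dtr.example.com/base/golang:1.17 AS build
RUN go build -o /app ./...
FROM ubuntu:20.04
FROM ${BASE}
FROM scratch
FROM build
FROM dtr.example.com/base/alpine:3.15
COPY --from=build /app /app
"""

if __name__ == "__main__":
    for no, ref, why in check_dockerfile(SAMPLE):
        print(f"line {no}: {ref}: {why}")
```

Run it as a pre-build step on the CI server and fail the job when the list is non-empty; Docker Hub shorthand such as `ubuntu:20.04` is rejected because it never names the DTR host.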