
Allow protecting container repositories against writes

Problem to solve

The following permissions are available to all developers of a project:

  • Update a container registry
  • Remove a container registry image
  • Publish to Conan repository, Maven repository, or NPM registry

There is currently no way to restrict these permissions to a narrower set of users.

The following features are already available to protect the release process:

  • Protected Branches
  • Protected Tags
  • Protected Environments

Using these features one can protect every step of the release process except its actual result (the container image or package). This means any developer of the project can:

  • Delete a container or package that was created by a protected release process.
  • Overwrite a container or package that was created by a protected release process.

Intended users

  • Devon (DevOps Engineer) will restrict the access to container registries and package repositories as part of implementing a secure CI/CD approach.
  • Sam (Security Analyst) will validate that the access to container registries and package repositories was restricted to verify that the CI/CD approach was implemented securely.

Proposal

Add configuration options for restricting all write actions (create, update and delete), while leaving read access unchanged, on container registries and package repositories, similar to the existing Protected Branches, Protected Tags and Protected Environments.

The configuration options can be put under Project Settings -> General -> Visibility, project features, permissions ->

  • Container registry
  • Packages

A control can be put next to each checkbox, similar to the other controls in this section.

Out of Scope

This issue is about protected repositories, not protected tags. Support for tag immutability is being tracked at container-registry#82 (closed).

Permissions and Security

This change would align the ability to configure permission settings for container registries and package repositories with the existing approach to protected assets.

What does success look like, and how can we measure that?

Container registries and package repositories can be protected against writes and deletions by developers, matching the protection already available for branches, tags and environments.

What is the type of buyer?

Either Starter/Bronze or Premium/Silver.

This page may contain information related to upcoming products, features and functionality. It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes. Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features, or functionality remain at the sole discretion of GitLab Inc.

Edited by 🤖 GitLab Bot 🤖