Allowlists and Blocklists for OCI media types in the Container Registry
Problem to solve
Currently, any OCI media type may be pushed to the container registry, whether or not the backend or frontend work is in place to support it.
Intended users
Further details
There's a PR and discussion for this feature upstream: #30669 (comment 215851809)
Proposal
We should adapt the above PR to conform to the upstream reviewer notes on using lists of strings, rather than lists of regexes.
We could potentially ask the upstream author to contribute this.
Permissions and Security
Documentation
The container registry configuration documentation would need to be updated to reflect these new options.
Testing
There should be tests to ensure that the previous behavior (all media types allowed) is preserved when the allowlist and blocklist are left unconfigured.
There should also be tests to ensure that the expected media types are permitted or blocked based on several combinations of allowlist and blocklist.
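The combinations above depend on how the two lists interact. The following is an added example, not code from the upstream PR or the container registry, showing one possible evaluation with exact string matching. Assumptions: the names Policy, Allow, Deny and Permitted are hypothetical, an empty list means "not configured", the blocklist takes precedence over the allowlist, and unparseable media types are rejected once either list is set.

```go
package main

import (
	"fmt"
	"mime"
	"strings"
)

// Policy is a hypothetical config shape: two lists of exact media type strings.
type Policy struct {
	Allow []string // empty means "no allowlist configured"
	Deny  []string // empty means "no blocklist configured"
}

// inList compares whole strings only (no regex, no prefix match).
func inList(list []string, mediaType string) bool {
	for _, entry := range list {
		if strings.EqualFold(strings.TrimSpace(entry), mediaType) {
			return true
		}
	}
	return false
}

// Permitted reports whether a pushed media type passes the policy.
func (p Policy) Permitted(contentType string) bool {
	if len(p.Allow) == 0 && len(p.Deny) == 0 {
		return true // unconfigured: keep the previous allow-everything behavior
	}
	// Normalize case and drop parameters such as "; charset=utf-8".
	mediaType, _, err := mime.ParseMediaType(contentType)
	if err != nil {
		return false // assumption: unparseable types fail closed once a list is set
	}
	if inList(p.Deny, mediaType) {
		return false // assumption: blocklist takes precedence
	}
	return len(p.Allow) == 0 || inList(p.Allow, mediaType)
}

func main() {
	p := Policy{Allow: []string{"application/vnd.oci.image.manifest.v1+json"}}
	for _, mt := range []string{ // constructed sample inputs
		"application/vnd.oci.image.manifest.v1+json",
		"application/vnd.cncf.helm.config.v1+json",
	} {
		fmt.Printf("%-45s permitted=%v\n", mt, p.Permitted(mt))
	}
}
```

Because entries are compared as whole strings, a type that merely starts with an allowed entry is not admitted, which is the behavior an unanchored regex list would not guarantee.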
What does success look like, and how can we measure that?
Administrators are able to control what media types are allowed to be uploaded to the container registry.