Skip to content

Protected containers: Push protection for container repositories

Context

This is part of Container Registry: Granular protection for rep... (&9825). See this epic's description for context. Here we'll focus on the described Push protection.

Change

backend rails

  1. Add a new model to represent container registry protection rules on the Rails side (container_registry_protection_rule table) to denote when container images are protected against push, see 133297;
  2. Allow frontend calls triggered by project owners/maintainers to adjust existing container registry protection rules for individual repositories;
  3. When a user requests a JWT token to allow them to push against a given image repository, Rails should (within the container registry auth service) check if the corresponding repository is protected against push and refuse the request if so, effectively protecting the repository and all images within;
  4. When a user requests a JWT token (based on a deploy token) to allow them to push against a given image repository, Rails should also consider the deploy token Rails should (within the container registry auth service) check if the corresponding repository is protected against push and refuse the request if so, effectively protecting the repository and all images within;

frontend UX

  1. Create a new project configuration section/setting where users can see the list of container registry protection rules. Requires UX Design;
  2. Allow project owners/maintainers to adjust the container registry protection rules for individual projects, similar to protected branches and tags;
  3. Display a special label (?) alongside container repositories with push protection enabled in the repository list view. Requires UX Design.

documentation

  1. Make it clear that changes to the container registry (push) protection rules will take up to N minutes to come into effect, where N is the configured JWT token expiry.
  2. Make it clear that push protection rules does not apply to tag cleanup policies, those act on individual tags, this protection is for the repository as a whole.
  3. Make aware of potential limitations, e.g. 255 character limitation for container_path_pattern.
Edited by Gerardo Navarro