
Protected Container Tags

Overview

The Container Registry lacks a feature to enforce protection on specific image tags. This means that users with Developer-level access or higher can overwrite important tags like latest or version-specific tags such as v1.2.3, increasing the risk of accidental or unauthorized modifications. The Protected Tags feature addresses this gap by ensuring only authorized users can modify key tags.

Why It Matters

For Platform Engineers:

  • Prevent accidental overwrites of production-ready images
  • Enforce governance over critical container images
  • Maintain consistent deployment artifacts
  • Reduce incidents caused by container image tampering

For Software Developers:

  • Clearly distinguish between tags that can be modified freely during development and those that require higher permissions
  • Maintain confidence in the integrity of release artifacts
  • Avoid unintentional breaking changes to shared container images

How Protected Tags Differ from Tag Immutability

While both features maintain image integrity, they serve different purposes:

  • Protected Tags: Restricts who can push or modify certain tags based on roles
  • Tag Immutability: Ensures that once a tag is created, its content cannot be modified by anyone

These features complement each other but solve distinct problems in the container lifecycle management process.

Proposed Implementation

Configuration Parameters

In the project settings, Owners can configure this feature using:

  • Minimum role: Defines the minimum user role required to create, update, or delete specific tags
  • Tag name pattern: A regex pattern that determines which tags the rule applies to
  • Operation type: Separate policies for push (creation/update) and delete operations

Multiple configurations can be defined, so different policies can combine different roles and tag patterns.

Example Configuration

To restrict the creation or update of latest and semantic versioning tags to Maintainer+ roles:

  • Minimum role for push: Maintainer
  • Tag pattern: ^(latest|v\d+\.\d+\.\d+)$

This would prevent Developer-level users from modifying these tags while allowing them to work with other tags (e.g., feature branch tags like feature-123).

Scope

These policies will initially apply to all container repositories under a project, but future iterations could potentially allow different policies for each repository.

Technical Implementation

The feature requires changes to both the application and the container registry to:

  1. Store and manage protection rules
  2. Communicate these rules securely to the registry
  3. Enforce tag protection during push and delete operations

This will be achieved by enhancing the JWT authentication flow between the application and the registry, adding tag access patterns to the tokens used for authorization.
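The following is an added worked example (not code from GitLab or the registry) that ties the configuration parameters above to the token-based enforcement described here. It models the rule evaluation on the application side, the tag-access claim that would ride in the registry JWT, and the check the registry would run on push or delete. The claim layout (`denied_push` / `denied_delete`), the role ordering, and the Owner-only delete rule are assumptions of this example; only the Maintainer push rule and its pattern come from the page's example configuration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
)

// Role is a project access level, ordered from least to most privileged.
// Only the levels the page mentions are modelled here.
type Role int

const (
	Developer Role = iota
	Maintainer
	Owner
)

// Operation is the registry action a rule governs.
type Operation string

const (
	Push   Operation = "push"
	Delete Operation = "delete"
)

// ProtectionRule is one configured rule: tags matching Pattern may only be
// pushed (or deleted, per Operation) by users holding at least MinRole.
type ProtectionRule struct {
	Pattern   string
	Operation Operation
	MinRole   Role
}

// TagAccess is an assumed claim layout for the registry JWT (not GitLab's
// actual format): the protected patterns this token holder may NOT push or
// delete. Denials are listed so unprotected tags need no enumeration.
type TagAccess struct {
	DeniedPush   []string `json:"denied_push"`
	DeniedDelete []string `json:"denied_delete"`
}

// ValidateRules rejects a rule whose pattern does not compile, so a typo can
// never silently leave a tag unprotected.
func ValidateRules(rules []ProtectionRule) error {
	for _, r := range rules {
		if _, err := regexp.Compile(r.Pattern); err != nil {
			return fmt.Errorf("rule %q: %w", r.Pattern, err)
		}
	}
	return nil
}

// BuildTagAccess is the application side: from the project's rules and the
// requesting user's role, derive the claim to embed in the registry token.
func BuildTagAccess(rules []ProtectionRule, role Role) TagAccess {
	var access TagAccess
	for _, r := range rules {
		if role >= r.MinRole {
			continue // role satisfies the rule; nothing to deny
		}
		if r.Operation == Delete {
			access.DeniedDelete = append(access.DeniedDelete, r.Pattern)
		} else {
			access.DeniedPush = append(access.DeniedPush, r.Pattern)
		}
	}
	return access
}

// Authorize is the registry side: permit the operation unless the tag matches
// a denied pattern. An unparseable pattern fails closed.
func Authorize(access TagAccess, op Operation, tag string) bool {
	patterns := access.DeniedPush
	if op == Delete {
		patterns = access.DeniedDelete
	}
	for _, p := range patterns {
		re, err := regexp.Compile(p)
		if err != nil || re.MatchString(tag) {
			return false
		}
	}
	return true
}

func main() {
	// Constructed rules: the page's Maintainer+ push rule, plus an assumed
	// Owner-only delete rule for the same tags.
	rules := []ProtectionRule{
		{Pattern: `^(latest|v\d+\.\d+\.\d+)$`, Operation: Push, MinRole: Maintainer},
		{Pattern: `^(latest|v\d+\.\d+\.\d+)$`, Operation: Delete, MinRole: Owner},
	}
	if err := ValidateRules(rules); err != nil {
		panic(err)
	}
	access := BuildTagAccess(rules, Developer)
	claim, _ := json.Marshal(access) // what the signed JWT payload would carry
	fmt.Printf("developer claim: %s\n", claim)
	for _, tag := range []string{"latest", "v1.2.3", "feature-123"} {
		fmt.Printf("tag=%-11s push=%-5v delete=%v\n",
			tag, Authorize(access, Push, tag), Authorize(access, Delete, tag))
	}
}
```

Two design points are worth noting. Computing the denial list in the application keeps the registry stateless with respect to rules: it only trusts what the signed token says, which is exactly the "communicate these rules securely" step. And both the rule validation and the registry check fail closed on a bad pattern, so a malformed rule can only over-restrict, never silently unprotect a tag.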

Benefits

  • Reduced Risk: Prevents accidental or unauthorized modifications to critical tags
  • Clear Governance: Provides transparent policies about who can modify which tags
  • Complementary Security: Works alongside existing features like Tag Immutability
  • Flexible Configuration: Allows granular control through regex patterns and role-based access