
I am trying to convince my management to allow use of Docker in the organization, but they are worried someone could make an image and push it to their private repositories.

Could we allow use of Docker, allow images to be pulled, but disable Docker login and Docker push?

Dave M
Pongal
  • Explain to your management that even if you prevent docker pushes, there are more than enough alternate methods to transfer data to private storage. – Gerald Schneider Jul 14 '20 at 10:53
  • I don't understand. Allowing the use of Docker is a client side matter, docker push is a server side matter, i.e. the server requires authentication and authorization. Without server side AuthN and AuthZ the client can't do anything. – bviktor Mar 19 '23 at 18:13

1 Answer

The Docker registry uses an HTTP API. docker push uses PUT, PUSH and PATCH HTTP methods. To allow docker pull and block docker push a firewall solution which inspects the HTTP requests would be necessary.

But even if docker push is blocked by a firewall it would still be possible to use docker save to create a local image archive which could then be saved on a USB stick or transferred out of the company network via email, etc.

To get some level of security one could consider blocking access to the docker.io registry to prevent accidental push commands, run a private registry and only use a private base image.

On Linux you can configure something like this:

BLOCK_REGISTRY='--block-registry=all'
ADD_REGISTRY='--add-registry=registry.access.redhat.com'

However it seems that these settings haven't been implemented in Docker for Windows.

tinlyx
Henrik Pingel
  • Private registry seems to be the way to go. We can use a laptop that has full access to download images that we often use and push them to private repository, which can be used by all developers. Thank you. – Pongal Jul 14 '20 at 10:54
  • Yes, that is a possible way to do that. Ideally you have a Jenkins (or similar) pipeline to keep the base image updated. – Henrik Pingel Jul 14 '20 at 11:00
  • Docker authorization is not a thing. Once you have Docker, you can gain sudo rights anytime. There's no way to block it. Not even with plugins. It's a horrible design and I've been looking for an answer for years, but there just isn't one. What I'm trying to say is that you can configure your Linux system all day, but if you give Docker rights to someone, be aware that there's absolutely nothing preventing them from overriding your configuration, if they want. – bviktor Mar 19 '23 at 18:38
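
The method-and-path inspection the answer describes, as an added example that is not part of the original answer or its comments: a default-deny classifier for Docker Registry HTTP API v2 requests, of the kind a filtering proxy in front of a registry could apply. It assumes the v2 routes (blob uploads start with POST and continue with PATCH and PUT under /blobs/uploads/, manifests are written with PUT); the function names and the sample request lines are constructed for illustration.

```python
import re

# Simplified repository-name pattern; names may contain slashes (e.g. library/alpine).
NAME = r"[a-z0-9]+(?:[._/-][a-z0-9]+)*"
READ_ROUTES = [re.compile(p) for p in (
    r"^/v2/$",                           # API version check
    r"^/v2/_catalog$",
    rf"^/v2/{NAME}/tags/list$",
    rf"^/v2/{NAME}/manifests/[^/]+$",
    rf"^/v2/{NAME}/blobs/[^/]+$",
)]
UPLOAD = re.compile(rf"^/v2/{NAME}/blobs/uploads/")
MANIFEST = re.compile(rf"^/v2/{NAME}/manifests/[^/]+$")

def decide(method, target):
    """Return (verdict, reason) for one registry request; anything unrecognised is denied."""
    method, path = method.upper(), target.split("?", 1)[0]
    if method in ("GET", "HEAD"):
        if UPLOAD.match(path):
            return "deny", "upload-status"      # only used during a push
        if any(r.match(path) for r in READ_ROUTES):
            return "allow", "pull"
    elif method in ("POST", "PATCH", "PUT") and UPLOAD.match(path):
        return "deny", "push-blob-upload"
    elif method == "PUT" and MANIFEST.match(path):
        return "deny", "push-manifest"
    elif method == "DELETE":
        return "deny", "delete"
    return "deny", "unknown-route"

# Constructed sample request lines (method and request target), not real traffic.
SAMPLE = [
    "GET /v2/",
    "HEAD /v2/library/alpine/manifests/3.19",
    "GET /v2/library/alpine/blobs/sha256:0123abcd",
    "POST /v2/team/app/blobs/uploads/",
    "PATCH /v2/team/app/blobs/uploads/6b3c-constructed-uuid",
    "PUT /v2/team/app/blobs/uploads/6b3c-constructed-uuid?digest=sha256:0123abcd",
    "PUT /v2/team/app/manifests/latest",
    "DELETE /v2/team/app/manifests/sha256:0123abcd",
]

def audit(lines):
    # Each result is (request line, verdict, reason).
    return [(line, *decide(*line.split(" ", 1))) for line in lines]

if __name__ == "__main__":
    for line, verdict, reason in audit(SAMPLE):
        print(f"{verdict:5} {reason:17} {line}")
```

Registry traffic is normally HTTPS, so the inspecting device has to terminate TLS before it can see the method and path at all.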