0

We (mostly) push docker images (containing maven builds) with semantic version tags to our Azure Container Registry (ACR), e.g. my-cool-app:1.0.0-SNAPSHOT. As in the maven-world suggested, a SNAPSHOT is a work in progress built, which may or may not gets overwritten any time ...

I am thinking of a dedicated ACR, which is used for production environment only. This ACR shall contain only released images, meaning no SNAPSHOT shall be contained in the image tag. I couldn't find any useful information if there is some sort tag naming policy, basically denying any kind of deploys containing SNAPSHOT, besides locking the images. Is there no way to define such rules on the ACR, or do we have to check that "programmatically" within the build/release pipeline?

sl3dg3
  • 5,026
  • 12
  • 50
  • 74

1 Answers1

0

There is not any document with naming policy before pushing the images to container registry but for workaround you can use of Content trust in Azure Container Registry

Azure Container Registry implements Docker's content trust model, enabling pushing and pulling of signed images. This article gets you started enabling content trust in your container registries.

As an image publisher, content trust allows you to sign the images you push to your registry. Consumers of your images (people or systems pulling images from your registry) can configure their clients to pull only signed images. When an image consumer pulls a signed image, their Docker client verifies the integrity of the image. In this model, consumers are assured that the signed images in your registry were indeed published by you, and that they've not been modified since being published.

This Content Trust will help to deny to push the images in Container registery as they might be not signed images to use as on production environment or in Azure Contaier Registry

For more information how to assign AcrImageSigner Role in the Container Registry You can refer this Mircosoft Document

RahulKumarShaw
  • 4,192
  • 2
  • 5
  • 11