We are using Azure IoT Edge in a nested edge configuration for devices at L3 with parents at our top level L4.
Regarding the top level docker registry module we have deployed at the L4 parents, this appears to be wide open and we’re concerned with anyone with access to the L4 port the registry is running on being able to read, write & delete images from this repository.
We have deployed the top level docker registry container as outlined here.
I know the registry "delete" option is disabled by default, but I didn't see an obvious way to make the registry module read-only without possibly breaking the caching feature used by IoT Edge.
I also saw there is a "connected registry" in the Azure Container Registry, which looks like a preview feature that may address some of our security concerns, but we are currently using JFrog as the registry that our top level accesses to pull images from, so switching to Azure Container Registry won't work.
How can we secure the top level docker registry module? If we add authentication to it, how do we make sure lower level edge devices can still pull images from $upstream?
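As an added illustration of the two halves of the question (it is not code from the original post, from Microsoft or from the registry project), the script below audits the parent-side registry module for client authentication and deletion settings, produces a hardened `createOptions` that turns on htpasswd basic auth, and checks that a child-device manifest carries a `registryCredentials` entry for every image it pulls via `$upstream`. The upstream URL, host directory, module names, user name and the manifest fragments are constructed placeholders, and it assumes the usual nested layout where the IoT Edge API proxy terminates TLS on 443 and forwards to the registry module on port 5000.

```python
# Added example: audit nested-edge deployment manifests for an unauthenticated
# registry module and emit a hardened createOptions. Placeholders are constructed.
import json
from typing import Dict, List, Optional

UPSTREAM_JFROG_URL = "https://artifactory.example.com"   # placeholder, not the poster's URL
HTPASSWD_HOST_DIR = "/etc/iotedge/registry-auth"          # placeholder host dir holding htpasswd


def parse_create_options(module: dict) -> dict:
    """createOptions is a JSON string; edgeAgent also accepts it split across
    createOptions01, createOptions02, ... which are concatenated here."""
    settings = module.get("settings", {})
    raw = settings.get("createOptions", "")
    for i in range(1, 100):
        chunk = settings.get(f"createOptions{i:02d}")
        if chunk is None:
            break
        raw += chunk
    return json.loads(raw) if raw else {}


def env_map(create_options: dict) -> Dict[str, str]:
    """Turn Docker's ["KEY=value", ...] Env list into a dict."""
    env: Dict[str, str] = {}
    for item in create_options.get("Env", []):
        key, _, value = item.partition("=")
        env[key] = value
    return env


def audit_registry_module(manifest: dict, module_name: str = "registry") -> List[str]:
    """Findings for the parent (L4) registry module: no client auth, deletes enabled."""
    desired = manifest["modulesContent"]["$edgeAgent"]["properties.desired"]
    module = desired.get("modules", {}).get(module_name)
    if module is None:
        return [f"module '{module_name}' not present in manifest"]
    env = env_map(parse_create_options(module))
    findings = []
    auth = env.get("REGISTRY_AUTH")
    if auth not in ("htpasswd", "token"):
        findings.append("REGISTRY_AUTH unset: any client reaching the port can pull")
    if auth == "htpasswd" and not env.get("REGISTRY_AUTH_HTPASSWD_PATH"):
        findings.append("htpasswd auth selected but REGISTRY_AUTH_HTPASSWD_PATH missing")
    if env.get("REGISTRY_STORAGE_DELETE_ENABLED", "false").lower() == "true":
        findings.append("REGISTRY_STORAGE_DELETE_ENABLED=true: manifests can be deleted")
    return findings


def harden_registry_create_options(opts: dict, htpasswd_host_dir: str) -> dict:
    """Copy of the registry createOptions with basic auth on, deletion explicitly off
    and the htpasswd file bind-mounted read-only. The file must hold bcrypt entries,
    e.g. created with `htpasswd -Bbn <user> <password>`."""
    hardened = json.loads(json.dumps(opts))          # deep copy, caller's dict untouched
    env = env_map(hardened)
    env.update({
        "REGISTRY_AUTH": "htpasswd",
        "REGISTRY_AUTH_HTPASSWD_REALM": "nested-edge-registry",
        "REGISTRY_AUTH_HTPASSWD_PATH": "/auth/htpasswd",
        "REGISTRY_STORAGE_DELETE_ENABLED": "false",
    })
    hardened["Env"] = [f"{k}={v}" for k, v in env.items()]
    hardened.setdefault("HostConfig", {})["Binds"] = [f"{htpasswd_host_dir}:/auth:ro"]
    return hardened


def audit_child_credentials(manifest: dict) -> List[str]:
    """Findings for a child (L3) manifest: each image pulled via $upstream needs a
    registryCredentials entry whose address equals the image's registry part."""
    desired = manifest["modulesContent"]["$edgeAgent"]["properties.desired"]
    creds = desired.get("runtime", {}).get("settings", {}).get("registryCredentials", {})
    known = {c.get("address") for c in creds.values()}
    modules = {**desired.get("systemModules", {}), **desired.get("modules", {})}
    findings = []
    for name, mod in modules.items():
        image = mod.get("settings", {}).get("image", "")
        registry = image.split("/", 1)[0]
        if registry.startswith("$upstream") and registry not in known:
            findings.append(f"{name}: pulls {image} with no registryCredentials for {registry}")
    return findings


def _manifest(modules: dict, registry_credentials: Optional[dict] = None) -> dict:
    """Minimal deployment-manifest skeleton (constructed for this example)."""
    return {"modulesContent": {"$edgeAgent": {"properties.desired": {
        "schemaVersion": "1.1",
        "runtime": {"type": "docker",
                    "settings": {"registryCredentials": registry_credentials or {}}},
        "systemModules": {}, "modules": modules}}}}


# Constructed parent-side registry module: pull-through cache on host port 5000, no auth.
OPEN_REGISTRY_OPTS = {
    "Env": [f"REGISTRY_PROXY_REMOTEURL={UPSTREAM_JFROG_URL}"],
    "HostConfig": {"PortBindings": {"5000/tcp": [{"HostPort": "5000"}]}},
}
PARENT_OPEN = _manifest({"registry": {"type": "docker", "settings": {
    "image": "registry:2", "createOptions": json.dumps(OPEN_REGISTRY_OPTS)}}})
PARENT_HARDENED = _manifest({"registry": {"type": "docker", "settings": {
    "image": "registry:2", "createOptions": json.dumps(
        harden_registry_create_options(OPEN_REGISTRY_OPTS, HTPASSWD_HOST_DIR))}}})

# Constructed child-side manifest: one module pulled through the parent on port 443.
CHILD_MODULES = {"sensor": {"type": "docker", "settings": {
    "image": "$upstream:443/azureiotedge-simulated-temperature-sensor:1.4"}}}
CHILD_NO_CREDS = _manifest(CHILD_MODULES)
CHILD_WITH_CREDS = _manifest(CHILD_MODULES, registry_credentials={
    "parent": {"address": "$upstream:443", "username": "l3-puller",
               "password": "<placeholder, inject from a secret store>"}})

if __name__ == "__main__":
    for label, result in [("parent/open", audit_registry_module(PARENT_OPEN)),
                          ("parent/hardened", audit_registry_module(PARENT_HARDENED)),
                          ("child/no-creds", audit_child_credentials(CHILD_NO_CREDS)),
                          ("child/with-creds", audit_child_credentials(CHILD_WITH_CREDS))]:
        print(label, result or "OK")
```

Two caveats to verify against your own setup: the `registryCredentials` block only governs pulls the child's edgeAgent performs after it is running, so the credentials the child uses to fetch the edgeAgent image itself at bootstrap live in the device's `config.toml` (assumption: the `[agent.config.auth]` section), and the credential pair stored there and in the manifest should be a pull-only identity distinct from the one the L4 registry uses toward JFrog via `REGISTRY_PROXY_USERNAME`/`REGISTRY_PROXY_PASSWORD`. The registry documentation also states that pushes to a pull-through cache are unsupported, so in proxy mode the exposure on the open port is read access rather than write; the htpasswd layer closes that read path.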