Azure / acr

Azure Container Registry samples, troubleshooting tips and references
https://aka.ms/acr

Push-only authentication #708

Closed phj-incom closed 5 months ago

phj-incom commented 10 months ago

I want to be able to only push container images (not pull) to the registry. This is done with the immutable option turned on, and for usage in github actions.

I have tried creating a custom role and following the guide on how to authenticate with a service principal with the "Microsoft.ContainerRegistry/registries/push/write" permissions, but without luck.

northtyphoon commented 9 months ago

The image push process (eg, docker push myregisty.azurecr.io/myimage:mytag) needs to read content from the registry, so even if your intention is write-only, it still needs permission for the read operation.

phj-incom commented 9 months ago

> The image push process (eg, docker push myregisty.azurecr.io/myimage:mytag) needs to read content from the registry, so even if your intention is write-only, it still needs permission for the read operation.

I see, that’s what I feared. I have 14 teams that should not be allowed to pull or push to each others’ images. Is my only solution really 14 registries in Azure, or to use another container registry that supports some kind of namespace separation?

My idea for a solution with a push-only token included the immutable feature as well as image signing and verification, so team A in kubernetes namespace A can only deploy images signed with a private key scoped to their GitHub repos. I would really like to not have the management overhead and price of 14 registries.

sajayantony commented 7 months ago

@phj-incom are you looking to just lock down repositories to teams, since I understand a registry per team doesn't sound feasible? If it is about providing permissions to just specific repositories, then currently the only option is https://aka.ms/acr/tokens . But this isn't on AAD, and the AAD solution is in the works. Including @johnsonshi for AAD based repository permissions.

phj-incom commented 7 months ago

> @phj-incom are you looking to just lock down repositories to teams, since I understand a registry per team doesn't sound feasible? If it is about providing permissions to just specific repositories, then currently the only option is https://aka.ms/acr/tokens . But this isn't on AAD, and the AAD solution is in the works. Including @johnsonshi for AAD based repository permissions.

My problem is that I have 600 repositories in total and some teams have up to a hundred repositories. I need a way to create tokens based on the namespace in the registry.

Also, will it be possible to use the content trust feature with images signed by cosign instead of notary?

cegraybl commented 7 months ago

@phj-incom how is the structure of your repositories? If it's hierarchical, the Tokens feature that Sajay mentions could help.

You can define Token1 to only have access to team-a/* and Token2 to only have access to team-b/*.

We are in the process of merging the documentation, but the feature is live now. Please let us know what you think.
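A constructed model of the per-team scope maps described above, added here and not part of the thread or of ACR's own code. It checks two things the thread raises: a token scoped to team-a/* grants nothing on team-b/*, and a "write-only" scope map cannot complete a push because push also needs content/read. The repository patterns, action names and the az command flags it prints are assumptions about the service, and wildcard matching is approximated with fnmatch.

```python
"""Toy model of ACR repository-scoped tokens (constructed example, not the ACR API).

A scope map grants actions per repository pattern; a token carries one scope map.
Repository matching is modelled with fnmatch here; the real service's matching
rules are an assumption, as are the action names and CLI flags below.
"""
from fnmatch import fnmatchcase
from typing import Dict, FrozenSet

ScopeMap = Dict[str, FrozenSet[str]]  # repo pattern -> granted actions

# docker push must read manifests/blobs it already uploaded, hence content/read.
PUSH_NEEDS = frozenset({"content/read", "content/write"})
PULL_NEEDS = frozenset({"content/read"})

# Constructed scope maps: one per team, plus a naive write-only variant.
TEAM_A: ScopeMap = {"team-a/*": frozenset({"content/read", "content/write"})}
TEAM_B: ScopeMap = {"team-b/*": frozenset({"content/read", "content/write"})}
WRITE_ONLY: ScopeMap = {"team-a/*": frozenset({"content/write"})}


def granted_actions(scope_map: ScopeMap, repo: str) -> FrozenSet[str]:
    """Union of actions from every pattern that matches the repository name."""
    actions = set()
    for pattern, acts in scope_map.items():
        if fnmatchcase(repo, pattern):  # assumed: '*' also spans nested '/' segments
            actions |= acts
    return frozenset(actions)


def can_push(scope_map: ScopeMap, repo: str) -> bool:
    return PUSH_NEEDS <= granted_actions(scope_map, repo)


def can_pull(scope_map: ScopeMap, repo: str) -> bool:
    return PULL_NEEDS <= granted_actions(scope_map, repo)


def scope_map_cli(name: str, registry: str, scope_map: ScopeMap) -> str:
    """Azure CLI that would create this scope map (assumed flags: --repository REPO ACTION...)."""
    parts = ["az acr scope-map create", f"--name {name}", f"--registry {registry}"]
    for pattern, acts in sorted(scope_map.items()):
        parts.append(f"--repository {pattern} " + " ".join(sorted(acts)))
    return " \\\n  ".join(parts)


if __name__ == "__main__":
    print(scope_map_cli("team-a-map", "myregistry", TEAM_A))
    print("team-a token pushes team-a/api:", can_push(TEAM_A, "team-a/api"))
    print("team-a token pulls team-b/api:", can_pull(TEAM_A, "team-b/api"))
    print("write-only token pushes team-a/api:", can_push(WRITE_ONLY, "team-a/api"))
```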

johnsonshi commented 7 months ago

@phj-incom, ACR has 2 upcoming features that will enable your scenario.

With Tokens and Scope Maps (documented by @cegraybl above), you can do so, but its auth mechanism isn't AAD based. That may fit your scenario if it's more IoT oriented or your consumer will not have an SP or managed identity.

If you need AAD-based auth:

With AAD ABAC feature that ACR is working on, you can grant AAD role assignments and attach conditions so that the role assignment only kicks in if certain conditions match. For instance, you could grant one of write, read, or delete permissions (or all three), to a specific AAD identity (SP/MI/user/group), but only apply the role assignment for repos where the repo name matches team-a/*. For an idea of how ABAC would pan out, check out Storage Account's ABAC experience.

https://learn.microsoft.com/en-us/azure/role-based-access-control/conditions-overview