GoogleCloudPlatform / kubeflow-distribution

Blueprints for Deploying Kubeflow on Google Cloud Platform and Anthos
Apache License 2.0

Best way to whitelist DockerHub and Quay.io firewall rules #34

Open jlewi opened 4 years ago

jlewi commented 4 years ago

On private deployments we want to deny all external traffic by default. One of the exceptions is to allow traffic to DockerHub so we can pull docker images stored there.

Right now we do this just by creating a firewall rule that whitelists traffic to the dockerhub site. We get the ips just by testing the domains e.g.

nslookup index.dockerhub.io
nslookup dockerhub.io
nslookup registry-1.docker.io

I don't think there is any guarantee that these IP addresses are static.

Opening this issue to track whether we can come up with a better solution.

issue-label-bot[bot] commented 4 years ago

Issue-Label Bot is automatically applying the labels:

Label Probability
platform/gcp 0.96

Please mark this comment with :thumbsup: or :thumbsdown: to give our bot feedback! Links: app homepage, dashboard and code for this bot.

jlewi commented 4 years ago

See: https://support.sonatype.com/hc/en-us/articles/115015442847-Whitelisting-Docker-Hub-Hosts-for-Firewalls-and-HTTP-Proxy-Servers

jlewi commented 4 years ago

Ran into the same problem with quay. For quay it looks like the domains are

nslookup quay.io
nslookup cdn.quay.io

jlewi commented 4 years ago

I was able to get dockerhub.io to work but was unsuccessful with quay.io.

dennisTGC commented 3 years ago

I had the same problem; it went away after I added cdn01.quay.io and cdn02.quay.io. I have seen people add *.quay.io too, if your proxy/fw supports it.

odupuy commented 2 months ago

Don't forget cdn03.quay.io.

Nothing after 03 at this point.
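The opening post's concern is that the addresses behind these registry hostnames are not guaranteed to be static, so an allow-list built from a one-off nslookup silently goes stale. The script below is an added example (not code from the kubeflow-distribution project or from anyone in this thread) showing one defensive pattern: resolve the Docker Hub and Quay hostnames named in the thread, diff the result against the previously recorded snapshot so the firewall rule can be updated when the set changes, and emit the gcloud arguments for an egress allow rule. The snapshot contents are constructed sample data in documentation (TEST-NET) ranges, the rule name is a placeholder, and the resolver is injectable so the drift check can run offline; only `resolve_with_dns` touches the network.

```python
"""Resolve registry hostnames, build an egress allow-list, and detect drift.

Added example; hostnames come from the GitHub issue, IPs below are constructed.
"""
import ipaddress
import socket
from typing import Callable, Dict, Iterable, List, Set

# Hostnames named in the issue thread (Docker Hub first, then Quay and its CDN hosts).
REGISTRY_HOSTS = [
    "index.dockerhub.io",
    "dockerhub.io",
    "registry-1.docker.io",
    "quay.io",
    "cdn.quay.io",
    "cdn01.quay.io",
    "cdn02.quay.io",
    "cdn03.quay.io",
]

# Constructed sample snapshots (TEST-NET addresses), standing in for a stored
# allow-list from a previous run and a fresh resolution today.
SNAPSHOT_YESTERDAY: Dict[str, Set[str]] = {
    "registry-1.docker.io": {"203.0.113.10", "203.0.113.11"},
    "quay.io": {"198.51.100.5"},
}
SNAPSHOT_TODAY: Dict[str, Set[str]] = {
    "registry-1.docker.io": {"203.0.113.10", "203.0.113.12"},
    "quay.io": {"198.51.100.5"},
    "cdn03.quay.io": {"198.51.100.9"},
}


def resolve_with_dns(host: str) -> Set[str]:
    """Live resolver: every IPv4 address currently returned for host (needs network)."""
    try:
        infos = socket.getaddrinfo(host, 443, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}


def build_allowlist(hosts: Iterable[str],
                    resolver: Callable[[str], Set[str]]) -> Dict[str, Set[str]]:
    """Map each hostname to the address set the given resolver reports for it."""
    return {host: set(resolver(host)) for host in hosts}


def to_cidrs(allowlist: Dict[str, Set[str]]) -> List[str]:
    """Flatten an allow-list into sorted /32 destination ranges for a firewall rule."""
    addresses = set().union(*allowlist.values()) if allowlist else set()
    return sorted((f"{ip}/32" for ip in addresses),
                  key=lambda cidr: ipaddress.ip_network(cidr))


def drift(previous: Dict[str, Set[str]],
          current: Dict[str, Set[str]]) -> Dict[str, Dict[str, Set[str]]]:
    """Per-host addresses that appeared or disappeared between two snapshots.

    A non-empty result means the firewall rule built from `previous` is stale:
    pulls may start failing (removed) or new addresses are not yet allowed (added).
    """
    changes: Dict[str, Dict[str, Set[str]]] = {}
    for host in sorted(set(previous) | set(current)):
        old, new = previous.get(host, set()), current.get(host, set())
        added, removed = new - old, old - new
        if added or removed:
            changes[host] = {"added": added, "removed": removed}
    return changes


def gcloud_egress_rule_args(name: str, cidrs: List[str],
                            network: str = "default") -> List[str]:
    """Argument vector for a gcloud egress allow rule to TCP 443 on the given ranges."""
    return [
        "gcloud", "compute", "firewall-rules", "create", name,
        "--network", network,
        "--direction", "EGRESS",
        "--action", "ALLOW",
        "--rules", "tcp:443",
        "--destination-ranges", ",".join(cidrs),
    ]


if __name__ == "__main__":
    # Offline demo using the constructed snapshots; swap in resolve_with_dns for a live run.
    today = build_allowlist(REGISTRY_HOSTS, lambda h: SNAPSHOT_TODAY.get(h, set()))
    for host, change in drift(SNAPSHOT_YESTERDAY, today).items():
        print(f"{host}: +{sorted(change['added'])} -{sorted(change['removed'])}")
    # "allow-registry-egress" is a placeholder rule name.
    print(" ".join(gcloud_egress_rule_args("allow-registry-egress", to_cidrs(today))))
```

Running the drift check on a schedule and alerting when it reports changes is the practical answer to "no guarantee these IPs are static": the rule still has to be edited by hand (or by the emitted gcloud command), but staleness is detected instead of discovered through failed image pulls.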