goharbor / harbor

An open source trusted cloud native registry project that stores, signs, and scans content.
https://goharbor.io
Apache License 2.0

Limit Proxy Cache Images #13231

Open phin1x opened 3 years ago

phin1x commented 3 years ago

With the new version of Harbor it can now be used as a proxy cache. As administrator I would like to have the possibility to restrict the images that are pulled (whitelist). This would save us a lot of replication rules.

xaleeks commented 3 years ago

can you expand? how does this save a lot of replication rules? @phin1x

phin1x commented 3 years ago

If I create a proxy project (for example docker hub), all users with pull permission can pull all images from the proxied registry. If I want to limit the images which can be pulled (for example only dockerhub library images should be allowed), I cannot use the proxy cache project type. In our company, images from third party registries like dockerhub, quay, gcr, gitlab and so on are forbidden by default and images need a security check before they are allowed to be used. To ensure that, we create a replication rule for every granted image (about 30 rules at the moment, ascending trend). If we can limit the images which can be pulled through a proxy cache project, this would save us a lot of replication rules, especially if the whitelisting would be based on wildcard filters.

rayisbadat commented 3 years ago

I would just like to add my +1 to this feature request. Currently I am syncing about 30+ repos from dockerhub. But if there was a Name-like feature on the proxy cache as there is for the normal replications I could get rid of most of those. Ex: Name: library/** or Name: library/{alpine,centos,ubuntu} . It would allow me to proxy official docker hub images, and prevent random people's personal images.
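The filter semantics requested above (a replication-style Name pattern with `**` and `{a,b,c}` alternatives applied to pulls through a proxy cache) as an added, stand-alone Go example; this is not Harbor's own code, and the pattern grammar (single-level braces, `**` spanning `/`, `*` limited to one path segment) is an assumption modelled on the two examples in the comment.

```go
package main

import (
	"regexp"
	"strings"
)

// expandBraces turns "library/{alpine,centos}" into ["library/alpine", "library/centos"] (single-level braces only; assumption).
func expandBraces(pattern string) []string {
	open, end := strings.Index(pattern, "{"), strings.Index(pattern, "}")
	if open < 0 || end < open {
		return []string{pattern}
	}
	var out []string
	for _, alt := range strings.Split(pattern[open+1:end], ",") {
		out = append(out, expandBraces(pattern[:open]+alt+pattern[end+1:])...)
	}
	return out
}

// globToRegexp compiles one brace-free pattern: "**" may span "/", while a
// single "*" stays inside one path segment, so "library/*" never matches "library/a/b".
func globToRegexp(pattern string) *regexp.Regexp {
	var b strings.Builder
	b.WriteString("^")
	for i := 0; i < len(pattern); i++ {
		switch {
		case strings.HasPrefix(pattern[i:], "**"):
			b.WriteString(".*")
			i++ // consume the second '*'
		case pattern[i] == '*':
			b.WriteString("[^/]*")
		default:
			b.WriteString(regexp.QuoteMeta(pattern[i : i+1]))
		}
	}
	b.WriteString("$")
	return regexp.MustCompile(b.String())
}

// Allowed reports whether a proxied repository name such as "library/alpine" matches at least one allowlist pattern; an empty allowlist denies every pull.
func Allowed(allowlist []string, repo string) bool {
	for _, p := range allowlist {
		for _, exp := range expandBraces(p) {
			if globToRegexp(exp).MatchString(repo) {
				return true
			}
		}
	}
	return false
}
```

With `Allowed([]string{"library/{alpine,centos,ubuntu}", "bitnami/**"}, repo)`, `library/alpine` and `bitnami/postgresql` pass while `library/nginx` and `someone/evil` are refused, which is the default-deny behaviour the thread asks for.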

nnsense commented 3 years ago

This feature would allow us to open the proxy to internet without worrying about people using our proxy to circumvent docker hub restrictions.

github-actions[bot] commented 2 years ago

This issue is being marked stale due to a period of inactivity. If this issue is still relevant, please comment or remove the stale label. Otherwise, this issue will close in 30 days.

Danielkem commented 1 year ago

I also believe that this feature would be of great value. A common setup would be to host a Harbor instance on a cluster and set policies to only allow pulling images from that Harbor instance for security reasons. However, it would be quite redundant in many cases to also replicate all images that are maintained by some known and trusted publisher. In this case I would like to define a proxy cache to a single Docker Hub publisher/user/project/repository while not opening up the ability to pull images from any public repository that is hosted at Docker Hub.

Is anyone looking at or working on implementing this kind of feature?

pafra commented 1 year ago

We would need this feature too!

blackaichi commented 1 year ago

This feature will be really useful!

AYDEV-FR commented 1 year ago

+1 I need this feature too. And this feature can be added with it

https://github.com/goharbor/harbor/issues/13242

hri-op commented 1 year ago

+1 We also need this feature. Otherwise we use replication to replicate only the images we want to be present in our local harbor registry.

damon-xu01 commented 9 months ago

+1 We need this feature as well.

gauthiersiri commented 7 months ago

That would be amazing! +1

caimez commented 3 months ago

+1 Agreed! Another idea to add here would be image scanning at time of proxy pull and potential refusal of the image if there are a certain number of low, medium, high vulnerabilities.

atchadwick commented 1 month ago

+1 Would love to see this feature, especially with the continued focus on security for images, being able to whitelist a proxy cache is a nice balance of accessibility for users without the need to keep a huge replication rule list or pre pull a bunch of unused images.

lukeelten commented 1 month ago

+1 Would love to see this feature, especially with the continued focus on security for images, being able to whitelist a proxy cache is a nice balance of accessibility for users without the need to keep a huge replication rule list or pre pull a bunch of unused images.

I agree with @atchadwick . This feature would greatly increase our security measures against malicious images.

gira0 commented 1 month ago

+1

This would definitely be a helpful feature to ensure only trusted sources from docker hub would be available, right now. Every few weeks there's another article about the rise of malicious images on docker hub since it's the de facto default registry.

paspflue commented 6 days ago

+1