Not able to set all repos as immutable and excluding some repos

[jessehu]

If you are reporting a problem, please make sure the following information are provided:

Expected behavior and actual behavior: It's not able to deny all tags as immutable with some exception tags.

Steps to reproduce the problem:

With the above rules, all tags are immutable, the 2nd excluding rule does not take effect.

Versions: Please specify the versions of following systems.

• harbor version: [2.8.2]
• docker engine version: [y.y.y]
• docker-compose version: [z.z.z]

Additional context:

• Harbor config files: You can get them by packaging harbor.yml and files in the same directory, including subdirectory.
• Log files: You can get them by package the /var/log/harbor/ .

[wy65701436]

Thanks @jessehu

It is an by designed behavior, as mentioned at https://goharbor.io/docs/2.8.0/working-with-projects/working-with-images/create-tag-immutability-rules/. Immutability rules use OR logic, so if you set multiple rules and a tag is matched by any of those rules, it is marked as immutable.

[jessehu]

So how to archieve the goal for set all repos as immutable and excluding some repos ? This should be a common use case.

[wy65701436]

You can set specific rules to protect the repositories or tags that you want to safeguard.

By using the OR logic, you ensure that the immutable repositories remain unaffected by other rules. Like, if admin A wants to protect repo A, but admin B has excluded repo A without admin A's knowledge, employing the OR logic prevents any interference with repo A.