I’ve been looking for a way, preferably dockerd configuration of some type, that let’s me control which registries are referenced on a “pull”.

The reason for this is to prevent production from pulling an image from a public repository (or any repository than our internal repositories). A simple mechanism would make our InfoSec department happy.

If application config doesn’t exist (I’m skeptical, I don’t think it does), then any practical experience from people who have done this in production is appreciated (e.g. firewall? forward http proxy?).