I am currently running a private registry backed by S3. I tried searching around and couldn’t find any information about this topic, but if there is, please link it to me.
I would like to enforce that all images pushed to my registry are based off of a certain image (either directly or indirectly).
For example, let’s say I want all images based off of the 3-alpine tag of the python image. I have this Dockerfile:
FROM python:3-alpine
RUN echo
I would allow this image to be pushed to my registry because it uses my whitelisted base image. However, this one would be rejected:
FROM python
RUN echo
because it doesn’t use the correct tag (if it didn’t use the python image at all, it would also be rejected).
I do want to support indirect base images as well. For example, say the first image above (the one that succeeded) was tagged as mynewimage:latest. This image would work:
FROM mynewimage:latest
RUN echo
because although it does not directly use my whitelisted image, it still has those layers. Using the registry API, I was able to confirm that I can just look for the layers required for my whitelisted base image. However, the part I am stuck at is how to enforce this during a push. I could accomplish this with notifications, but that is not preferred, as that wouldn’t prevent a push; it would just allow me to delete the image after the fact.
Any help or direction is appreciated.
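The layer check the question describes, worked through as an added example (this is not the asker's code and not part of the Docker distribution registry; the registry itself has no admission hook, so the usual place for such a gate is a reverse proxy or registry middleware sitting in front of it that sees the manifest PUT and can refuse it before it is stored). All digests, repository names and manifests below are constructed sample data; the base manifest stands in for python:3-alpine already resolved to one platform's schema2 manifest, which a real deployment would fetch by digest ahead of time. Two details matter for the check to be meaningful: a derived image carries the base's layers as an ordered prefix of its own layer list, so the gate insists on that prefix rather than on a mere subset of blobs, and an image whose layer stack has a different set of layers is rejected even if it happens to share some blobs with the base.

```python
import json
import re
from typing import Dict, List, Tuple

# Media types from the Docker schema2 / OCI image specs.
MANIFEST_V2 = "application/vnd.docker.distribution.manifest.v2+json"
MANIFEST_LIST_V2 = "application/vnd.docker.distribution.manifest.list.v2+json"
OCI_MANIFEST = "application/vnd.oci.image.manifest.v1+json"
OCI_INDEX = "application/vnd.oci.image.index.v1+json"
LAYER_TAR_GZIP = "application/vnd.docker.image.rootfs.diff.tar.gzip"

DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")
# PUT /v2/<name>/manifests/<reference>; <name> may contain path components.
MANIFEST_PATH_RE = re.compile(
    r"^/v2/(?P<name>[a-z0-9]+(?:[._/-][a-z0-9]+)*)/manifests/(?P<ref>[^/]+)$")


def _fake_digest(label: str) -> str:
    """Constructed, syntactically valid sha256 digest for the sample data (not a real blob)."""
    return "sha256:" + label.ljust(64, "0")


def _manifest(layer_labels: List[str]) -> Dict:
    """Constructed schema2-shaped manifest with only the fields the gate reads filled in."""
    return {
        "schemaVersion": 2,
        "mediaType": MANIFEST_V2,
        "config": {"mediaType": "application/vnd.docker.container.image.v1+json",
                   "digest": _fake_digest("cf"), "size": 1},
        "layers": [{"mediaType": LAYER_TAR_GZIP, "digest": _fake_digest(l), "size": 1}
                   for l in layer_labels],
    }


# Sample manifests (constructed). Layer labels model the Dockerfiles in the question.
BASE_PY3_ALPINE = _manifest(["a1", "a2", "a3"])               # python:3-alpine, one platform
DIRECT_CHILD = _manifest(["a1", "a2", "a3", "b4"])            # FROM python:3-alpine -> mynewimage:latest
INDIRECT_CHILD = _manifest(["a1", "a2", "a3", "b4", "c5"])    # FROM mynewimage:latest
WRONG_TAG = _manifest(["d1", "d2", "d3", "b4"])               # FROM python (different layer stack)
SAME_BLOBS_REORDERED = _manifest(["a3", "a1", "a2", "b4"])    # has the base blobs, but not as its base


def layer_digests(manifest: Dict) -> List[str]:
    """Ordered layer digests of a single-platform manifest; rejects malformed digests."""
    digests = []
    for layer in manifest.get("layers", []):
        digest = layer.get("digest", "")
        if not DIGEST_RE.match(digest):
            raise ValueError(f"malformed layer digest: {digest!r}")
        digests.append(digest)
    return digests


def is_based_on(candidate: Dict, base: Dict) -> bool:
    """True iff candidate's layer stack starts with all of base's layers, in order.

    FROM <base> always puts the base's layers first, so an ordered prefix is the
    right test; an unordered subset would accept any image that merely reuses
    the same blobs somewhere in its stack.
    """
    base_layers = layer_digests(base)
    return bool(base_layers) and layer_digests(candidate)[: len(base_layers)] == base_layers


def gate_manifest_put(path: str, body: bytes, allowed_bases: List[Dict]) -> Tuple[int, str]:
    """Decide a manifest PUT before it reaches the registry: (HTTP status, reason).

    201 means forward to the registry; anything else is returned to the client
    and the manifest is never stored. allowed_bases holds one resolved manifest
    per allowed base image and platform.
    """
    m = MANIFEST_PATH_RE.match(path)
    if not m:
        return 404, "not a manifest PUT path"
    try:
        manifest = json.loads(body)
    except ValueError:
        return 400, "manifest body is not JSON"
    media_type = manifest.get("mediaType")
    if media_type in (MANIFEST_LIST_V2, OCI_INDEX):
        # An index has no layers of its own; the per-platform manifests it points
        # to are pushed (and gated) first, so a real gate would check that every
        # referenced digest was already accepted. This offline example keeps no state.
        return 403, "multi-arch index not accepted by this gate; gate per-platform manifests"
    if media_type not in (MANIFEST_V2, OCI_MANIFEST):
        return 400, f"unsupported mediaType {media_type!r}"
    try:
        if any(is_based_on(manifest, base) for base in allowed_bases):
            return 201, f"{m['name']}:{m['ref']} is built on an allowed base image"
    except ValueError as exc:
        return 400, str(exc)
    return 403, f"{m['name']}:{m['ref']} is not built on an allowed base image"


def put_status(path: str, manifest: Dict, allowed_bases: List[Dict]) -> int:
    """Convenience wrapper: serialize a manifest dict and return only the decision."""
    return gate_manifest_put(path, json.dumps(manifest).encode(), allowed_bases)[0]


if __name__ == "__main__":
    for label, mf in [("direct child", DIRECT_CHILD), ("indirect child", INDIRECT_CHILD),
                      ("wrong tag", WRONG_TAG), ("reordered blobs", SAME_BLOBS_REORDERED)]:
        print(label, gate_manifest_put("/v2/team/app/manifests/latest",
                                       json.dumps(mf).encode(), [BASE_PY3_ALPINE]))
```

Two caveats when deploying something like this. The manifest PUT is the last step of a push, so the layer blobs have already been uploaded by the time the gate refuses the manifest; they sit unreferenced until the registry's garbage collection removes them, which is still far better than a tag that briefly existed. And the base tag is mutable: python:3-alpine resolves to new layer digests whenever it is rebuilt, so the gate should hold the set of digests it currently trusts (pinned by manifest digest and refreshed deliberately), otherwise images built on yesterday's base start failing, or the gate silently trusts whatever the tag points at today.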