Enforce Specific Base Image


I am currently running a private registry backed by S3. I tried searching around and couldn’t find any information about this topic, but if there is, please link it to me.

I would like to enforce that all images pushed to my registry are based off of a certain image (either directly or indirectly).

For example, let’s say I want all images based off of the 3-alpine tag of the python image. I have this Dockerfile:

FROM python:3-alpine
RUN echo

I would allow this image to be pushed to my registry because it uses my whitelisted base image. However, this one would be rejected:

FROM python
RUN echo

because it doesn’t use the correct tag (if it didn’t use the python image at all it would also be rejected).

I do want to support indirect base images as well. For example, say the first image above that succeeded was tagged as mynewimage:latest. This image would work:

FROM mynewimage:latest
RUN echo

because although it does not directly use my whitelisted image, it still has those layers. Using the registry API I was able to confirm that I can just look for the layers required for my whitelisted base image. However, the part I am stuck at is how to enforce this during a push. I could accomplish this with notifications, but that is not preferred, as that wouldn’t prevent a push; it would just allow me to delete it after the fact.

Any help or direction is appreciated.
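
The layer comparison described in the post, as an added example that is not part of the original post: it checks that a pushed image's manifest begins with every layer of the whitelisted base, in order, and covers only the comparison, not push-time enforcement. It assumes schema 2 or OCI single-image manifests already fetched from the registry, and that derived images reference the same layer blobs as the base; the function names and the short digests are constructed for illustration.

```python
"""Layer-ancestry check on Docker image manifests (schema 2 / OCI)."""

MANIFEST_TYPES = {
    "application/vnd.docker.distribution.manifest.v2+json",
    "application/vnd.oci.image.manifest.v1+json",
}


def layer_digests(manifest):
    """Return the ordered layer digests of a single-image manifest."""
    media_type = manifest.get("mediaType")
    if media_type not in MANIFEST_TYPES:
        # Manifest lists / indexes carry no layers; resolve them per platform first.
        raise ValueError(f"not a single-image manifest: {media_type!r}")
    return [layer["digest"] for layer in manifest["layers"]]


def is_based_on(candidate, base):
    """True if candidate's layer stack starts with every layer of base, in order."""
    base_layers = layer_digests(base)
    if not base_layers:
        # An empty base would be a prefix of every image.
        raise ValueError("base image has no layers; refusing to match everything")
    return layer_digests(candidate)[: len(base_layers)] == base_layers


def _manifest(*digests):
    # Constructed sample data: short fake digests, not real image layers.
    return {
        "schemaVersion": 2,
        "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
        "layers": [{"digest": f"sha256:{d}"} for d in digests],
    }


BASE = _manifest("aaa", "bbb", "ccc")                    # stands in for python:3-alpine
DIRECT = _manifest("aaa", "bbb", "ccc", "ddd")           # FROM python:3-alpine
INDIRECT = _manifest("aaa", "bbb", "ccc", "ddd", "eee")  # FROM mynewimage:latest
OTHER_TAG = _manifest("fff", "ggg", "ddd")               # FROM python (different layers)
TRUNCATED = _manifest("aaa", "bbb")                      # missing one base layer

if __name__ == "__main__":
    for name, m in [("direct", DIRECT), ("indirect", INDIRECT),
                    ("other tag", OTHER_TAG), ("truncated", TRUNCATED)]:
        print(f"{name:10s} allowed={is_based_on(m, BASE)}")
```

The prefix comparison is stricter than searching for the base layers anywhere in the stack: an image that merely contains those blobs out of order, or on top of something else, is not accepted.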